[ http://jira.magnolia.info/browse/MAGNOLIA-2313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17920#action_17920 ]

Fabrizio Giustina commented on MAGNOLIA-2313:
---------------------------------------------
> jaas configuration in which you would be using non magnolia Authorization
> module with magnolia Authentication

Well, actually it is a custom *authentication* module used with the magnolia
standard *authorization* one.

This is a snippet from a sample jaas.config:

magnolia {
  net.sourceforge.openutils.mgnlcas.CASAuthenticationModule
    requisite
    realm=cas
    default_role=cas-user
    roles_attribute=roles
    groups_attribute=groups;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule
    requisite
    skip_on_previous_success=true;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

We implemented a magnolia CAS login module (will be open sourced as soon as I
can find the time to clean up and document it properly, ping here if someone
could need it now), which does the authentication by connecting to a CAS
server. The Authentication module returns a user with the list of groups and
roles, which are expanded by the standard magnolia authorization module.

The problem here was that the authorization module was also checking the
authentication token, crashing because CAS doesn't use a username/password
authentication token but a ticket (a simple TextInputCallback). After the
change the authorization module expects a user already authenticated and only
expands its ACLs.

> JcrAuthorizationModule should not extend JCRAuthenticationModule
> ----------------------------------------------------------------
>
> Key: MAGNOLIA-2313
> URL: http://jira.magnolia.info/browse/MAGNOLIA-2313
> Project: Magnolia
> Issue Type: Bug
> Components: core
> Affects Versions: 3.6.1
> Reporter: Fabrizio Giustina
> Assignee: Fabrizio Giustina
> Priority: Critical
> Fix For: 3.6.2
>
>
> ... or at least it shouldn't call login() in the JCRAuthenticationModule.
> The problem is that JcrAuthorizationModule should be usable to handle jcr
> authorization (expand groups and roles to ACLs), regardless of the
> authentication method used. But if you try to supply a different
> Authorization module, at least if this module uses different callbacks from
> the JcrAuthenticationModule, the login() method in the
> JCRAuthenticationModule will never pass.
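
An added example (not from the original message, and not Magnolia's JCRAuthorizationModule): a JAAS LoginModule that does authorization only, as the comment describes. It never uses the CallbackHandler, so it works behind a ticket-based module such as the CAS one. The class name, the example.groups shared-state key and the group-to-role map are assumptions, as is the authentication module publishing the user name under the JDK-conventional javax.security.auth.login.name key.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical authorization-only module; not Magnolia's JCRAuthorizationModule.
public class AuthorizationOnlyModule implements LoginModule {
    // NAME follows the JDK login modules' convention; GROUPS is an assumed key.
    static final String NAME = "javax.security.auth.login.name";
    static final String GROUPS = "example.groups";
    // Constructed sample mapping from group to roles.
    static final Map<String, List<String>> GROUP_ROLES =
        Map.of("editors", List.of("editor"), "admins", List.of("editor", "superuser"));

    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    private Subject subject;
    private Map<String, ?> shared;
    private final Set<Principal> added = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler unused,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.shared = sharedState; // the CallbackHandler is deliberately never used
    }

    public boolean login() throws LoginException {
        // Fail closed: only expand roles for a user an earlier module authenticated.
        if (!(shared.get(NAME) instanceof String))
            throw new LoginException("no authenticated user in shared state");
        return true;
    }

    public boolean commit() {
        // Expand the groups supplied by the authentication module into role principals.
        if (shared.get(GROUPS) instanceof Collection<?> groups)
            for (Object g : groups)
                for (String role : GROUP_ROLES.getOrDefault(String.valueOf(g), List.of()))
                    added.add(new RolePrincipal(role));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { return logout(); }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
}
```

In a stack like the jaas.config above it would sit last with the required flag; because the CAS module is requisite, a failed CAS login returns before this module runs.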