On 2/22/13 9:11 AM, Kiran Ayyagari wrote:
> On Thu, Feb 21, 2013 at 11:29 PM, Emmanuel Lécharny <[email protected]> wrote:
>
>> On 2/21/13 6:54 PM, Kiran Ayyagari wrote:
>>> On Thu, Feb 21, 2013 at 11:10 PM, Emmanuel Lécharny <[email protected]> wrote:
>>>
>>>> On 2/21/13 5:25 PM, Kiran Ayyagari wrote:
>>>>> don't think we have such a support right now do we? is that looping of
>>>>> authenticators makes this a possibility?
>>>> I see that the Authenticator interface provides a checkPwdPolicy() method :
>>>>
>>>>     /**
>>>>      * performs checks on the given entry based on the specified password policy configuration
>>>>      *
>>>>      * @param userEntry the user entry to be checked for authentication
>>>>      * @throws PasswordPolicyException
>>>>      */
>>>>     void checkPwdPolicy( Entry userEntry ) throws LdapException;
>>>>
>>>> Why can't we do all the passwordPolicy checks in the authenticator,
>>>> instead of the interceptor ?
>>>>
>>>> The only pb is that we need the user entry at this point, but couldn't
>>>> we pass the BindContext, so for the checkPwdPolicy() to fetch the entry
>>>> from the DS instead ?
>>>>
>>>> Does it make sense ?
>>>>
>>> password policy is enforced not only during authentication but also after
>>> authentication and while doing modify operation
>> Absolutely, but here, I'm just mentioning the check when doing a bind.
>> Every other operation should be done in the interceptors.
>>
> we still need to perform several checks during and after authentication
> in the same bind operation
> so we cannot move this logic entirely to authenticators
>
The thing is that we may not need the entry to do those checks. If we
do, then it's a problem, because that means we can't delegate
authentication... So we have to find a way to avoid requesting the entry.

What are the checks we need to do btw ? (I've not spent much time on
this part of the code...)

Thanks !

PS : Moving this discussion to the dev mailing list

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
