On Wed, Apr 22, 2015 at 6:08 PM, Emmanuel Lécharny <[email protected]>
wrote:
> Hi,
>
> yesterday, we were hit by a bus, and it was expected for a very long
> time. The way we handle authenticators is far from ebing perfect.
>
>
Here is the current code :
>
> public void bind( BindOperationContext bindContext ) throws
> LdapException
> {
> ...
> for ( Authenticator authenticator : authenticators )
> {
> try
> {
> // perform the authentication
> LdapPrincipal principal =
> authenticator.authenticate( bindContext );
> ...
>
> We have many instances of Authenticator :
> - AnonymousAuthenticator
> - DelegatingAuthenticator
> - SimpleAuthenticator
> - StrongAuthenticator
>
> The list of authenticator we will use is determinated by the type of
> requested authentication (one of none, simple, or strong). Here is the
> list of the associated authentication we currently support.
>
> Level Authenticator
> Simple -> SimpleAuthenticator, DelegatingAuthenticator
> None -> AnonymousAuthenticator
> Strong -> StrongAuthenticator
>
>
> As we can see, the 'Simple' bind will try two authenticator at least
> (this is true for any authentication level, assuming some additional
> Authenticator instance has been added for a specific level).
>
> So how can we proceed ? Currently, we expect the authenticator to be
> checked one after the other, even if it's a waste (typically, we will
> try to do an authentication using the SimpleAuthenticator, even if the
> Bind DN is part of the DelegatedAuthenticator area).
>
> I think we should add a selector in the Authenticator interface, that
> tells if the Authenticator instance has to be called or not. All in all,
> we should *never* call two authenticator instances.
>
> A method like :
>
> Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level
> )
>
> +1 this is indeed the right thing to do
> which would select the unique authenticator instance that will be used
> to authenticate the session would be a good addition, IMO.
>
> WDYT ?
>
>
--
Kiran Ayyagari
http://keydap.com
