On 9 Mar 2010, at 20:11, Vidar Ramdal wrote:

> On Tue, Mar 9, 2010 at 8:30 PM, D. Stuart Freeman
> <[email protected]> wrote:
>> I've got an AuthenticationHandler and I'd like to allow users to log in
>> without doing any further registration. My understanding is that my
>> AuthenticationPlugin will have to create accounts in JCR for users if
>> they don't exist already.
>
> That is not necessarily true. If you have a custom LoginModulePlugin
> [1], you can look up user data from anywhere - it doesn't have to be
> from JCR. The LoginModulePlugin then instantiates your custom
> AuthenticationPlugins on LoginModulePlugin.getAuthentication().
>
>> Will it work (and is it advisable) to do
>> something like:
>>
>> userManager.createUser(name, RandomStringUtils.random(32), principal);
>>
>> or am I completely misunderstanding something?
>
> I'd say, if you already have your user data somewhere else (like an
> external database or LDAP directory), don't replicate that data in
> Jackrabbit's UserManager. In fact, don't use UserManager at all
> (except, perhaps, for the pre-defined admin and anonymous users).
> Instead, implement a LoginModulePlugin to use your external source.
>
> [1]
> http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html
>

IIRC if the users want to be members of Groups they have to be created in the UserManager, since the UserManager uses weak references to define the membership (i.e. pointing to JCR nodes containing authorizables).

Also, if the user wants to be referenced in any ACL/ACE then the principal needs to be resolvable (otherwise you can't set the ACL). Hence you need to implement a PrincipalManager that connects to the external source.

I started to make the UserManager and PrincipalManager pluggable, but got stumped by the weak references in the UserManagerImpl (however in JR2 this is extendable).

So in short, if you need group membership or ACLs then you are going to have to have the users internally; if you only want to do AuthN, then a LoginModulePlugin is needed. (Also I think you can do the same by registering a JAAS login module with callbacks, but that's native Jackrabbit rather than Sling, so slightly harder.)

Ian

>
> --
> Vidar S. Ramdal <[email protected]> - http://www.idium.no
> Sommerrogata 13-15, N-0255 Oslo, Norway
> + 47 22 00 84 00 / +47 21 531941, ext 2070
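
An added example, not part of the original thread or of Sling's own code: a LoginModulePlugin that authenticates against an external source without creating any users in UserManager. The class name, the `ExternalDirectory` adapter and the excluded `admin`/`anonymous` ids are assumptions; as the reply above notes, principals handled this way cannot be used for group membership or ACLs.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.callback.CallbackHandler;
import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;

/** Authentication only: users stay in the external store, none are created in UserManager. */
public class ExternalLoginModulePlugin implements LoginModulePlugin {
    /** Hypothetical adapter for the external source (LDAP, database, ...). */
    public interface ExternalDirectory {
        boolean verify(String userId, char[] password);
    }
    private final ExternalDirectory directory;
    public ExternalLoginModulePlugin(ExternalDirectory directory) {
        this.directory = directory;
    }

    // Leave the built-in accounts to the repository (ids assumed to be the defaults).
    public boolean canHandle(Credentials c) {
        if (!(c instanceof SimpleCredentials)) return false;
        String id = ((SimpleCredentials) c).getUserID();
        return id != null && !"admin".equals(id) && !"anonymous".equals(id);
    }
    public void doInit(CallbackHandler handler, Session session, Map options) { }
    public Principal getPrincipal(Credentials c) {
        final String id = ((SimpleCredentials) c).getUserID();
        return new Principal() {
            public String getName() { return id; }
        };
    }
    public void addPrincipals(Set principals) { } // no group principals: AuthN only
    public AuthenticationPlugin getAuthentication(final Principal p, Credentials creds) {
        return new AuthenticationPlugin() {
            public boolean authenticate(Credentials c) {
                if (!(c instanceof SimpleCredentials)) return false; // fail closed
                SimpleCredentials sc = (SimpleCredentials) c;
                return p != null && p.getName().equals(sc.getUserID())
                        && directory.verify(sc.getUserID(), sc.getPassword());
            }
        };
    }
    public int impersonate(Principal p, Credentials c) {
        return LoginModulePlugin.IMPERSONATION_DEFAULT; // defer to the default handling
    }
}
```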
