processing of Authentication methods is independent of the chosen Login method
(when multiple are available)
------------------------------------------------------------------------------------------------------------
Key: DS-367
URL: http://jira.dspace.org/jira/browse/DS-367
Project: DSpace 1.x
Issue Type: Bug
Components: DSpace API
Affects Versions: 1.6.0
Reporter: Ben Bosman
When using multiple authentication methods, e.g.
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
org.dspace.authenticate.PasswordAuthentication, \
org.dspace.authenticate.LDAPAuthentication, \
org.dspace.authenticate.ShibAuthentication
The user is presented with a choice of authentication methods when trying to
log in.
If the user chooses LDAPAuthentication, the entered credentials will be
processed by ShibAuthentication, PasswordAuthentication and LDAPAuthentication
in that order.
The implementation simply tries all implicit methods first, and thereafter all
explicit methods until one mechanism authorizes the user.
Whether implicit methods should be used by default, independent of whether the
user wants that authentication to be used, is somewhat of a policy question.
But if automatic processing of implicit methods is always used, it is not
sensible to ask a user for a login method, and when the user chooses
PasswordAuthentication and enters their username and password, the system at
that point decides to log the user in using their ShibAuthentication
credentials after all.
So either the implicit methods should be attempted before offering the user the
choices of authentication types (and the implicit authentication types should
be removed from the list as stated in
http://jira.dspace.org/jira/browse/DS-64), or the implicit methods should
remain listed and only be used if the user requests one of those to be used.
If none of the implicit methods authorizes a user to log in, all of the
explicit methods are tested, again independent of the chosen login
method. This normally doesn't pose an issue, as the odds for an authentication
to be a success with the wrong explicit authentication method are slim.
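The dispatch order described in the report, next to the "only use the chosen method" alternative it proposes, as an added example that is not DSpace code and not part of the original message. The Method record, the reported and chosenOnly functions, the request keys and all credentials are hypothetical stand-ins constructed for illustration; ShibAuthentication is marked implicit as the report describes.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class AuthDispatchDemo {
    // Simplified model of one stacked method; not DSpace's AuthenticationMethod interface.
    record Method(String name, boolean implicit, Predicate<Map<String, String>> accepts) {}

    // Behaviour described in the report: every implicit method first, then every
    // explicit method, without looking at the method the user picked.
    static String reported(List<Method> stack, Map<String, String> req) {
        for (Method m : stack)
            if (m.implicit() && m.accepts().test(req)) return m.name();
        for (Method m : stack)
            if (!m.implicit() && m.accepts().test(req)) return m.name();
        return null;
    }

    // Second alternative from the report: only the chosen method sees the credentials.
    static String chosenOnly(List<Method> stack, String chosen, Map<String, String> req) {
        for (Method m : stack)
            if (m.name().equals(chosen) && m.accepts().test(req)) return m.name();
        return null;
    }

    public static void main(String[] args) {
        // Constructed stand-ins, in the order of the plugin.sequence example.
        List<Method> stack = List.of(
            new Method("PasswordAuthentication", false,
                r -> "bob".equals(r.get("user")) && "local-pw".equals(r.get("password"))),
            new Method("LDAPAuthentication", false,
                r -> "carol".equals(r.get("user")) && "ldap-pw".equals(r.get("password"))),
            new Method("ShibAuthentication", true, r -> r.containsKey("sso-session")));

        // Case 1: SSO session present, user picks PasswordAuthentication and types a password.
        Map<String, String> sso = Map.of("sso-session", "alice", "user", "bob", "password", "local-pw");
        System.out.println("reported:   " + reported(stack, sso));
        System.out.println("chosenOnly: " + chosenOnly(stack, "PasswordAuthentication", sso));

        // Case 2: user picks LDAPAuthentication but the credentials match the local store.
        Map<String, String> form = Map.of("user", "bob", "password", "local-pw");
        System.out.println("reported:   " + reported(stack, form));
        System.out.println("chosenOnly: " + chosenOnly(stack, "LDAPAuthentication", form));
    }
}
```

In both cases the two functions name different winners for the same request, which makes the mismatch between the chosen and the effective method visible in an audit log or a unit test.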