[ 
http://jira.dspace.org/jira/browse/DS-367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10789#action_10789
 ] 

Stuart Lewis commented on DS-367:
---------------------------------

[09:19am]  stuartlewis: http://jira.dspace.org/jira/browse/DS-367  processing 
of Authentication methods is independent of the chosen Login method (when 
multiple are available)
[09:19am] stuartlewis: +1, leave until 1.7 (or whatever follows 1.6)
[09:19am] tdonohue: +1 - after 1.6
[09:19am] mhwood: +1
[09:19am] kshepherd: +1, comments make sense
[09:20am] tdonohue: DS-367: +4, mark for after 1.6 release

> processing of Authentication methods is independent of the chosen Login 
> method (when multiple are available)
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: DS-367
>                 URL: http://jira.dspace.org/jira/browse/DS-367
>             Project: DSpace 1.x
>          Issue Type: Bug
>          Components: DSpace API
>    Affects Versions: 1.6.0
>            Reporter: Ben Bosman
>
> When using multiple authentication methods, e.g.
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
>         org.dspace.authenticate.PasswordAuthentication, \
>         org.dspace.authenticate.LDAPAuthentication, \
>         org.dspace.authenticate.ShibAuthentication
> The user is presented with a choice of authentication methods when trying to 
> log-in.
> If the user chooses LDAPAuthentication, the entered credentials will be 
> processed by ShibAuthentication, PasswordAuthentication and 
> LDAPAuthentication in that order.
> The implementation simply tries all implicit methods first, and hereafter all 
> explicit methods until one mechanism authorizes the user.
> Whether implicit methods should be used by default, independent of whether 
> the user wants that authentication to be used, is somewhat of a policy 
> question.
> But if automatic processing of implicit methods is always used, it is not 
> sensible to ask a user for a login method, and when the user chooses 
> PasswordAuthentication and enters their username and password, the system at 
> that point decides to log the user in using their ShibAuthentication 
> credentials after all.
> So either the implicit methods should be attempted before offering the user 
> the choices of authentication types (and the implicit authentication types 
> should be removed from the list as stated in 
> http://jira.dspace.org/jira/browse/DS-64), or the implicit methods should 
> remain listed and only be used if the user requests one of those to be used.
> If none of the implicit methods do authorize a user to log in, all of the 
> explicit methods are being tested, again independent of the chosen login 
> method. This normally doesn't pose an issue, as the odds for an 
> authentication to be a success with the wrong explicit authentication method 
> are slim.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
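
The dispatch behaviour described in the issue, next to the per-selection alternative it proposes, as an added example that is not DSpace code. `Method`, `stack`, `authenticateAny` and `authenticateChosen` are hypothetical names, and the credentials and the Shibboleth session flag are constructed sample data.

```java
import java.util.List;
import java.util.function.BiPredicate;

public class LoginDispatch {
    // Simplified stand-in for an authentication plugin (hypothetical, not the DSpace interface).
    record Method(String name, boolean implicit, BiPredicate<String, String> check) {}

    // Constructed sample stack in the order of the plugin.sequence setting quoted in the issue.
    static List<Method> stack(boolean shibSession) {
        return List.of(
            new Method("PasswordAuthentication", false, (u, p) -> u.equals("alice") && p.equals("local-pw")),
            new Method("LDAPAuthentication", false, (u, p) -> u.equals("alice") && p.equals("ldap-pw")),
            // The implicit method ignores the typed credentials and accepts an existing session.
            new Method("ShibAuthentication", true, (u, p) -> shibSession));
    }

    // Behaviour described in the report: implicit methods first, then explicit ones,
    // until any method accepts. The user's selection is never consulted.
    static String authenticateAny(List<Method> stack, String user, String pass) {
        for (Method m : stack)
            if (m.implicit() && m.check().test(user, pass)) return m.name();
        for (Method m : stack)
            if (!m.implicit() && m.check().test(user, pass)) return m.name();
        return null;
    }

    // Alternative the report proposes: run only the method the user selected.
    static String authenticateChosen(List<Method> stack, String chosen, String user, String pass) {
        for (Method m : stack)
            if (m.name().equals(chosen) && m.check().test(user, pass)) return m.name();
        return null;
    }

    public static void main(String[] args) {
        // Shibboleth session present; user picks PasswordAuthentication and mistypes the password.
        System.out.println(authenticateAny(stack(true), "alice", "wrong"));
        System.out.println(authenticateChosen(stack(true), "PasswordAuthentication", "alice", "wrong"));
        // No Shibboleth session; user picks LDAPAuthentication but types the local password.
        System.out.println(authenticateAny(stack(false), "alice", "local-pw"));
        System.out.println(authenticateChosen(stack(false), "LDAPAuthentication", "alice", "local-pw"));
    }
}
```

Under the try-all dispatch both scenarios end in a login through a method the user did not pick, while the per-selection dispatch returns no match in either case.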

        

_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
