[ https://jira.duraspace.org/browse/DS-652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18330#action_18330 ]
Tim Donohue commented on DS-652:
--------------------------------
Flavio,

I still feel your patch seems to be changing more than it really should be.
Although IPAuthentication is separate, your patch now requires that an
Authentication Plugin return 'AuthenticationMethod.SUCCESS' in order for
Special Groups to be added. The IPAuthentication *never* returns SUCCESS as
it doesn't actually do authentication, it only serves to add you to special
groups if you are in an IP range. So, based on your code changes, the
IPAuthentication plugin will no longer work (as far as I can tell). Also, if
we changed IPAuthentication to return SUCCESS, we'd need to make sure that
didn't cause other issues in the AuthenticationManager (as SUCCESS is supposed
to only be returned when you truly are logged into the system).

So, what you may be misunderstanding is that *anonymous users* can also
sometimes be added to Special Groups. The primary example of that is
IPAuthentication which will specifically add any anonymous users to special
group(s) if they are in a given IP range. So, these users are never truly
"logged into" the system (i.e. they cannot see a user 'profile' page or submit
a new Item or anything else that requires an actual login), but they may be
given special viewing/access rights based on their IP range.

So, that's why I was wondering if there's actually a bug in LDAPAuthentication
that is the cause of your problems. Obviously, logging in via
PasswordAuthentication should not add you to the ldap.login.specialgroup. I
agree with that, and if that's what is happening, we need to figure out why the
LDAPAuthentication.getSpecialGroups() method isn't working properly for you.
That method should *not* be adding anyone who wasn't authenticated via LDAP,
but it obviously must be for you.

> Wrong behaviour of special groups at login. Use only special groups of the
> authentication that DID authenticate the user.
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: DS-652
> URL: https://jira.duraspace.org/browse/DS-652
> Project: DSpace
> Issue Type: Bug
> Components: DSpace API
> Affects Versions: 1.6.0
> Reporter: Flávio Botelho
> Priority: Major
> Attachments: Fix_behaviour_of_autentication_specialGroups.patch
>
>
> We have internal users authenticating through LDAP. And external users are still
> able to create new users.
> Unfortunately the authentication is putting all external users created through
> the Login Authentication also in the ldap.login.specialgroup, of course that
> is not expected.
> Looking at code at AuthenticationManager it becomes clear that it is adding
> ALL the special groups of ALL the possible authentication mechanisms, which
> doesn't make any sense whatsoever...
> It should only add special groups of the authentication mechanism that DID
> authenticate the user.
_______________________________________________
Dspace-devel mailing list
https://lists.sourceforge.net/lists/listinfo/dspace-devel
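
The behaviour discussed in this thread, as an added illustration that is not part of the original message and is not DSpace code: a simplified Java model in which the manager unions the special groups of every method in the stack and each method decides for itself whether the session qualifies. All class, group and user names and the addresses are hypothetical or constructed, and the loose LDAP check is only one assumed way the reported symptom could arise.

```java
import java.util.*;

// Simplified model, not DSpace code; every name below is hypothetical.
public class SpecialGroupsDemo {
    /** Session state: client IP, user (null if anonymous), method that logged them in. */
    record Session(String clientIp, String user, String authenticatedBy) {}

    interface AuthMethod {
        /** Each method decides for itself whether this session earns its groups. */
        Set<String> specialGroups(Session s);
    }

    /** Grants a group by address only, so anonymous sessions qualify as well.
     *  The string prefix stands in for a real IP range check. */
    static final AuthMethod IP = s ->
        s.clientIp().startsWith("10.1.") ? Set.of("campus-readers") : Set.of();

    /** Strict: grants the group only when LDAP itself performed the login. */
    static final AuthMethod LDAP_STRICT = s ->
        "ldap".equals(s.authenticatedBy()) ? Set.of("ldap-users") : Set.of();

    /** Assumed loose variant: any logged-in user qualifies, whatever logged them in. */
    static final AuthMethod LDAP_LOOSE = s ->
        s.user() != null ? Set.of("ldap-users") : Set.of();

    /** Password logins carry no special group. */
    static final AuthMethod PASSWORD = s -> Set.of();

    /** The manager unions every method's answer; it does not filter on a login result. */
    static Set<String> collect(List<AuthMethod> stack, Session s) {
        Set<String> groups = new TreeSet<>();
        for (AuthMethod m : stack) groups.addAll(m.specialGroups(s));
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample sessions.
        Session anonOnCampus = new Session("10.1.4.7", null, null);
        Session passwordUser = new Session("203.0.113.9", "ext@example.org", "password");
        Session ldapUser = new Session("10.1.8.2", "staff1", "ldap");
        List<AuthMethod> strict = List.of(LDAP_STRICT, PASSWORD, IP);
        List<AuthMethod> loose = List.of(LDAP_LOOSE, PASSWORD, IP);
        for (Session s : List.of(anonOnCampus, passwordUser, ldapUser)) {
            System.out.println(s.user() + " strict=" + collect(strict, s)
                    + " loose=" + collect(loose, s));
        }
    }
}
```

The anonymous on-campus session still receives campus-readers without any login, while the password user lands in ldap-users only under the loose variant.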