[ https://jira.duraspace.org/browse/DS-367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Donohue updated DS-367:
---------------------------
Status: Volunteer Needed (was: Received)
> processing of Authentication methods is independent of the chosen Login
> method (when multiple are available)
> ------------------------------------------------------------------------------------------------------------
>
> Key: DS-367
> URL: https://jira.duraspace.org/browse/DS-367
> Project: DSpace
> Issue Type: Bug
> Components: DSpace API
> Affects Versions: 1.6.0
> Reporter: Ben Bosman
> Priority: Major
>
> When using multiple authentication methods, e.g.
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
> org.dspace.authenticate.PasswordAuthentication, \
> org.dspace.authenticate.LDAPAuthentication, \
> org.dspace.authenticate.ShibAuthentication
> The user is presented with a choice of authentication methods when trying to
> log-in.
> If the user chooses LDAPAuthentication, the entered credentials will be
> processed by ShibAuthentication, PasswordAuthentication and
> LDAPAuthentication in that order.
> The implementation simply tries all implicit methods first, and hereafter all
> explicit methods until one mechanism authorizes the user.
> Whether implicit methods should be used by default, independent of whether
> the user wants that authentication to be used, is somewhat of a policy
> question.
> But if automatic processing of implicit methods is always used, it is not
> sensible to ask a user for a login method, and when the user chooses
> PasswordAuthentication and enters their username and password, the system at
> that point decides to log the user in using their ShibAuthentication
> credentials after all.
> So either the implicit methods should be attempted before offering the user
> the choices of authentication types (and the implicit authentication types
> should be removed from the list as stated in
> http://jira.dspace.org/jira/browse/DS-64), or the implicit methods should
> remain listed and only be used if the user requests one of those to be used.
> If none of the implicit methods do authorize a user to log in, all of the
> explicit methods are being tested, again independent of the chosen login
> method. This normally doesn't pose an issue, as the odds for an
> authentication to be a success with the wrong explicit authentication method
> are slim.
--
This message is automatically generated by JIRA.
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
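
A minimal model of the dispatch behaviour the report describes, next to the second alternative it proposes (only the method the user selected is tried). This is an added example, not DSpace code: the `Method` record, `tryAll` and `tryChosen` are hypothetical names, the credentials are constructed, and records need Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiPredicate;

// Simplified model for illustration only; none of these types are DSpace classes.
public class LoginDispatchDemo {
    // Stand-in for one configured authentication method (hypothetical type).
    record Method(String name, boolean implicit, BiPredicate<String, String> check) {}

    // Behaviour described in the report: all implicit methods first, then all
    // explicit ones, stopping at the first success. The user's selection is
    // never consulted, so every back end up to the match sees the credentials.
    static List<String> tryAll(List<Method> stack, String user, String pw) {
        List<String> tried = new ArrayList<>();
        for (boolean implicitPass : new boolean[] {true, false}) {
            for (Method m : stack) {
                if (m.implicit() != implicitPass) continue;
                tried.add(m.name());
                if (m.check().test(user, pw)) return tried;
            }
        }
        return tried;
    }

    // Alternative from the report: a method is used only if the user asked for it.
    static List<String> tryChosen(List<Method> stack, String chosen, String user, String pw) {
        List<String> tried = new ArrayList<>();
        for (Method m : stack) {
            if (!m.name().equals(chosen)) continue;
            tried.add(m.name());
            if (m.check().test(user, pw)) break;
        }
        return tried;
    }

    public static void main(String[] args) {
        // Same order as the plugin.sequence in the report; credentials are constructed.
        List<Method> stack = List.of(
            new Method("PasswordAuthentication", false, (u, p) -> u.equals("alice") && p.equals("local-pw")),
            new Method("LDAPAuthentication", false, (u, p) -> u.equals("alice") && p.equals("ldap-pw")),
            // Implicit method: modelled as "no single sign-on session present" in this run.
            new Method("ShibAuthentication", true, (u, p) -> false));
        // The user picked LDAPAuthentication and typed the LDAP password.
        System.out.println("try all:     " + tryAll(stack, "alice", "ldap-pw"));
        System.out.println("chosen only: " + tryChosen(stack, "LDAPAuthentication", "alice", "ldap-pw"));
    }
}
```

Comparing the two printed lists shows which back ends were handed the LDAP password under each policy.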