Gary Mui (JIRA) wrote:
Expand authentication capability of UserManager interface
---------------------------------------------------------

Key: FTPSERVER-54
URL: http://issues.apache.org/jira/browse/FTPSERVER-54
Project: FtpServer
Issue Type: Improvement
Reporter: Gary Mui

The current authenticate method in the UserManager interface allows for UserManager implementations to authenticate login requests with just username and password. Given the support for FTPS and client certificate checking, it would make sense to include additional information for authentication purposes. By including the RequestHandler, we could get access to the control socket (for information like the client IP address) as well as get the client's certificate chain in case the Socket is an instance of SSLSocket. Once the client certificate is available, a UserManager implementation can perform 2 factor authentication by matching the user login with parameters within the client certificate.

While I agree that making the UserManager able to use the client certificates for login is excellent, I do not like providing the entire RequestHandler to UserManager as it would make these two components very tightly bound to each other.
Could we possibly create a different authenticate method that would take a principal object instead? This could then be implemented in different ways that a UserManager would understand, the two most obvious being user/password and certificate. This design is similar to what Acegi Security do in their AuthenticationManager (http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/AuthenticationManager.html).
/niklas
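
One way the principal-style authenticate method discussed in this thread could look, as an added example (not FtpServer or Acegi Security code). Every type name is hypothetical; it assumes Java 16+ and that the certificate factor means the login name equals the subject CN of the client's leaf certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// All type names here are hypothetical; none of this is the FtpServer API.
interface Authentication { String username(); }
record PasswordAuth(String username, String password) implements Authentication {}
// The handler copies the TLS-validated chain (leaf first) from SSLSession.getPeerCertificates().
record CertificateAuth(String username, String password, X509Certificate[] chain)
        implements Authentication {}
class AuthFailedException extends Exception { AuthFailedException(String m) { super(m); } }

class DemoUserManager {
    private final Map<String, String> passwords; // constructed demo store; keep hashes in practice
    DemoUserManager(Map<String, String> passwords) { this.passwords = passwords; }
    // The manager sees only the credential object, never the handler or the socket.
    void authenticate(Authentication auth) throws AuthFailedException {
        if (auth instanceof PasswordAuth p) {
            checkPassword(p.username(), p.password());
        } else if (auth instanceof CertificateAuth c) {
            checkPassword(c.username(), c.password());          // factor 1: password
            if (c.chain() == null || c.chain().length == 0      // factor 2: certificate
                    || !c.username().equals(commonName(c.chain()[0])))
                throw new AuthFailedException("certificate does not match login");
        } else {
            throw new AuthFailedException("unsupported authentication type"); // fail closed
        }
    }
    private void checkPassword(String user, String given) throws AuthFailedException {
        String expected = (user == null) ? null : passwords.get(user);
        if (expected == null || given == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8)))
            throw new AuthFailedException("bad credentials");
    }
    // Assumption: the value to match against the login is the subject CN of the leaf.
    static String commonName(X509Certificate leaf) throws AuthFailedException {
        try {
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        } catch (javax.naming.InvalidNameException e) { /* treated as no usable CN */ }
        throw new AuthFailedException("no CN in certificate subject");
    }
    public static void main(String[] args) throws Exception {
        DemoUserManager um = new DemoUserManager(Map.of("alice", "s3cret")); // constructed user
        um.authenticate(new PasswordAuth("alice", "s3cret"));
        System.out.println("password login accepted");
    }
}
```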
