[ http://jira.codehaus.org/browse/MNG-4602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=235018#action_235018 ]
David Boden commented on MNG-4602:
----------------------------------
I've done some investigation. The relevant class is in the artifact manager
project and is called WagonManager. The DefaultWagonManager implementation is
injected by Plexus.
The WagonManager interface contains definitions for methods that I want to
modify the implementation of:
* addConfiguration(String repositoryId, Xpp3Dom configuration) - Change to
detect a <singleSignOn>com.custom.login.CustomLoginContext</singleSignOn> tag
under the <server/> definition, put there instead of username and password. The
classname in the <singleSignOn/> tag would implement
javax.security.auth.login.LoginContext.
In the case of single sign on, I can make the addConfiguration method log the
user in using the LoginContext and then call the following method with the
username and password:
* addAuthenticationInfo(String repositoryId, String username, String
password, String privateKey, String passphrase)
The addAuthenticationInfo and the getAuthenticationInfo methods can probably
remain as they are.
So, I'm now trying to weigh up what's involved in replacing the injection of
DefaultWagonManager with a subclass, SingleSignOnWagonManager. Judging by the
fact that plexus.xml is already present in the
MAVEN_HOME/lib/maven-2.2.1-uber.jar under META-INF/plexus and you can only have
one plexus.xml, I don't think it's going to be possible to customise Maven
2.2.1. Instead, it looks like I'm going to have to do a checkout of the whole
Maven project, make my changes, then rebuild Maven 2.2.1.x. If I'm forced to go
along this route, I'll submit a patch to DefaultWagonManager rather than
creating a subclass.
> Allow pluggable authentication (using JAAS ?) so that the username and
> password to connect to a deployment repository can be generated by a Single
> Sign On-enabled client
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: MNG-4602
> URL: http://jira.codehaus.org/browse/MNG-4602
> Project: Maven 2 & 3
> Issue Type: New Feature
> Components: Artifacts and Repositories, Settings
> Reporter: David Boden
> Priority: Minor
>
> The username and password used to authenticate with the remote repository
> during deployment are stored in the user's settings.xml under the <servers/>
> structure. This structure allows a username and password to be specified, or
> for a .ssh private key to be specified.
> It does not allow for pluggable single sign on, where a Java module (perhaps
> a JAAS LoginModule) is available on the client to generate a token in place
> of a password. Many corporates use this technique for other web applications,
> generating an LDAP token from the user's PC and verifying it against an LDAP
> server on the server side. It adds security by removing the need to pass the
> user's password over the wire.
> This Jira is a request for a pluggable entry point for this single sign on
> module, perhaps by specifying a class name in the <server/> structure or by
> setting a system property. The solution could either define a new interface
> which Authentication Providers must implement or can use existing interfaces
> from JAAS, (Http) Authenticator or other frameworks.
> Please feel free to move this item to the "Maven Wagon" component if you feel
> that's the best place to implement the feature. Alternatively, please also
> feel free to move to the generic "Maven 2&3" component if you think that the
> feature has wider scope than just deployment; perhaps to also authenticate
> using Single Sign On with an internal company's repository when *downloading*
> artifacts (as well as uploading).
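The configuration step described in the comment above, as an added example (not code from Maven or from the commenter): a <server> entry carrying <singleSignOn> is detected, the named class is loaded and type-checked before it is instantiated, and its output is handed to a stand-in with the addAuthenticationInfo signature quoted above. SsoProvider, DemoProvider, configure, text and the sample XML are assumptions made for the example, and a plain interface is used in place of the JAAS type.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SsoServerConfig {
    // Hypothetical provider contract (assumption; not a Maven or JAAS type).
    public interface SsoProvider { String username(); char[] token(); }
    // Constructed sample provider standing in for the class named in <singleSignOn>.
    public static class DemoProvider implements SsoProvider {
        public String username() { return "constructed-user"; }
        public char[] token() { return "constructed-token".toCharArray(); }
    }

    // Stand-in with the signature quoted in the comment; the secret is never printed.
    static void addAuthenticationInfo(String repositoryId, String username, String password,
                                      String privateKey, String passphrase) {
        System.out.println("auth registered: repo=" + repositoryId + " user=" + username);
    }

    // Handles one <server> element: SSO provider if declared, else username/password.
    static void configure(Element server) throws Exception {
        String id = text(server, "id");
        String cls = text(server, "singleSignOn");
        if (cls == null) {
            addAuthenticationInfo(id, text(server, "username"), text(server, "password"), null, null);
            return;
        }
        // Load without running static initialisers, and reject anything that is not a provider.
        Class<?> c = Class.forName(cls, false, SsoServerConfig.class.getClassLoader());
        if (!SsoProvider.class.isAssignableFrom(c))
            throw new IllegalArgumentException(cls + " does not implement SsoProvider");
        SsoProvider p = c.asSubclass(SsoProvider.class).getDeclaredConstructor().newInstance();
        addAuthenticationInfo(id, p.username(), new String(p.token()), null, null);
    }

    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<server><id>corp-releases</id>"   // constructed settings.xml fragment
                + "<singleSignOn>SsoServerConfig$DemoProvider</singleSignOn></server>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        configure(f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement());
    }
}
```

Saved as SsoServerConfig.java, it runs with `java SsoServerConfig.java` on Java 11 or later and prints the repository id and username only.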