JSPWiki authentication support for TextOutputCallback (display login messages 
on Login.jsp)
-------------------------------------------------------------------------------------------

                 Key: JSPWIKI-464
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-464
             Project: JSPWiki
          Issue Type: Improvement
          Components: Authentication&Authorization
    Affects Versions: 3.0
         Environment: JSPWiki 3.0
            Reporter: Harry Metske
            Assignee: Harry Metske
            Priority: Minor
         Attachments: jspwiki-login-3.0.patch

The current version of the JSPWiki JAAS implementation does not support 
TextOutputCallbacks.
JAAS offers several types of Callbacks; JSPWiki's CallbackHandler currently 
only uses the NameCallback and PasswordCallback.
As a result we get the following scenario:
Users try to log in, the login fails, but the user is not told for what reason.

I have had lots of complaints about this behavior, especially from users who do 
not login very often but use the wiki mostly for reading.
When they try to log in, it fails, but the Login.jsp does not tell anything at 
all, not even that it has failed (C.M.A.). 
In most cases this is because either the userid has become inactive, is revoked, or 
the password has expired. The net effect is that the wiki is often not usable for 
updates.

Now I know that giving this information (the failure reason) to the user is 
often considered a security trade-off.
But in an intranet environment this is very acceptable.

I will attach a patch that solves this in the following way :

- AuthenticationManager keeps a Hashtable of last loginMessages for each user.
- The WikiCallbackHandler now also handles TextOutputCallbacks and sets the 
login result
- If the login fails, the LoginActionBean first reads the loginMessage for the 
user, if it is not null, it is displayed, else you get the old behavior.

The exploitation of TextOutputCallbacks is optional; the default LoginModule 
(supplied with JSPWiki) does not use them, and therefore its behavior is 
unchanged. 
The installer has to supply a LoginModule that uses the TextOutputCallback to 
store the loginResult.  (And of course we have one that uses it.)

(Andrew), can we take this patch in the trunk ?

regards,
Harry

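The callback flow the issue describes, as an added example that is not the attached patch and not JSPWiki's own code: a hypothetical LoginModule that pushes the failure reason through a TextOutputCallback, and a hypothetical CallbackHandler that answers the NameCallback and PasswordCallback and records that message so the login page can display it. The account table, the status values and every class name below are constructed for the example; only the javax.security.auth API is real. A programmatic Configuration is used so the example runs without a jaas.config file.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LoginMessageDemo {

    /** Hypothetical handler: answers Name/PasswordCallback, keeps the last TextOutputCallback message. */
    static final class MessageCapturingHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private String loginMessage;   // stays null unless the LoginModule explained the failure

        MessageCapturingHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback)            ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback)   ((PasswordCallback) cb).setPassword(password);
                else if (cb instanceof TextOutputCallback) loginMessage = ((TextOutputCallback) cb).getMessage();
                else throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
        String getLoginMessage() { return loginMessage; }
    }

    /** Constructed account states standing in for a real user directory (hypothetical data). */
    enum Status { ACTIVE, INACTIVE, REVOKED, PASSWORD_EXPIRED }
    static final Map<String, Object[]> ACCOUNTS = new HashMap<>();
    static {
        ACCOUNTS.put("alice", new Object[] { "s3cret".toCharArray(), Status.ACTIVE });
        ACCOUNTS.put("bob",   new Object[] { "s3cret".toCharArray(), Status.PASSWORD_EXPIRED });
        ACCOUNTS.put("carol", new Object[] { "s3cret".toCharArray(), Status.REVOKED });
    }

    /** Hypothetical LoginModule: on failure, sends the reason via TextOutputCallback before throwing. */
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("User name: ");
            PasswordCallback pc = new PasswordCallback("Password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("Cannot obtain credentials: " + e); }
            char[] supplied = pc.getPassword();   // getPassword() returns a copy; clear both afterwards
            pc.clearPassword();
            Object[] acct = ACCOUNTS.get(nc.getName());
            String reason = null;
            if (acct == null || supplied == null || !Arrays.equals(supplied, (char[]) acct[0]))
                reason = "Invalid user name or password.";      // one message for unknown user and bad password
            else if (acct[1] == Status.INACTIVE)          reason = "Your account is inactive; contact the wiki administrator.";
            else if (acct[1] == Status.REVOKED)           reason = "Your account has been revoked.";
            else if (acct[1] == Status.PASSWORD_EXPIRED)  reason = "Your password has expired; change it before logging in.";
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (reason != null) { report(reason); throw new FailedLoginException(reason); }
            succeeded = true;
            return true;
        }

        /** A handler without TextOutputCallback support throws; swallowing that keeps the old behaviour. */
        private void report(String message) {
            try { handler.handle(new Callback[] { new TextOutputCallback(TextOutputCallback.ERROR, message) }); }
            catch (Exception ignored) { /* caller only learns that login failed */ }
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort()  { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    /** In-memory JAAS configuration registering the hypothetical module as REQUIRED. */
    static Configuration demoConfiguration() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }

    /** What the login page would show: the module's message if it sent one, else the generic text. */
    static String attemptLogin(String user, String password) {
        MessageCapturingHandler handler = new MessageCapturingHandler(user, password.toCharArray());
        try {
            new LoginContext("demo", new Subject(), handler, demoConfiguration()).login();
            return "Login succeeded for " + user;
        } catch (LoginException e) {
            String msg = handler.getLoginMessage();
            return msg != null ? msg : "Login failed.";
        }
    }

    public static void main(String[] args) {
        for (String[] attempt : new String[][] { {"alice", "s3cret"}, {"bob", "s3cret"}, {"carol", "s3cret"}, {"alice", "wrong"} })
            System.out.println(attempt[0] + ": " + attemptLogin(attempt[0], attempt[1]));
    }
}
```

Two design points worth keeping when wiring this into a real login page. The message lives in the CallbackHandler created for this one login attempt, so it cannot be shown to a different user; a store keyed only by user name would need to be cleared after it is read and would need the name to be trusted. And the example deliberately reports "Invalid user name or password." for both an unknown name and a wrong password, while the account-state messages (revoked, expired, inactive) are only sent once the password has matched, so an unauthenticated caller cannot use them to enumerate user names. That is the trade-off the issue mentions; outside an intranet, the module the installer supplies is the place to decide how specific the text may be.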

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
