[jira] Resolved: (JSPWIKI-514) Custom Login Module not called at login

Mon, 02 Mar 2009 12:25:17 -0800 

     [ 
https://issues.apache.org/jira/browse/JSPWIKI-514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Jaquith resolved JSPWIKI-514.
------------------------------------

    Resolution: Invalid
      Assignee: Andrew Jaquith

Calling custom LoginModules *as part of the container-managed authentication 
process* is not supported or planned in 2.8 or higher.

When using container-managed authentication, we delegate responsibility for 
authentication to whatever system the container uses. JSPWiki recommends 
standard form authentication (we provide a j_username/j_password form for the 
container to use), but other methods, like basic auth or client certificates, 
are also possible.

You are, of course, free to use any LoginModule you wish if you are using 
*custom* authentication. But in that case, it is clear that JSPWiki itself is 
managing the entire login process.

In other words: if you want JSPWiki to authenticate users with a JAAS 
LoginModule, you must use custom authentication. That is supported today. You 
can use JAAS LoginModules with container-managed authentication also, but you 
must configure it to work with the container realm. That is also supported 
today.

But, wanting to do both -- having both the container AND JSPWiki authenticate 
users at the same time -- is not something we support, or plan to.

Make sense?

> Custom Login Module not called at login
> ---------------------------------------
>
>                 Key: JSPWIKI-514
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-514
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.8.1
>            Reporter: Emmanuel Hugonnet
>            Assignee: Andrew Jaquith
>         Attachments: AuthenticationManager.patch
>
>
> The AuthenticationManager doesn't call the custom LoginModule when trying to 
> log the user in. So our custom login module which uses a HttpSession 
> attribute to assert that the user is logged in can't be called.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to