[
https://issues.apache.org/jira/browse/OAK-3508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14954626#comment-14954626
]
angela commented on OAK-3508:
-----------------------------
if your first SSO loginmodule is configured to be {{SUFFICIENT}} you will not
reach the external login module if the first succeeds according to the
definition of {{SUFFICIENT}} which is
{quote}
Sufficient - The LoginModule is not required to
succeed. If it does succeed, control immediately
returns to the application (authentication does not
proceed down the LoginModule list).
If it fails, authentication continues down the
LoginModule list.
{quote}
if you want the last module in the chain to be _always_ called during login
(irrespective of the success of the predecessors) you either have to configure
the preceding modules to be {{OPTIONAL}} or {{REQUIRED}} depending on the
desired result. {{OPTIONAL}} is only suited if it really doesn't matter if the
login module succeeds. if it matters if the {{login}} succeeds you have to define
it {{REQUIRED}}; {{REQUISITE}} is not appropriate in this case as it will abort
in case of login failure and not proceed down the list unless you rephrase your
requirement to _each successful login must reach the external login module_. if
that was actually your intention {{REQUISITE}} might even be more appropriate.
also the intermediate {{OPTIONAL}} entry looks a bit odd to me. IMHO the
default and the external are exclusive as a given user is covered by
either of those modules. making the default entry {{OPTIONAL}} looks like
ending up with extra overhead as it will always end up in the external
module... that looks troublesome to me.
but after all it depends on the definition of your external login module. if
the latter is defined to verify authentication (and optionally sync) against a
third party provider the overhead might be desired|intended. but reading your
report i rather get the impression that it's not about the authentication
itself. i have the impression that you probably don't even want the _login_
to be performed in the external module given the fact that you have an SSO
module configured upfront... so, isn't it just that you are looking for means to
synchronize the user attributes? if this was the case, maybe it would be better
to drop the external module altogether in this setup and provide means to
trigger the synchronization upon successful login elsewhere...
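The control-flag semantics described in the comment above, as an added example that is not part of the comment or of Oak's code: a small Python model of the JAAS LoginContext rules (SUFFICIENT, REQUISITE, REQUIRED, OPTIONAL) applied to the SSO / Default / External chain from the report. It records which modules a single login() call actually reaches and how many IdP round trips it costs. The module behaviour, the user tables, the token value and the lookup counter are constructed assumptions, not Oak's implementation.

```python
"""Model of JAAS LoginContext control-flag handling for the OAK-3508 chain.
Added illustration; module behaviour and credentials are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


class Outcome(Enum):
    SUCCESS = "success"  # login() returned true
    IGNORE = "ignore"    # login() returned false: module did not handle the credentials
    FAIL = "fail"        # login() threw LoginException


Credentials = Dict[str, str]


@dataclass
class Module:
    name: str
    flag: Flag
    login: Callable[[Credentials], Outcome]


def run_chain(modules: List[Module], creds: Credentials) -> Tuple[bool, List[str]]:
    """Walk the chain as LoginContext does; return (authenticated, modules invoked)."""
    reached: List[str] = []
    any_success = False
    any_failure = False       # any earlier failure blocks the SUFFICIENT short-circuit
    required_failed = False   # a REQUIRED/REQUISITE failure makes the whole login fail
    for m in modules:
        reached.append(m.name)
        out = m.login(creds)
        if out == Outcome.SUCCESS:
            any_success = True
            if m.flag == Flag.SUFFICIENT and not any_failure:
                break  # control returns to the application immediately
        elif out == Outcome.FAIL:
            any_failure = True
            if m.flag in (Flag.REQUIRED, Flag.REQUISITE):
                required_failed = True
                if m.flag == Flag.REQUISITE:
                    break  # REQUISITE failure aborts the list at once
        # Outcome.IGNORE: the module did not participate; keep walking regardless of flag
    # A chain where every module was ignored fails as well.
    return (any_success and not required_failed), reached


LOCAL_USERS = {"admin": "admin-pw"}     # constructed: repository-local accounts
EXTERNAL_USERS = {"alice": "alice-pw"}  # constructed: accounts known only to the IdP
VALID_SSO_TOKEN = "valid-token"         # constructed: the token the SSO module accepts


class Idp:
    """Stand-in for the external identity provider; counts round trips."""
    def __init__(self) -> None:
        self.lookups = 0

    def authenticate(self, user: str, password: str) -> Outcome:
        self.lookups += 1
        if user not in EXTERNAL_USERS:
            return Outcome.IGNORE
        return Outcome.SUCCESS if EXTERNAL_USERS[user] == password else Outcome.FAIL


def sso_login(creds: Credentials) -> Outcome:
    if "sso_token" not in creds:
        return Outcome.IGNORE
    return Outcome.SUCCESS if creds["sso_token"] == VALID_SSO_TOKEN else Outcome.FAIL


def default_login(creds: Credentials) -> Outcome:
    user = creds.get("user")
    if user not in LOCAL_USERS:
        return Outcome.IGNORE
    return Outcome.SUCCESS if LOCAL_USERS[user] == creds.get("password") else Outcome.FAIL


def simulate(sso: Flag, default: Flag, external: Flag, creds: Credentials) -> dict:
    """One login() against the chain [SSO, Default, External] with the given flags."""
    idp = Idp()

    def external_login(c: Credentials) -> Outcome:
        if "user" not in c:
            return Outcome.IGNORE  # nothing to look up at the IdP
        return idp.authenticate(c["user"], c.get("password", ""))

    chain = [Module("sso", sso, sso_login),
             Module("default", default, default_login),
             Module("external", external, external_login)]
    ok, reached = run_chain(chain, creds)
    return {"authenticated": ok, "reached": reached, "idp_lookups": idp.lookups}


if __name__ == "__main__":
    report = (Flag.SUFFICIENT, Flag.OPTIONAL, Flag.SUFFICIENT)
    print(simulate(*report, {"sso_token": VALID_SSO_TOKEN}))          # stops at sso
    print(simulate(*report, {"user": "admin", "password": "admin-pw"}))  # local user still hits the IdP
    print(simulate(Flag.REQUIRED, Flag.OPTIONAL, Flag.SUFFICIENT, {"sso_token": VALID_SSO_TOKEN}))
    print(simulate(Flag.REQUISITE, Flag.OPTIONAL, Flag.SUFFICIENT, {"sso_token": "bogus"}))
```

Running it shows the two points made in the comment: a successful SUFFICIENT SSO module ends the chain before the external module is consulted, so the external module can only be guaranteed a call by making the SSO module REQUIRED (REQUISITE aborts on SSO failure), and an OPTIONAL default module lets a repository-local login fall through to an IdP lookup it does not need.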
> External login module should reduce LDAP lookups for pre-authenticated users
> ----------------------------------------------------------------------------
>
> Key: OAK-3508
> URL: https://issues.apache.org/jira/browse/OAK-3508
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Affects Versions: 1.2, 1.4, 1.0.22
> Reporter: Tobias Bocanegra
> Assignee: Tobias Bocanegra
>
> consider the following JAAS setup:
> - *sufficient* SSO Login Module
> - *optional* Default Login Module
> - *sufficient* External Login Module
> This causes each login() to reach the external login module (which is
> desired) but causes an IDP lookup for each login, even if the user is already
> synced with the repository.
> ideally the login module could pass the {{ExternalIdentityRef}} to the sync
> handler and do a tentative sync. the {{lastSyncTime}} should be respected in
> this case.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)