[jira] [Commented] (OAK-3899) Extend TokenLoginModule to respect shared key javax.security.auth.login.name

Thu, 28 Jan 2016 08:46:00 -0800 

    [ 
https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15121859#comment-15121859
 ] 

Alexander Klimetschek commented on OAK-3899:
--------------------------------------------

If you want to put it into the TokenProvider, you have to change its API (a 
method to pass in credentials plus user id), which I think is putting too much 
complexity into the TokenProvider and breaks existing custom TokenProviders (if 
there are any).

I see the separation this way:

TokenProvider: token generation & storage
TokenLoginModule: mapping from credentials, extra validation

As an application, I don't think it's common thatyou want to switch the token 
generation to sonething else (too many security/crypto considerations that 
applications builders can't or don't want to make).

> Extend TokenLoginModule to respect shared key javax.security.auth.login.name
> ----------------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>            Assignee: angela
>         Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at 
> SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
>  when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and 
> non-username/password credentials, the SimpleCredentials are used but don't 
> have a user id as the real user id is determined not by the caller of 
> {{Repository.login()}}, but by the external identity provider inside the 
> ExternalLoginModule (and the credentials might not include any kind of user 
> id, say an opaque token from an external service). In this case, 
> {{SimpleCredentials.getUserID()}} returns null and the token implementation 
> fails to create a token and does not return it in the {{.token}} attribute of 
> the credentials.
> Instead, the TokenLoginModule should look at the shared 
> {{javax.security.auth.login.name}} attribute, which can de-facto override a 
> {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to