Hi Angela,

The previously unthinkable happened and I was able to move to 1.10.0 (thank you for your help identifying OAK-7778). I also don't see how I would be able to use the service ranking to affect the order of the UAFs.

Reading this part of the doc I expected to be able to: https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#user_authentication

"In case multiple implementations of the UserAuthenticationFactory are available, the precedence depends on its OSGi service ranking property. The default factory implementation has a ranking of 0 (OSGi default). Services with the highest ranking will take precedence."

Am I reading this right that I would expect my service to return first with the annotations below:

@Component(immediate = true)
@Service(UserAuthenticationFactory.class)
@Properties({
    @Property(name = "service.description", value = "A custom Authentication Factory for serving OAuth token Validation"),
    @Property(name = "service.ranking", intValue = 7000, propertyPrivate = false)
})
public class OAuthUserAuthenticationFactory implements UserAuthenticationFactory {

    @Reference
    private SlingRepository repository;

...
}

I'm a bit new to all of this so perhaps I'm just going about this the wrong way by transposing what is in our old code. The point of the custom UserAuthenticationFactory is that we have another class that validates the token, and then we will either add or duplicate a user in the repository. Because of some existing code further down the line all users have to come from the repository. We don't have a full external system that can sync (as described in the external-auth, just this single user at a time by way of the oauth token). This is how it was done in our previous Jackrabbit2 set up with this activity happening in an implementation of org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin.

The more I write this out, the more I think I need to revisit the use of oak-external-auth module, but the question about the behavior around service ranking and multiple implementations of UserAuthenticationFactories described in the doc still stands I suppose.

I will look at adding to the service IDs, but I'm not sure if I can considering I need a valid reference to the SlingRepository. I think that will cause a dependency problem.

Thank you so much for all your help & time so far.
Marc


On 2/13/19 3:14 AM, Angela Schreiber wrote:
Hi Marc


I looked at the code in trunk and 1.6 branch and there is no extra way to 
configure the service ranking of the UserAuthenticationFactory implementations. 
However, IMHO it would make sense to allow for explicit ordering and I will 
create an improvement request for that.

But since that doesn't help with your setup on 1.6: IMO the bundle containing your implementation needs 
to have a start-level defined that makes it come before the built-in. What is also important to note: 
in case you don't already have that, you should add your custom UserAuthenticationFactory in the list 
of required service IDs with the SecurityProviderRegistration to make sure the SecurityProvider is only 
registered once your service is ready (see 
http://jackrabbit.apache.org/oak/docs/security/introduction.html#SecurityProvider).

Equally, if you wanted to disable the default impl altogether you had to remove 
it from that required service IDs list before doing so otherwise the 
SecurityProvider would be unregistered.


Hope that helps

Angela


________________________________
From: [email protected] <[email protected]>
Sent: Tuesday, February 12, 2019 7:39 PM
To: [email protected]
Subject: Issue Retrieving Custom UserAuthenticationFactory

Hello all,

I'm trying to implement a custom UserAuthenticationFactory.  I can see
the service in the Felix Services console. It has a service.ranking of
7000. I can also see the OOB UserAuthenticationFactoryImpl service with
no service ranking specified.

When I make a request, my corresponding
CustomAuthenticationHandler(Sling) can pull the credentials out of the
request. My CustomLoginModule is able to get those credentials.  I've
cribbed the implementation of GetUserAuthentication() from
LoginModuleImpl.  When I call this, I can see that the call to retrieve a
UserAuthenticationFactory always returns the OOB
UserAuthenticationFactoryImpl.  If I step into the call, I can see that
the WhiteboardUserAuthenticationFactory receives a list of two possible
factory Services from getServices()(:48) which include both the OOTB UAF
and my custom UAF. But the order of this list does not reflect any
service ranking, so the OOTB UAF is always returned first.

Is there another configuration I should be doing? I'm currently on
1.6.8.  I could not find any JIRA tickets that would address this, but
then again my JIRA-foo isn't the best.

Much appreciated,

Marc Davenport
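
The ordering question discussed in this thread, as an added example that is not code from Oak or from either poster: a plain-Java model of picking the first factory that returns a non-null result, once from a list in registration order and once from a list sorted by OSGi precedence (highest service.ranking first, ties broken by lowest service.id). The Registered record, the factory lambdas, the service ids and the "oauth-" user id prefix are all hypothetical, and first-non-null selection is an assumption of the model.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;

// Added illustration: plain-Java model, no OSGi or Oak classes involved.
public class RankingOrderDemo {

    // Hypothetical stand-in for a registered factory service and its OSGi properties.
    record Registered(String name, int ranking, long serviceId,
                      Function<String, String> factory) {}

    // OSGi precedence: highest service.ranking first; ties go to the lowest service.id.
    static final Comparator<Registered> PRECEDENCE =
            Comparator.comparingInt(Registered::ranking).reversed()
                      .thenComparingLong(Registered::serviceId);

    // Assumed selection rule: the first factory in list order with a non-null result wins.
    static Optional<String> select(List<Registered> services, String userId) {
        for (Registered r : services) {
            if (r.factory().apply(userId) != null) {
                return Optional.of(r.name());
            }
        }
        return Optional.empty();
    }

    // Copy of the list ordered by precedence; the input list is left untouched.
    static List<Registered> byPrecedence(List<Registered> services) {
        List<Registered> sorted = new ArrayList<>(services);
        sorted.sort(PRECEDENCE);
        return sorted;
    }

    public static void main(String[] args) {
        // Constructed sample: registration order puts the default (ranking 0) first.
        List<Registered> registrationOrder = List.of(
                new Registered("default", 0, 41L, id -> "default-auth:" + id),
                new Registered("oauth", 7000, 97L,
                        id -> id.startsWith("oauth-") ? "oauth-auth:" + id : null));

        // Registration order: the default factory answers for every user id.
        System.out.println(select(registrationOrder, "oauth-marc"));
        // Precedence order: the custom factory is asked first, others fall through.
        System.out.println(select(byPrecedence(registrationOrder), "oauth-marc"));
        System.out.println(select(byPrecedence(registrationOrder), "admin"));
    }
}
```

In this model the token-validating factory is only consulted when the list is ordered by ranking; in registration order the default factory handles every login, so the custom validation is silently skipped rather than failing.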

