Posted to oak-commits@jackrabbit.apache.org by st...@apache.org on 2018/10/10 07:38:01 UTC
svn commit: r1843401 - in /jackrabbit/oak/trunk:
oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/
oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/
oak-be...
Author: stillalex
Date: Wed Oct 10 07:38:01 2018
New Revision: 1843401
URL: http://svn.apache.org/viewvc?rev=1843401&view=rev
Log:
OAK-7288 Change default JAAS ranking of ExternalLoginModuleFactory
- based on a patch provided by Lars Krapf
Modified:
jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java
jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java
jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/ExternalLoginTest.java
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java?rev=1843401&r1=1843400&r2=1843401&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java (original)
+++ jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.java Wed Oct 10 07:38:01 2018
@@ -64,7 +64,7 @@ public class ExternalLoginModuleFactory
@SuppressWarnings("UnusedDeclaration")
@Property(
- intValue = 50,
+ intValue = 150,
label = "JAAS Ranking",
description = "Specifying the ranking (i.e. sort order) of this login module entry. The entries are sorted " +
"in a descending order (i.e. higher value ranked configurations come first)."
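Review bot: The new default `intValue = 150` is an unexplained literal, and the description string below it only explains the sort direction, not why this module should outrank the others. Because entries are sorted in descending order, raising the default moves the external module within the JAAS chain for every deployment that never set the ranking explicitly, so the authentication order changes on upgrade without any configuration edit. I would add a comment above the property such as `// OAK-7288: default ranks this module ahead of LoginModuleImpl; keep in sync with externalloginmodule.md` (the documentation change in this commit lists it ahead of `LoginModuleImpl`), and call out the behaviour change for operators. The `@Property` annotation and the field it decorates continue outside the hunk.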
Modified: jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java?rev=1843401&r1=1843400&r2=1843401&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/PreAuthDefaultExternalLoginModuleTest.java Wed Oct 10 07:38:01 2018
@@ -79,14 +79,15 @@ public class PreAuthDefaultExternalLogin
preAuthOptions);
AppConfigurationEntry entry2 = new AppConfigurationEntry(
- LoginModuleImpl.class.getName(),
- AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
- new HashMap<String, Object>());
-
- AppConfigurationEntry entry3 = new AppConfigurationEntry(
ExternalLoginModule.class.getName(),
AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
options);
+
+ AppConfigurationEntry entry3 = new AppConfigurationEntry(
+ LoginModuleImpl.class.getName(),
+ AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
+ new HashMap<String, Object>());
+
return new AppConfigurationEntry[]{entry1, entry2, entry3};
}
};
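Review bot: In the rewritten `entry3`, `LoginModuleImpl` moves behind `ExternalLoginModule` and also changes from `OPTIONAL` to `SUFFICIENT`, and nothing in the test records why both changed together. The earlier arrangement (built-in module first, flagged optional) is no longer exercised by this configuration, although deployments that pin their own ranking may still run it. Whether another test covers that arrangement is not visible here. A short comment above `entry2`, for example `// external module is evaluated before LoginModuleImpl, matching the default ranking after OAK-7288`, would record the intent. The enclosing method starts outside the hunk.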
Modified: jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/ExternalLoginTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/ExternalLoginTest.java?rev=1843401&r1=1843400&r2=1843401&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/ExternalLoginTest.java (original)
+++ jackrabbit/oak/trunk/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/authentication/external/ExternalLoginTest.java Wed Oct 10 07:38:01 2018
@@ -22,10 +22,17 @@ import javax.security.auth.login.AppConf
import javax.security.auth.login.Configuration;
import com.google.common.collect.ImmutableMap;
+
+import org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule;
import org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl;
+import org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule;
import org.jetbrains.annotations.NotNull;
+import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT;
+import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
+import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL;
+
/**
* Login against the {@link ExternalLoginModule} with a randomly selected user.
* The first login of a given user will trigger the user-synchronization mechanism.
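Review bot: The static import of `LoginModuleControlFlag.REQUIRED` looks unused, because the only `REQUIRED` reference visible in this commit is the one removed from the `ExternalLoginModule` entry in the following hunk. If nothing else in the file uses it (the rest of the file is not shown), drop the line `import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;`. An unused control-flag import in a login configuration is also mildly misleading, since it suggests that some module in the chain is still mandatory.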
@@ -50,17 +57,25 @@ public class ExternalLoginTest extends A
return new Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
- return new AppConfigurationEntry[]{
+ return new AppConfigurationEntry[] {
new AppConfigurationEntry(
- LoginModuleImpl.class.getName(),
- AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
- ImmutableMap.<String, Object>of()),
+ GuestLoginModule.class.getName(),
+ OPTIONAL,
+ ImmutableMap.of()),
+ new AppConfigurationEntry(
+ TokenLoginModule.class.getName(),
+ SUFFICIENT,
+ ImmutableMap.of()),
new AppConfigurationEntry(
ExternalLoginModule.class.getName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ SUFFICIENT,
ImmutableMap.of(
ExternalLoginModule.PARAM_SYNC_HANDLER_NAME, syncConfig.getName(),
- ExternalLoginModule.PARAM_IDP_NAME, idp.getName()))
+ ExternalLoginModule.PARAM_IDP_NAME, idp.getName())),
+ new AppConfigurationEntry(
+ LoginModuleImpl.class.getName(),
+ SUFFICIENT,
+ ImmutableMap.of())
};
}
};
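Review bot: Switching `ExternalLoginModule` from `REQUIRED` to `SUFFICIENT` and appending `LoginModuleImpl` as a `SUFFICIENT` fallback means a login that fails in the external module can still succeed through the built-in module. The benchmark may therefore no longer fail loudly when the IDP or sync handler is misconfigured. The added `GuestLoginModule` and `TokenLoginModule` entries also run ahead of the module being measured, so timings are presumably not comparable with runs from before this revision, and the class Javadoc still describes a login against `ExternalLoginModule` alone. I would add a comment above the array such as `// chain order after OAK-7288: Guest, Token, External, then LoginModuleImpl as fallback` and adjust the Javadoc to match. The enclosing method begins outside the hunk.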
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1843401&r1=1843400&r2=1843401&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Wed Oct 10 07:38:01 2018
@@ -25,18 +25,19 @@ allows easy integration of 3rd party aut
external system as authentication source and as a provider for users and groups
that may also be synchronized into the repository.
-what it does:
+What it does:
* facilitate the use of a 3rd party system for authentication
* simplify populating the oak user manager with identities from a 3rd party system
-what it does not:
+What it does not:
* provide a transparent oak user manager
* provide a transparent oak principal provider.
* offer services for background synchronization of users and groups
<a name="details"/>
+
### Implementation Details
The external identity and login handling is split into 3 parts:
@@ -121,6 +122,7 @@ See section [User Synchronization](users
description of the default implementation.
<a name="configuration"/>
+
### Configuration
#### Configuration Parameters
@@ -134,7 +136,7 @@ for the [ExternalLoginModuleFactory]/[Ex
| `PARAM_SYNC_HANDLER_NAME` | String | \- | Name of the sync handler to be retrieved from the `SyncManager` |
| | | | |
| _Optional (OSGi-setup)_ | | | |
-| `JAAS_RANKING` | int | 50 | Ranking of the `ExternalLoginModule` in the JAAS configuration, see [LoginModuleFactory] |
+| `JAAS_RANKING` | int | 150 | Ranking of the `ExternalLoginModule` in the JAAS configuration, see [LoginModuleFactory] |
| `JAAS_CONTROL_FLAG` | String | SUFFICIENT | See [LoginModuleControlFlag] for supported values. |
| `JAAS_REALM_NAME` | String | \- | See [LoginModuleFactory] |
@@ -149,13 +151,14 @@ are omitted):
jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
- org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
- org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
+ org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule sufficient
sync.handlerName="default"
idp.name="ldap";
+ org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
};
<a name="pluggability"/>
+
### Pluggability
The design of the `ExternalLoginModule` allows for customization of the key features
@@ -250,6 +253,7 @@ handles the same set of supported creden
[ExternalIdentityProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html
[ExternalIdentityProviderManager]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html
[ExternalIDPManagerImpl]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalIDPManagerImpl.html
+[ExternalLoginModule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.html
[ExternalLoginModuleFactory]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.html
[LoginModuleFactory]: http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java
[LoginModuleControlFlag]: https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html