Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/01/28 17:45:39 UTC

[jira] [Commented] (OAK-3899) Extend TokenLoginModule to respect shared key javax.security.auth.login.name

    [ https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15121859#comment-15121859 ] 

Alexander Klimetschek commented on OAK-3899:
--------------------------------------------

If you want to put it into the TokenProvider, you have to change its API (a method to pass in credentials plus user id), which I think is putting too much complexity into the TokenProvider and breaks existing custom TokenProviders (if there are any).

I see the separation this way:

TokenProvider: token generation & storage
TokenLoginModule: mapping from credentials, extra validation

As an application, I don't think it's common that you want to switch the token generation to something else (too many security/crypto considerations that applications builders can't or don't want to make).

> Extend TokenLoginModule to respect shared key javax.security.auth.login.name
> ----------------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>            Assignee: angela
>         Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and non-username/password credentials, the SimpleCredentials are used but don't have a user id as the real user id is determined not by the caller of {{Repository.login()}}, but by the external identity provider inside the ExternalLoginModule (and the credentials might not include any kind of user id, say an opaque token from an external service). In this case, {{SimpleCredentials.getUserID()}} returns null and the token implementation fails to create a token and does not return it in the {{.token}} attribute of the credentials.
> Instead, the TokenLoginModule should look at the shared {{javax.security.auth.login.name}} attribute, which can de-facto override a {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
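
The two-module flow the issue and the comment describe, as an added Python simulation that is not Oak code: a stand-in ExternalLoginModule resolves an opaque credential and publishes the user id under the shared key, and a stand-in TokenLoginModule creates the token only when it honours that key. The `respect_shared_name` flag, the IdP map and the class shapes are assumptions of the example; the `.token` request attribute and the shared-state key name are the ones the issue names.

```python
# Constructed simulation (not Oak code) of the JAAS two-phase login in OAK-3899:
# an external module resolves an opaque credential and publishes the user id
# under the shared-state key; the token module decides whether it can issue a token.
LOGIN_NAME = "javax.security.auth.login.name"  # JAAS shared-state key
TOKEN_ATTR = ".token"  # an empty value means "please issue me a token"


class SimpleCredentials:
    """Minimal stand-in for javax.jcr.SimpleCredentials; user_id may be None."""
    def __init__(self, user_id, attributes=None):
        self.user_id = user_id
        self.attributes = dict(attributes or {})


class ExternalLoginModule:
    """Stand-in IdP lookup (assumed): maps an opaque token to a user id, shares it."""
    def __init__(self, idp):
        self.idp = idp

    def login(self, creds, shared):
        user_id = self.idp.get(creds.attributes.get("opaque-token"))
        if user_id is None:
            return False
        shared[LOGIN_NAME] = user_id  # what the external module publishes
        return True


class TokenLoginModule:
    """Issues a token on commit; respect_shared_name toggles the OAK-3899 behaviour."""
    def __init__(self, respect_shared_name):
        self.respect_shared_name = respect_shared_name

    def commit(self, creds, shared):
        if creds.attributes.get(TOKEN_ATTR) != "":
            return False  # caller did not ask for a token
        user_id = creds.user_id  # pre-fix: only SimpleCredentials.getUserID() is consulted
        if self.respect_shared_name and LOGIN_NAME in shared:
            user_id = shared[LOGIN_NAME]  # shared name overrides getUserID(), as the issue asks
        if user_id is None:
            return False  # no user id, so no token is created and .token stays empty
        creds.attributes[TOKEN_ATTR] = "token-for-" + user_id
        return True


def jaas_login(modules, creds):
    """Phase 1: login() on every module that has one; phase 2: commit() only if
    at least one succeeded. Returns the token left in `.token`, or None."""
    shared = {}
    results = [m.login(creds, shared) for m in modules if hasattr(m, "login")]
    if not any(results):
        return None
    for m in modules:
        if hasattr(m, "commit"):
            m.commit(creds, shared)
    return creds.attributes.get(TOKEN_ATTR) or None
```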


