Posted to dev@lenya.apache.org by "Gregor J. Rothfuss" <gr...@apache.org> on 2005/06/02 19:09:27 UTC

fate of authenticator / authorizer actions in 1.4

with all the refactoring going on in 1.4, the fate of the authenticator
/ authorizer actions has come up (see below). i propose to:

* keep the authorizer action in 1.4, for now
* re-add the authenticator action in 1.4, for now
* look into possibly replacing them with a ServletFilter post-1.4

with re-adding the authenticator action, WebDAV should work, according 
to doug (see below), and we can commit it.

WDYT?


[11:03] Chestnut: Hey gregor, is the authorizer action going to be 
replaced (by usecase) anytime soon?
[11:03] Chestnut: in 1.4
[11:04] gregor: i would suggest you ask about these two on the dev list, 
and describe why they are needed (or not)
[11:05] gregor: i still like the idea of a servlet filter for authentication
[11:06] nobby: the authorizer action can't be replaced by a usecase ...
[11:06] gregor: because it wraps the pipeline, right?
[11:06] Chestnut: what is a servlet filter?  are you talking about 
putting authentication to the servlet container (tomcat, jetty)?
[11:06] gregor: Chestnut, yes
[11:06] nobby: 1) performance
[11:07] gregor: that would allow to fall back to container auth as well
[11:07] nobby: 2) usecases need the lenya.usecase request parameter
[11:07] nobby: no idea, fine with me :)
[11:07] gregor: i haven't thought through all the consequences yet, but
we use a servlet filter here for SSO
[11:08] gregor: it would need to have access to the AC API to query 
various things, like URI patterns, identities etc
[11:08] Chestnut: what is SSO?
[11:08] gregor: single sign on
[11:09] Chestnut: ahh, I have to look at that in the near future 
(pubcookie)
[11:09] gregor: Chestnut, mike moretti implemented something like that 
with client certs using anon auth
[11:10] gregor: but in the same vein, you may want to use tomcat 
facilities, or AAAS or whatever
[11:10] Chestnut: I will shoot him an email, thanks :)
[11:10] gregor: it's already checked in ;)
[11:11] joker2000: where does the user authentication take place?
[11:11] joker2000: we want to login our users automatically
[11:11] joker2000: where is the 'logincheck' ?
[11:11] joker2000: do you know what i mean?
[11:11] nobby: sitemap.xmap
[11:12] nobby: $LENYA_WEBAPP/sitemap.xmap
[11:14] joker2000: aby idea where to insert my ideas to login the users 
automatically?
[11:14] joker2000: any i mean
[11:15] gregor: check the anon authenticator class
[11:15] joker2000: k
[11:15] gregor: i added some docs at 
http://lenya.apache.org/1_2_x/components/accesscontrol/authenticators.html#The+anonymous+authenticator
[11:15] Chestnut: is this the work that Mike checked in?
[11:16] gregor: he submitted it, yes
[11:16] gregor: ask him for the full recipe
[11:17] Chestnut: so everyone authenticated with certs use the same anon 
account?
[11:17] Chestnut: in lenya
[11:17] gregor: yeah
[11:17] gregor: strikes me as a low end solution, but hey
[11:17] Chestnut: Ouch, that hurts
[11:18] joker2000: what do you mean with certs? client certificates?
[11:18] gregor: yeah
[11:18] Chestnut: don't think that would meet our needs
[11:18] gregor: i suppose in many cases they share accounts anyway
[11:18] gregor: that's what i have seen many times
[11:18] joker2000: my user comes from the jCifs filter. The credentials
are in the request so all things are there
[11:18] Chestnut: Don't let our sys group hear that :)
[11:19] joker2000: is there any chance to login them automatically?
[11:19] gregor: there is a JCIFS authenticator too
[11:19] joker2000: k
[11:19] Chestnut: Yeah, this is what I am using currently (JCIFS)
[11:19] joker2000: the problem is that our user should login once into 
the NT domain and then get this information to lo them into our lenya...
[11:20] joker2000: to log i mean
[11:20] Chestnut: Look into LDAP before you look at JCIFS
[11:21] joker2000: cool but we have no problem with login in our user if 
the provider user and password in the login form, but automatically?
[11:21] joker2000: LDAP and jcifs works
[11:21] joker2000: but together...
[11:23] joker2000: once again do to too many typos :-)
[11:23] joker2000: we have no problem with login in our user if they 
provide user and password in the login form, but automatical login is 
the issue
[11:24] Chestnut: sounds like the anonymous authenticator would be worth 
a look
[11:24] Chestnut: I haven't gotten that far yet
[11:25] joker2000: hm
[11:35] gregor: either that, or an authenticator that takes the header 
values and maps them to a lenya user
[11:35] gregor: similar to the basic AUTH authenticator Chestnut wrote
[11:36] gregor: as we do more and more of that stuff, i think we should 
really be delegating this to the container as much as possible
[11:36] gregor: re-implementing all the millions of auth schemes is crazy
[11:36] Chestnut: how does the container pass auth on to lenya? example?
[11:37] gregor: that's where the filter comes in
[11:37] gregor: a filter runs before the servlet gets called
[11:38] Chestnut: yeah, but then the filter passes auth info on to 
lenya?  through the env?
[11:38] gregor: for instance 
http://www.developer.com/java/ent/article.php/3467801
[11:39] gregor: right. it would set up the session and do what lenya does
[11:39] gregor: the servlet filter would be a lenya class and be 
registered in web.xml
[11:45] Chestnut: so lenya would need an authentication and
authorization servlet filter (to replace the actions/usecase now being
used)?
[11:47] gregor: perhaps this would offer more options, yeah
[11:47] gregor: post-1.4 material though
[11:47] gregor: so i guess we should reinstate the auth action
[11:48] gregor: and leave the authorizer one alone as well
[11:48] Chestnut: that would be the easiest approach to get webDAV working
[11:49] Chestnut: I think that was the only thing about your patch that 
didn't work (no auth action class)
[11:50] gregor: so yeah :) let's move the discussion to the list for
archival purposes
