Posted to users@jackrabbit.apache.org by ma...@oracle.com on 2019/02/12 18:39:47 UTC

Issue Retrieving Custom UserAuthenticationFactory

Hello all,

I'm trying to implement a custom UserAuthenticationFactory.  I can see 
the service in the Felix Services console. It has a service.ranking of 
7000. I can also see the OOB UserAuthenticationFactoryImpl service with 
no service ranking specified.

When I make a request, my corresponding 
CustomAuthenticationHandler(Sling) can pull the credentials out of the 
request. My CustomLoginModule is able to get those credentials.  I've 
cribbed the implementation of GetUserAuthentication() from 
LoginModuleImpl.  When I call this, I can see that the call to retrieve a
UserAuthenticationFactory always returns the OOB
UserAuthenticationFactoryImpl.  If I step into the call, I can see that
the WhiteboardUserAuthenticationFactory receives a list of two possible
factory Services from getServices() (:48), which include both the OOTB UAF
and my custom UAF. But the order of this list does not reflect any 
service ranking, so the OOTB UAF is always returned first.

Is there another configuration I should be doing? I'm currently on 
1.6.8.  I could not find any JIRA tickets that would address this, but 
then again my JIRA-foo isn't the best.

Much appreciated,

Marc Davenport


Re: Issue Retrieving Custom UserAuthenticationFactory

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Marc


I created OAK-8045 [1] to get the missing support for service ranking fixed when using multiple UserAuthenticationFactory implementations. That's simply an oversight on our side and currently the service ranking (even if you specify it) is ignored despite all the information in documentation.


The current implementation just adds the factories to the list as they are bound to SecurityProviderRegistration. That's why I thought one way to get it working currently was to make sure your custom bundle containing your custom implementation of UserAuthenticationFactory has a start-level set such that it is bound first... but I didn't try it out.


Alternatively, you might want to consider disabling the default implementation in your OSGi console. However, before you can do that, you have to remove it from the list of required service IDs present with SecurityProviderRegistration and add your implementation instead. Otherwise the SecurityProvider will be unregistered due to the missing mandatory dependency.


Regarding the usage of the external authentication module: based on your short description it doesn't seem to be particularly suited for the use case at hand because its main purpose is to authenticate against an external IDP and subsequently sync users into the repository. What functionality of the ExternalLoginModule are you relying on?


Kind regards

Angela


[1] https://issues.apache.org/jira/browse/OAK-8045
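
The ordering problem discussed in this thread, as an added example that is not part of the original messages and is not Oak or OSGi framework code: a simplified Java model contrasting "first bound wins" with selection by service.ranking. The Registration record, the check helper and the service ids are constructed for illustration; the record syntax assumes Java 16 or later.

```java
import java.util.Comparator;
import java.util.List;

// Added illustration: a simplified model, not Oak or OSGi framework code.
public class FactoryOrderingDemo {

    // Hypothetical stand-in for one registered UserAuthenticationFactory service.
    record Registration(String name, int ranking, long serviceId) {}

    // Behaviour reported in the thread: the list is in bind order and the first entry wins.
    static Registration firstBound(List<Registration> bindOrder) {
        return bindOrder.get(0);
    }

    // Documented behaviour: highest service.ranking wins; on a tie the lowest
    // service.id (the service registered earliest) wins.
    static Registration byRanking(List<Registration> bindOrder) {
        return bindOrder.stream()
                .min(Comparator.comparingInt(Registration::ranking).reversed()
                        .thenComparingLong(Registration::serviceId))
                .orElseThrow();
    }

    // Reports whether the factory that is actually used is the one the ranking promises.
    static String check(List<Registration> bindOrder) {
        Registration effective = firstBound(bindOrder);
        Registration expected = byRanking(bindOrder);
        return effective.equals(expected)
                ? "OK: " + effective.name() + " is used"
                : "MISMATCH: " + effective.name() + " is used, but "
                        + expected.name() + " has ranking " + expected.ranking();
    }

    public static void main(String[] args) {
        // Constructed sample values; only the class names and the 7000 ranking come from the thread.
        Registration builtIn = new Registration("UserAuthenticationFactoryImpl", 0, 41L);
        Registration custom = new Registration("OAuthUserAuthenticationFactory", 7000, 97L);

        // Built-in factory bound first: the custom ranking has no effect.
        System.out.println(check(List.of(builtIn, custom)));
        // Custom bundle bound first (the start-level workaround): the custom factory is used.
        System.out.println(check(List.of(custom, builtIn)));
    }
}
```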

________________________________
From: marc.davenport@oracle.com <ma...@oracle.com>
Sent: Friday, February 15, 2019 1:12 AM
To: users@jackrabbit.apache.org
Subject: Re: Issue Retrieving Custom UserAuthenticationFactory


Re: Issue Retrieving Custom UserAuthenticationFactory

Posted by ma...@oracle.com.
Hi Angela,

The previously unthinkable happened and I was able to move to 1.10.0 
(thank you for your help identifying OAK-7778). I also don't see how I 
would be able to use the service ranking to affect the order of the UAFs.

Reading this part of the doc I expected to be able to:
https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#user_authentication

"In case multiple implementations of the UserAuthenticationFactory are 
available, the precedence depends on its OSGi service ranking property. 
The default factory implementation has a ranking of 0 (OSGi default). 
Services with the highest ranking will take precedence."

Am I reading this right that I would expect my service to return first 
with the annotations below:

@Component(immediate = true)
@Service(UserAuthenticationFactory.class)
@Properties({
     @Property(name = "service.description",
               value = "A custom Authentication Factory for serving OAuth token Validation"),
     @Property(name = "service.ranking", intValue = 7000, propertyPrivate = false) })
public class OAuthUserAuthenticationFactory implements UserAuthenticationFactory {

     @Reference
     private SlingRepository repository;

...
}

I'm a bit new to all of this so perhaps I'm just going about this the 
wrong way by transposing what is in our old code.  The point of the 
custom UserAuthenticationFactory is that we have another class that 
validates the token, and then we will either add or duplicate a user in 
the repository.  Because of some existing code further down the line all 
users have to come from the repository. We don't have a full external 
system that can sync (as described in the external-auth, just this
single user at a time by way of the oauth token).  This is how it was 
done in our previous Jackrabbit2 set up with this activity happening in 
an implementation of 
org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin.

The more I write this out, the more I think I need to revisit the use of 
oak-external-auth module, but the question about the behavior around 
service ranking and multiple implementations of 
UserAuthenticationFactories  described in the doc still stands I suppose.

I will look at adding to the service IDs, but I'm not sure if I can 
considering I need a valid reference to the SlingRepository. I think 
that will cause a dependency problem.

Thank you so much for all your help & time so far.
Marc


On 2/13/19 3:14 AM, Angela Schreiber wrote:

Re: Issue Retrieving Custom UserAuthenticationFactory

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Marc


I looked at the code in trunk and 1.6 branch and there is no extra way to configure the service ranking of the UserAuthenticationFactory implementations. However, IMHO it would make sense to allow for explicit ordering and I will create an improvement request for that.

But since that doesn't help with your setup on 1.6: IMO the bundle containing your implementation needs to have a start-level defined that makes it come before the built-in. What is also important to note: in case you don't already have that, you should add your custom UserAuthenticationFactory in the list of required service IDs with the SecurityProviderRegistration to make sure the SecurityProvider is only registered once your service is ready (see http://jackrabbit.apache.org/oak/docs/security/introduction.html#SecurityProvider).

Equally, if you wanted to disable the default impl altogether, you would have to remove it from that required service IDs list before doing so; otherwise the SecurityProvider would be unregistered.


Hope that helps

Angela

