Posted to oak-dev@jackrabbit.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2013/11/01 17:49:06 UTC

Can I use LoginModulePlugins in Oak?

Hi,

Some Sling integration tests (SLING-3221) are failing, due to a form
login mechanism that's supported by Sling's FormLoginModulePlugin [1]
when running on Jackrabbit, and is not present on our Oak setup.

Can I use plugins that implement
org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin in
Oak (and how), or is there a similar mechanism?

-Bertrand

[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormLoginModulePlugin.java

Re: Can I use LoginModulePlugins in Oak?

Posted by Chetan Mehrotra <ch...@gmail.com>.
Missed looking into this thread as I was on vacation. Regarding the
pluggable Authentication support I need to finish up on releasing the
JAAS support in Felix [1]. Would try to get that released this week
and would then follow up on Sling to get it used to enable use of
pluggable LoginModules.

[1] http://felix.apache.org/documentation/subprojects/apache-felix-jaas.html
Chetan Mehrotra


On Mon, Nov 4, 2013 at 3:52 PM, Bertrand Delacretaz
<bd...@apache.org> wrote:
> On Mon, Nov 4, 2013 at 10:56 AM, Angela Schreiber <an...@adobe.com> wrote:
>> ...are you sure that it is really the configuration part that you are
>> fighting with?
>> or are you rather looking for the replacement of the DefaultLoginModule?...
>
> I'm not fighting with anything so far, just trying to get all the
> existing Sling integration tests to run with Oak.
>
> Some of them, like this SLING-3221 one, probably depend too much on
> Jackrabbit-specific stuff, as you mention.
>
> The JAAS/OSGi stuff that you mention is probably the right solution
> here, I'll have a closer look.
>
> -Bertrand

Re: Can I use LoginModulePlugins in Oak?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Mon, Nov 4, 2013 at 10:56 AM, Angela Schreiber <an...@adobe.com> wrote:
> ...are you sure that it is really the configuration part that you are
> fighting with?
> or are you rather looking for the replacement of the DefaultLoginModule?...

I'm not fighting with anything so far, just trying to get all the
existing Sling integration tests to run with Oak.

Some of them, like this SLING-3221 one, probably depend too much on
Jackrabbit-specific stuff, as you mention.

The JAAS/OSGi stuff that you mention is probably the right solution
here, I'll have a closer look.

-Bertrand

Re: Can I use LoginModulePlugins in Oak?

Posted by Angela Schreiber <an...@adobe.com>.
hi bertrand

there is no replacement for the repository.xml configuration in OAK;
for neither of the elements mentioned on the jackrabbit configuration
documentation.

as far as the authentication is concerned the statement wrt JAAS setup is
IMO no longer true. thanks to the effort made by Chetan to incorporate that
direct on the Felix level, setting up runtime pluggable authentication with
JAAS should no longer be an issue. and writing a LoginModule definitely can't
be considered difficult.

the separation between 'local' (repository.xml) and JAAS setup in
jackrabbit used to be quite awkward IMO. as far as our products are
concerned i am not aware of any customer making use of that local
setup... 

are you sure that it is really the configuration part that you are
fighting with?
or are you rather looking for the replacement of the DefaultLoginModule?

kind regards
angela


On 11/4/13 9:59 AM, "Bertrand Delacretaz" <bd...@apache.org> wrote:

>Hi Angela,
>
>On Mon, Nov 4, 2013 at 9:53 AM, Angela Schreiber <an...@adobe.com>
>wrote:
>> ...if i was you i would just deprecate that unfortunate part of sling
>> that intended to make the login module pluggable at runtime and
>> drop it asap....
>
>Ok, but how do you suggest implementing the use case that's covered by
>Sling's current FormLoginModulePlugin?
>
>http://jackrabbit.apache.org/jackrabbit-configuration.html says "if
>JAAS authentication is not available or (as is often the case) too
>complex to set up, Jackrabbit allows you to specify a
>repository-specific JAAS LoginModule that is then used for
>authenticating repository users."
>
>I'm basically looking for the equivalent in Oak, something that a
>Sling instance can set up by default, without requiring users to do any
>configuration.
>
>-Bertrand


Re: Can I use LoginModulePlugins in Oak?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Angela,

On Mon, Nov 4, 2013 at 9:53 AM, Angela Schreiber <an...@adobe.com> wrote:
> ...if i was you i would just deprecate that unfortunate part of sling
> that intended to make the login module pluggable at runtime and
> drop it asap....

Ok, but how do you suggest implementing the use case that's covered by
Sling's current FormLoginModulePlugin?

http://jackrabbit.apache.org/jackrabbit-configuration.html says "if
JAAS authentication is not available or (as is often the case) too
complex to set up, Jackrabbit allows you to specify a
repository-specific JAAS LoginModule that is then used for
authenticating repository users."

I'm basically looking for the equivalent in Oak, something that a
Sling instance can set up by default, without requiring users to do any
configuration.

-Bertrand

Re: Can I use LoginModulePlugins in Oak?

Posted by Angela Schreiber <an...@adobe.com>.
hi bertrand

IMHO the LoginModulePlugin mechanism in sling has some fundamental flaws.

for example it extends from an implementation detail in jackrabbit core
(DefaultLoginModule) that is pluggable by means of changing the
configuration and not a built-in functionality.

then, the individual implementations such as FormLoginModulePlugin.java
register themselves as service, which basically shows a fundamental
misunderstanding of how the JAAS LoginModule works and is designed
(every login gets its own instance).

afaik there is no reasonable way how you can get that fixed with oak.

if i was you i would just deprecate that unfortunate part of sling
that intended to make the login module pluggable at runtime and
drop it asap. 

kind regards
angela




On 11/1/13 5:49 PM, "Bertrand Delacretaz" <bd...@apache.org> wrote:

>Hi,
>
>Some Sling integration tests (SLING-3221) are failing, due to a form
>login mechanism that's supported by Sling's FormLoginModulePlugin [1]
>when running on Jackrabbit, and is not present on our Oak setup.
>
>Can I use plugins that implement
>org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin in
>Oak (and how), or is there a similar mechanism?
>
>-Bertrand
>
>[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormLoginModulePlugin.java
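
Added example (not part of the thread, and not Sling, Oak or Felix code): a standalone sketch of the JAAS lifecycle discussed above, showing that each LoginContext creates its own LoginModule instance and that the JAAS configuration can be supplied programmatically. The class names PerLoginInstanceDemo and DemoLoginModule and the demo/demo-pass credentials are constructed for illustration; only standard javax.security.auth APIs are used.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PerLoginInstanceDemo {
    // Hypothetical module that accepts one constructed user/password pair.
    public static class DemoLoginModule implements LoginModule {
        static final AtomicInteger INSTANCES = new AtomicInteger();
        private CallbackHandler handler; // per-login state: a shared singleton
        private boolean ok;              // would mix this up across concurrent logins
        public DemoLoginModule() { INSTANCES.incrementAndGet(); }
        @Override public void initialize(Subject subject, CallbackHandler h,
                Map<String, ?> shared, Map<String, ?> options) { handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { n, p }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            ok = "demo".equals(n.getName())
                    && Arrays.equals("demo-pass".toCharArray(), p.getPassword());
            p.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            return true;
        }
        @Override public boolean commit() { return ok; }
        @Override public boolean abort()  { ok = false; return true; }
        @Override public boolean logout() { ok = false; return true; }
    }
    public static void main(String[] args) throws Exception {
        // Programmatic JAAS configuration: no external jaas.conf file is read.
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        // Supplies the constructed credentials when the module asks for them.
        CallbackHandler creds = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo");
                if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
            }
        };
        // Each LoginContext instantiates the module class by name for its own login.
        for (int i = 0; i < 3; i++)
            new LoginContext("demo", new Subject(), creds, cfg).login();
        System.out.println("instances created: " + DemoLoginModule.INSTANCES.get());
    }
}
```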