Posted to dev@sling.apache.org by "D. Stuart Freeman" <st...@et.gatech.edu> on 2010/03/09 20:30:26 UTC

AuthenticationPlugin with external users

I've got an AuthenticationHandler and I'd like to allow users to log in
without doing any further registration.  My understanding is that my
AuthenticationPlugin will have to create accounts in JCR for users if
they don't exist already.  Will it work (and is it advisable) to do
something like:

  userManager.createUser(name, RandomStringUtils.random(32), principal);

or am I completely misunderstanding something?

-- 
D. Stuart Freeman
Georgia Institute of Technology

Re: AuthenticationPlugin with external users

Posted by Ian Boston <ie...@tfd.co.uk>.
On 9 Mar 2010, at 22:19, D. Stuart Freeman wrote:

> 
> I take it these are the issues with the current approach, not being able
> to reference external users as needed.

yes
Ian


Re: AuthenticationPlugin with external users

Posted by "D. Stuart Freeman" <st...@et.gatech.edu>.
On Tue, Mar 09, 2010 at 09:58:58PM +0000, Ian Boston wrote:
> > Well, this is for Sakai/Nakamura, so I imagine I need the groups, ACLs,
> > ACEs, and anything else that might come up.  What I've done is have the
> > LoginModulePlugin.getAuthentication return the above mentioned
> > AuthenticationPlugin which creates the users in JCR with a random
> > password.  Is that a viable approach (will anyone ever need the
> > password)?
> 
> For the moment, it is viable.
OK, good.

> 
> But longer term it would be better to be able to integrate with external sources and avoid having the user records internally.
> The main problem here is 
> 
I agree this would be ideal.

> What about users that haven't logged in? How do they get added to groups, or encouraged to log in (invited)? So although you can add them at login, I think you will have to push them all into the UserManager and maintain their status by pushing updates.
>

I take it these are the issues with the current approach, not being able
to reference external users as needed.
 
> Ian

-- 
D. Stuart Freeman
Georgia Institute of Technology

Re: AuthenticationPlugin with external users

Posted by Ian Boston <ie...@tfd.co.uk>.
> Well, this is for Sakai/Nakamura, so I imagine I need the groups, ACLs,
> ACEs, and anything else that might come up.  What I've done is have the
> LoginModulePlugin.getAuthentication return the above mentioned
> AuthenticationPlugin which creates the users in JCR with a random
> password.  Is that a viable approach (will anyone ever need the
> password)?

For the moment, it is viable.

But longer term it would be better to be able to integrate with external sources and avoid having the user records internally.
The main problem here is 

What about users that haven't logged in? How do they get added to groups, or encouraged to log in (invited)? So although you can add them at login, I think you will have to push them all into the UserManager and maintain their status by pushing updates.

Ian



Re: AuthenticationPlugin with external users

Posted by "D. Stuart Freeman" <st...@et.gatech.edu>.
On Tue, Mar 09, 2010 at 09:03:13PM +0000, Ian Boston wrote:
> 
> On 9 Mar 2010, at 20:11, Vidar Ramdal wrote:
> 
> > On Tue, Mar 9, 2010 at 8:30 PM, D. Stuart Freeman
> > <st...@et.gatech.edu> wrote:
> >> I've got an AuthenticationHandler and I'd like to allow users to log in
> >> without doing any further registration.  My understanding is that my
> >> AuthenticationPlugin will have to create accounts in JCR for users if
> >> they don't exist already.
> > 
> > That is not necessarily true. If you have a custom LoginModulePlugin
> > [1], you can lookup user data from anywhere - it doesn't have to be
> > from JCR. The LoginModulePlugin then instantiates your custom
> > AuthenticationPlugins on LoginModulePlugin.getAuthentication().
> > 
> >> Will it work (and is it advisable) to do
> >> something like:
> >> 
> >>  userManager.createUser(name, RandomStringUtils.random(32), principal);
> >> 
> >> or am I completely misunderstanding something?
> > 
> > I'd say, if you already have your user data somewhere else (like an
> > external database or LDAP directory), don't replicate that data in
> > Jackrabbit's UserManager. In fact, don't use UserManager at all
> > (except, perhaps, for the pre-defined admin and anonymous users).
> > Instead, implement a LoginModulePlugin to use your external source.
> > 
> > [1] http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html
> > 
> 
> IIRC if the users want to be members of Groups they have to be created in the UserManager since the UserManager uses weak references to define the membership (i.e. pointing to JCR nodes containing authorizables).
> 
> Also if the user wants to be referenced in any ACL/ACE then the principal needs to be resolvable (otherwise you can't set the ACL). Hence you need to implement a PrincipalManager that connects to the external source.
> 
> I started to make the UserManager and PrincipalManager pluggable, but got stumped by the weak references in the UserManagerImpl (however in JR2 this is extendable).
> 
> So in short, if you need group membership or ACLs then you are going to have to have the users internally; if you only want to do AuthN, then a LoginModulePlugin is needed. (Also, I think you can do the same by registering a JAAS login module with callbacks, but that's native Jackrabbit rather than Sling, so slightly harder.)
> 

Well, this is for Sakai/Nakamura, so I imagine I need the groups, ACLs,
ACEs, and anything else that might come up.  What I've done is have the
LoginModulePlugin.getAuthentication return the above mentioned
AuthenticationPlugin which creates the users in JCR with a random
password.  Is that a viable approach (will anyone ever need the
password)?

> Ian

-- 
D. Stuart Freeman
Georgia Institute of Technology
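An added example (not from this thread or the Sling project) of the approach described above: an AuthenticationPlugin, as returned from LoginModulePlugin.getAuthentication(), that leaves the real credential check to the external source and creates the JCR user on first login with a placeholder password drawn from SecureRandom rather than RandomStringUtils.random(), which is backed by java.util.Random. The ExternalVerifier interface and the injected admin Session are assumptions; the Sling and Jackrabbit interfaces are used as in the sling5 API the thread links to.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;

// Returned from LoginModulePlugin.getAuthentication(). The external source alone decides
// whether a login succeeds; the JCR user exists only so it can be put in groups and ACLs.
public class ExternalUserAuthenticationPlugin implements AuthenticationPlugin {
    private static final SecureRandom RNG = new SecureRandom();
    private final ExternalVerifier verifier; // assumed: wraps the external database or LDAP check
    private final Session adminSession;      // assumed: a session permitted to create users
    public ExternalUserAuthenticationPlugin(ExternalVerifier verifier, Session adminSession) {
        this.verifier = verifier;
        this.adminSession = adminSession;
    }

    @Override
    public boolean authenticate(Credentials credentials) throws RepositoryException {
        if (!(credentials instanceof SimpleCredentials)) {
            return false; // only name/password logins are handled here
        }
        SimpleCredentials sc = (SimpleCredentials) credentials;
        if (!verifier.verify(sc.getUserID(), sc.getPassword())) {
            return false; // the external source's answer is final for this plugin
        }
        ensureJcrUser(sc.getUserID());
        return true;
    }
    // Creates the JCR user on first login with a placeholder password nobody needs to know.
    void ensureJcrUser(String userId) throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        if (um.getAuthorizable(userId) == null) {
            // SecureRandom instead of RandomStringUtils.random(), which draws from java.util.Random
            byte[] secret = new byte[32];
            RNG.nextBytes(secret);
            um.createUser(userId, Base64.getEncoder().encodeToString(secret));
            adminSession.save();
        }
    }
    // Assumed interface for the external credential check.
    public interface ExternalVerifier {
        boolean verify(String userId, char[] password);
    }
}
```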

Re: AuthenticationPlugin with external users

Posted by Ian Boston <ie...@tfd.co.uk>.
On 9 Mar 2010, at 20:11, Vidar Ramdal wrote:

> On Tue, Mar 9, 2010 at 8:30 PM, D. Stuart Freeman
> <st...@et.gatech.edu> wrote:
>> I've got an AuthenticationHandler and I'd like to allow users to log in
>> without doing any further registration.  My understanding is that my
>> AuthenticationPlugin will have to create accounts in JCR for users if
>> they don't exist already.
> 
> That is not necessarily true. If you have a custom LoginModulePlugin
> [1], you can lookup user data from anywhere - it doesn't have to be
> from JCR. The LoginModulePlugin then instantiates your custom
> AuthenticationPlugins on LoginModulePlugin.getAuthentication().
> 
>> Will it work (and is it advisable) to do
>> something like:
>> 
>>  userManager.createUser(name, RandomStringUtils.random(32), principal);
>> 
>> or am I completely misunderstanding something?
> 
> I'd say, if you already have your user data somewhere else (like an
> external database or LDAP directory), don't replicate that data in
> Jackrabbit's UserManager. In fact, don't use UserManager at all
> (except, perhaps, for the pre-defined admin and anonymous users).
> Instead, implement a LoginModulePlugin to use your external source.
> 
> [1] http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html
> 

IIRC if the users want to be members of Groups they have to be created in the UserManager since the UserManager uses weak references to define the membership (i.e. pointing to JCR nodes containing authorizables).

Also if the user wants to be referenced in any ACL/ACE then the principal needs to be resolvable (otherwise you can't set the ACL). Hence you need to implement a PrincipalManager that connects to the external source.

I started to make the UserManager and PrincipalManager pluggable, but got stumped by the weak references in the UserManagerImpl (however in JR2 this is extendable).

So in short, if you need group membership or ACLs then you are going to have to have the users internally; if you only want to do AuthN, then a LoginModulePlugin is needed. (Also, I think you can do the same by registering a JAAS login module with callbacks, but that's native Jackrabbit rather than Sling, so slightly harder.)

Ian



Re: AuthenticationPlugin with external users

Posted by Vidar Ramdal <vi...@idium.no>.
On Tue, Mar 9, 2010 at 8:30 PM, D. Stuart Freeman
<st...@et.gatech.edu> wrote:
> I've got an AuthenticationHandler and I'd like to allow users to log in
> without doing any further registration.  My understanding is that my
> AuthenticationPlugin will have to create accounts in JCR for users if
> they don't exist already.

That is not necessarily true. If you have a custom LoginModulePlugin
[1], you can lookup user data from anywhere - it doesn't have to be
from JCR. The LoginModulePlugin then instantiates your custom
AuthenticationPlugins on LoginModulePlugin.getAuthentication().

> Will it work (and is it advisable) to do
> something like:
>
>  userManager.createUser(name, RandomStringUtils.random(32), principal);
>
> or am I completely misunderstanding something?

I'd say, if you already have your user data somewhere else (like an
external database or LDAP directory), don't replicate that data in
Jackrabbit's UserManager. In fact, don't use UserManager at all
(except, perhaps, for the pre-defined admin and anonymous users).
Instead, implement a LoginModulePlugin to use your external source.

[1] http://sling.apache.org/apidocs/sling5/org/apache/sling/jcr/jackrabbit/server/security/LoginModulePlugin.html


-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 21 531941, ext 2070