Posted to user@shiro.apache.org by Ryan McKinley <ry...@gmail.com> on 2009/03/28 01:53:27 UTC

User model with configurable authentication?

Hello-

I am building an application that needs a user model, but the  
authentication may be elsewhere (LDAP whatever) -- is there any advice  
on the best way to design this?

Say I have a user class User, and store info like name, email, list of  
"favorites", etc, etc.   Consider the case where the user  
authenticates successfully on an LDAP server, but that user does not  
exist in my local database:  are there any suggested models for where  
to trigger creating a new User class?   Perhaps I need to extend a  
SecurityManager and then make Users on #createSubject()  -- perhaps a  
wrapper Realm that creates a user on successful login.  Are there any  
general practices people use?

Another question is if the User should be attached to the Subject  
somehow.  Alternatively, Subject#getPrincipal() could be used to grab  
the User class whenever it is needed.

Any advice would be great.  I'll do my best to distill any best  
practices in the wicketstuff example apps.

Thanks again
ryan

Re: User model with configurable authentication?

Posted by Les Hazlewood <lh...@apache.org>.
I wanted to add on to this email to further elaborate now that the approach
is lined out (didn't want to write this in the original reply below - it
would have been too long).

In reality, there is another layer in my API between the UserService and the
Ki Subject.  I really have a SubjectService that has the _exact same_ method
signatures as the Subject interface.  Then I have an implementation called
KiSubjectService that just immediately delegates those calls to
SecurityUtils.getSubject().*

I do this because all of my other components in my application never know
about the Ki API at all - they never have to import any of Ki's classes for
anything.  They all only interact with my application's SubjectService for
everything and never know that the implementation uses Ki for anything.

The SubjectService also has a convenience method:

SubjectService.asUser() : User

Then, in my UserService implementation (wired by Spring), I can do the
following:

public class DefaultUserService implements UserService {

    @Autowired
    private SubjectService currentSubject;

    ....
}

Then anywhere in my DefaultUserService implementation (or any other Service
that needs to do similar 'current user' stuff), they simply call:

...
User currentUser = currentSubject.asUser();
...

if the 'currentUser' variable above is null, the current subject hasn't
logged in yet.  Then the other components can interact with your
application's data model 'User' object, which is easier and more natural.

Cheers,

Les

On Sat, Mar 28, 2009 at 3:25 PM, Les Hazlewood <lh...@apache.org> wrote:

> Hi Ryan,
>
> I do this myself in my applications as well with multiple realms.  But I
> don't have the Ki components do this directly.  Instead, I have a that
> performs all user-specific functionality.
>
> What you're talking about is really business logic unrelated to Ki, so it
> belongs in a business-tier component.  Here's how I do this kind of stuff (a
> little simplified though for this discussion):
>
> I have a UserService interface with a DefaultUserService implementation.
>
> There will be a UserService.login(String username, String password);
> interface method.  The implementation can use the Ki Subject to perform the
> logic.
>
> If the authentication succeeds, I check (via a UserDAO) if there is a
> corresponding record in the RDBMS for that login.  If not, I create one at
> that time, making the appropriate association with the LDAP credentials.
> Then the method returns quietly if there are no problems, otherwise throws
> application-specific exceptions (not Ki Exceptions) if something goes wrong
> to let the GUI know what went wrong.
>
> I hope that helps!
>
> Cheers,
>
> Les
>
>
> On Fri, Mar 27, 2009 at 8:53 PM, Ryan McKinley <ry...@gmail.com> wrote:
>
>> Hello-
>>
>> I am building an application that needs a user model, but the
>> authentication may be elsewhere (LDAP whatever) -- is there any advice on
>> the best way to design this?
>>
>> Say I have a user class User, and store info like name, email, list of
>> "favorites", etc, etc.   Consider the case where the user authenticates
>> successfully on an LDAP server, but that user does not exist in my local
>> database:  are there any suggested models for where to trigger creating a
>> new User class?   Perhaps I need to extend a SecurityManager and then make
>> Users on #createSubject()  -- perhaps a wrapper Realm that creates a user on
>> successful login.  Are there any general practices people use?
>>
>> Another question is if the User should be attached to the Subject somehow.
>>  Alternatively, Subject#getPrincipal() could be used to grab the User class
>> whenever it is needed.
>>
>> Any advice would be great.  I'll do my best to distill any best practices
>> in the wicketstuff example apps.
>>
>> Thanks again
>> ryan
>>
>
>

Re: User model with configurable authentication?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Ryan,

I do this myself in my applications as well with multiple realms.  But I
don't have the Ki components do this directly.  Instead, I have a that
performs all user-specific functionality.

What you're talking about is really business logic unrelated to Ki, so it
belongs in a business-tier component.  Here's how I do this kind of stuff (a
little simplified though for this discussion):

I have a UserService interface with a DefaultUserService implementation.

There will be a UserService.login(String username, String password);
interface method.  The implementation can use the Ki Subject to perform the
logic.

If the authentication succeeds, I check (via a UserDAO) if there is a
corresponding record in the RDBMS for that login.  If not, I create one at
that time, making the appropriate association with the LDAP credentials.
Then the method returns quietly if there are no problems, otherwise throws
application-specific exceptions (not Ki Exceptions) if something goes wrong
to let the GUI know what went wrong.

I hope that helps!

Cheers,

Les

On Fri, Mar 27, 2009 at 8:53 PM, Ryan McKinley <ry...@gmail.com> wrote:

> Hello-
>
> I am building an application that needs a user model, but the
> authentication may be elsewhere (LDAP whatever) -- is there any advice on
> the best way to design this?
>
> Say I have a user class User, and store info like name, email, list of
> "favorites", etc, etc.   Consider the case where the user authenticates
> successfully on an LDAP server, but that user does not exist in my local
> database:  are there any suggested models for where to trigger creating a
> new User class?   Perhaps I need to extend a SecurityManager and then make
> Users on #createSubject()  -- perhaps a wrapper Realm that creates a user on
> successful login.  Are there any general practices people use?
>
> Another question is if the User should be attached to the Subject somehow.
>  Alternatively, Subject#getPrincipal() could be used to grab the User class
> whenever it is needed.
>
> Any advice would be great.  I'll do my best to distill any best practices
> in the wicketstuff example apps.
>
> Thanks again
> ryan
>
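
As an added illustration (not code from this thread, nor from Ki/Shiro itself), here is the layering Les describes in both replies: a SubjectService that mirrors the Subject methods and delegates to SecurityUtils.getSubject(), and a UserService.login() that provisions the local record only after the realm has authenticated the user. It is written against the current org.apache.shiro package names (Ki was renamed Shiro); User, UserDao, LoginFailedException and the DAO-backed asUser() lookup are assumptions for the example.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// Hypothetical application types; only ShiroSubjectService touches the Shiro API.
class User { final String login; User(String login) { this.login = login; } }
interface UserDao { User findByLogin(String login); void save(User user); }
class LoginFailedException extends Exception {
    LoginFailedException(String m, Throwable c) { super(m, c); }
}

// Mirrors the Subject methods the application needs, plus asUser().
interface SubjectService {
    void login(String username, String password) throws LoginFailedException;
    Object getPrincipal();
    User asUser();   // null until the current subject has logged in
}

class ShiroSubjectService implements SubjectService {
    private final UserDao userDao;
    ShiroSubjectService(UserDao userDao) { this.userDao = userDao; }
    private Subject subject() { return SecurityUtils.getSubject(); }

    public void login(String username, String password) throws LoginFailedException {
        try {
            subject().login(new UsernamePasswordToken(username, password));
        } catch (AuthenticationException e) {
            // Application-specific exception with one generic message, so the GUI
            // cannot distinguish "unknown user" from "bad password".
            throw new LoginFailedException("Login failed", e);
        }
    }
    public Object getPrincipal() { return subject().getPrincipal(); }
    public User asUser() {
        Object principal = getPrincipal();
        return principal == null ? null : userDao.findByLogin(principal.toString());
    }
}

class DefaultUserService {
    private final SubjectService currentSubject;
    private final UserDao userDao;
    DefaultUserService(SubjectService s, UserDao d) { currentSubject = s; userDao = d; }

    public void login(String username, String password) throws LoginFailedException {
        currentSubject.login(username, password);   // the realm (LDAP, ...) decides
        // Provision the local record only after a successful login, keyed on the
        // principal the realm returned rather than the raw username the caller typed.
        String login = currentSubject.getPrincipal().toString();
        if (userDao.findByLogin(login) == null) {
            userDao.save(new User(login));
        }
    }
}
```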