chemistry-dev mailing list archives

From "Sascha Homeier (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CMIS-887) RunAs Authentication possiblity
Date Thu, 29 Jan 2015 18:59:34 GMT

    [ https://issues.apache.org/jira/browse/CMIS-887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14297341#comment-14297341 ]

Sascha Homeier commented on CMIS-887:
-------------------------------------

bq. ... Sasha has extended the TokenCallContextHandler and you're suggesting to extend the
Standard authentication provider ...

To clarify: This is not like either AuthenticationProvider or TokenCallContextHandler. You
need both from my point of view:

On client side you extend the StandardAuthenticationProvider as Florian stated above. This
is necessary to set additional HTTP parameters.
StandardAuthenticationProvider for example sets username and password parameters.

On server side you need to somehow handle your additional parameters. The normal username
and password parameters are handled by TokenCallContextHandler and put on the CallContext.
This is why you can get username and password via CallContext.getUsername() and CallContext.getPassword().
Additional parameters need to be handled by your own TokenCallContextHandler which for example
might read the HTTP parameter "RunAs" (which was set on Client side by your own AuthenticationProvider)
and put it on the CallContext via key "RunAs". After that you can get the "RunAs"-value from
the CMIS service methods via CallContext.get("RunAs") (btw. I do not know Alfresco and don't
know the semantics of this RunAs-value).

bq. So I in this case have a custom external service to authenticate

I see no problem to also handle multiple authentication services. You can simply set the name
of the login realm on client side via AuthenticationProvider and read it from token handler
on server side.
This way you can configure which LoginModule you want to use. This way for example you could
choose between LDAPLoginModule which uses LDAP to authenticate or DBLoginModule which authenticates
against database stored user/pw.

> RunAs Authentication possiblity
> -------------------------------
>
>                 Key: CMIS-887
>                 URL: https://issues.apache.org/jira/browse/CMIS-887
>             Project: Chemistry
>          Issue Type: Improvement
>          Components: opencmis-client, opencmis-server
>    Affects Versions: OpenCMIS 0.12.0
>         Environment: Alfresco 4.2
>            Reporter: Tahir Malik
>
> There is no possibility to define a RunAs user through CMIS.
> At the moment we have a custom webscript in Alfresco which logs in as the RunAs user
> and returns the ticket.
> Then we use the ticket in the password field and do our stuff.
> It would be nice to extend the Authentication mechanism to supply extra parameters and
> control them server side so this is not needed.
> If this is already possible, then I didn't know that and I'd love to have some info how
> to do that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
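
The client/server split described in the comment above, as an added example that is not part of the original message or of the OpenCMIS code base. It assumes the value travels as an HTTP header named "RunAs", that the client takes it from a hypothetical session parameter "example.runas", and that the server handler extends BasicAuthCallContextHandler rather than a token handler. The allow-list in RunAsPolicy is constructed: the header is set by the client, so the service should honor it only for callers permitted to act as the target user.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider;
import org.apache.chemistry.opencmis.commons.exceptions.CmisPermissionDeniedException;
import org.apache.chemistry.opencmis.commons.server.CallContext;
import org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler;

// Client side: sends the RunAs value next to the normal basic-auth header.
class RunAsAuthenticationProvider extends StandardAuthenticationProvider {
    @Override
    public Map<String, List<String>> getHTTPHeaders(String url) {
        Map<String, List<String>> headers = new HashMap<>();
        Map<String, List<String>> base = super.getHTTPHeaders(url); // may be null
        if (base != null) headers.putAll(base);
        Object runAs = getSession().get("example.runas"); // hypothetical session parameter
        if (runAs instanceof String && !((String) runAs).isEmpty()) {
            headers.put("RunAs", Collections.singletonList((String) runAs));
        }
        return headers;
    }
}

// Server side: copies the header into the map that becomes the CallContext.
class RunAsCallContextHandler extends BasicAuthCallContextHandler {
    @Override
    public Map<String, String> getCallContextMap(HttpServletRequest request) {
        Map<String, String> ctx = super.getCallContextMap(request); // null without credentials
        String runAs = request.getHeader("RunAs");
        // Without credentials there is no caller to authorize, so the header is ignored.
        if (ctx != null && runAs != null && !runAs.trim().isEmpty()) {
            ctx.put("RunAs", runAs.trim());
        }
        return ctx;
    }
}

// Called from a CMIS service method after the caller's own credentials were verified.
final class RunAsPolicy {
    // Constructed allow-list: authenticated user -> users it may act as.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static { ALLOWED.put("svc-portal", new HashSet<>(Arrays.asList("alice", "bob"))); }

    static String effectiveUser(CallContext context) {
        String caller = context.getUsername();
        Object runAs = context.get("RunAs");
        if (runAs == null) return caller; // no impersonation requested
        Set<String> targets = ALLOWED.get(caller);
        if (targets == null || !targets.contains(runAs)) {
            throw new CmisPermissionDeniedException("RunAs not permitted for " + caller);
        }
        return (String) runAs;
    }
}
```

The classes compile against the OpenCMIS client and server libraries plus the Servlet API. In a real deployment the provider and the handler live in separate artifacts and are wired in through the client session parameters and the server configuration.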
