Mailing-List: contact jspwiki-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: jspwiki-dev@incubator.apache.org
Message-ID: <1317944500.1230587624149.JavaMail.jira@brutus>
Date: Mon, 29 Dec 2008 13:53:44 -0800 (PST)
From: "Andrew Jaquith (JIRA)" <jira@apache.org>
To: jspwiki-dev@incubator.apache.org
Subject: [jira] Commented: (JSPWIKI-464) JSPWiki authentication support for
 TextOutputCallback (display login messages on Login.jsp)
In-Reply-To: <1012742238.1230579884177.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/JSPWIKI-464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659665#action_12659665 ] 

Andrew Jaquith commented on JSPWIKI-464:
----------------------------------------

I think there is a better way to do this. I do not want to add a holding-tank Map AuthenticationManager for messages that should be propagated immediately back to the client. As proposed, the patch is a recipe for a memory leak, and we have enough of those already. :)

I'd recommend extending WikiCallBackHandler to look for TextOutputCallbacks. If the message type is of type ERROR, it should throw a LoginException (which is what normally signifies login failure). The LoginModule should pass this back through to AuthenticationManager.

The LoginException itself should be caught by doJAASLogin(), and rethrown as a WikiSecurityException, which our LoginActionBean already catches (without modification to existing code...).

Harry, can you re-work?

> JSPWiki authentication support for TextOutputCallback (display login messages on Login.jsp)
> -------------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-464
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-464
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 3.0
>         Environment: JSPWiki 3.0
>            Reporter: Harry Metske
>            Assignee: Harry Metske
>            Priority: Minor
>         Attachments: jspwiki-login-3.0.patch
>
>
> The current version of the JSPWiki JAAS implementation does not support TextOutputCallback's.
> JAAS offers several types of Callbacks, JSPWiki's CallbackHandler currently only uses the NameCallback and PasswordCallback.
> As a result the following scenario:
> Users try to login, the login fails but the user is not told for what reason.
> I have had lots of complaints about this behavior, especially from users who do not login very often but use the wiki mostly for reading.
> When they try to login, it fails, but the Login.jsp does not tell anything at all, not even that is has failed (C.M.A.). 
> In most cases because either the userid has become inactive, is revoked, or the password is expired. The net effect is that the wiki is often not usable for updates.
> Now I know that giving this information (the failure reason) to the user is often considered a security trade off.
> But in an intranet environment this is very acceptable.
> I will attach a patch that solves this in the following way :
> - AuthenticationManager keeps a Hashtable of last loginMessages for each user.
> - The WikiCallbackHandler now also handles TextOutputCallbacks and sets the login result
> - If the login fails, the LoginActionBean first reads the loginMessage for the user, if it is not null, it is displayed, else you get the old behavior.
> The exploitation of TextOutputCallbacks is optional, the default LoginModule (supplied with JSPWiki) does not use them, and therefore it's behavior is unchanged. 
> The installer has to supply a LoginModule that uses the TextOutputCallback to store the loginResult.  (And off course we have one that uses it).
> (Andrew), can we take this patch in the trunk ?
> regards,
> Harry

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.