incubator-jspwiki-dev mailing list archives

From "Janne Jalkanen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-464) JSPWiki authentication support for TextOutputCallback (display login messages on Login.jsp)
Date Thu, 01 Jan 2009 21:41:44 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660240#action_12660240 ]

Janne Jalkanen commented on JSPWIKI-464:
----------------------------------------

Why would "Apache JSPWiki" reside in the "wiki" package?  In addition, if we change the project
name, we need to go through the entire name change process, namecheck and legal stuff, not to
mention that we lose the "jspwiki" brand that has been accumulated over the years.

This is clearly a bug in Jasper and needs to be fixed on their part.  Please raise a bug in
the Jasper bug tracker.  I think it can be fixed fairly fast, if need be.

I remember in Tomcat 4.x there was a problem with us calling our template "default", since
it resulted in package names which were illegal.  It was fixed, and we didn't have to change
anything.

I don't think we should change the project name because of one buggy implementation.  We should
direct people to use Jetty or some other container instead.

We don't have to worry about the "market".  Ain't nobody getting any money out of this.  We
need to do the *right* thing.

> JSPWiki authentication support for TextOutputCallback (display login messages on Login.jsp)
> -------------------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-464
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-464
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 3.0
>         Environment: JSPWiki 3.0
>            Reporter: Harry Metske
>            Assignee: Harry Metske
>            Priority: Minor
>         Attachments: JSPWIKI-464.patch, jspwiki-login-3.0.patch
>
>
> The current version of the JSPWiki JAAS implementation does not support TextOutputCallbacks.
> JAAS offers several types of Callbacks, JSPWiki's CallbackHandler currently only uses
> the NameCallback and PasswordCallback.
> As a result the following scenario:
> Users try to log in, the login fails but the user is not told for what reason.
> I have had lots of complaints about this behavior, especially from users who do not log in
> very often but use the wiki mostly for reading.
> When they try to log in, it fails, but the Login.jsp does not tell anything at all, not
> even that it has failed (C.M.A.).
> In most cases because either the userid has become inactive, is revoked, or the password
> is expired. The net effect is that the wiki is often not usable for updates.
> Now I know that giving this information (the failure reason) to the user is often considered
> a security trade off.
> But in an intranet environment this is very acceptable.
> I will attach a patch that solves this in the following way:
> - AuthenticationManager keeps a Hashtable of last loginMessages for each user.
> - The WikiCallbackHandler now also handles TextOutputCallbacks and sets the login result
> - If the login fails, the LoginActionBean first reads the loginMessage for the user,
> if it is not null, it is displayed, else you get the old behavior.
> The exploitation of TextOutputCallbacks is optional, the default LoginModule (supplied
> with JSPWiki) does not use them, and therefore its behavior is unchanged.
> The installer has to supply a LoginModule that uses the TextOutputCallback to store the
> loginResult.  (And of course we have one that uses it).
> (Andrew), can we take this patch in the trunk?
> regards,
> Harry

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
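
The JAAS mechanism the quoted issue describes, as an added example that is not part of the original message, the attached patches or JSPWiki's code: a CallbackHandler that accepts TextOutputCallback alongside NameCallback and PasswordCallback so a failure reason can be shown. The class names, the `login` stand-in for a LoginModule and the sample account are assumptions; here the message is held on the handler instance for one login attempt rather than in a per-user table.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.CredentialExpiredException;

public class LoginMessageDemo {
    // Hypothetical handler (not JSPWiki's WikiCallbackHandler): supplies credentials, collects messages.
    static class MessageCollectingHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        final List<String> messages = new ArrayList<>();
        MessageCollectingHandler(String user, char[] password) { this.user = user; this.password = password; }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof TextOutputCallback) {
                    // Held on this handler instance, so it is scoped to one login attempt.
                    messages.add(((TextOutputCallback) cb).getMessage());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Stand-in for a LoginModule's login(); the expiry rule below is constructed sample data.
    static void login(CallbackHandler handler) throws Exception {
        NameCallback name = new NameCallback("User: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        handler.handle(new Callback[] { name, pass });
        pass.clearPassword();
        if ("alice".equals(name.getName())) {
            handler.handle(new Callback[] {
                new TextOutputCallback(TextOutputCallback.ERROR, "Password expired") });
            throw new CredentialExpiredException("password expired");
        }
    }

    public static void main(String[] args) throws Exception {
        MessageCollectingHandler h = new MessageCollectingHandler("alice", "secret".toCharArray());
        try { login(h); } catch (CredentialExpiredException e) {
            // What a login page could render instead of failing silently.
            System.out.println("Login failed: " + h.messages);
        }
    }
}
```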

