incubator-sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache Sling Website > OpenID AuthenticationHandler
Date Sun, 20 Jun 2010 19:57:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=SLINGxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/SLINGxSITE/OpenID+AuthenticationHandler">OpenID
AuthenticationHandler</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~fmeschbe">Felix
Meschberger</a>
    </h4>
        <br/>
                         <h4>Changes (15)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{toc:type=flat|separator=pipe|minLevel=2|maxLevel=3}
<br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
OpenID Authentication Handler .... <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
OpenID Authentication Handler supports authentication of request users using the [OpenID|http://www.openid.net]
authentication protocol. If the user has successfully authenticated with his OpenID provider
a signed OpenID identity is further used to identify the user. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">he
OpenID Authentication Handler is maintained in the [Sling SVN|http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/openidauth]
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Since
generally an OpenID identity is an URL and URLs may not be used as JCR user names, an association
mechanism is used by the OpenID authentication handler to associate an OpenID identity with
an existing JCR user: The OpenID identity URL is set as the value of a JCR user property.
When a user authenticates with his OpenID identity the matching user searched for by looking
for a match in this property. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">_NOTE:_
This association currently only works with Jackrabbit (or Jackrabbit based repositories) because
user management is not part of the JCR 2 specification and the OpenID authentication handler
uses the Jackrabbit {{UserManager}} to find users by a user property value. <br> <br>The
OpenID Authentication Handler is maintained in the [Sling SVN|http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/openidauth]
<br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. AuthenticationHandler implementation
<br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h3. Phase 1: Form Submission <br>
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">TODO:
Require POST form (at any URL ??) <br> <br></td></tr>
            <tr><td class="diff-unchanged" >The form is rendered by redirecting
the client to the URL indicated by the {{form.login.form}} configuration parameter. This redirection
request may accompanyied by the following parameters: <br> <br>* {{resource}}
-- The resource to which the user should be redirected after successful login. This request
parameter should be submitted back to the server as the {{resource}} parameter. <br></td></tr>
            <tr><td class="diff-changed-lines" >* {{j_reason}} -- This parameter
indicates the reason for rendering the login form. If this parameter is set, it is set to
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{{INVALID_CREDENTIALS}}
indicating a previous form submission presented invalid username and password or {{TIMEOUT}}
indicating a login session has timed out.</span> <span class="diff-added-words"style="background-color:
#dfd;">the name of any of the {{OpenIDFailure}} constants.</span> The login form
servlet/script can present the user with an appropriate message. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>The Form Based Authentication
handlers supports the following request parameters submitted by the HTML form: <br>
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">*
{{openid_identifier}} -- OpenID Claimed Identifier <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">*
{{openid_identifier}} -- OpenID Claimed Identifier. This may be any actual OpenID identity
URL or the URL of OpenID Provider such as https://www.google.com/accounts/o8/id, https://me.yahoo.com,
or https://www.myopenid.com. <br>* {{sling:authRequestLogin}} -- This request parameter
is recommended to be set with a hidden field to the value _OpenID_ to ensure the request is
handled by the OpenID Authentication Handler. <br>* {{resource}} -- The {{resource}}
request parameter should be sent back to ensure the user is finally redirected to requested
target resource after successful authentication. <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The
OpenID Authentication Handler provides a default login form registered at {{/system/sling/openid/login}}.
<br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The
OpenID Authentication Handler provides a default login form ... (work in progress) <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Phase 2: Authenticated Requests
<br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>|| Parameter || Default
|| Description || <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">|
{{..name..}} | {{..default..}} | ..description.. | <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">|
{{path}} | -- | Repository path for which this authentication handler should be used by Sling.
If this is empty, the authentication handler will be disabled. | <br>| {{openid.login.form}}
| {{/system/sling/openid/login}} | This should provide a way to capture the user&#39;s
OpenID identifier.  This is not the OpenID Provider&#39;s login page, however, it does
not have to be a local URL. If it is a local Sling URL, it must be accessible by the anonymous
user. The user is HTTP Redirect&#39;ed to this URL.  This page should POST back the user&#39;s
OpenID identifier (as named by the &quot;OpenID identifier form field&quot; property)
to the originally requested URL set in the &quot;resource&quot; request parameter.
| <br>| {{openid.login.identifier}} | {{openid_identifier}} | The name of the form parameter
that provides the user&#39;s OpenID identifier. By convention this is {{openid_identifier}}.
Only change this if you have a very good reason to do so. | <br>| {{openid.external.url.prefix}}
| -- | The prefix of URLs generated for the {{ReturnTo}} and {{TrustRoot}} properties of the
OpenID request to the OpenID provider. Thus this URL prefix should bring back the authenticated
user to this Sling instance. Configuring this property is usually necessary when running Sling
behind a proxy (like Apache) since proxy mapping is not performed on the OpenID ReturnTo and
TrustRoot URLs as they are sent to the OpenID Provider as form parameters.  If this property
is empty, the URLs are generated using the hostname found in the original request.| <br>|
{{openid.use.cookie}} | {{true}} |  Whether to use a regular Cookie or an HTTP Session to
cache the OpenID authentication details. By default a regular cookie is used to prevent use
of HTTP Sessions. | <br>| {{openid.cookie.domain}} | -- | Domain of cookie used to persist
authentication. This defaults to the host name of the Sling server but may be set to a different
value to share the cookie amongst a server farm or if the server is running behind a proxy.
Only used if &#39;Use Cookie&#39; is checked. | <br>| {{openid.cookie.name}}
| {{sling.openid}} | Name of cookie used to persist authentication. Only used if &#39;Use
Cookie&#39; is checked. | <br>| {{openid.cookie.secret.key}} | {{secret}} | Secret
key used to create a signature of the cookie value to prevent tampering. Only used if &#39;Use
Cookie&#39; is true. | <br>| {{openid.user.attr}} | {{openid.user}} | Name of the
JCR SimpleCredentials attribute to to set with the OpenID User data. This attribute is used
by the OpenID LoginModule to validate the OpenID user authentication data. | <br>| {{openid.property.identity}}
| {{openid.identity}} |  The name of the JCR User attribute listing one or more OpenID Identity
URLs with which a user is associated. The property may be a multi- or single-valued. To resolve
a JCR user ID from an OpenID identity a user is searched who lists the identity in this property.
| <br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h3.
Integration with Jackrabbit <br> <br>The OpenID authentication handler can be
integrated in two ways into the Jackrabbit authentication mechanism which is based on JAAS
{{LoginModule}}. One integration is by means of a {{LoginModulePlugin}} which plugs into the
extensible {{LoginModule}} architecture supported by the Sling Jackrabbit Embedded Repository
bundle. <br> <br>The other integration option is the {{trusted_credentials_attribute}}
mechanism supported by the Jackrabbit {{DefaultLoginModule}}. By setting the {{trusted_credentials_attribute}}
parameter of the Jackrabbit {{DefaultLoginModule}} and the {{openid.user.attr}} configuration
property of the OpenID Authentication Handler to the same value, the existence of an attribute
of that name in the {{SimpleCredentials}} instance provided to the {{Repository.login}} method
signals pre-authenticated credentials, which need not be further checked by the {{DefaultLoginModule}}.
<br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h3. Security Considerations <br>
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" ># User name and password are transmitted
in plain text in the initial form submission. <br># The Cookie used to provide the authentication
state or the HTTP Session ID may be stolen. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">#
When using the {{trusted_credentials_attribute}} mechanism, any intruder knowing the attribute
name may log into the repository as any existing JCR user. The better option is to be based
on the {{LoginModulePlugin}} mechanism. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>To prevent eavesdroppers
from sniffing the credentials or stealing the Cookie a secure transport layer should be used
such as TLS/SSL, VPN or IPSec. <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="OpenIDAuthenticationHandler-OpenIDAuthenticationHandler"></a>OpenID
AuthenticationHandler</h1>

<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16"
align="absmiddle" alt="" border="0"></td><td>This page is work in progress
and not complete yet</td></tr></table></div>

<div><a href='#OpenIDAuthenticationHandler-AuthenticationHandlerimplementation'>AuthenticationHandler
implementation</a> | <a href='#OpenIDAuthenticationHandler-AuthenticationHandlerFeedbackimplementation'>AuthenticationHandlerFeedback
implementation</a> | <a href='#OpenIDAuthenticationHandler-Phase1%3AFormSubmission'>Phase
1: Form Submission</a> | <a href='#OpenIDAuthenticationHandler-Phase2%3AAuthenticatedRequests'>Phase
2: Authenticated Requests</a> | <a href='#OpenIDAuthenticationHandler-Configuration'>Configuration</a>
| <a href='#OpenIDAuthenticationHandler-IntegrationwithJackrabbit'>Integration with
Jackrabbit</a> | <a href='#OpenIDAuthenticationHandler-SecurityConsiderations'>Security
Considerations</a></div>

<p>The OpenID Authentication Handler supports authentication of request users using
the <a href="http://www.openid.net" class="external-link" rel="nofollow">OpenID</a>
authentication protocol. If the user has successfully authenticated with his OpenID provider
a signed OpenID identity is further used to identify the user.</p>

<p>Since generally an OpenID identity is an URL and URLs may not be used as JCR user
names, an association mechanism is used by the OpenID authentication handler to associate
an OpenID identity with an existing JCR user: The OpenID identity URL is set as the value
of a JCR user property. When a user authenticates with his OpenID identity the matching user
searched for by looking for a match in this property.</p>

<p><em>NOTE:</em> This association currently only works with Jackrabbit
(or Jackrabbit based repositories) because user management is not part of the JCR 2 specification
and the OpenID authentication handler uses the Jackrabbit <tt>UserManager</tt>
to find users by a user property value.</p>

<p>The OpenID Authentication Handler is maintained in the <a href="http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/openidauth"
class="external-link" rel="nofollow">Sling SVN</a></p>

<h3><a name="OpenIDAuthenticationHandler-AuthenticationHandlerimplementation"></a>AuthenticationHandler
implementation</h3>


<ul>
	<li><tt>extractCredentials</tt> &#8211; ...</li>
	<li><tt>requestCredentials</tt> &#8211; ...</li>
	<li><tt>dropCredentials</tt> &#8211; ...</li>
</ul>



<h3><a name="OpenIDAuthenticationHandler-AuthenticationHandlerFeedbackimplementation"></a>AuthenticationHandlerFeedback
implementation</h3>

<ul>
	<li><tt>authenticationFailed</tt> &#8211; ...</li>
	<li><tt>authenticationSucceeded</tt> &#8211; ...</li>
</ul>



<h3><a name="OpenIDAuthenticationHandler-Phase1%3AFormSubmission"></a>Phase
1: Form Submission</h3>

<p>The form is rendered by redirecting the client to the URL indicated by the <tt>form.login.form</tt>
configuration parameter. This redirection request may accompanyied by the following parameters:</p>

<ul>
	<li><tt>resource</tt> &#8211; The resource to which the user should
be redirected after successful login. This request parameter should be submitted back to the
server as the <tt>resource</tt> parameter.</li>
	<li><tt>j_reason</tt> &#8211; This parameter indicates the reason for
rendering the login form. If this parameter is set, it is set to the name of any of the <tt>OpenIDFailure</tt>
constants. The login form servlet/script can present the user with an appropriate message.</li>
</ul>


<p>The Form Based Authentication handlers supports the following request parameters
submitted by the HTML form:</p>

<ul>
	<li><tt>openid_identifier</tt> &#8211; OpenID Claimed Identifier. This
may be any actual OpenID identity URL or the URL of OpenID Provider such as <a href="https://www.google.com/accounts/o8/id"
class="external-link" rel="nofollow">https://www.google.com/accounts/o8/id</a>, <a
href="https://me.yahoo.com" class="external-link" rel="nofollow">https://me.yahoo.com</a>,
or <a href="https://www.myopenid.com" class="external-link" rel="nofollow">https://www.myopenid.com</a>.</li>
	<li><tt>sling:authRequestLogin</tt> &#8211; This request parameter
is recommended to be set with a hidden field to the value <em>OpenID</em> to ensure
the request is handled by the OpenID Authentication Handler.</li>
	<li><tt>resource</tt> &#8211; The <tt>resource</tt> request
parameter should be sent back to ensure the user is finally redirected to requested target
resource after successful authentication.</li>
</ul>


<p>The OpenID Authentication Handler provides a default login form registered at <tt>/system/sling/openid/login</tt>.</p>


<h3><a name="OpenIDAuthenticationHandler-Phase2%3AAuthenticatedRequests"></a>Phase
2: Authenticated Requests</h3>


<p>Work in progress ....</p>


<h3><a name="OpenIDAuthenticationHandler-Configuration"></a>Configuration</h3>

<p>The OpenID AuthenticationHandler is configured with configuration provided by the
OSGi Configuration Admin Service using the <tt>org.apache.sling.openidauth.OpenIdAuthenticationHandler</tt>
service PID.</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Parameter </th>
<th class='confluenceTh'> Default </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>path</tt> </td>
<td class='confluenceTd'> &#8211; </td>
<td class='confluenceTd'> Repository path for which this authentication handler should
be used by Sling. If this is empty, the authentication handler will be disabled. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.login.form</tt> </td>
<td class='confluenceTd'> <tt>/system/sling/openid/login</tt> </td>
<td class='confluenceTd'> This should provide a way to capture the user's OpenID identifier.
 This is not the OpenID Provider's login page, however, it does not have to be a local URL.
If it is a local Sling URL, it must be accessible by the anonymous user. The user is HTTP
Redirect'ed to this URL.  This page should POST back the user's OpenID identifier (as named
by the "OpenID identifier form field" property) to the originally requested URL set in the
"resource" request parameter. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.login.identifier</tt> </td>
<td class='confluenceTd'> <tt>openid_identifier</tt> </td>
<td class='confluenceTd'> The name of the form parameter that provides the user's OpenID
identifier. By convention this is <tt>openid_identifier</tt>. Only change this
if you have a very good reason to do so. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.external.url.prefix</tt> </td>
<td class='confluenceTd'> &#8211; </td>
<td class='confluenceTd'> The prefix of URLs generated for the <tt>ReturnTo</tt>
and <tt>TrustRoot</tt> properties of the OpenID request to the OpenID provider.
Thus this URL prefix should bring back the authenticated user to this Sling instance. Configuring
this property is usually necessary when running Sling behind a proxy (like Apache) since proxy
mapping is not performed on the OpenID ReturnTo and TrustRoot URLs as they are sent to the
OpenID Provider as form parameters.  If this property is empty, the URLs are generated using
the hostname found in the original request.</td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.use.cookie</tt> </td>
<td class='confluenceTd'> <tt>true</tt> </td>
<td class='confluenceTd'>  Whether to use a regular Cookie or an HTTP Session to cache
the OpenID authentication details. By default a regular cookie is used to prevent use of HTTP
Sessions. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.cookie.domain</tt> </td>
<td class='confluenceTd'> &#8211; </td>
<td class='confluenceTd'> Domain of cookie used to persist authentication. This defaults
to the host name of the Sling server but may be set to a different value to share the cookie
amongst a server farm or if the server is running behind a proxy. Only used if 'Use Cookie'
is checked. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.cookie.name</tt> </td>
<td class='confluenceTd'> <tt>sling.openid</tt> </td>
<td class='confluenceTd'> Name of cookie used to persist authentication. Only used if
'Use Cookie' is checked. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.cookie.secret.key</tt> </td>
<td class='confluenceTd'> <tt>secret</tt> </td>
<td class='confluenceTd'> Secret key used to create a signature of the cookie value
to prevent tampering. Only used if 'Use Cookie' is true. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.user.attr</tt> </td>
<td class='confluenceTd'> <tt>openid.user</tt> </td>
<td class='confluenceTd'> Name of the JCR SimpleCredentials attribute to to set with
the OpenID User data. This attribute is used by the OpenID LoginModule to validate the OpenID
user authentication data. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>openid.property.identity</tt> </td>
<td class='confluenceTd'> <tt>openid.identity</tt> </td>
<td class='confluenceTd'>  The name of the JCR User attribute listing one or more OpenID
Identity URLs with which a user is associated. The property may be a multi- or single-valued.
To resolve a JCR user ID from an OpenID identity a user is searched who lists the identity
in this property. </td>
</tr>
</tbody></table>
</div>



<h3><a name="OpenIDAuthenticationHandler-IntegrationwithJackrabbit"></a>Integration
with Jackrabbit</h3>

<p>The OpenID authentication handler can be integrated in two ways into the Jackrabbit
authentication mechanism which is based on JAAS <tt>LoginModule</tt>. One integration
is by means of a <tt>LoginModulePlugin</tt> which plugs into the extensible <tt>LoginModule</tt>
architecture supported by the Sling Jackrabbit Embedded Repository bundle.</p>

<p>The other integration option is the <tt>trusted_credentials_attribute</tt>
mechanism supported by the Jackrabbit <tt>DefaultLoginModule</tt>. By setting
the <tt>trusted_credentials_attribute</tt> parameter of the Jackrabbit <tt>DefaultLoginModule</tt>
and the <tt>openid.user.attr</tt> configuration property of the OpenID Authentication
Handler to the same value, the existence of an attribute of that name in the <tt>SimpleCredentials</tt>
instance provided to the <tt>Repository.login</tt> method signals pre-authenticated
credentials, which need not be further checked by the <tt>DefaultLoginModule</tt>.</p>


<h3><a name="OpenIDAuthenticationHandler-SecurityConsiderations"></a>Security
Considerations</h3>

<p>Work in progress ....</p>

<p>OpenIDAuthentication has some limitations in terms of security:</p>

<ol>
	<li>User name and password are transmitted in plain text in the initial form submission.</li>
	<li>The Cookie used to provide the authentication state or the HTTP Session ID may
be stolen.</li>
	<li>When using the <tt>trusted_credentials_attribute</tt> mechanism, any
intruder knowing the attribute name may log into the repository as any existing JCR user.
The better option is to be based on the <tt>LoginModulePlugin</tt> mechanism.</li>
</ol>


<p>To prevent eavesdroppers from sniffing the credentials or stealing the Cookie a secure
transport layer should be used such as TLS/SSL, VPN or IPSec.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/SLINGxSITE/OpenID+AuthenticationHandler">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=13271694&revisedVersion=4&originalVersion=3">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/SLINGxSITE/OpenID+AuthenticationHandler?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message