Re: [orion-dev] Guide for authentication

Thanks Mark,
This confirms what I figured out as well. It looks like introducing one's own authentication is only possible by adding one's own IAuthenticationService and forking /mixloginstatic/*. I was really hoping that I could add my server bundle, or both a server and a client plugin, without needing to fork.


[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=433681
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=433992
[3] https://bugs.eclipse.org/bugs/show_bug.cgi?id=358266

On Thu, May 1, 2014 at 7:07 PM, Mark Macdonald <mamacdon@xxxxxxxxx> wrote:
Hi Gorkem,

I'm not an auth expert but I'll do my best to answer. Hopefully a seasoned Orion auth person can provide more insight. From what I've seen the auth stuff does not look terribly easy to replace or customize.

What really happens when more than one "orion.core.auth" plugin exists? Which one gets picked?

Which one gets picked is not defined. In practice, it will usually be whichever auth plugin is installed earliest. In a stock Orion this will usually be authenticationPlugin.html, since it is installed very early in the page lifecycle, owing to its being in defaults.pref. But the internal data structures use unordered object keys, so this is not guaranteed.

defaults.pref is the other problem. Even if the need to fork /mixloginstatic/ is fixed, one needs to fork that defaults.pref to add his/her own services. And there is, of course, a bug report for that [3].


Does the server configuration for "orion.auth.name" affect what is returned from ServiceRegistry.getService("orion.core.auth") ?

No. The client side (orion.core.auth) and server side are separate, despite containing some of the same values in both places (like the login URL, for example).

I wonder if this is potentially a security problem? Could we have a malicious plugin that provides some cool candy service but hijacks your passwords? In any case, I filed [2] so that it is tied to what the server understands.

What is the preferred way to change the login form? I can see that the "orion.core.auth" plugin has a function for retrieving the URL for the form; is that enough?

That is necessary but it's not enough. From the looks of it, you would have to return a different URL from getAuthForm(), but there are also plugins in the client code that are aware of the form URL that is used to authenticate that plugin. For example, preferencesPlugin.html and fileClientPlugin.html are aware of the default form URL. So effectively these are coupled to the default auth plugin.

Already had a bug for the fixed-URL plugins.

Also the default auth service in the Orion server adds a "SignInLocation" header on any 401 response that it sends. This header again contains the default form URL, so you'd have to override that too. (The code that does this is in FormOpenIdAuthenticationService.java in the server repo.)

I see redirects on the server components too. Does one need both for a custom login form?

Yes, I believe you would have to change both (see answer to previous question).

Regards,
Mark

On Thu, May 1, 2014 at 7:25 AM, Gorkem Ercan <gorkem.ercan@xxxxxxxxx> wrote:
After doing some more research on this, I see that there is an Orion plugin "orion.core.auth" and, on the server side, IAuthenticationService. Here are some questions that I could not find answers to easily.

1. What really happens when more than one "orion.core.auth" plugin exists? Which one gets picked? Does the server configuration for "orion.auth.name" affect what is returned from ServiceRegistry.getService("orion.core.auth")?

2. What is the preferred way to change the login form? I can see that the "orion.core.auth" plugin has a function for retrieving the URL for the form; is that enough? I see redirects on the server components too. Does one need both for a custom login form?

--
Gorkem



On Mon, Apr 28, 2014 at 8:58 AM, Gorkem Ercan <gorkem.ercan@xxxxxxxxx> wrote:
Hi,
Is there documentation that describes how to add (or replace the existing) authentication service? I could hardly find any information on the authentication plugin, and adding an authentication plugin did not help much.
Thanks,
--
Gorkem



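As an added illustration of the coupling discussed in this thread (the client-side getAuthForm() URL and the server's SignInLocation header on a 401 being maintained separately) and of the check that bug [2] asks for, here is example code that is not part of the thread or of Orion itself. The server origin, the form path, the { id, getAuthForm } registration shape and the header object are constructed assumptions.

```javascript
// Added example (not Orion code): only use a client-side "orion.core.auth"
// registration's form URL (from getAuthForm()) when it agrees with the form URL
// the server advertises in the SignInLocation header of a 401 response.
// Registration shape { id, getAuthForm } and all URLs below are constructed.
const SERVER_ORIGIN = "https://orion.example.test";        // constructed
const FORM_PATH = "/mixloginstatic/example-form.html";     // placeholder path

// Resolve a possibly relative URL against the server origin; drop fragments.
function normalizeFormUrl(url, base = SERVER_ORIGIN) {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// Return the normalised SignInLocation of a 401 response, else null.
// `headers` is a plain name -> value object; lookup is case-insensitive.
function signInLocationFrom(status, headers) {
  if (status !== 401) return null;
  const key = Object.keys(headers).find(k => k.toLowerCase() === "signinlocation");
  return key ? normalizeFormUrl(headers[key]) : null;
}

// Choose which registered plugin's form to show. Instead of trusting whichever
// registration happens to be enumerated first (the order is undefined), accept
// only a same-origin form that equals the server's SignInLocation.
function chooseAuthForm(registrations, status, headers) {
  const serverForm = signInLocationFrom(status, headers);
  if (!serverForm) return { accepted: null, rejected: [], reason: "no SignInLocation on a 401" };
  const serverOrigin = new URL(serverForm).origin;
  const rejected = [];
  let accepted = null;
  for (const reg of registrations) {
    const form = normalizeFormUrl(reg.getAuthForm());
    if (new URL(form).origin !== serverOrigin) {
      rejected.push({ id: reg.id, reason: "cross-origin form" });
    } else if (form !== serverForm) {
      rejected.push({ id: reg.id, reason: "differs from SignInLocation" });
    } else if (!accepted) {
      accepted = { id: reg.id, url: form };
    }
  }
  return { accepted, rejected, reason: accepted ? "matches server" : "no plugin matches server" };
}

// Constructed sample: the stock registration plus a third-party one whose form
// lives on another origin, and the headers of a constructed 401 response.
const SAMPLE_REGISTRATIONS = [
  { id: "default", getAuthForm: () => FORM_PATH },
  { id: "candy", getAuthForm: () => "https://candy.example.test/login" },
];
const SAMPLE_401_HEADERS = { SignInLocation: FORM_PATH };
```

Running chooseAuthForm(SAMPLE_REGISTRATIONS, 401, SAMPLE_401_HEADERS) accepts only the registration whose form matches the server and records why the cross-origin one was refused.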



_______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev





