Re: [ApacheDS] Authenticator selection

Wed, 22 Apr 2015 09:38:16 -0700 

+1 to your suggestion.

And please remove the AuthenticationInterceptorTest I added yesterday,
probably it doesn't make too much sense.

Kind Regards,
Stefan


On 04/22/2015 12:08 PM, Emmanuel Lécharny wrote:
> Hi,
> 
> yesterday, we were hit by a bus, and it was expected for a very long
> time. The way we handle authenticators is far from ebing perfect.
> 
> Here is the current code :
> 
>     public void bind( BindOperationContext bindContext ) throws
> LdapException
>     {
>         ...
>             for ( Authenticator authenticator : authenticators )
>             {
>                 try
>                 {
>                     // perform the authentication
>                     LdapPrincipal principal =
> authenticator.authenticate( bindContext );
>                     ...
> 
> We have many instances of Authenticator :
> - AnonymousAuthenticator
> - DelegatingAuthenticator
> - SimpleAuthenticator
> - StrongAuthenticator
> 
> The list of authenticator we will use is determinated by the type of
> requested authentication (one of none, simple, or strong). Here is the
> list of the associated authentication we currently support.
> 
> Level     Authenticator
> Simple -> SimpleAuthenticator, DelegatingAuthenticator
> None   -> AnonymousAuthenticator
> Strong -> StrongAuthenticator
> 
> 
> As we can see, the 'Simple' bind will try two authenticator at least
> (this is true for any authentication level, assuming some additional
> Authenticator instance has been added for a specific level).
> 
> So how can we proceed ? Currently, we expect the authenticator to be
> checked one after the other, even if it's a waste (typically, we will
> try to do an authentication using the SimpleAuthenticator, even if the
> Bind DN is part of the DelegatedAuthenticator area).
> 
> I think we should add a selector in the Authenticator interface, that
> tells if the Authenticator instance has to be called or not. All in all,
> we should *never* call two authenticator instances.
> 
> A method like :
> 
>     Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level )
> 
> which would select the unique authenticator instance that will be used
> to authenticate the session would be a good addition, IMO.
> 
> WDYT ?
>

Reply via email to