+1 to your suggestion. And please remove the AuthenticationInterceptorTest I added yesterday, probably it doesn't make too much sense.
Kind Regards, Stefan On 04/22/2015 12:08 PM, Emmanuel Lécharny wrote: > Hi, > > yesterday, we were hit by a bus, and it was expected for a very long > time. The way we handle authenticators is far from ebing perfect. > > Here is the current code : > > public void bind( BindOperationContext bindContext ) throws > LdapException > { > ... > for ( Authenticator authenticator : authenticators ) > { > try > { > // perform the authentication > LdapPrincipal principal = > authenticator.authenticate( bindContext ); > ... > > We have many instances of Authenticator : > - AnonymousAuthenticator > - DelegatingAuthenticator > - SimpleAuthenticator > - StrongAuthenticator > > The list of authenticator we will use is determinated by the type of > requested authentication (one of none, simple, or strong). Here is the > list of the associated authentication we currently support. > > Level Authenticator > Simple -> SimpleAuthenticator, DelegatingAuthenticator > None -> AnonymousAuthenticator > Strong -> StrongAuthenticator > > > As we can see, the 'Simple' bind will try two authenticator at least > (this is true for any authentication level, assuming some additional > Authenticator instance has been added for a specific level). > > So how can we proceed ? Currently, we expect the authenticator to be > checked one after the other, even if it's a waste (typically, we will > try to do an authentication using the SimpleAuthenticator, even if the > Bind DN is part of the DelegatedAuthenticator area). > > I think we should add a selector in the Authenticator interface, that > tells if the Authenticator instance has to be called or not. All in all, > we should *never* call two authenticator instances. > > A method like : > > Authenticator selectAuthenticator( DN bindDn, AuthenticatorLevel level ) > > which would select the unique authenticator instance that will be used > to authenticate the session would be a good addition, IMO. > > WDYT ? >