Followup to IRC conversation with hpottinger.

Please remind me why we do this. If there are two stacked AuthenticationMethods which happen to use the same identifiers, we could ignore the user's choice and always authenticate using the first one. At most one method is allowed to succeed before AuthenticationManager.authenticate() returns, so the reason can't be to let every method get a look at the login request.

Should we not rather have an AuthenticationMethod.authorize() in addition to .authenticate()? A UI would tell AuthenticationManager which method to use for authentication, and then AuthenticationManager would call authorize() on every method. authenticate would *only* verify credentials; authorize() would be for whatever a method would like to do, such as decorating the session with additional information, updating the EPerson or other records, etc. It might be sensible to have authorize() take up the function of adding special groups to the session.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
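
The split proposed in the message above, as an added sketch that is not part of the original post and is not DSpace code: the `Method` interface, the `Simple` class, both helper functions and all sample data are hypothetical, and the real AuthenticationMethod/AuthenticationManager signatures are not reproduced. It contrasts a stack where any method may accept the login with one where only the method chosen in the UI verifies credentials and every method then gets authorize().

```java
import java.util.*;

// Hypothetical model (Java 16+); names do not match the DSpace API.
public class StackedAuthSketch {
    interface Method {
        String name();
        boolean authenticate(String user, String password);      // verify credentials only
        void authorize(String user, Set<String> sessionGroups);  // decorate the session
    }

    // Toy method backed by an in-memory map; a real one would query a directory or database.
    record Simple(String name, Map<String, String> users, String group) implements Method {
        public boolean authenticate(String user, String password) {
            String stored = users.get(user);
            return stored != null && stored.equals(password);
        }
        public void authorize(String user, Set<String> sessionGroups) {
            if (users.containsKey(user)) sessionGroups.add(group); // special group for known users
        }
    }

    // Stacked behaviour: walk the stack in order, the first method to succeed wins,
    // whatever the user selected in the UI.
    static String authenticateStacked(List<Method> stack, String user, String pw) {
        for (Method m : stack) if (m.authenticate(user, pw)) return m.name();
        return null;
    }

    // Proposed behaviour: only the chosen method verifies credentials;
    // on success every method in the stack is offered authorize().
    static Set<String> login(List<Method> stack, String chosen, String user, String pw) {
        Method picked = stack.stream().filter(m -> m.name().equals(chosen)).findFirst().orElse(null);
        if (picked == null || !picked.authenticate(user, pw)) return null;
        Set<String> groups = new TreeSet<>();
        for (Method m : stack) m.authorize(user, groups);
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample data: the same identifier exists in both methods.
        List<Method> stack = List.of(
            new Simple("password", Map.of("mwood", "local-pw"), "LocalUsers"),
            new Simple("ldap", Map.of("mwood", "ldap-pw"), "CampusUsers"));
        // The user selected "ldap" but the local password was submitted.
        System.out.println("stacked, local password:  " + authenticateStacked(stack, "mwood", "local-pw"));
        System.out.println("proposed, local password: " + login(stack, "ldap", "mwood", "local-pw"));
        System.out.println("proposed, ldap password:  " + login(stack, "ldap", "mwood", "ldap-pw"));
    }
}
```

In the first call the login is accepted by a method the user did not select; in the second the chosen method rejects it; in the third both methods contribute groups through authorize().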
