Hi Glenson,
It appears that use of DSpace's auth framework is missing from the REST API. It's
hardcoded to use DSpace EPerson password auth.
https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/java/org/dspace/rest/TokenHolder.java#L54
    public static String login(User user) {
        EPerson dspaceUser = EPerson.findByEmail(context, user.getEmail());
        if ((dspaceUser == null) ||
            (!dspaceUser.checkPassword(user.getPassword()))) {
        ...
A better solution would be to update the REST API authenticate to use what
SWORD does, and just call the Auth stack...
https://github.com/DSpace/DSpace/blob/master/dspace-swordv2/src/main/java/org/dspace/sword2/SwordAuthenticator.java#L53
    public boolean authenticates(Context context, String un, String pw)
    {
        int auth = AuthenticationManager.authenticate(context, un, pw, null, null);
        if (auth == AuthenticationMethod.SUCCESS)
        {
            return true;
        }
        return false;
    }
We should also add rate limiting to the REST API login API. Something like
fail2ban might help, but repeated failed logins should be prohibited.
________________
Peter Dietz
Longsight
www.longsight.com
[email protected]
p: 740-599-5005 x809
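As an added illustration (not DSpace's own code and not part of Peter's message): a hypothetical RestAuthHelper that replaces the hardcoded EPerson check with the same AuthenticationManager call SWORD makes, and adds the per-account failed-login throttle suggested above. The class name, the throttle policy (5 failures per 15 minutes, keyed by e-mail) and the assumption that a successful method leaves the user in context.getCurrentUser() are mine.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.dspace.authenticate.AuthenticationManager;
import org.dspace.authenticate.AuthenticationMethod;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;

/** Hypothetical helper the REST login could call instead of EPerson.checkPassword(). */
public class RestAuthHelper {
    // Assumed throttle policy: refuse further attempts for an account after
    // MAX_FAILURES failed logins inside WINDOW_MS (sliding window, keyed by e-mail).
    private static final int MAX_FAILURES = 5;
    private static final long WINDOW_MS = 15L * 60 * 1000;
    private static final Map<String, Deque<Long>> FAILURES = new ConcurrentHashMap<>();

    // Runs the configured auth stack (password, LDAP, Shibboleth, ...) the way
    // SwordAuthenticator does. Returns the EPerson on success, null otherwise.
    public static EPerson login(Context context, String email, String password) {
        if (isThrottled(email)) {
            return null; // account is locked out; do not consult the auth stack at all
        }
        int status = AuthenticationManager.authenticate(context, email, password, null, null);
        if (status == AuthenticationMethod.SUCCESS) {
            FAILURES.remove(email);          // a good login resets the counter
            return context.getCurrentUser(); // assumed: the succeeding method set the current user
        }
        recordFailure(email);                // BAD_CREDENTIALS, NO_SUCH_USER, ... all count
        return null;
    }

    private static boolean isThrottled(String email) {
        Deque<Long> window = FAILURES.get(email);
        if (window == null) { return false; }
        synchronized (window) {
            long cutoff = System.currentTimeMillis() - WINDOW_MS;
            while (!window.isEmpty() && window.peekFirst() < cutoff) {
                window.pollFirst();          // expire failures older than the window
            }
            return window.size() >= MAX_FAILURES;
        }
    }

    private static void recordFailure(String email) {
        Deque<Long> fresh = new ArrayDeque<Long>();
        Deque<Long> window = FAILURES.putIfAbsent(email, fresh);
        if (window == null) { window = fresh; }
        synchronized (window) { window.addLast(System.currentTimeMillis()); }
    }
}
```

The caller should return a generic failure for both a throttled and a rejected login so that the response does not reveal which accounts exist.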
On Wed, Aug 5, 2015 at 5:02 AM, Galupo, Glenson Carlo V. <[email protected]>
wrote:
> I just wanted to know if you are supporting LDAP authorization to log in to
> the REST API.
> Thanks...
>
> --glenson
------------------------------------------------------------------------------
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel