[ 
https://issues.apache.org/jira/browse/OAK-3508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14955049#comment-14955049
 ] 

Tobias Bocanegra commented on OAK-3508:
---------------------------------------

Not quite. Our SSO module only sets the shared credentials; it does not return 
*TRUE* on login:

{code}
    public boolean login() throws LoginException {
        Credentials credentials = getCredentials();
        if (credentials instanceof SSOCredentials) {
            userId = ((SSOCredentials) credentials).getUserId();
            if (userId == null) {
                log.debug("Could not extract userId/credentials");
            } else {
                // we just set the login name and rely on the following login modules to populate the subject
                sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
                sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId, new char[0]));
                sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
                log.debug("login succeeded with trusted user: {}", userId);
            }
        }
        // never claim success here: the module is "ignored" and the chain continues
        return false;
    }
{code}

This was done this way to keep the entire user lookup and subject population 
in the default login module, i.e. to make the SSO login module user-manager 
agnostic.

The only other option is to swap the default and external login modules and keep 
them sufficient. This way the external login module is always treated first. 
The only fear is uid collisions for users that exist in both LDAP and the local 
repository (e.g. admin). But since they lack the {{ref:externalId}} 
flag, the external login module should ignore them.
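The two module orders discussed above, traced with a small model of the JAAS login-phase rules for the sufficient and optional flags. This is an added example, not Oak code or code from this thread; the user sets and the three stand-in modules are constructed assumptions, and only the SSO stand-in mirrors the snippet above (it seeds shared state and returns false).

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): one repository-local user and
# one user that exists only in the external IDP.
LOCAL_USERS = {"admin"}
EXTERNAL_USERS = {"alice"}

# A module gets the JAAS shared state and returns True (login succeeded) or
# False (module ignored). Only the flags used on this issue are modelled.
Module = Callable[[Dict[str, object]], bool]
Chain = List[Tuple[str, str, Module]]

def evaluate(chain: Chain, shared: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Run the login() phase over a chain; return (overall success, modules invoked)."""
    invoked: List[str] = []
    any_success = False
    for name, flag, module in chain:
        invoked.append(name)
        if module(shared):
            any_success = True
            if flag == "sufficient":
                break  # a successful sufficient module ends the chain early
        # an ignored module (False) never counts as success; the chain continues
    return any_success, invoked

def sso_module(shared: Dict[str, object]) -> bool:
    # Mirrors the snippet above: seed the shared state, never claim success.
    if shared.get("sso_user"):
        shared["pre_auth_login"] = shared["sso_user"]
    return False

def default_module(shared: Dict[str, object]) -> bool:
    # Constructed stand-in: resolves pre-authenticated users in the local repository.
    return shared.get("pre_auth_login") in LOCAL_USERS

def external_module(shared: Dict[str, object]) -> bool:
    # Constructed stand-in: handles only users known to the external IDP.
    return shared.get("pre_auth_login") in EXTERNAL_USERS

# The setup from the issue description, and the swapped order proposed above.
ORIGINAL: Chain = [("sso", "sufficient", sso_module),
                   ("default", "optional", default_module),
                   ("external", "sufficient", external_module)]
SWAPPED: Chain = [("sso", "sufficient", sso_module),
                  ("external", "sufficient", external_module),
                  ("default", "sufficient", default_module)]

def trace(chain: Chain, sso_user: Optional[str]) -> Tuple[bool, List[str]]:
    """One login with the SSO-provided user id (None = no SSO credentials)."""
    return evaluate(chain, {"sso_user": sso_user})
```

With the original order every login visits all three modules because the SSO module never returns true; with the swapped order the external module is consulted first and a local-only user falls through to the default module.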

> External login module should reduce LDAP lookups for pre-authenticated users
> ----------------------------------------------------------------------------
>
>                 Key: OAK-3508
>                 URL: https://issues.apache.org/jira/browse/OAK-3508
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>    Affects Versions: 1.2, 1.4, 1.0.22
>            Reporter: Tobias Bocanegra
>            Assignee: Tobias Bocanegra
>
> Consider the following JAAS setup:
> - *sufficient* SSO Login Module
> - *optional* Default Login Module
> - *sufficient* External Login Module
> This causes each login() to reach the external login module (which is 
> desired) but causes an IDP lookup for each login, even if the user is already 
> synced with the repository.
> Ideally the login module could pass the {{ExternalIdentityRef}} to the sync 
> handler and do a tentative sync. The {{lastSyncTime}} should be respected in 
> this case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
