Re: [basedb-devel] External authentication

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On 2011-03-01 12:58, Pawel Sztromwasser wrote:
> Hi Nicklas,
>
> I changed the Application.getAuthenticator() to use a separate
> classloader for external login plugin (attached a diff to the ticket
> #1575) and I was able to verify user's credentials using an STS service.

Thanks for the patch. It seems simple enough. I think the exception 
handling might need to be improved since it was assumed that the 
external system always knew if it was a bad login or a bad password.

> I got a bit unexpected behavior of BASE that tried to create a new
> account for the user after it failed finding it by an externalId. Of
> course, I had not set the externalId in advance. The logins of the
> external STS service and BASE account happened to be the same, so the
> whole process failed violating the unique-key constraint on login
> column. This is sth I will need to consider when integrating two sets of
> users from different applications.

The external authentication assumes that no "local" accounts except the 
root user account exists on the BASE server. The root account is handled 
as a special case so that it is possible to access BASE even if the 
external authentication system is down.

> But there is another problem I was struggling with. And apparently not
> only me [1]. Tomcat/axis/java has a problem when two
> axis2-kernel-x.x.jar jars are in the classpath. Even if the versions are
> the same. I tried multiple combinations with axis2 1.4 and 1.5.1. I
> downgraded the plugin to use axis2-1.3 and rampart1.3. I stripped-down
> the set of jars that my plugin uses, trying to use as many libraries
> shipped with BASE as possible. In principle it should work as long as
> all the dependencies were satisfied (by parent classloader of webapp),
> but when axis2-kernel was not loaded by the same classloader as Apache
> Rampart jars, I couldn't get rampart to engage.
>
> It seems like it is impossible to have axis2 in more than one location
> in the classpath. The only way it works is when only one
> axis2-kernel.jar is loaded by tomcat. So I either need to include all
> dependencies of my plugin into the /WEB-INF/lib directory of BASE, and
> use axis2 shipped with BASE; or I remove the axis2-kernel-1.3.jar from
> WEB-INF/lib of BASE and load it together with my plugin and rest of its
> dependencies. The latter one will of course break BASE's Web Services. I
> haven't had problems with other jars, despite I use different version of
> (for example) axiom libraries. No conflicts with other axis2 libraries,
> only axis2-kernel.
>
> I am happy because it works now, although with BASE's axis2 1.3. But I
> can imagine that in some time I might need to use newer axis2, and then
> I will have to try to upgrade it in BASE as well. If it is backwards
> compatible, it should go smooth, and the BASE Web Services will work.
> But it would be still good to test. Is there a test suite available for
> BASE Web Services that I could try? Or maybe you were considering
> upgrade yourself?
>

Class loading can be problematic sometimes. I don't know of any specific 
problems with Axis, but it seems like you have investigated this more 
than me.

We have tried to upgrade to Axis 1.5 but unfortunately there is a bug 
when handling date values. http://base.thep.lu.se/ticket/1353#comment:8
It seems like it has been fixed but for some reason the fix hasn't been 
released yet.

/Nicklas