From: Joby W. <joby@u.washington.edu> - 2004-01-22 15:38:02
For actual authentication, I think we should avoid the stacked system. But we probably want to keep the stacking of Anon and Bogo if they are defined.

jbw

Reini Urban wrote:
> Hi
> I'm just finishing the new wikiuser authcode and came to this question:
>
> In the current code the authentication methods are "stacked", that
> means that the methods are searched in a predefined search order
> (e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth).
>
> The first method which returns true is taken. False is only returned if
> all defined methods fail.
>
> With my new code we allow even more auth methods:
> internal db, external db, file
>
> Now how should the admin configure his authentication:
> 1) Should he be able to define the search order?
> 2) Should he be able to define stacked (policy c) or strict (policy b)
> or pre-defined method order (policy a)?
>
> The problem is that the user may exist with the current method but the
> password is wrong, which brings him to the next method. This might not
> be wished for certain auth methods where the username and password must
> match and no other methods may be tried if the username exists in the
> database but with the wrong password. For example, the database password
> is wrong, but a file password that matches is ok.
>
> Currently the order of the first three methods is fixed:
> Anon if defined, Bogo if defined, User if defined.
> Those three methods are stacked.
>
> With the new methods in the new auth classes (called if
> ALLOW_USER_PASSWORDS is defined and the previous methods failed) one
> could define policy c: a stacked scheme ("try next method if it fails"),
> or policy b: a stricter scheme ("check user and if she exists the
> password, on failure try no other methods").
> To make things even more complicated, my current code makes use of only one
> pre-defined external auth method (policy a), which simply upgrades the
> user class in the constructor, and not in the checkUser() or
> UserExists() methods.
>
> How to define the auth policies in index.php?
>
> One could easily define a new config variable like
> define('FAIL_ON_WRONG_PASSWORD',true);
> which defines the strict scheme, and if not defined
> the stacked scheme will be used.
> The simple problem is that then we will have to define one more method
> for all user classes:
> $user->UserExists():
> Currently we need only ->checkPass() and optionally ->storePass().
>
> The code for a simple predefined (non-stacked) scheme is now
> ready, where only one auth method is predefined, for all users.
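The three policies discussed in the thread (stacked, strict, pre-defined), written out as an added example that is not PhpWiki's own code; the backend interface, the in-memory ArrayBackend and the sample users are hypothetical stand-ins for the real user classes, and the FAIL_ON_WRONG_PASSWORD switch is the one proposed above.

```php
<?php
// Added example, not PhpWiki code: the three auth policies from the thread
// over hypothetical in-memory backends (the real user classes are assumed).
interface AuthBackend {
    public function userExists(string $user): bool;   // the extra method policy b needs
    public function checkPass(string $user, string $pass): bool;
}
final class ArrayBackend implements AuthBackend {
    public function __construct(private array $hashes) {}   // user => password_hash()
    public function userExists(string $user): bool { return isset($this->hashes[$user]); }
    public function checkPass(string $user, string $pass): bool {
        return $this->userExists($user) && password_verify($pass, $this->hashes[$user]);
    }
}
// Policy c (stacked): the first backend that accepts wins. A wrong password at one
// backend falls through to the next, which is the case the thread worries about.
function authStacked(array $backends, string $user, string $pass): bool {
    foreach ($backends as $b) {
        if ($b->checkPass($user, $pass)) { return true; }
    }
    return false;
}
// Policy b (strict): the first backend that knows the user gives the final verdict,
// so a wrong password there is never retried against a later backend.
function authStrict(array $backends, string $user, string $pass): bool {
    foreach ($backends as $b) {
        if ($b->userExists($user)) { return $b->checkPass($user, $pass); }
    }
    return false;
}
// Policy a (pre-defined): one backend for everybody, no search order at all.
function authPredefined(AuthBackend $backend, string $user, string $pass): bool {
    return $backend->checkPass($user, $pass);
}
// The config switch proposed in the thread selects between policies b and c.
function authenticate(array $backends, string $user, string $pass): bool {
    $strict = defined('FAIL_ON_WRONG_PASSWORD') && FAIL_ON_WRONG_PASSWORD;
    return $strict ? authStrict($backends, $user, $pass) : authStacked($backends, $user, $pass);
}
// Constructed sample data: alice is in both stores with different passwords.
$db   = new ArrayBackend(['alice' => password_hash('db-secret', PASSWORD_DEFAULT)]);
$file = new ArrayBackend(['alice' => password_hash('file-secret', PASSWORD_DEFAULT),
                          'bob'   => password_hash('bob-pw', PASSWORD_DEFAULT)]);
$chain = [$db, $file];
define('FAIL_ON_WRONG_PASSWORD', true);
var_dump(authStacked($chain, 'alice', 'file-secret'));  // stacked: db rejects, file is still tried
var_dump(authenticate($chain, 'alice', 'file-secret')); // strict: db knows alice, its verdict is final
var_dump(authenticate($chain, 'bob', 'bob-pw'));        // strict: db does not know bob, file decides
var_dump(authPredefined($file, 'alice', 'db-secret'));  // policy a: only the file store is consulted
```

The comparison of the first two calls is the point: with a stacked search order, knowing any one backend's password for a username is enough, whereas the strict policy lets the backend that owns the account reject the login outright.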