From: Terefang V. <ter...@gm...> - 2015-01-23 00:44:49
hi!

ok some explanation, i will try to do this also for unity context

---
(1) public boolean userExists(String userName);
(2) public boolean userExists(String userName, String context);
---

will return true if user exists (1) or exists in context (2)

in unity this means either implicit context (1 == "/") or assigned to group context (2, for example "/A/B/C")

---
(3) public Collection<String> resolveGroups(String userName);
(4) public Collection<String> resolveGroups(String userName, String context);
---

will return the groups the user is assigned to (3) or filtered by context (4)

in unity this means either return all assigned groups of user (3) or filtered with context used as prefix (4)

example: context="/" will return all groups of user
example: context="/A" will return [/A/B/C, /A/B, /A] of a user assigned to /A/B/C and /D/E/F

---
(5) public Collection<String> resolveRoles(String userName);
(6) public Collection<String> resolveRoles(String userName, String context);
---

will return the roles the user is assigned to globally (5) or in context (6)

in unity this means to map certain defined attributes to the return list

how this should be done is TBD, but i currently have the following ideas:

* map each attribute with key starting with "role:"
  string = "${key}=${attr[key]}".substring(5).toUppercase().replaceAll("[^A-Z0-9]+","_")
* use a configured unity output profile to map attributes to role names (need research).
* use a configured groovy-script (bsf or jsr223) to map attributes to role names (already have knowledge).

---
(7) public Map<String,String> resolveAttributes(String userName);
(8) public Map<String,String> resolveAttributes(String userName, String context);
---

will return the defined attributes of a user globally (7) or in context (8)

in unity this means either implicit context (attributes in "/") or group context (attributes from for example "/A/B")

optionally, i would use a configured groovy-script (bsf or jsr223) to translate/map attributes

---
(9) public Collection<String> authenticateUser(String userName, String password);
(10) public Collection<String> authenticateUser(String userName, String password, String context);
---

will return the list of principal names if authenticated (9) or only if user is assigned to context (10), else return null.

in unity this means to use some credentialverifier

>> If you want to retrieve the authenticators configured for your endpoint you
>> can get them with getAuthenticators() method inherited from
>> AbstractEndpoint base class. Returns list of authenticator sets with
>> mirroring what you have configured in endpoint's config in
>> unityServer.conf. From the endpoint's description you can retrieve the bare
>> names of authenticators.
>
> the endpoints authenticator cannot be used, since it is only configured for (service) users (with the right) supposed to make calls to the endpoint.
> regular (real-life) users are not authorized to make calls to the endpoints, but need to be authenticated via the 'authenticateUser' method.

* what i need is a way to enumerate all configured authenticators (not only those of the endpoint).
* make a guess which authenticators credentialverifier to use and call it -- i could either:
  configure the authenticators name in the endpoints private config
  OR
  use a global attribute on the entity to decide which authenticator to use (can use a input profile to map the proper attribute during ldap-auth)

no i am not having only "one" ldap based authenticator, but around 10 of differing ads/openldap/sun/oracle/ibm (prod/qa/test).

see my dilemma?

cheers,
-- terefang

--
Ever heard that not every linux user is automatically a programmer who programs, installs, patches, hacks or ports everything he needs himself? Urks? That's just a legend.....
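As an added example, not taken from the mail above or from the Unity project: a stand-alone Java class that works through the context semantics proposed in the mail, i.e. prefix-filtered group resolution that also returns the ancestor groups down to the context (so context "/A" yields [/A/B/C, /A/B, /A] for a user in /A/B/C and /D/E/F), the userExists-in-context check, and the "role:" attribute-to-role-name mapping written out with Java's toUpperCase. It runs against a constructed in-memory user instead of Unity's API; the class name ContextResolverExample, the sample maps GROUPS and ATTRS, and the helpers normalize and inContext are this example's own inventions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Stand-alone illustration of the context semantics from the mail:
// groups are "/"-separated paths, a context is a path prefix, and
// "role:*" attributes are mapped to role names with the proposed rule.
// Backing data is a constructed in-memory sample, not Unity's API.
public class ContextResolverExample {

    // constructed sample: user -> assigned groups
    static final Map<String, Set<String>> GROUPS = new LinkedHashMap<>();
    // constructed sample: user -> flat attribute key/value pairs
    static final Map<String, Map<String, String>> ATTRS = new LinkedHashMap<>();
    static {
        GROUPS.put("alice", new LinkedHashSet<>(Arrays.asList("/A/B/C", "/D/E/F")));
        Map<String, String> a = new LinkedHashMap<>();
        a.put("role:admin", "yes");
        a.put("role:ldap-sync", "prod");
        a.put("mail", "alice@example.org");   // no "role:" prefix, ignored for roles
        ATTRS.put("alice", a);
    }

    // "/A/" and "" are normalised to "/A" and "/" so prefix checks are exact
    static String normalize(String context) {
        if (context == null || context.isEmpty()) return "/";
        if (context.length() > 1 && context.endsWith("/"))
            return context.substring(0, context.length() - 1);
        return context;
    }

    // true if group is the context group itself or lies below it
    static boolean inContext(String group, String ctx) {
        return "/".equals(ctx) || group.equals(ctx) || group.startsWith(ctx + "/");
    }

    // (1)/(2): user known at all (context "/"), or assigned somewhere under context
    public static boolean userExists(String userName, String context) {
        Set<String> assigned = GROUPS.get(userName);
        if (assigned == null) return false;
        String ctx = normalize(context);
        for (String g : assigned) if (inContext(g, ctx)) return true;
        return false;
    }

    // (3)/(4): assigned groups plus their ancestors, cut off at the context prefix.
    public static Collection<String> resolveGroups(String userName, String context) {
        Set<String> assigned = GROUPS.getOrDefault(userName, new LinkedHashSet<>());
        String ctx = normalize(context);
        Set<String> out = new LinkedHashSet<>();
        for (String g : assigned) {
            String cur = g;
            while (inContext(cur, ctx)) {
                out.add(cur);
                int slash = cur.lastIndexOf('/');
                if (slash <= 0) break;          // "/X" reached, root "/" is implicit
                cur = cur.substring(0, slash);  // walk up one level
            }
        }
        return new ArrayList<>(out);
    }

    // (5): the "role:" mapping idea from the mail, written out:
    // key "role:ldap-sync" with value "prod" -> "ldap-sync=prod" -> "LDAP_SYNC_PROD"
    public static Collection<String> resolveRoles(String userName) {
        Collection<String> roles = new ArrayList<>();
        Map<String, String> attrs = ATTRS.getOrDefault(userName, new LinkedHashMap<>());
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            if (!e.getKey().startsWith("role:")) continue;
            String role = (e.getKey() + "=" + e.getValue())
                    .substring(5)                    // drop the "role:" prefix
                    .toUpperCase()
                    .replaceAll("[^A-Z0-9]+", "_");  // collapse separators to "_"
            roles.add(role);
        }
        return roles;
    }

    public static void main(String[] args) {
        System.out.println(userExists("alice", "/A"));
        System.out.println(userExists("alice", "/Z"));
        System.out.println(resolveGroups("alice", "/"));
        System.out.println(resolveGroups("alice", "/A"));
        System.out.println(resolveRoles("alice"));
    }
}
```

The ancestor walk in resolveGroups stops as soon as the next level up leaves the context, which is what makes "/A" return exactly [/A/B/C, /A/B, /A] and nothing from the /D subtree; a context-filtered resolveRoles (6) would simply apply the same mapping to the attributes of the context group instead of the global ones.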