From: Krzysztof B. <go...@ic...> - 2015-01-23 09:44:35
Hi,

On 23.01.2015 at 01:44, Terefang Verigorn wrote:
> (9) public Collection<String> authenticateUser(String userName, String password);
> (10) public Collection<String> authenticateUser(String userName, String password, String context);
> ---
> will return the list of principal names if authenticated(9) or only if
> user is assigned to context(10) else return null.
>
> in unity this means to use some credentialverifier
>
> If you want to retrieve the authenticators configured for your
> endpoint you can get them with getAuthenticators() method
> inherited from AbstractEndpoint base class. Returns list of
> authenticator sets with mirroring what you have configured in
> endpoint's config in unityServer.conf. From the endpoint's
> description you can retrieve the bare names of authenticators.
>
>
> the endpoints authenticator cannot be used, since it is only configured
> for (service) users (with the right) supposed to make calls to the endpoint.
>
> regular (real-life) users are not authorized to make calls to the
> endpoints, but need to be authenticated via the
> 'authenticateUser' method.
> * what i need is a way to enumerate all configured authenticators (not
> only those of the endpoint).
>
> * make a guess which authenticators credentialverifier to use and call
> it -- i could either:
>
> configure the authenticators name in the endpoints private config
> OR
> use a global attribute on the entity to decide which authenticator to use
> (can use an input profile to map the proper attribute during ldap-auth)
>
>
> no i am not having only "one" ldap based authenticator,
> but around 10 of differing ads/openldap/sun/oracle/ibm (prod/qa/test).
>
> see my dilemma?

OK, now much more clear. So what you need here is to get CredentialVerificators which implement PasswordExchange as this is the only credential you want to verify. CredentialVerificator is a part of Authenticator (together with retrieval which you don't need).

So now you have two ways to proceed:

1) Either use AuthenticationManagement to retrieve authenticators and use them. To get the expected functionality you will have to implement a trivial (noop in fact) retrieval (supporting some pseudo binding) that will directly expose the underlying verificator to your code. Then you can use it. Such authenticators won't work with any real endpoint but this shouldn't be a problem.

2) Or check the AuthenticationManagementImpl and AuthenticatorImpl classes and reimplement their parts that are responsible for creating CredentialVerificators. Create them in your code and that's all.

In both cases you need some configuration as you wrote to know which authenticators/verificators should be used. In (1) it can be probably simplified: you can use all authenticators supporting your pseudo binding.

Cheers,
Krzysztof