From: Krzysztof B. <go...@ic...> - 2015-01-27 09:43:24
Hi,

On 26.01.2015 at 23:35, Terefang Verigorn wrote:
> hi!
>
> seems that i have to revisit the BindingAuthn contract game, because
> some call traffic causes authentication errors.
>
>
> ah, some thoughts that have come up during consuming the unity code:
>
> * don't you intend to move the "public AuthenticationResult
> getAuthenticationResult();" method to the BindingAuthn interface, since
> every other derived interface defines (and needs) it anyway?

No, not every. In some situations the retrieval of AuthenticationResult is more complicated, e.g. async. See Vaadin authn (for the web UI).

> * as far as i have understood is that all "*Management" interfaces need
> some authorization to check.
>
> wouldn't it be logical to implement the actual functionality in a
> "*Helper" and let the "*Management" impl check for security and then
> delegate to the "*Helper".
>
> so server code may choose if they are doing administrative work, hence
> using "*Helper" beans directly
> or are subject to authorization, hence using "*Management" beans.

This is implemented in a cleaner way. To have a manager which doesn't authorize, simply inject it with @Qualifier("insecure"). *Management is in general business logic including authZ. Helpers are helpers - with code shared between different managers. In a couple of cases the authZ is more tightly bound to the logic so separating this is not that easy (e.g. if you have higher capabilities you will get more complete results).

> * wouldn't it make sense to have a "public static AuthenticatorImpl
> create(IdentityResolver idRes, AuthenticatorsRegistry authReg,
> AuthenticatorInstance instDescr);" in class AuthenticatorImpl ?
>
> so you can keep create code in one place and not all over.
>

Currently this 'all over' == AuthenticatorLoader. So the answer is rather not, as direct use of such a method would anyway call for a helper bean which will have both bean dependencies injected - otherwise you have to inject 2 instead of 1 ;-) Yup, minimal difference. BTW your approach would require more args (sql session to be able to join the running transaction) and more versions of create.

> * your code refers to a LICENSE.txt but neither the rpm nor the git-repo
> contain one.
>
> i have read on the webpage that unity-idm is licensed under permissive bsd,
> yet there are several (http://en.wikipedia.org/wiki/BSD_licenses)
>
> unless there is a definitive LICENSE.txt i can refer to, i can't publish my
> code (open source it)
> under my preferred Apache License (http://choosealicense.com/licenses/)

Yes, it is BSD, and LICENSE.txt should also be in the distribution. Will be fixed, thanks for the reminder.

Best,
Krzysztof