Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #5442 - add MultiAuthenticator to support multiple authentication options #12393

Open
wants to merge 6 commits into
base: jetty-12.1.x
Choose a base branch
from

Conversation

lachlan-roberts
Copy link
Contributor

Issue #5442

Introduces the MultiAuthenticator class which can be used to support multiple authentication options simultaneously for the same webapp.

For example you could have an app with the options to login with FORM, OpenID or Ethereum.

@lachlan-roberts lachlan-roberts self-assigned this Oct 16, 2024
Signed-off-by: Lachlan Roberts <[email protected]>
@lachlan-roberts lachlan-roberts requested a review from gregw October 30, 2024 13:18
Comment on lines +29 to +30
* <p>This {@link LoginService} does not check credentials, a {@link UserIdentity} will be produced for any
* username provided in {@link #login(String, Object, Request, Function)}.</p>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Credentials are not checked only if the nested LoginService is null, otherwise they are checked, right?
If so, can you clarify?

public class MultiAuthenticator extends LoginAuthenticator
{
private static final Logger LOG = LoggerFactory.getLogger(MultiAuthenticator.class);
public static final String LOGIN_PATH_PARAM = "org.eclipse.jetty.security.multi.login_path";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make it private.

Also, group together static fields, then empty line, then non-static fields.

{
if (!loginPath.startsWith("/"))
{
LOG.warn("login path must start with /");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No warn-level logs. Convert to debug.

if (session == null)
return false;

synchronized (session)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unnecessary, following the discussion on #10392.

I'd remove all the synchronized blocks around the session, as I understand from @janbartel that it is going to be a different instance for every request in any case, so synchronization is useless.

assertThat(response.getContentAsString(), containsString("<h1>Multi Login Page</h1>"));
assertThat(response.getContentAsString(), containsString("/login/openid"));
assertThat(response.getContentAsString(), containsString("/login/form"));
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to see:

  • for this test, the access to a protected resource should be tried for both authentications.
  • a new test for failed authentication, protected resources are not accessible
  • a test where one authentication succeeds but the other fails -- can I still access the resource? Basically I would like to know if "multi" has "and" semantic (all authentications but must successful), or "or" semantic (one successful authentication is enough).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: 👀 In review
Development

Successfully merging this pull request may close these issues.

3 participants