-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #5442 - add MultiAuthenticator to support multiple authentication options #12393
base: jetty-12.1.x
Are you sure you want to change the base?
Issue #5442 - add MultiAuthenticator to support multiple authentication options #12393
Conversation
…entication options Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
Show resolved
Hide resolved
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
Show resolved
Hide resolved
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
Show resolved
Hide resolved
...tty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
Show resolved
Hide resolved
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/AnyUserLoginService.java
Show resolved
Hide resolved
...ore/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
Show resolved
Hide resolved
Signed-off-by: Lachlan Roberts <[email protected]>
...ore/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
Show resolved
Hide resolved
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
Show resolved
Hide resolved
Signed-off-by: Lachlan Roberts <[email protected]>
* <p>This {@link LoginService} does not check credentials, a {@link UserIdentity} will be produced for any | ||
* username provided in {@link #login(String, Object, Request, Function)}.</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Credentials are not checked only if the nested LoginService
is null
, otherwise they are checked, right?
If so, can you clarify?
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/AnyUserLoginService.java
Show resolved
Hide resolved
public class MultiAuthenticator extends LoginAuthenticator | ||
{ | ||
private static final Logger LOG = LoggerFactory.getLogger(MultiAuthenticator.class); | ||
public static final String LOGIN_PATH_PARAM = "org.eclipse.jetty.security.multi.login_path"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make it private
.
Also, group together static
fields, then empty line, then non-static
fields.
{ | ||
if (!loginPath.startsWith("/")) | ||
{ | ||
LOG.warn("login path must start with /"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No warn-level logs. Convert to debug.
if (session == null) | ||
return false; | ||
|
||
synchronized (session) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unnecessary, following the discussion on #10392.
I'd remove all the synchronized
blocks around the session, as I understand from @janbartel that it is going to be a different instance for every request in any case, so synchronization is useless.
assertThat(response.getContentAsString(), containsString("<h1>Multi Login Page</h1>")); | ||
assertThat(response.getContentAsString(), containsString("/login/openid")); | ||
assertThat(response.getContentAsString(), containsString("/login/form")); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to see:
- for this test, the access to a protected resource should be tried for both authentications.
- a new test for failed authentication, protected resources are not accessible
- a test where one authentication succeeds but the other fails -- can I still access the resource? Basically I would like to know if "multi" has "and" semantic (all authentications but must successful), or "or" semantic (one successful authentication is enough).
Issue #5442
Introduces the
MultiAuthenticator
class which can be used to support multiple authentication options simultaneously for the same webapp.For example you could have an app with the options to login with FORM, OpenID or Ethereum.