Details
- Type: New Feature
- Status: Closed
- Priority: Should
- Resolution: Fixed
- Complexity: Medium
- Sprint: Burke's Test Sprint
Description
In order to support LDAP and other authentication schemes (e.g., CGI-based authentication), UserContext should support a new AuthenticationScheme interface, with a default BasicAuthenticationScheme (username and password) implemented out of the box. New authentication schemes could be introduced by writing a new implementation of AuthenticationScheme and wiring it in through the API configuration files. Ideally, substitution (or addition) of an authentication scheme would be protected (e.g., limited to a configuration file setting and not easily done through the API), so that arbitrary code could not substitute a bogus authentication scheme to subvert proper authentication.

public interface UserContext {
    /* Maintain support in API for simple authentication */
    public User authenticate(String username, String password)
        throws ContextAuthenticationException;

    /* Also support any future authentication scheme */
    public Authenticated authenticate(Credentials credentials)
        throws ContextAuthenticationException;

    /*
     * Registration or removal of authentication schemes is protected.
     * (Note: a Java interface cannot declare protected methods; in an
     * implementation these would live on the implementing class or be
     * restricted to configuration loading rather than exposed on the
     * public API.)
     */
    protected void addAuthenticationScheme(AuthenticationScheme scheme);
    protected void removeAuthenticationScheme(AuthenticationScheme scheme);
}

/*
 * Authentication schemes define their own credentials.
 * Any client authenticating against a given scheme must
 * supply appropriate credentials.
 */
public interface Credentials {
    /*
     * Credentials will contain scheme-specific properties, but
     * all credentials must declare their scheme.
     */
    public String getAuthenticationScheme();
}

/* Defines an authentication scheme that can be used by the API. */
public interface AuthenticationScheme {
    /*
     * Returns the authenticated user for the API, but may return
     * additional information (e.g., an authentication token that
     * can be used for subsequent authentication).
     */
    public Authenticated authenticate(Credentials credentials)
        throws ContextAuthenticationException;
}

/* Used to allow more than just a user to be returned by authentication */
public interface Authenticated {
    // Scheme through which the user was authenticated
    public String getAuthenticationScheme();

    // OpenMRS user account that was authenticated
    public User getUser();

    // ... any additional data returned by the scheme (e.g., token) ...
}
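The sketch above leaves open how the scheme registry is protected and how a scheme-specific Credentials object is dispatched. The following is an added, self-contained illustration written for this page; it is not OpenMRS code and not the implementation that eventually shipped. It assumes a hypothetical getSchemeId() on AuthenticationScheme, stand-in User and ContextAuthenticationException classes, and a constructed in-memory password table; it shows the registry fixed at configuration time (no add/remove on the public API), dispatch by the scheme name the credentials declare, rejection of credentials for an unregistered scheme, and a constant-time password comparison in the basic scheme.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-ins for OpenMRS's User and ContextAuthenticationException.
final class User {
    private final String username;
    User(String username) { this.username = username; }
    String getUsername() { return username; }
}
final class ContextAuthenticationException extends Exception {
    ContextAuthenticationException(String msg) { super(msg); }
}

interface Credentials { String getAuthenticationScheme(); }
interface Authenticated { String getAuthenticationScheme(); User getUser(); }
interface AuthenticationScheme {
    String getSchemeId(); // assumed addition: the name a scheme is registered under
    Authenticated authenticate(Credentials credentials) throws ContextAuthenticationException;
}

// Credentials for the built-in username/password scheme.
final class UsernamePasswordCredentials implements Credentials {
    final String username; final String password;
    UsernamePasswordCredentials(String u, String p) { username = u; password = p; }
    public String getAuthenticationScheme() { return BasicAuthenticationScheme.ID; }
}

final class BasicAuthenticationScheme implements AuthenticationScheme {
    static final String ID = "basic";
    // Constructed in-memory table; a real scheme would verify a salted hash from the user store.
    private final Map<String, String> passwords;
    BasicAuthenticationScheme(Map<String, String> passwords) { this.passwords = new HashMap<>(passwords); }
    public String getSchemeId() { return ID; }
    public Authenticated authenticate(Credentials c) throws ContextAuthenticationException {
        if (!(c instanceof UsernamePasswordCredentials)) {
            throw new ContextAuthenticationException("basic scheme requires username/password credentials");
        }
        UsernamePasswordCredentials up = (UsernamePasswordCredentials) c;
        String expected = passwords.get(up.username);
        // Compare in constant time, against a dummy value for unknown users, so neither a
        // partial match nor the existence of the username leaks through timing.
        byte[] a = (expected == null ? "\0" : expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = up.password.getBytes(StandardCharsets.UTF_8);
        boolean match = MessageDigest.isEqual(a, b);
        if (expected == null || !match) {
            throw new ContextAuthenticationException("invalid username or password");
        }
        User user = new User(up.username);
        return new Authenticated() {
            public String getAuthenticationScheme() { return ID; }
            public User getUser() { return user; }
        };
    }
}

// The scheme registry is built once from configuration and is unmodifiable afterwards,
// so nothing reachable through the API can register or replace a scheme.
final class UserContext {
    private final Map<String, AuthenticationScheme> schemes;
    private UserContext(Map<String, AuthenticationScheme> schemes) {
        this.schemes = Collections.unmodifiableMap(new HashMap<>(schemes));
    }
    static UserContext fromConfiguration(AuthenticationScheme... configured) {
        Map<String, AuthenticationScheme> m = new HashMap<>();
        for (AuthenticationScheme s : configured) {
            if (m.put(s.getSchemeId(), s) != null) {
                throw new IllegalStateException("duplicate scheme id: " + s.getSchemeId());
            }
        }
        return new UserContext(m);
    }
    public User authenticate(String username, String password) throws ContextAuthenticationException {
        return authenticate(new UsernamePasswordCredentials(username, password)).getUser();
    }
    public Authenticated authenticate(Credentials credentials) throws ContextAuthenticationException {
        AuthenticationScheme scheme = schemes.get(credentials.getAuthenticationScheme());
        if (scheme == null) {
            throw new ContextAuthenticationException("no such authentication scheme");
        }
        Authenticated result = scheme.authenticate(credentials);
        // Defence in depth: the result must be labelled with the scheme that produced it.
        if (!scheme.getSchemeId().equals(result.getAuthenticationScheme())) {
            throw new ContextAuthenticationException("scheme returned a mislabelled result");
        }
        return result;
    }
}

public class AuthenticationSchemeDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample account; only the basic scheme is configured.
        UserContext ctx = UserContext.fromConfiguration(
            new BasicAuthenticationScheme(Collections.singletonMap("admin", "Admin123")));
        System.out.println("ok: " + ctx.authenticate("admin", "Admin123").getUsername());
        try { ctx.authenticate("admin", "wrong"); }
        catch (ContextAuthenticationException e) { System.out.println("rejected: " + e.getMessage()); }
        // Credentials declaring an unregistered scheme are refused before any scheme runs.
        Credentials ldap = () -> "ldap";
        try { ctx.authenticate(ldap); }
        catch (ContextAuthenticationException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The point of fromConfiguration being the only constructor path is the protection the description asks for: adding an LDAP or CGI scheme means listing it in configuration, and code that merely holds a UserContext cannot swap the basic scheme for one that accepts anything.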
Initial design discussions occurred in the Talk thread below; additional notes are on the developers forum.
Talk thread: https://talk.openmrs.org/t/openmrs-and-sso/1757
Issue Links
- caused: TRUNK-5486 CacheException thrown with application context locations set on subclasses of BaseContextSensitiveTest (Ready for Work)
- is depended on by: TRUNK-20 LDAP Integration (Closed); TRUNK-3918 CGI Authentication Scheme (Closed)
- relates to: TRUNK-20 LDAP Integration (Closed)