DSpace / DS-367

processing of Authentication methods is independent of the chosen Login method (when multiple are available)

    Details

    • Type: Bug
    • Status: Volunteer Needed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Component/s: DSpace API
    • Labels: None
    • Attachments: 0
    • Comments: 1
    • Documentation Status: Needed

      Description

      When using multiple authentication methods, e.g.

      plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
      org.dspace.authenticate.PasswordAuthentication, \
      org.dspace.authenticate.LDAPAuthentication, \
      org.dspace.authenticate.ShibAuthentication

      The user is presented with a choice of authentication methods when trying to log in.

      If the user chooses LDAPAuthentication, the entered credentials are nevertheless processed by ShibAuthentication, PasswordAuthentication and LDAPAuthentication, in that order.
      The implementation simply tries all implicit methods first and then all explicit methods, until one of them authenticates the user.

      Whether implicit methods should be used by default, regardless of whether the user wants that authentication to be used, is somewhat of a policy question.
      But if implicit methods are always processed automatically, it is not sensible to ask the user for a login method: when the user chooses PasswordAuthentication and enters their username and password, the system may at that point decide to log the user in using their ShibAuthentication credentials after all.

      So either the implicit methods should be attempted before offering the user the choice of authentication types (and the implicit types should be removed from that list, as stated in http://jira.dspace.org/jira/browse/DS-64), or the implicit methods should remain listed and only be used when the user requests one of them.

      If none of the implicit methods authenticates the user, all of the explicit methods are tested, again independent of the chosen login method. This normally does not pose a problem, as the odds that the entered credentials succeed against the wrong explicit authentication method are slim.
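      The dispatch order described above, modelled as an added Python example (this is not DSpace's own AuthenticationManager code; the method classes, the sample credentials and the Shibboleth session flag are constructed): `authenticate_reported` reproduces the implicit-first, then all-explicit order that ignores the chosen method, and `authenticate_chosen_only` implements the second remedy proposed in the report.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of the dispatch the report describes; not DSpace code.
# An implicit method (e.g. Shibboleth) authenticates from session state and
# never looks at the credentials the user typed into the login form.
@dataclass
class AuthMethod:
    name: str
    implicit: bool
    check: Callable[[str, str], Optional[str]]  # (user, pw) -> user id or None

def build_sequence(shib_session: Optional[str]) -> List[AuthMethod]:
    """Same order as the page's plugin.sequence setting; credentials are
    constructed sample values. shib_session simulates an existing SSO session."""
    return [
        AuthMethod("PasswordAuthentication", False,
                   lambda u, p: u if (u, p) == ("alice", "db-pw") else None),
        AuthMethod("LDAPAuthentication", False,
                   lambda u, p: u if (u, p) == ("alice", "ldap-pw") else None),
        AuthMethod("ShibAuthentication", True,
                   lambda u, p: shib_session),
    ]

Result = Tuple[Optional[str], Optional[str], List[str]]  # (method, uid, tried)

def authenticate_reported(seq: List[AuthMethod], chosen: str,
                          user: str, pw: str) -> Result:
    """Behaviour described in the report: every implicit method first, then
    every explicit one in configured order; `chosen` is never consulted."""
    tried: List[str] = []
    ordered = [m for m in seq if m.implicit] + [m for m in seq if not m.implicit]
    for m in ordered:
        tried.append(m.name)
        uid = m.check(user, pw)
        if uid is not None:
            return m.name, uid, tried
    return None, None, tried

def authenticate_chosen_only(seq: List[AuthMethod], chosen: str,
                             user: str, pw: str) -> Result:
    """Second remedy proposed in the report: run only the method the user
    selected, so an implicit method is used only when explicitly requested."""
    for m in seq:
        if m.name == chosen:
            uid = m.check(user, pw)
            return (m.name if uid is not None else None), uid, [m.name]
    raise ValueError(f"unknown authentication method: {chosen}")
```

With a live Shibboleth session, the reported order logs the user in as the Shibboleth identity even though LDAP was chosen and LDAP credentials were entered; with no session, credentials valid for PasswordAuthentication are accepted under an LDAP login request.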

              People

              • Assignee: Unassigned
              • Reporter: Ben Bosman (benbosman)
              • Votes: 2
              • Watchers: 2