[NXP-27942] Remove JAAS - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Clean up
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 11.1, 2021.0
Component/s: Authentication

Tags:
- nxFG
Impact type:

API change
Upgrade notes:
Hide

New methods:

Framework.loginSystem()

Framework.loginSystem(originatingUser)

Framework.loginUser(username)

NuxeoPrincipal.getCurrent()

NuxeoPrincipal.isCurrentAdministrator()

The above loginSystem and loginUser methods now return a NuxeoLoginContext that is AutoCloseable and can therefore be used in a try-with-resources.

Deprecated methods:

Framework.login() -> Framework.loginSystem()

Framework.loginAs(originatingUser) -> Framework.loginSystem(originatingUser)

Framework.loginAsUser(username) -> Framework.loginUser(username)

Framework.login(username, password) -> Framework.loginUser(username)

ClientLoginModule.clearThreadLocalLogin() -> LoginComponent.clearPrincipalStack() (INTERNAL)

ClientLoginModule.getThreadLocalLogin() -> LoginComponent (INTERNAL)

ClientLoginModule.getCurrentLogin() -> LoginComponent.getCurrentPrincipal()

ClientLoginModule.getCurrentPrincipal() -> NuxeoPrincipal.getCurrent()

ClientLoginModule.isCurrentAdministrator() -> NuxeoPrincipal.isCurrentAdministrator()

LoginStack

These extension points or part of their contributions are removed:

<loginModulePlugin> in the element <authenticationPlugin> of extension point authenticators of org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService

the extension point domains of org.nuxeo.runtime.LoginComponent (which included registration of LoginModule classes)

the extension point plugin of org.nuxeo.ecm.platform.login.LoginPluginRegistry (which included registration of LoginPlugin classes)

Behavior change:

NuxeoAuthenticationPlugin.handleRetrieveIdentity should now contain all the authentication code, and return a UserIdentificationInfo with credentialsChecked = true (using the 1-arg constructor) if the credentials have already been checked by the auth plugin itself. Otherwise the method may return a UserIdentificationInfo that includes a username and password, to let the generic filter check the password against the UserManager.
Show
New methods: Framework.loginSystem() Framework.loginSystem(originatingUser) Framework.loginUser(username) NuxeoPrincipal.getCurrent() NuxeoPrincipal.isCurrentAdministrator() The above loginSystem and loginUser methods now return a NuxeoLoginContext that is AutoCloseable and can therefore be used in a try-with-resources. Deprecated methods: Framework.login() -> Framework.loginSystem() Framework.loginAs(originatingUser) -> Framework.loginSystem(originatingUser) Framework.loginAsUser(username) -> Framework.loginUser(username) Framework.login(username, password) -> Framework.loginUser(username) ClientLoginModule.clearThreadLocalLogin() -> LoginComponent.clearPrincipalStack() (INTERNAL) ClientLoginModule.getThreadLocalLogin() -> LoginComponent (INTERNAL) ClientLoginModule.getCurrentLogin() -> LoginComponent.getCurrentPrincipal() ClientLoginModule.getCurrentPrincipal() -> NuxeoPrincipal.getCurrent() ClientLoginModule.isCurrentAdministrator() -> NuxeoPrincipal.isCurrentAdministrator() LoginStack These extension points or part of their contributions are removed: <loginModulePlugin> in the element <authenticationPlugin> of extension point authenticators of org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService the extension point domains of org.nuxeo.runtime.LoginComponent (which included registration of LoginModule classes) the extension point plugin of org.nuxeo.ecm.platform.login.LoginPluginRegistry (which included registration of LoginPlugin classes) Behavior change: NuxeoAuthenticationPlugin.handleRetrieveIdentity should now contain all the authentication code, and return a UserIdentificationInfo with credentialsChecked = true (using the 1-arg constructor) if the credentials have already been checked by the auth plugin itself. Otherwise the method may return a UserIdentificationInfo that includes a username and password, to let the generic filter check the password against the UserManager .
Sprint:
nxFG 11.1.10
Story Points:
5

Description

Remove JAAS (the use of LoginContext, security domains, LoginModules, etc.) and just call NuxeoAuthenticationPlugins directly.

We do this because of NXP-27917 which makes usage of LoginContext slow things down.

Note that https://bugs.openjdk.java.net/browse/JDK-8230297 has been opened at the OpenJDK level to fix LoginContext.login() slowness but at the moment this is not resolved nor backported.

Attachments

Issue Links

causes

NXP-30959 Fix sudo/switchuser feature when used with SAML auth plugin

Resolved

NXP-32672 Fix restricted access in maintenance mode

Resolved

is duplicated by

NXP-25951 Clean up Framework.login methods

Resolved

NXP-27941 Remove useless LoginModuleWrapper

Resolved

Is referenced in

PR for 10: #177

PR for 10: #209

PR for 10: #246

(2 Is referenced in)

Activity

People

Assignee:

Florent Guillaume

Reporter:

Florent Guillaume

Participants:

Florent Guillaume, Jenkins

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2019-08-27 21:40

Updated:

2024-06-07 09:37

Resolved:

2019-09-09 16:13

Time Tracking

Estimated:

Remaining:

Logged: