- Type: New Feature
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 5.6-SNAPSHOT
- Fix Version/s: QualifiedToSchedule
- Component/s: Security / Rights
- Tags:
Use case
There are some cases where it is relevant to use both CAS and FORM authentication.
Typically, if we have a multi-user directory (LDAP + SQL), we would like the people who belong to the LDAP directory to log in through the CAS login page, which redirects them to Nuxeo once authenticated, as it normally does, and the external users (i.e. those who don't belong to the LDAP directory but exist in the SQL one) to log in through the standard FORM login page (/nuxeo/login.jsp).
Indeed, their login attempt would obviously fail through CAS authentication, and we may also not want them to see or access the CAS login page, which is usually dedicated to internal users.
Basic approach
One solution to achieve this is to have the following authentication chain:
<authenticationChain>
  <plugins>
    <plugin>BASIC_AUTH</plugin>
    <plugin>CAS2_AUTH</plugin>
    <plugin>FORM_AUTH</plugin>
  </plugins>
</authenticationChain>
In this case, we can give the CAS login page URL to the internal users (in fact, the default Nuxeo URL, since the CAS plugin comes first in the chain) and the /nuxeo/login.jsp URL to the external users to force them to log in through the FORM auth.
This can be done simply by telling them to use this URL (otherwise they won't be able to log in), or by displaying a login link for external users on the CAS login page, but we can't really control the latter since this page is hosted by the CAS server.
This works, but there are 2 main drawbacks when trying to log in from the Nuxeo login page:
- If the login fails, the user is redirected to the CAS login page.
- Once logged in, the logout link also redirects to the CAS login page.
Better approach
What we need here is to flag the user's browser so that it remembers the type of authentication to use with Nuxeo, by setting a dedicated cookie, let's call it nuxeo_auth_mode. Then both the CAS2_AUTH and FORM_AUTH plugins should be made aware of this cookie, read it, and process the login/logout according to its value. Basically, if the cookie is set to "form":
- The CAS plugin should "forward" the authentication and logout to the FORM plugin.
- The FORM plugin should redirect to login.jsp in case of a bad login or logout.
But maybe there is a way to do this at a lower level (NuxeoAuthenticationFilter) without having to touch the authentication plugins?
To set the cookie:
- A simple way would be to set it to "form" in the login.jsp page.
- A more generic way would be to display, if no cookie is set, a simple page allowing the user to choose the authentication mode, let's say CAS or FORM for now (it could also be dynamic depending on the plugins defined in the auth chain). The choice would set the nuxeo_auth_mode cookie, and redirect to the Nuxeo login action, depending on the auth chain. This would be the purpose of a new SELECTABLE_AUTH authentication plugin.
To sum up
We need:
- A new SELECTABLE_AUTH authentication plugin.
- To adapt the existing authentication plugins (mostly CAS and FORM, but maybe others?).
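As an added illustration (not Nuxeo code), here is a small Python model of the cookie-steered chain described above: the SELECTABLE_AUTH chooser, the CAS plugin forwarding to FORM, and the FORM failure and logout redirects. The CAS URL, the chooser page path and the SQL users are constructed placeholders; the cookie only selects which login prompt the user gets and is never treated as proof of identity.

```python
# Constructed model of the cookie-steered authentication chain (not Nuxeo code).
AUTH_MODE_COOKIE = "nuxeo_auth_mode"
ALLOWED_MODES = ("cas", "form")                   # any other value is ignored, not trusted
CAS_LOGIN_URL = "https://cas.example.org/login"   # placeholder CAS server URL
FORM_LOGIN_URL = "/nuxeo/login.jsp"
CHOOSER_URL = "/nuxeo/selectAuth.jsp"             # hypothetical SELECTABLE_AUTH page

# Constructed SQL-directory users handled by FORM_AUTH; LDAP users go through CAS.
SQL_USERS = {"external1": "s3cret"}


def auth_mode(cookies):
    """Read nuxeo_auth_mode; only the two known values may steer the chain."""
    mode = cookies.get(AUTH_MODE_COOKIE)
    return mode if mode in ALLOWED_MODES else None


def selectable_auth_prompt(cookies):
    """SELECTABLE_AUTH: show the chooser once, then redirect according to the cookie."""
    mode = auth_mode(cookies)
    if mode is None:
        return ("render", CHOOSER_URL)
    return ("redirect", FORM_LOGIN_URL if mode == "form" else CAS_LOGIN_URL)


def choose_mode(mode):
    """Chooser submission: the Set-Cookie value to send, or None for an unknown mode."""
    if mode not in ALLOWED_MODES:
        return None
    return f"{AUTH_MODE_COOKIE}={mode}; Path=/nuxeo; HttpOnly; Secure; SameSite=Lax"


def cas_login_prompt(cookies):
    """CAS2_AUTH: with the cookie set to "form", hand the prompt to FORM_AUTH."""
    if auth_mode(cookies) == "form":
        return ("redirect", FORM_LOGIN_URL)
    return ("redirect", CAS_LOGIN_URL)


def form_login(cookies, username, password):
    """FORM_AUTH: on a bad login, go back to login.jsp instead of the CAS page."""
    if SQL_USERS.get(username) == password:
        return ("authenticated", username)
    return ("redirect", FORM_LOGIN_URL if auth_mode(cookies) == "form" else CAS_LOGIN_URL)


def logout_redirect(cookies):
    """Logout: form-mode users land on login.jsp, CAS users on the CAS login page."""
    return FORM_LOGIN_URL if auth_mode(cookies) == "form" else CAS_LOGIN_URL
```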
Depends on:
- NXP-10622 Allow CAS plugin to use an alternative authentication plugin if related cookie is set (Resolved)