Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #5442 - add MultiAuthenticator to support multiple authentication options #12393

Open
wants to merge 6 commits into
base: jetty-12.1.x
Choose a base branch
from
Open

Issue #5442 - add MultiAuthenticator to support multiple authentication options #12393

wants to merge 6 commits into from

Conversation

lachlan-roberts
Copy link
Contributor

Issue #5442

Introduces the MultiAuthenticator class which can be used to support multiple authentication options simultaneously for the same webapp.

For example you could have an app with the options to login with FORM, OpenID or Ethereum.

@lachlan-roberts lachlan-roberts self-assigned this Oct 16, 2024
@lachlan-roberts
PR #12393 - adding javadoc from review
1b0437c 
Signed-off-by: Lachlan Roberts <[email protected]>
@lachlan-roberts lachlan-roberts requested a review from gregw October 30, 2024 13:18
sbordet
sbordet requested changes Dec 12, 2024
View reviewed changes
jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/AnyUserLoginService.java
Comment on lines +29 to +30
* <p>This {@link LoginService} does not check credentials, a {@link UserIdentity} will be produced for any
* username provided in {@link #login(String, Object, Request, Function)}.</p>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Credentials are not checked only if the nested LoginService is null, otherwise they are checked, right?
If so, can you clarify?

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/AnyUserLoginService.java
import org.eclipse.jetty.server.Session;

/**
* A {@link LoginService} which allows unknown users to be authenticated.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please expand on why this LoginService would be useful with an example usage?

Basically this javadoc says: "this is a LoginService that just authenticates users without checking credentials", which seems like a security issue, so one more paragraph explaining that this class should not be used blindly, but perhaps in conjunction with something else?

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
public class MultiAuthenticator extends LoginAuthenticator
{
private static final Logger LOG = LoggerFactory.getLogger(MultiAuthenticator.class);
public static final String LOGIN_PATH_PARAM = "org.eclipse.jetty.security.multi.login_path";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make it private.

Also, group together static fields, then empty line, then non-static fields.

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
{
if (!loginPath.startsWith("/"))
{
LOG.warn("login path must start with /");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No warn-level logs. Convert to debug.

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/MultiAuthenticator.java
if (session == null)
return false;

synchronized (session)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unnecessary, following the discussion on #10392.

I'd remove all the synchronized blocks around the session, as I understand from @janbartel that it is going to be a different instance for every request in any case, so synchronization is useless.

tests/test-integration/src/test/java/org/eclipse/jetty/test/MultiAuthenticatorTest.java
assertThat(response.getContentAsString(), containsString("<h1>Multi Login Page</h1>"));
assertThat(response.getContentAsString(), containsString("/login/openid"));
assertThat(response.getContentAsString(), containsString("/login/form"));
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to see:

  • for this test, the access to a protected resource should be tried for both authentications.
  • a new test for failed authentication, protected resources are not accessible
  • a test where one authentication succeeds but the other fails -- can I still access the resource? Basically I would like to know if "multi" has "and" semantic (all authentications but must successful), or "or" semantic (one successful authentication is enough).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbordet sbordet sbordet requested changes

@gregw gregw gregw approved these changes

Assignees

@lachlan-roberts lachlan-roberts

Labels
None yet
Projects
Jetty 12.1.0
Status: 👀 In review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lachlan-roberts @gregw @sbordet