Separate authentication from the user services? #577

Closed
gitblit opened this issue Aug 12, 2015 · 3 comments

Comments


@gitblit gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 281

Consider refactoring external authentication implementations out of the user service
definition.

This will eliminate the need for all realm.NNN.backingUserService settings and may
simplify other bits.  It may also accommodate multiple, simultaneous authentication
implementations.

Ideas:

1. All of the subclasses of GitblitUserService need to become implementations of com.gitblit.IAuthenticationService.
2. GitblitUserService can likely go away
3. IUserService & ConfigUserService will stay, but IUserService will get a new method
to setAuthenticationServices(List<IAuthenticationService>).
4. ConfigUserService.authenticate will need to check if the account is a local account
and if not cycle through the List<IAuthenticationService> and attempt to authenticate
the credentials.
5. IAuthenticationService should have an authenticate(IUserService service, String
username, char[] password) method.  This will allow the authentication service to
call back to the user service to continue creating/updating user models.

There may be some gotchas here - especially supporting multiple authentication services.
 I have not thought this all out.

Reported by James.Moger on 2013-07-25 17:02:18


@gitblit gitblit commented Aug 12, 2015

One question to consider is if the local or the external account should take precedence.
The scenario I have in mind is that I connect Gitblit to an external authentication
service with existing users. Now all users existing in that service could log in, but
without additional permissions. In order to set the permissions, I have to edit the
user within Gitblit.
If the local account takes precedence, I have to wait until the user has logged in at
least once before I can edit him and add permissions.
If the external account takes precedence, then I can edit the user at any time, add
permissions and attributes, and when the user logs in for the first time, he can still
use his password stored in the external service.

(See the realm.htpasswd.overrideLocalAuthentication setting.)

Reported by f.zschocke on 2013-08-24 14:04:28
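
An added example, not part of the issue thread and not Gitblit code: a Java sketch of the provider chain proposed in the first comment together with the local-versus-external precedence question raised in the comment above. All names (`AuthProvider`, `backend`, `externalFirst`) and the sample accounts are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added illustration; every name here is hypothetical, not Gitblit's API.
public class AuthChainDemo {
    interface AuthProvider {                       // one external backend
        String name();
        boolean authenticate(String username, char[] password);
    }

    // Constructed stand-in for a backend; plaintext only to keep the demo short.
    static AuthProvider backend(String name, Map<String, String> creds) {
        return new AuthProvider() {
            public String name() { return name; }
            public boolean authenticate(String u, char[] p) { return same(creds.get(u), p); }
        };
    }
    // Constant-time comparison; a null expected value means "no credential stored".
    static boolean same(String expected, char[] given) {
        return expected != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            new String(given).getBytes(StandardCharsets.UTF_8));
    }
    /** Returns the name of the source that accepted the credentials, or empty. */
    static Optional<String> authenticate(Map<String, String> local, List<AuthProvider> chain,
                                         boolean externalFirst, String user, char[] pw) {
        boolean localOk = same(local.get(user), pw);
        // Local precedence: an account with a local password is decided locally and
        // never falls through, so a same-named external account cannot stand in for it.
        if (!externalFirst && local.get(user) != null)
            return localOk ? Optional.of("local") : Optional.empty();
        for (AuthProvider p : chain)               // list order is the precedence among backends
            if (p.authenticate(user, pw)) return Optional.of(p.name());
        return localOk ? Optional.of("local") : Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> local = new HashMap<>();
        local.put("admin", "local-secret");        // local account with its own password
        local.put("alice", null);                  // pre-created for permissions only
        List<AuthProvider> chain = List.of(
            backend("ldap", Map.of("admin", "other-pw")),
            backend("htpasswd", Map.of("alice", "ht-pw")));
        System.out.println(authenticate(local, chain, false, "alice", "ht-pw".toCharArray()));
        System.out.println(authenticate(local, chain, false, "admin", "other-pw".toCharArray()));
        System.out.println(authenticate(local, chain, true, "admin", "other-pw".toCharArray()));
    }
}
```

With `externalFirst` set, the third call accepts `admin` through the first external backend even though the local password does not match, which is the trade-off the precedence choice carries.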


@gitblit gitblit commented Aug 12, 2015

Authentication has been removed from the IUserService classes and the existing external
services have been refactored into AuthenticationProviders.  There are probably some
scenarios which will need to be accounted for, but I believe the new architecture is
an improvement.

Reported by James.Moger on 2013-12-01 15:50:33

  • Status changed: Queued


@gitblit gitblit commented Aug 12, 2015

1.4.0 released.

Reported by James.Moger on 2014-03-09 18:06:21

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix added this to the 1.4.0 milestone Dec 13, 2016