Hi
I'm just finishing the new wikiuser authcode and came to this question:
In the current code the authentication methods are "stacked", that
means that the methods are searched in a predefined search order
(e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth).
The first method which returns true is taken. False is only returned if
all defined methods fail.
With my new code we allow even more auth methods:
internal db, external db, file
Now how should the admin configure his authentication:
1) Should he be able to define the search order?
2) Should he be able to define stacked (policy c) or strict (policy b)
or pre-defined method order (policy a)?
The problem is that the user may exist with the current method but the
password is wrong, which brings him to the next method. This might not
be wished for certain auth methods where the username and password must
match and no other methods may be tried if the username exists in the
database but with the wrong password. For example, the database password
is wrong, but a file password matches, and that is ok.
Currently the order of the first three methods is fixed:
Anon if defined, Bogo if defined, User if defined.
Those three methods are stacked.
With the new methods in the new auth classes (called if
ALLOW_USER_PASSWORDS is defined and the previous methods failed) one
could define policy c: a stacked scheme ("try next method if it fails"),
or policy b: a stricter scheme ("check user and if she exists the
password, on failure try no other methods").
To make things even more complicated, my current code makes use of only one
pre-defined external auth method (policy a), which simply upgrades the
user class in the constructor, and not in the checkUser() or
UserExists() methods.
How to define the auth policies in index.php?
One could easily define a new config variable like
define('FAIL_ON_WRONG_PASSWORD',true);
which defines the strict scheme, and if not defined
the stacked scheme will be used.
The simple problem is that then we will have to define one more method
for all user classes:
$user->UserExists():
Currently we need only ->checkPass() and optionally ->storePass().
The code for a simple predefined (not-stacked) scheme is now
ready, where only one auth method is predefined, for all users.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
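As an added illustration (not PhpWiki code or the author's patch), the stacked policy c and the strict policy b from the mail above, run over a list of auth-method objects that expose the proposed `UserExists()` beside the existing `checkPass()`. The `AuthMethod` interface, the `TableAuth` stand-in class and the sample user table are assumptions made for this example.

```php
<?php
// Minimal contract every auth method would have to satisfy (assumed here;
// the mail notes that only checkPass()/storePass() exist today).
interface AuthMethod {
    public function name(): string;
    public function UserExists(string $user): bool;
    public function checkPass(string $user, string $pass): bool;
}

// Constructed stand-in for a db/file/ldap method: a fixed user => password table.
final class TableAuth implements AuthMethod {
    public function __construct(private string $name, private array $table) {}
    public function name(): string { return $this->name; }
    public function UserExists(string $user): bool { return isset($this->table[$user]); }
    public function checkPass(string $user, string $pass): bool {
        // constant-time compare so a wrong password is not distinguishable by timing
        return $this->UserExists($user) && hash_equals($this->table[$user], $pass);
    }
}

const POLICY_STACKED = 'c';  // "try next method if it fails"
const POLICY_STRICT  = 'b';  // FAIL_ON_WRONG_PASSWORD: known user, wrong password => stop

// Returns the name of the method that accepted the login, or null on failure.
// Policy a (one predefined method for everybody) is just a one-element $methods list.
function authenticate(array $methods, string $user, string $pass, string $policy): ?string {
    foreach ($methods as $m) {
        if ($m->checkPass($user, $pass)) {
            return $m->name();
        }
        // Strict: the user exists in this backend but the password is wrong,
        // so no later backend may be consulted for this login.
        if ($policy === POLICY_STRICT && $m->UserExists($user)) {
            return null;
        }
    }
    return null;
}

// Constructed sample data: alice is known to both backends with different passwords.
$methods = [
    new TableAuth('db',   ['alice' => 'db-secret']),
    new TableAuth('file', ['alice' => 'file-secret']),
];
// Same login attempt under both policies; the password is right for "file" only.
var_dump(authenticate($methods, 'alice', 'file-secret', POLICY_STACKED));
var_dump(authenticate($methods, 'alice', 'file-secret', POLICY_STRICT));
```

Requires PHP 8 for the constructor property promotion in `TableAuth`.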