Versions Compared

Old Version 15

changes.mady.by.user Dmitriy Kopylenko

Saved on

compared with

New Version 16

changes.mady.by.user Dmitriy Kopylenko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

An InteractionManager is the action bean that is responsible for processing authentication managers for silently-gathered credentials and for choosing next right InteractiveCredentialsGatherer to try for the currently-desired level of assurance.
The InteractionManager does this:
  1. Locate all existing Authentication objects (results of past successful authentications)
    1. These are found in the current TicketGrantingTicket
  2. Locate all existing Credentials that have not yet been authenticated
    1. These were gathered by SilentCredentialsGatherer beans in an earlier step of the web flow.
  3. Authenticate all Credentials that haven't yet been authenticated (i.e. silently gathered ones).  If successful, store in the current TGT.  Create a TGT if necessary.  If unsuccessful, store some kind of flag somewhere so we don't try to process the credential again.
  4. Determine all acceptable assurance policy lines, based on incoming parameters, attributes of the registered service, and defaults.
  5. If the current set of Authentications is insufficient to satisfy any acceptable assurance policy lines, determine which types of credentials would be necessary to come into compliance.
  6. If multiple types of credentials would be valid, choose one based on pre-configured preferences/rules.  Place the others into a list and put that list.
  7. Locate the corresponding InteractiveCredentialsGatherer.
  8. Locate InteractiveCredentialsGatherers for all of the alternative possible credentials, and put those into a list.
  9. Show the view for the selected InterativeCredentialsGatherer.

E) Ticket Granting Ticket (update)

The ticket granting ticket needs to be updated to support a list of Authentication objects instead of only a single Authentication object.

F) Authentication manager (update)

The authentication manager takes credentials and returns an authentication.  Currently it is called directly by SpringMVC actions (such as AuthenticationViaFormAction and subclasses of AbstractNonInteractiveCredentialsAction).  Instead, the new CredentialsGatherer beans will be calling the authentication manager.
NOTE: currently the SWF action (AuthenticationViaFormAction) does not use AuthenticationManager directly, but instead the CentralAuthenticationService facade API is used (Dmitriy Kopykenko)
The authentication manager will always store the following attributes in a successful Authentication object:
  • name of the authentication handler
  • name of the credentials type

G) Registered service (update)

So far, a registered service supports attributes : id, name, theme, description, isAnonymous...
New optional attributes:
  • List of acceptable named lines from the assurance policy.
  • Minimum acceptable LOA value
If both are listed, that means: "Accept any value greater than or equal to the minimum, PLUS any lines listed by name."

H) Assurance evaluator (new)

Given a TGT containing a list of successful Authentication objects, the assurance evaluator computes two things:
  • a numeric value indicating the maximum assurance that is guaranteed by this set of Authentication objects.  (This is the row with the maximum value such that all lines with lesser values are also fulfilled.)
  • a list of all lines of the assurance policy that are fulfilled by this set of Authentication objects

...