2005.02.04 Yale Discussion
Working from generated class diagrams, we examined the interfaces and packages. This increased our collective understanding of the current code and led to the recommendations below.
Authentication Module
Several classes in the Authentication module (package) handle validation, not authentication. These should be renamed and moved to a new package named validation.
| current package.class | new package.class |
|---|---|
| authentication.AuthenticationSpecification | validation.ValidationSpecification |
| authentication.Cas10ProtocolAuthenticationSpecification | validation.Cas10ProtocolValidationSpecification |
| authentication.Cas20ProtocolAuthenticationSpecification | validation.Cas20ProtocolValidationSpecification |
| authentication.Assertion | validation.Assertion |
| authentication.AssertionImpl | validation.AssertionImpl |
Web Tier
Spring Validator(s)
The BasicCredentialsValidator belongs in the web package: it is related neither to authentication nor to ticket validation, but is part of form validation.
| current package.class | new package.class |
|---|---|
| authentication.BasicCredentialsValidator | web.LoginFormValidator |
Login Controller
Non-form-based authentication is an important feature of CAS3, and we expect to provide at least one other LoginController for handling it. To make the function of the current controller clear, it should be renamed.
| current package.class | new package.class |
|---|---|
| web.LoginController | web.LoginFormController |
Ticket Module
We propose that the Authentication type never retain or return credentials.
The entire Authentication object is reachable from the ticket and is used during validation. Today it retains the primary Credentials and even exposes a method to retrieve them at any later time. Keeping primary credentials in memory, and even on disk when a cache is used, makes CAS an extremely attractive target for attackers. We know of no reason to keep them.
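As an added illustration of this proposal (not CAS source; all class names here are assumed), the Authentication that a ticket retains carries only the principal and some metadata, while the Credentials object is request-scoped and wiped once the handler has checked it:

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Map;

// Added illustration of the proposal above; all class names are assumed, not CAS source.

/** Primary credentials: request-scoped and never stored in a ticket. */
final class UsernamePasswordCredentials {
    private final String username;
    private final char[] password;   // char[] rather than String so it can be zeroed
    UsernamePasswordCredentials(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }
    String getUsername() { return username; }
    char[] getPassword() { return password; }
    /** Wipe the secret as soon as the handler has used it. */
    void clear() { Arrays.fill(password, '\0'); }
}

/** What a ticket may retain and a validator may read: identity and metadata only. */
final class Authentication implements Serializable {
    private final String principalId;
    private final Map<String, String> attributes;   // e.g. which handler succeeded
    // Deliberately no Credentials field and no getCredentials(): a cached or serialized ticket never holds the password.
    Authentication(String principalId, Map<String, String> attributes) {
        this.principalId = principalId;
        this.attributes = Map.copyOf(attributes);
    }
    String getPrincipalId() { return principalId; }
    Map<String, String> getAttributes() { return attributes; }
}

interface AuthenticationHandler {
    /** The only component that reads the password, e.g. against a directory or database. */
    boolean authenticate(UsernamePasswordCredentials credentials);
}

final class AuthenticationManager {
    private final AuthenticationHandler handler;
    AuthenticationManager(AuthenticationHandler handler) { this.handler = handler; }
    /** Resolves credentials to an Authentication and discards the secret, pass or fail. */
    Authentication authenticate(UsernamePasswordCredentials credentials) {
        try {
            if (!handler.authenticate(credentials)) throw new SecurityException("authentication failed");
            return new Authentication(credentials.getUsername(),
                    Map.of("handler", handler.getClass().getSimpleName()));
        } finally {
            credentials.clear();   // zero the password before the request returns
        }
    }
}
```

Because the ticket registry only ever sees the Authentication, a memory dump or a serialized cache entry yields principal identifiers and handler metadata, not reusable passwords.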