Authentication subsystem

This page covers the following JIRA issues: UPT-2

Goals

In general, the uPortal3 authentication subsystem should allow flexible configuration of multiple authentication sources. More specifically, for the release we will need to demonstrate examples of supporting the authentication types currently available in uPortal2 (note: we do not have to, for example, support the uPortal2 database implementation, but we would need to provide an example of local authentication against DB tables).
The existing uPortal2 authentication subsystem provides the minimal level of flexibility we are looking for. Some of the less trivial features involve security context chaining and opaque credentials. We would like, however, to avoid having to maintain this implementation in uPortal3 if comparable functionality exists in a readily available library, and we think Acegi might fulfill these requirements.

Preparation

In designing an implementation for uPortal3, we should analyze what flexibility, if any, is being lost. For that, we should analyze ISecurityContext in uPortal2 and determine which of that information can be made available to the portal if we use Acegi. We should also determine what additional information Acegi might provide.
We should determine what other pieces would be required to support:

  • local authentication (i.e. a simple authentication DAO against DB tables)
  • LDAP authentication
  • CAS 2.0 authentication
  • Login portlet (plus, if required, an analog of the uPortal2 Authentication servlet to which the portlet sends its parameters)

Implementation pieces

Framework access to the authentication information

The uPortal3 framework is interested in the following pieces of information that the authentication subsystem can provide:

  1. Identity of the user
  2. Level of user authentication
  3. Opaque credentials of the user (for passing on to other subsystems)

The framework will use an IUserController implementation to access that information. The existing implementation (UserControllerImpl) relies on the HTTP session to retrieve authentication information. The interface will be extended to provide access to the full authentication information (some analog of uPortal2's ISecurityContext).
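The following is an added example, written for this page and not code from uPortal or from the Acegi project, that ties the two lists above together: it builds an Acegi provider chain in which a DAO provider stands in for the "local authentication against DB tables" item from the Preparation section, and then maps the resulting Acegi Authentication onto the three items the framework needs (identity, authentication level, opaque credentials). It assumes the Acegi 1.0.x API and package names (org.acegisecurity.*); the class AcegiAuthExample, the AuthLevel enum, the AuthInfo value object, the in-memory LocalUserDetailsService, the user "alice"/"s3cret", and the key "portal-guest-key" are all constructed for the example.

```java
// Added example (assumes Acegi 1.0.x); not uPortal or Acegi project code.
import java.util.Arrays;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationTrustResolverImpl;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.acegisecurity.providers.dao.DaoAuthenticationProvider;
import org.acegisecurity.providers.encoding.ShaPasswordEncoder;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

public class AcegiAuthExample {

    /** Hypothetical authentication level, an analog of the uPortal2 ISecurityContext state. */
    public enum AuthLevel { NONE, ANONYMOUS, REMEMBER_ME, FULL }

    /** Hypothetical value object: what an IUserController would hand to the framework. */
    public static class AuthInfo {
        public final String identity;
        public final AuthLevel level;
        public final Object opaqueCredentials;
        AuthInfo(String identity, AuthLevel level, Object opaqueCredentials) {
            this.identity = identity; this.level = level; this.opaqueCredentials = opaqueCredentials;
        }
    }

    /** Constructed in-memory stand-in for a DAO over local user tables; stores only a hash. */
    static class LocalUserDetailsService implements UserDetailsService {
        private static final String ALICE_HASH = new ShaPasswordEncoder().encodePassword("s3cret", null);
        public UserDetails loadUserByUsername(String username) {
            if (!"alice".equals(username)) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return new User(username, ALICE_HASH, true, true, true, true,
                    new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        }
    }

    /** Provider chain: ProviderManager tries each provider that supports the token type, in order. */
    static ProviderManager buildAuthenticationManager() {
        DaoAuthenticationProvider local = new DaoAuthenticationProvider();
        local.setUserDetailsService(new LocalUserDetailsService());
        local.setPasswordEncoder(new ShaPasswordEncoder());

        // Guest access: the token must carry the same key the provider was configured with.
        AnonymousAuthenticationProvider anon = new AnonymousAuthenticationProvider();
        anon.setKey("portal-guest-key");

        ProviderManager manager = new ProviderManager();
        manager.setProviders(Arrays.asList(new Object[] { local, anon }));
        return manager;
    }

    /** Maps an Acegi Authentication onto identity / level / opaque credentials. */
    static AuthInfo describe(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return new AuthInfo("guest", AuthLevel.NONE, null);
        }
        AuthenticationTrustResolverImpl resolver = new AuthenticationTrustResolverImpl();
        AuthLevel level = resolver.isAnonymous(auth) ? AuthLevel.ANONYMOUS
                : resolver.isRememberMe(auth) ? AuthLevel.REMEMBER_ME : AuthLevel.FULL;
        // Caveat: with DaoAuthenticationProvider, getCredentials() is the submitted password.
        // Only pass it on if that is the intended "opaque credential"; otherwise substitute the
        // subsystem-specific token here, before the context is stored in the session.
        return new AuthInfo(auth.getName(), level, auth.getCredentials());
    }

    public static void main(String[] args) {
        ProviderManager manager = buildAuthenticationManager();

        // What a login portlet or servlet would submit on the user's behalf.
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        // HttpSessionContextIntegrationFilter persists this context in the HTTP session
        // (attribute ACEGI_SECURITY_CONTEXT); that is where a UserControllerImpl would read it.
        SecurityContextHolder.getContext().setAuthentication(result);
        AuthInfo info = describe(SecurityContextHolder.getContext().getAuthentication());
        System.out.println(info.identity + " level=" + info.level);

        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Authentication guest = manager.authenticate(new AnonymousAuthenticationToken(
                "portal-guest-key", "guest",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ANONYMOUS") }));
        System.out.println("guest level=" + describe(guest).level);
    }
}
```

Two points a practitioner would check before adopting this shape: the LDAP and CAS cases from the Preparation list slot into the same ProviderManager list (Acegi ships LdapAuthenticationProvider and CasAuthenticationProvider), so chaining is configuration rather than code; and the "opaque credentials" item needs a deliberate decision per provider, since the DAO provider's successful token carries the raw password while a CAS login yields ticket material instead.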