03 Sep, 2014

1 commit


29 Aug, 2014

1 commit


11 Aug, 2014

1 commit


01 Aug, 2014

1 commit


29 Jul, 2014

1 commit


28 Jul, 2014

1 commit


16 Jul, 2014

1 commit


15 Jul, 2014

3 commits


10 Jul, 2014

1 commit


09 Jul, 2014

1 commit


03 Jul, 2014

1 commit


27 Jun, 2014

2 commits


25 Jun, 2014

1 commit


19 Jun, 2014

1 commit


18 Jun, 2014

2 commits


17 Jun, 2014

2 commits

  • Disabling MANAGED_USER auth module for several samples, in favor of PASSTHROUGH to system/ldap/account
    
    Just toggled a boolean config value; no review necessary. Rationale for change:
    
    Previously, we attempted to authenticate using MANAGED_USER first, followed by a few others and then 
    finally PASSTHROUGH. The reason it was first created this way was so that if there was a fully-
    populated managed/user entry, it would not need to query the remote system. This works fine if you 
    are syncing passwords between managed/user and the remote backend, but as mentioned in OPENIDM-1953, 
    that isn't always the case. To compound this problem, there is also the new function around role 
    calculation; this is per-auth module, and so if you want to calculate roles for a given user you would 
    need to do it for both MANAGED_USER and PASSTHROUGH, if they were both enabled. This redundancy is 
    annoying and a likely source of confusion. So, this change is to just disable the MANAGED_USER auth 
    module, and always use the PASSTHROUGH config.
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3404 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    jake.feasel
     
  • git-svn-id: https://svn.forgerock.org/openidm/trunk@3401 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    laurent.bristiel
     

12 Jun, 2014

2 commits


11 Jun, 2014

1 commit


09 Jun, 2014

1 commit


04 Jun, 2014

3 commits


03 Jun, 2014

3 commits


02 Jun, 2014

2 commits


30 May, 2014

1 commit

  • Support reauth for any auth module configured in authentication.json.
     * AuthenticationService now handles requests on /authentication, replacing
       AuthFilter which was not a filter, and did not fully handle reauth.
     * Authenticators are used from both JASPI auth modules and AuthenticationService
       to provide the authentication--either with Http headers in the case of the 
       auth modules, or from the authcid in the HttpContext and the reauth header 
       in the case of reauthentication.
     * AuthenticationService now satisfies the AuthenticationConfig service for 
       the purposes of OSGiAuthFilterBuilder's access to the config to build the 
       JASPI CAF.
     * The duplicative managed/user config at the top of the sample authentication.json 
       files are now removed, thus satisfying OPENIDM-1781.
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3282 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
     

29 May, 2014

1 commit


28 May, 2014

1 commit


27 May, 2014

3 commits

  • Additional decoupling of auth module role calculation and security context 
    population from auth module validation code.  Notably:
    
     * factor out basic auth code to allow PassthroughModule to support both basic auth and X-OpenIDM- header auth.
     * remove IWAPassthroughModule in favor of using auth module configuration to control order of execution
     * separate client cert auth into its own module, supporting a list of "allowedAuthenticationIdPatterns" 
       to compare against the subject DN
     * remove static dependency on OSGIAuthnFilterBuilder for injection of OSGi artifacts - improves testability
    
    
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3261 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    brmiller
     
  • …ct - reviewed by Andi via Skype
    
    git-svn-id: https://svn.forgerock.org/openidm/trunk@3260 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    laurent.bristiel
     
  • git-svn-id: https://svn.forgerock.org/openidm/trunk@3253 d98387aa-ee2c-4292-a9e6-504d2a719fd3
    Lana
     

26 May, 2014

1 commit