IntegratingAigaion/ExternalLogin/DetailedDesign
From AigaionWiki
Detailed Design of Login Modules
Introduction: Modes of Login
Given the Case descriptions on IntegratingAigaion/ExternalLogin, and the requirements collected on the IntegratingAigaion/ExternalLogin/Requirements page, this section presents the detailed design. The basic model of the Aigaion login modules is as follows.
There are three 'modes' in which login can work.
The first is based on only enabling the Aigaion internal login module, possibly with anonymous login facilities.
The second is based on the possibility of delegating the password checking to an external system. One can optionally configure Aigaion to use the internal login modules as fallback for accounts that have been designated as 'Aigaion internal only'; as final fallback, anonymous login may still be possible. This mode covers Case I completely.
The third and final mode of operation is much more complex: it involves not only checking whether a user/password combination is valid in the external system, but more specifically whether a certain user is, at this moment, logged in to the external system from the client computer from which Aigaion is being accessed. Case II involves a combination of features from the second and third mode.
Selecting Operating Mode of Login System
There are a number of configuration settings that determine in which mode the login system of Aigaion is running. Note that these settings depend on two properties of accounts:
- A non-anonymous account can be designated as 'externally managed'. Such accounts cannot be logged in by submitting a login form against the internal password store, but only using mode 2 or 3.
- An account can be designated 'anonymous'. Anonymous accounts can never be logged in through submitting a login form.
The following settings determine the running mode of the login system:
| LOGIN_ENABLE_DELEGATED_LOGIN | This setting enables the delegated password checks of mode 2 |
| LOGIN_DISABLE_INTERNAL_LOGIN | This setting disables the internal login module. It only makes sense if mode 2 or 3 is enabled. If set, one cannot log in using internally managed accounts. |
| LOGIN_ENABLE_ANON | If set, visitors who did not log in using a 'real' user/password account get anonymous access to Aigaion |
| LOGIN_???_??? | Put Aigaion into mode 3 login |
Other settings determine exactly how each mode is configured; those are described in the subsections for the different modes.
Basic Login Module And Anonymous Login (mode 1)
This login module functions as described in the introduction of IntegratingAigaion/ExternalLogin.
| LOGIN_DISABLE_INTERNAL_LOGIN | This setting disables the internal login module. It only makes sense if mode 2 or 3 is enabled. If set, one cannot log in using internally managed accounts. |
| LOGIN_ENABLE_ANON | If set, visitors who did not log in using a 'real' user/password account get anonymous access to Aigaion |
| LOGIN_DEFAULT_ANON | The default account used for anonymous access. Must be an account designated 'anonymous'. |
Delegated Password Checking (mode 2)
It is possible to delegate the password checking to some external system, rather than using the passwords stored in the Aigaion tables. One can define an ordered list of delegates that are checked one by one until one of the delegates indicates that this is a valid user/password combination. If a delegate finds the password OK, the Aigaion account with that user name is looked up. If that is an externally managed account (type=external), the account is used to log the visitor in to Aigaion. If it does not exist yet in Aigaion, Aigaion may be configured to create it on the spot. If the account does exist, but is not externally managed (type=normal|anon), the user cannot be logged in!
If none of the password checking delegates allow the username/password combination, Aigaion may be configured to check the internally managed accounts (type=normal), too. Finally, a visitor can still be logged in as anonymous user, if that has been enabled.
| LOGIN_ENABLE_DELEGATED_LOGIN | This setting enables the delegated password checks of mode 2 |
| LOGIN_DELEGATES | A comma-separated list of the external classes used to check passwords (DrupalPasswordChecker, IMAPPasswordChecker, etc.) |
| LOGIN_CREATE_MISSING_USERS | If set, any user whose password checks out OK through a delegate but who does not exist in Aigaion yet, automatically gets a new Aigaion account |
| LOGIN_DISABLE_INTERNAL_LOGIN | This setting disables the internal login module. It only makes sense if mode 2 or 3 is enabled. If set, one cannot log in using internally managed accounts. |
| LOGIN_ENABLE_ANON | If set, visitors who did not log in using a 'real' user/password account get anonymous access to Aigaion |
Classes
PasswordChecker[] -- abstract superclass / interface for password checking delegates. Given a username/password combination, a PasswordChecker will return an array with information about the user that can log in using that uname/pwd combination. The returned array may contain:
- uname (mandatory; needed to find the corresponding Aigaion account. If the login combination was not valid, this field is the empty string "")
- First name
- Surname
- institute
- etc
Any array value that is not null or empty can be used by Aigaion to update the corresponding Aigaion account.
[DR 2008.08.29] Note: LOGIN_MANAGE_GROUPS_THROUGH_EXTERNAL_MODULE will be optional config in Aigaion
DrupalPasswordChecker[PasswordChecker] -- Delegates password checking to Drupal installation.
Configuration:
- Drupal database settings?
HardcodedPasswordChecker[PasswordChecker] -- A uname/pwd is checked by looking in a hard coded array inside the class. Useful to test the login mechanism.
Configuration:
- nothing (except the hard coded uname/pwd)
MediawikiPasswordChecker[PasswordChecker] -- etc
IMAPPasswordChecker[PasswordChecker] -- etc
LDAPPasswordChecker[PasswordChecker] -- etc
TWikiPasswordChecker[PasswordChecker] -- etc
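The mode 2 flow described above (ordered delegate chain, the external/normal/anon account rule, LOGIN_CREATE_MISSING_USERS, the internal and anonymous fallbacks) and the PasswordChecker return array, worked through as an added example. This is not Aigaion's own code: PasswordChecker and HardcodedPasswordChecker follow the descriptions on this page, while AccountStore, LoginManager, the config array and the sample users are assumptions standing in for the Aigaion internals. Requires PHP 8.0 or later.

```php
<?php
// Added example, not Aigaion's own code. PasswordChecker and HardcodedPasswordChecker
// follow this page; AccountStore, LoginManager and the config keys' shape are assumed.

interface PasswordChecker
{
    // Returns an array describing the user who may log in with $uname/$password.
    // 'uname' is mandatory and is "" when the combination is not valid.
    public function check(string $uname, string $password): array;
}

// Test delegate from the page: credentials live in a hard coded array inside the class.
// Only password hashes are kept here, so the test class does not carry plaintext passwords.
class HardcodedPasswordChecker implements PasswordChecker
{
    private array $users;

    public function __construct()
    {
        // Constructed sample users for this example.
        $this->users = [
            'alice'   => ['hash' => password_hash('alice-secret', PASSWORD_DEFAULT),
                          'firstname' => 'Alice', 'surname' => 'Example', 'institute' => 'Example Lab'],
            'mallory' => ['hash' => password_hash('mallory-secret', PASSWORD_DEFAULT),
                          'firstname' => 'Mallory', 'surname' => '', 'institute' => ''],
        ];
    }

    public function check(string $uname, string $password): array
    {
        $u = $this->users[$uname] ?? null;
        if ($u === null || !password_verify($password, $u['hash'])) {
            return ['uname' => ''];                     // not a valid combination
        }
        return ['uname' => $uname, 'firstname' => $u['firstname'],
                'surname' => $u['surname'], 'institute' => $u['institute']];
    }
}

// Assumed stand-in for the Aigaion user tables; type is 'external', 'normal' or 'anon'.
class AccountStore
{
    public array $accounts = [];

    public function find(string $uname): ?array
    {
        return $this->accounts[$uname] ?? null;
    }

    // Creates or updates an account; keys in $info override stored values.
    public function save(string $uname, string $type, array $info): array
    {
        $this->accounts[$uname] = ['uname' => $uname, 'type' => $type] + $info + ($this->accounts[$uname] ?? []);
        return $this->accounts[$uname];
    }

    public function checkInternalPassword(string $uname, string $password): bool
    {
        $acc = $this->find($uname);
        return $acc !== null && $acc['type'] === 'normal'
            && isset($acc['hash']) && password_verify($password, $acc['hash']);
    }
}

class LoginManager
{
    /** @param PasswordChecker[] $delegates the ordered LOGIN_DELEGATES list */
    public function __construct(private AccountStore $store, private array $delegates, private array $config) {}

    // Returns the account that is now logged in, or null if the visitor is refused.
    public function login(string $uname, string $password): ?array
    {
        if (!empty($this->config['LOGIN_ENABLE_DELEGATED_LOGIN'])) {
            foreach ($this->delegates as $delegate) {
                $info = $delegate->check($uname, $password);
                if (($info['uname'] ?? '') === '') {
                    continue;                           // unknown to this delegate, try the next
                }
                $uname = $info['uname'];
                unset($info['uname']);
                // Only non-null, non-empty values may update the Aigaion account.
                $info = array_filter($info, fn($v) => $v !== null && $v !== '');
                $acc = $this->store->find($uname);
                if ($acc === null) {
                    return empty($this->config['LOGIN_CREATE_MISSING_USERS'])
                        ? $this->anonymous() : $this->store->save($uname, 'external', $info);
                }
                if ($acc['type'] !== 'external') {
                    // A delegate must never log in a normal or anon account, even when the
                    // external system accepted the password: that would let an external
                    // identity take over an internally managed account of the same name.
                    return $this->anonymous();
                }
                return $this->store->save($uname, 'external', $info);
            }
        }
        // No delegate accepted the combination: internal accounts are the fallback.
        if (empty($this->config['LOGIN_DISABLE_INTERNAL_LOGIN'])
            && $this->store->checkInternalPassword($uname, $password)) {
            return $this->store->find($uname);
        }
        return $this->anonymous();
    }

    private function anonymous(): ?array
    {
        if (empty($this->config['LOGIN_ENABLE_ANON'])) {
            return null;
        }
        $anon = $this->store->find($this->config['LOGIN_DEFAULT_ANON']);
        return ($anon !== null && $anon['type'] === 'anon') ? $anon : null;
    }
}

// Constructed demo accounts: an anon account, an internal account, and an internal
// account whose name collides with one the delegate knows.
$store = new AccountStore();
$store->save('anonymous', 'anon', []);
$store->save('bob', 'normal', ['hash' => password_hash('bob-secret', PASSWORD_DEFAULT)]);
$store->save('mallory', 'normal', ['hash' => password_hash('unrelated', PASSWORD_DEFAULT)]);

$login = new LoginManager($store, [new HardcodedPasswordChecker()], [
    'LOGIN_ENABLE_DELEGATED_LOGIN' => true,
    'LOGIN_CREATE_MISSING_USERS'   => true,
    'LOGIN_DISABLE_INTERNAL_LOGIN' => false,
    'LOGIN_ENABLE_ANON'            => true,
    'LOGIN_DEFAULT_ANON'           => 'anonymous',
]);

foreach ([['alice', 'alice-secret'],     // delegate OK, no account yet: created as external
          ['bob', 'bob-secret'],         // delegate unknown: internal fallback
          ['mallory', 'mallory-secret'], // delegate OK, but account is normal: refused
          ['eve', 'wrong']] as [$u, $p]) {
    $acc = $login->login($u, $p);
    printf("%-8s -> %s\n", $u, $acc === null ? 'refused' : $acc['uname'] . ' (' . $acc['type'] . ')');
}
```

The case worth checking in any real implementation is the third one: a delegate accepting a password for a name that exists in Aigaion as a type=normal account must not result in a login, otherwise whoever controls that name in the external system gains the internal account. The example also drops empty delegate values before they reach the account, so a delegate that returns an empty surname or institute does not blank out data Aigaion already holds.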
External Login (mode 3)
More to follow...