We're Hiring!

Problem with adding level of authentication

General and open developer discussion about using OMERO APIs from C++, Java, Python, Matlab and more! Please new questions at https://forum.image.sc/tags/omero
Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

If you are having trouble with custom code, please provide a link to a public repository, ideally GitHub.

Problem with adding level of authentication

Postby dmm » Tue Aug 27, 2013 5:04 pm

To all,

I am trying to set up a module that allows a different level of authentication other than LDAP and JDBC. I have added the module to the IADMIN.xml file and created the new java program that implements ConfigurablePasswordProvider. However when implementing the application the web app...when logging in defaults to the guest user and password overriding what the user is attempting to log in with. Without the integration of the new application and defaulting to chainedPasswordProvider the login works by default.

Besides the IAdmin spring file and the java program..what else needs to be done so OMERO accepts the custom app?

thanks
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Wed Aug 28, 2013 8:45 am

Hi,

Our documentation outlines the roughly the steps that need to be taken to create a custom authentication class: http://www.openmicroscopy.org/site/supp ... vider.html.

To further help you out with your issue, it would be really helpful to see exactly what has been changed in the server setup. When you say "module" or "application" do you mean a new Django app added to the web client?

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Wed Aug 28, 2013 9:09 pm

bpindelski,

I followed the directions as stated in your link. I extended the ConfigurablePasswordProvider class and added the declaration of the new class with the IAdmin.xml file

What happens is when the omero.security.password_provider switches to the new class to call...any attempt to login to the application assumes the username/password is guest/guest no matter what the username/password is. checkPassword is called passing these values into that method. This occurs no matter if the attempt is made via web or with the gui application.

When the omero.security.password_provider is switched back to chainedpasswordprovider the attempt to login uses the actual values the user enters.
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Thu Aug 29, 2013 8:56 am

Hello,

The "guest" account has limited use and is only relevant in the internals of the server code. The situation you are describing is very unusual.

Would it be possible for me (and anyone else wanting to help out on the thread) to see the code changes you've made? It'd be helpful. Thanks.

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Thu Aug 29, 2013 5:32 pm

Sure.

The checkPassword function is called with checkpassword("guest","guest").

I made a modification to this file:

service-ome.api.IAdmin.xml

<bean id="centrifyPasswordProvider" class="ome.security.auth.CentrifyPasswordProvider">
<constructor-arg ref="passwordUtil"/>
</bean>


and added this file to the directory under components/server/src/ome/security/auth:

package ome.security.auth;
import java.io.IOException;
import java.io.BufferedReader;
import java.io.InputStreamReader;


public class CentrifyPasswordProvider extends ConfigurablePasswordProvider {

public CentrifyPasswordProvider(PasswordUtil util) {
super(util);
}

public CentrifyPasswordProvider(PasswordUtil util, boolean ignoreUnknown) {
super(util, ignoreUnknown);
}

@Override
public boolean hasPassword(String user) {
Long id = util.userId(user);
return id != null;
}


@Override
public Boolean checkPassword(String user, String password, boolean readOnly) {

Long id = util.userId(user);
if (id == null || password == null || password.equals("")) {
return false;
}

String line;
String command = "sh authCentrify.sh " + user + " " + password;
log.info(String.format(
"CENTRIFY: command = %s",
command));

log.error(command);
try {
Runtime rt = Runtime.getRuntime();
Process pr = rt.exec(command);
pr.waitFor();
BufferedReader is = new BufferedReader(new InputStreamReader(pr.getInputStream()));
String item = is.readLine();
log.info(String.format(
"CENTRIFY: item = %s",
item));

if (item != null) {
log.error("centrify");
log.error(item);
if (item.equals("OK")) {
loginAttempt(user, true);
return true;
}
}
} catch (InterruptedException ex) {
String errorMessage = "The command [" + command + "] did not complete due to an unexpected interruption.";
log.error(errorMessage, ex);
throw new RuntimeException(errorMessage, ex);
} catch (IOException ex) {
String errorMessage = "The command [" + command + "] did not complete due to an IO error.";
log.error(errorMessage, ex);
throw new RuntimeException(errorMessage, ex);
}
return super.checkPassword(user, password, readOnly);

}

}
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Fri Aug 30, 2013 12:30 pm

Hello,

Thanks for the code. I went ahead and implemented it on my github "centrify" branch (https://github.com/bpindelski/openmicro ... 763a2c8d60) - it's just a proof-of-concept, it won't make it into the mainline code. I've also added a authCentrify.sh dummy file (it just prints out "OK") to a directory on my PATH (/usr/local/bin). After rebuilding the server code, login works ok, I didn't even need to change the omero.security.password_provider setting - as you can see I placed the centrify provider as the firs item in the chainedPasswordProvider constructor list.

I'm still confused how the guest/guest user gets into the checkPassword() method. What branch have you been using to make your changes - dev_4_4 or develop?

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:05 pm

I am using the tag version v.4.4.8p1
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:05 pm

should I be using develop?
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:52 pm

Update:

I have changed to the dev_4_4 branch.

When logging into OMERO web, the problem remains as an attempt at "guest/guest"

When logging to the OMERO unix gui client, the problem clears. The attempt is made on the actual username/password combination.
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Mon Sep 02, 2013 12:10 pm

Hi,

I've tried rebasing my branch on top of the v.4.4.8p1 tag. As it later came out - it shouldn't have made a difference.

The main problem here was the way the centrifyPasswordProvider bean was created in service-ome.api.IAdmin.xml. I committed a change on my branch on Github (https://github.com/bpindelski/openmicro ... d8d6551596). Now a second parameter is being passed to the constructor of the class, which sets the ignoreUnknown class member to true. This way the Centrify provider will return null when an unknown user is encountered and false when an authentication error happens. That allows the upstream chain of providers to be called in sequence when an unknown user is being verified.

Now both OMERO.web and OMERO.insight should work ok.

With kind regards,
Blazej
bpindelski
 

Next

Return to Developer Discussion

Who is online

Users browsing this forum: No registered users and 0 guests