New Participant
October 16, 2015
Solved

Custom Authentication Handler- trust_credentials_attribute


In my custom authentication handler I'm trying to authenticate a user without knowing his password, using a third-party user directory. I can't store the user's password inside CQ, so I need a way to pass the user through the stack knowing just his name/id.

I used to handle these kinds of problems with trust_credentials_attribute set in repository.xml. However, in AEM 5.6 and 5.6.1, when this solution is used, the following log entry appears:

25.11.2013 11:52:10.469 *WARN* [0:0:0:0:0:0:0:1 [1385376730454] POST /content/myapp/en/home/j_security_check HTTP/1.1] org.apache.jackrabbit.core.security.authentication.AbstractLoginModule Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.

The warning was introduced with a commit for https://issues.apache.org/jira/browse/JCR-3293. The bug is not closed yet and there is no info how the trusted info can/should be avoided. Is it so, that the @deprecated annotation together with log has been introduced, but the workaround is not yet delivered? How can I pass the user through authenticator without knowing its password?

Please advise,
Mateusz

2 replies

Sham_HC
Accepted solution
New Participant
October 16, 2015

The preferred solution depends on where/why you make use of the trust_credentials_attribute.

Implement a custom login module in which you also override the isPreAuthenticated method, and deploy it as an OSGi fragment.

New Participant
October 16, 2015

"where/why": as already said, I'm not storing the user's password in the repository. I'm using my own implementation of AuthenticationHandler to fulfill all user journeys.

Regarding the implementation, to paraphrase: JCR, via the AbstractLoginModule.isPreAuthenticated(Credentials) method, provides a way to authenticate a user without a password. This method takes advantage of trust_credentials_attribute. Is the point of this warning (when using this 'authenticate without password' feature) to write this snippet from scratch? How does it meet the @deprecated annotation on both isPreAuthenticated() and getPreAuthAttributeName()?
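
One way to follow the accepted answer, as an added example that is not code from this thread or from Jackrabbit: a login module whose isPreAuthenticated override accepts only a short-lived HMAC token issued by the authentication handler, so the mere presence of a credentials attribute is not enough to log in. The class name, the attribute name, the token format and the configureKey key handling are assumptions; it relies on the protected isPreAuthenticated(Credentials) method of Jackrabbit 2.x named in the thread.

```java
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.core.security.authentication.DefaultLoginModule;

/** Hypothetical login module: pre-authentication needs a verifiable token, not just an attribute. */
public class SignedPreAuthLoginModule extends DefaultLoginModule {
    static final String TOKEN_ATTR = "myapp.preauth.token";  // assumed attribute name
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static volatile byte[] key;                       // assumed: set once at bundle start
    public static void configureKey(byte[] secret) { key = secret.clone(); }

    /** Called by the AuthenticationHandler after the third-party directory accepted the user. */
    public static String issue(String userId, long expiresAtMillis) {
        return expiresAtMillis + ":" + mac(userId + "|" + expiresAtMillis);
    }

    @Override
    protected boolean isPreAuthenticated(Credentials creds) {
        if (key == null || !(creds instanceof SimpleCredentials)) return false;
        SimpleCredentials sc = (SimpleCredentials) creds;
        Object attr = sc.getAttribute(TOKEN_ATTR);
        if (!(attr instanceof String) || sc.getUserID() == null) return false;
        String[] parts = ((String) attr).split(":", 2);
        if (parts.length != 2) return false;
        try {
            long expires = Long.parseLong(parts[0]);
            if (System.currentTimeMillis() > expires) return false;  // stale token
            // The MAC binds the token to this user id and expiry; compare in constant time.
            byte[] expected = mac(sc.getUserID() + "|" + expires).getBytes(UTF8);
            return MessageDigest.isEqual(expected, parts[1].getBytes(UTF8));
        } catch (NumberFormatException e) {
            return false;                                            // malformed expiry
        }
    }

    private static String mac(String msg) {
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(key, "HmacSHA256"));
            return String.format("%064x", new BigInteger(1, hmac.doFinal(msg.getBytes(UTF8))));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The handler would set the value returned by issue(...) as the TOKEN_ATTR attribute on the SimpleCredentials it passes to the repository login; a token copied onto another user's credentials or used after its expiry fails the check.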