Problem with adding level of authentication


Postby dmm » Tue Aug 27, 2013 5:04 pm

To all,

I am trying to set up a module that allows a different level of authentication other than LDAP and JDBC. I have added the module to the IADMIN.xml file and created the new java program that implements ConfigurablePasswordProvider. However when implementing the application the web app...when logging in defaults to the guest user and password overriding what the user is attempting to log in with. Without the integration of the new application and defaulting to chainedPasswordProvider the login works by default.

Besides the IAdmin spring file and the java program..what else needs to be done so OMERO accepts the custom app?

thanks
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Wed Aug 28, 2013 8:45 am

Hi,

Our documentation roughly outlines the steps that need to be taken to create a custom authentication class: http://www.openmicroscopy.org/site/supp ... vider.html.

To further help you out with your issue, it would be really helpful to see exactly what has been changed in the server setup. When you say "module" or "application" do you mean a new Django app added to the web client?

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Wed Aug 28, 2013 9:09 pm

bpindelski,

I followed the directions as stated in your link. I extended the ConfigurablePasswordProvider class and added the declaration of the new class with the IAdmin.xml file

What happens is when the omero.security.password_provider switches to the new class to call...any attempt to login to the application assumes the username/password is guest/guest no matter what the username/password is. checkPassword is called passing these values into that method. This occurs no matter if the attempt is made via web or with the gui application.

When the omero.security.password_provider is switched back to chainedpasswordprovider the attempt to login uses the actual values the user enters.
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Thu Aug 29, 2013 8:56 am

Hello,

The "guest" account has limited use and is only relevant in the internals of the server code. The situation you are describing is very unusual.

Would it be possible for me (and anyone else wanting to help out on the thread) to see the code changes you've made? It'd be helpful. Thanks.

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Thu Aug 29, 2013 5:32 pm

Sure.

The checkPassword function is called with checkPassword("guest", "guest").

I made a modification to this file:

service-ome.api.IAdmin.xml

    <bean id="centrifyPasswordProvider" class="ome.security.auth.CentrifyPasswordProvider">
        <constructor-arg ref="passwordUtil"/>
    </bean>


and added this file to the directory under components/server/src/ome/security/auth:

    package ome.security.auth;

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;

    /**
     * Password provider that delegates the credential check to an external
     * helper script. The {@code util} and {@code log} fields are inherited
     * from ConfigurablePasswordProvider.
     */
    public class CentrifyPasswordProvider extends ConfigurablePasswordProvider {

        public CentrifyPasswordProvider(PasswordUtil util) {
            super(util);
        }

        public CentrifyPasswordProvider(PasswordUtil util, boolean ignoreUnknown) {
            super(util, ignoreUnknown);
        }

        @Override
        public boolean hasPassword(String user) {
            Long id = util.userId(user);
            return id != null;
        }

        @Override
        public Boolean checkPassword(String user, String password, boolean readOnly) {

            Long id = util.userId(user);
            if (id == null || password == null || password.equals("")) {
                return false;
            }

            // Pass the credentials as separate arguments instead of one
            // space-joined string, so a password containing whitespace is not
            // split into extra arguments. The script is resolved via PATH.
            String[] command = { "sh", "authCentrify.sh", user, password };
            // Log the user only; the password must not end up in the server log.
            log.info(String.format("CENTRIFY: checking user = %s", user));

            try {
                Runtime rt = Runtime.getRuntime();
                Process pr = rt.exec(command);
                pr.waitFor();
                BufferedReader is = new BufferedReader(
                        new InputStreamReader(pr.getInputStream()));
                String item;
                try {
                    item = is.readLine();
                } finally {
                    is.close();
                }
                log.info(String.format("CENTRIFY: item = %s", item));

                // The helper prints "OK" on its first output line when the
                // credentials are accepted.
                if (item != null && item.equals("OK")) {
                    loginAttempt(user, true);
                    return true;
                }
            } catch (InterruptedException ex) {
                String errorMessage = "The command [sh authCentrify.sh] did not complete due to an unexpected interruption.";
                log.error(errorMessage, ex);
                throw new RuntimeException(errorMessage, ex);
            } catch (IOException ex) {
                String errorMessage = "The command [sh authCentrify.sh] did not complete due to an IO error.";
                log.error(errorMessage, ex);
                throw new RuntimeException(errorMessage, ex);
            }
            // The helper did not accept the credentials: fall back to the default handling.
            return super.checkPassword(user, password, readOnly);
        }

    }
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Fri Aug 30, 2013 12:30 pm

Hello,

Thanks for the code. I went ahead and implemented it on my github "centrify" branch (https://github.com/bpindelski/openmicro ... 763a2c8d60) - it's just a proof-of-concept, it won't make it into the mainline code. I've also added an authCentrify.sh dummy file (it just prints out "OK") to a directory on my PATH (/usr/local/bin). After rebuilding the server code, login works ok, I didn't even need to change the omero.security.password_provider setting - as you can see I placed the centrify provider as the first item in the chainedPasswordProvider constructor list.

I'm still confused how the guest/guest user gets into the checkPassword() method. What branch have you been using to make your changes - dev_4_4 or develop?

Regards,
Blazej
bpindelski
 

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:05 pm

I am using the tag version v.4.4.8p1
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:05 pm

should I be using develop?
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby dmm » Fri Aug 30, 2013 2:52 pm

Update:

I have changed to the dev_4_4 branch.

When logging into OMERO web, the problem remains as an attempt at "guest/guest"

When logging in to the OMERO unix gui client, the problem clears. The attempt is made on the actual username/password combination.
dmm
 
Posts: 7
Joined: Tue Aug 27, 2013 4:59 pm

Re: Problem with adding level of authentication

Postby bpindelski » Mon Sep 02, 2013 12:10 pm

Hi,

I've tried rebasing my branch on top of the v.4.4.8p1 tag. As it later came out - it shouldn't have made a difference.

The main problem here was the way the centrifyPasswordProvider bean was created in service-ome.api.IAdmin.xml. I committed a change on my branch on Github (https://github.com/bpindelski/openmicro ... d8d6551596). Now a second parameter is being passed to the constructor of the class, which sets the ignoreUnknown class member to true. This way the Centrify provider will return null when an unknown user is encountered and false when an authentication error happens. That allows the upstream chain of providers to be called in sequence when an unknown user is being verified.

Now both OMERO.web and OMERO.insight should work ok.

With kind regards,
Blazej
bpindelski
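The three-valued contract Blazej describes (true = authenticated, false = known user but wrong password, null = unknown user so the next provider is consulted) is easy to get wrong, and the thread's symptom came from the first provider answering false instead of null. The following is an added, self-contained Java model of that chain written for this thread; it is not OMERO's own ChainedPasswordProvider or ConfigurablePasswordProvider, and the class names, the "external"/"local" provider labels and the user/password tables are constructed for the example.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/**
 * Models the three-valued checkPassword() contract from the thread:
 *   true  -> this provider authenticated the user
 *   false -> this provider knows the user but rejected the password (the chain stops)
 *   null  -> this provider does not know the user; the next provider is consulted
 * Class names and the credential tables below are constructed for the example.
 */
public class ProviderChainDemo {

    interface PasswordProvider {
        Boolean checkPassword(String user, String password);
    }

    /** Stand-in for one credential source (an external directory or the JDBC table). */
    static final class TableProvider implements PasswordProvider {
        private final String name;
        private final Map<String, String> table;
        private final boolean ignoreUnknown;

        TableProvider(String name, Map<String, String> table, boolean ignoreUnknown) {
            this.name = name;
            this.table = table;
            this.ignoreUnknown = ignoreUnknown;
        }

        @Override
        public Boolean checkPassword(String user, String password) {
            String expected = table.get(user);
            if (expected == null) {
                // Unknown user: with ignoreUnknown the chain continues,
                // without it the login fails right here (the thread's symptom).
                System.out.println("  " + name + ": unknown user -> "
                        + (ignoreUnknown ? "null" : "false"));
                return ignoreUnknown ? null : Boolean.FALSE;
            }
            boolean ok = password != null && !password.isEmpty()
                    && Objects.equals(expected, password);
            System.out.println("  " + name + ": known user -> " + ok);
            return ok;
        }
    }

    /** First non-null answer wins; if no provider claims the user, the login is refused. */
    static final class ChainedProvider implements PasswordProvider {
        private final List<PasswordProvider> providers;

        ChainedProvider(PasswordProvider... providers) {
            this.providers = Arrays.asList(providers);
        }

        @Override
        public Boolean checkPassword(String user, String password) {
            for (PasswordProvider p : providers) {
                Boolean result = p.checkPassword(user, password);
                if (result != null) {
                    return result;
                }
            }
            return Boolean.FALSE;
        }
    }

    /** Chain from the thread: external provider first, then the local (JDBC-like) one. */
    static ChainedProvider buildChain(boolean externalIgnoresUnknown) {
        Map<String, String> external = new LinkedHashMap<>();
        external.put("alice", "s3cret");   // constructed sample account
        Map<String, String> local = new LinkedHashMap<>();
        local.put("bob", "hunter2");       // constructed sample account
        return new ChainedProvider(
                new TableProvider("external", external, externalIgnoresUnknown),
                new TableProvider("local", local, true));
    }

    public static void main(String[] args) {
        for (boolean ignoreUnknown : new boolean[] { false, true }) {
            System.out.println("external provider ignoreUnknown=" + ignoreUnknown);
            ChainedProvider chain = buildChain(ignoreUnknown);
            System.out.println(" alice/s3cret -> " + chain.checkPassword("alice", "s3cret"));
            System.out.println(" alice/wrong  -> " + chain.checkPassword("alice", "wrong"));
            System.out.println(" bob/hunter2  -> " + chain.checkPassword("bob", "hunter2"));
            System.out.println(" carol/x      -> " + chain.checkPassword("carol", "x"));
        }
    }
}
```

With ignoreUnknown=false on the first provider, bob (who only exists in the local table) is refused because the external provider answers false and the chain stops; with ignoreUnknown=true it answers null, the local provider is consulted and bob logs in. A wrong password for alice is refused by the external provider in both cases without ever reaching the local table, which is the behaviour you want: an authentication failure must not fall through to a second credential source.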
 
