SOLVED

Custom Authentication Handler- trust_credentials_attribute


Level 2

In my custom authentication handler I'm trying to authenticate a user without knowing his password, using a third-party user directory. I can't store users' passwords inside CQ, so I need a way to pass the user through the stack knowing just his name/id.

I used to handle those kinds of problems with trust_credentials_attribute set in the repository.xml. However, in AEM 5.6 and 5.6.1, when the given solution is used, the following log entry appears:

25.11.2013 11:52:10.469 *WARN* [0:0:0:0:0:0:0:1 [1385376730454] POST /content/myapp/en/home/j_security_check HTTP/1.1] org.apache.jackrabbit.core.security.authentication.AbstractLoginModule Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.

The warning was introduced with a commit for https://issues.apache.org/jira/browse/JCR-3293. The bug is not closed yet and there is no info how the trusted info can/should be avoided. Is it so, that the @deprecated annotation together with log has been introduced, but the workaround is not yet delivered? How can I pass the user through authenticator without knowing its password?

Please advise,
Mateusz

1 Accepted Solution


Correct answer by
Level 10

The preferred solution depends on where/why you make use of the trust_credentials_attribute.

Implement a custom LoginModule wherein it also overrides the isPreAuthenticated method, and deploy it as an OSGi fragment.


2 Replies



Level 2

"where/why": as already said, I'm not storing users' passwords in the repository. I'm using my own implementation of AuthenticationHandler to fulfil all user journeys.

Regarding implementation, to paraphrase: JCR, via the AbstractLoginModule.isPreAuthenticated(Credentials) method, provides a way to authenticate a user without a password. This method takes advantage of trust_credentials_attribute. Is the point of this warning (when using this 'authenticate without password' feature) that one has to write this snippet from scratch? How does that fit with the @deprecated annotation on both isPreAuthenticated() and getPreAuthAttributeName()?
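As an added example illustrating both the accepted answer (a custom LoginModule overriding isPreAuthenticated) and the follow-up question (what replaces the deprecated trust_credentials_attribute check), here is one way to write it. This is not code from the thread, from Adobe or from Jackrabbit; the package, class names, attribute name and the `issueToken`/`buildAuthInfo` helpers are all hypothetical, and extending `DefaultLoginModule` assumes that is the login module your repository.xml configures (CRX ships its own; extend that instead if it is in use). The OSGi fragment manifest that attaches the class to the repository bundle is not shown. The security point the deprecation warning is about is that any code able to put an attribute of the configured name on a SimpleCredentials gets a password-less login, so the attribute name is effectively a shared secret; the version below only trusts a marker object of a type that nothing outside this package can construct, which a request parameter (always a String) can never satisfy.

```java
package com.example.auth; // hypothetical package

import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.core.security.authentication.DefaultLoginModule;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/**
 * Login module that accepts users vouched for by an external directory
 * without a repository password. Added example; assumes DefaultLoginModule
 * is the configured login module and that this class is deployed as an
 * OSGi fragment of the repository bundle (fragment host not shown).
 */
public class ExternalDirectoryLoginModule extends DefaultLoginModule {

    /** Name of the SimpleCredentials attribute carrying the marker (hypothetical). */
    public static final String PRE_AUTH_ATTR = "com.example.auth.preauth";

    /**
     * Opaque pre-authentication marker. The constructor is package-private,
     * so only server-side code in this package can create one; credentials
     * assembled from request data (Strings) can never carry a valid instance.
     */
    public static final class PreAuthToken {
        private final String userId;

        PreAuthToken(String userId) {
            this.userId = userId;
        }

        public String getUserId() {
            return userId;
        }
    }

    /**
     * Called by the custom Sling AuthenticationHandler after the external
     * directory has confirmed the user. The returned AuthenticationInfo
     * carries SimpleCredentials under AuthenticationInfo.CREDENTIALS, which
     * Sling hands to Repository.login(Credentials), so the attribute object
     * reaches isPreAuthenticated() unchanged within the same JVM.
     */
    public static AuthenticationInfo buildAuthInfo(String userId) {
        SimpleCredentials creds = new SimpleCredentials(userId, new char[0]);
        creds.setAttribute(PRE_AUTH_ATTR, new PreAuthToken(userId));
        AuthenticationInfo info = new AuthenticationInfo("ExternalDirectory", userId);
        info.put(AuthenticationInfo.CREDENTIALS, creds);
        return info;
    }

    /**
     * Replaces the deprecated trust_credentials_attribute lookup. Returning
     * true makes AbstractLoginModule skip the password check for these
     * credentials, so the test must be strict: correct attribute, correct
     * marker type, and the marker's user must match the credentials' user.
     */
    @Override
    protected boolean isPreAuthenticated(Credentials creds) {
        if (!(creds instanceof SimpleCredentials)) {
            return false;
        }
        SimpleCredentials sc = (SimpleCredentials) creds;
        Object marker = sc.getAttribute(PRE_AUTH_ATTR);
        if (!(marker instanceof PreAuthToken)) {
            return false;
        }
        String vouchedUser = ((PreAuthToken) marker).getUserId();
        return vouchedUser != null && vouchedUser.equals(sc.getUserID());
    }
}
```

Because isPreAuthenticated() short-circuits the password check, the only thing standing between an attacker and a password-less session is the strictness of this method; keep `PreAuthToken` non-public-constructible, keep `buildAuthInfo` reachable only from the AuthenticationHandler after its own verification has succeeded, and log each pre-authenticated login so that it can be audited separately from password logins.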