Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
Read More.
SOLVED

Custom Authentication Handler- trust_credentials_attribute

Avatar

Level 2
Level 2
10/15/15 7:28:32 PM

In my custom authentication handler I'm trying to authenticate user without knowing his password using third party user directory. I can\t store users password inside the CQ so I need a way to pass user through the stack knowing just his name/id.

I used to handle those kind of problems with trust_credentials_attribute set in the repository.xml. However, in AEM 5.6 and 5.6.1, when given solution is used, following log entry appears:

25.11.2013 11:52:10.469 *WARN* [0:0:0:0:0:0:0:1 [1385376730454] POST /content/myapp/en/home/j_security_check HTTP/1.1] org.apache.jackrabbit.core.security.authentication.AbstractLoginModule Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.

The warning was introduced with a commit for https://issues.apache.org/jira/browse/JCR-3293. The bug is not closed yet and there is no info how the trusted info can/should be avoided. Is it so, that the @deprecated annotation together with log has been introduced, but the workaround is not yet delivered? How can I pass the user through authenticator without knowing its password?

Please advice,
Mateusz

Views

547

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:28:32 PM

preferred solution depends on where/why you make use of the trust_credentials_attribute.

implement an custom loginmodule wherein it override isPreAuthenticated method also & deploy as OSGi fragment.

View solution in original post

Views

481

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:28:32 PM

preferred solution depends on where/why you make use of the trust_credentials_attribute.

implement an custom loginmodule wherein it override isPreAuthenticated method also & deploy as OSGi fragment.

Views

482

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
10/15/15 7:28:32 PM

"where/why": as being said - I'm not storing users password in the repository. I'm using my own implementation of AuthenticationHandler to fulfill all user journeys.

Regarding implementation - to paraphrase: JCR via

AbstractLoginModule.isPreAuthenticated(Credentials)

method provides a way to authenticate user without password. This method takes advantage of trust_credentials_attribute. The point of this warning is (when using this 'authenticate without password' feature) to write this snippet from scratch? How does it meet the @deprecated annotation on both isPreAuthenticated() and getPreAuthAttributeName() ?

Views

500

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Questions about text (v2), including pictures, custom color fonts, etc. Please help! Solved

Views

219

Likes

0

Replies

6
AEM as cloud Sonarqube Custom Rules Solved

Views

152

Likes

0

Replies

1
How to automate repo sync between customer managed git repo (we are using git hub) and Cloud manager repo. Solved

Views

193

Likes

0

Replies

5
Is there ability to run a report on search terms a customer is using when visiting website? Solved

Views

170

Likes

0

Replies

4
How to create Composite Multifield in Content Fragment without custom JS

Views

148

Likes

0

Replies

2