I opened Bug #2845102 "RC 7 when try to authenticate using blank
credentials / data" for you at
http://sourceforge.net/tracker/?func=detail&atid=407381&aid=2845102&group_id=33142
--------------------------------------------------------------
Sharon Lucas
IBM Austin, luc...@us.ibm.com
(512) 286-7313 or Tieline 363-7313
----- Forwarded by Sharon Lucas/Austin/IBM on 08/26/2009 01:19 PM -----
Sharon Lucas/Austin/IBM
08/25/2009 02:28 PM
To
"jander...@talentex.co.uk" <jander...@talentex.co.uk>
cc
staf <staf-users@lists.sourceforge.net>
Subject
Re: [staf-users] Authenticator on local and remote
Jan,
I suspect that you did something wrong in the authenticator that you
wrote. But, I also think there's a bug in STAFHandleManager where it
should be returning RC 53 (Handle Authentication Denied) instead of RC 7
(Invalid Request String) in this situation.
First, make sure that you have your authenticator registered on the remote
and local machine as the same name. And, if you have a user properties
file (or something like this that contains user ids and passwords), it
must be available on both the remote and local machine.
When an authenicated handle submits a remote STAF service request,
STAFProc calls STAFHandleManager's authenticate() method (see source code
in src/staf/stafproc/STAFHandleManager.cpp) passing the authentication
data that is provided under the covers via the STAF request. The
STAFHandleManager::authenticate() method submits an AUTHENTICATE request
to the Authenticator service to re-authenticate (if the authentication
data isn't already cached and hasn't changed) using the DATA option
(instead of the CREDENTIALS option) to provide the authentication data
passed to it. That is, the STAFHandleManager will submit a request like
the following to the authenticator service on the remote machine:
STAF local <AuthenticatorService> AUTHENTICATE USER <userIdentifier>
DATA <authenticationData>
So, your authenticator must support an AUTHENTICATE request with the DATA
option specified (in addition to supporting an AUTHENTICATE request with
the CREDENTIALS option specfied). If the DATA option is specified, then
your authenticator should verify that the authentication data provided is
valid.
When your authenticator handles an AUTHENTICATE request with the
CREDENTIALS option specified, if the authentication is successful, it
should be returning the authentication data in the result. This
authentication data could be the actual credentials (e.g. the password),
which is what the sample authenticator does, or it could be encrypted
credentials (if your authenticator wanted to implement this). The
STAFHandleManager caches this authentication data so it can use it for
subsequent authentication requests.
So, my guess is that your authenticator is not setting the result to the
authentication data when handing an AUTHENTICATE request with the
CREDENTIALS option specified. See the sample authenticator's
handleAuthenticate() method for an example. Some of the code from this
method is shown below. See the line in blue which sets the result to the
credentials value, as it uses the credentials value (e.g. the password)
for the authentication data.
STAFResult result = new STAFResult(STAFResult.Ok, "");
...
// Get the CREDENTIALS or DATA option value
if (parsedRequest.optionTimes("CREDENTIALS") != 0)
credentialsValue = parsedRequest.optionValue("credentials");
else
dataValue = parsedRequest.optionValue("data");
// If CREDENTIALS specified, verify match in fUserProperties
if (parsedRequest.optionTimes("CREDENTIALS") != 0)
{
if (fUserProperties.getProperty(userValue) == null)
{
return new STAFResult(
STAFResult.HandleAuthenticationDenied,
"User " + userValue + " is not a valid user");
}
else if (!(fUserProperties.getProperty(userValue)).equals(
credentialsValue))
{
return new STAFResult(
STAFResult.HandleAuthenticationDenied,
"Invalid credentials for user " + userValue);
}
else
{
// Authenticated successfully.
// XXX: Could "encrypt" the credentials and return and
// store the encrypted credentials as the authentication
// data instead of returning the actual credentials.
result.result = credentialsValue;
}
}
else
{ // DATA specified, so verify match in fUserProperties
// XXX: If encrypted the credentials, would verify match with
// encrypted credentials instead.
if (fUserProperties.getProperty(userValue) == null)
{
return new STAFResult(
STAFResult.HandleAuthenticationDenied,
"User " + userValue + " is not a valid user");
}
else if (!(fUserProperties.getProperty(userValue)).equals(
dataValue))
{
return new STAFResult(
STAFResult.HandleAuthenticationDenied,
"Invalid data for user " + userValue);
}
}
However, this brings up a good point. STAFHandleManager is submitting an
AUTHENTICATE request to your authenticator with a blank value for the DATA
option. Since the DATA option requires a value, the AUTHENTICATE request
submitted by the STAFHandleManager is returning RC 7 (Invalid Request
String). But, I think an authentication failure return code, RC 53
(Handle Authentication Denied) should be returned instead of RC 7. To
make this happen we should change STAFHandleManager::authenticate() to
"wrap" the DATA option's value in STAF's colonLengthColon format, so that
the DATA option would have had a blank value instead of no value. We
should also make a similar change to "wrap" the CREDENTIAL and USER option
values to avoid the RC 7. For example, we should make the following
change at line 1003 in stafproc/STAFHandleManager.cpp:
request += " DATA " + authenticationData;
to:
request += " DATA " + STAFHandle::wrapData(authenticationData);
so that the following AUTHENTICATE request is submitted:
STAF local <AuthenticatorService> AUTHENTICATE USER <userIdentifier>
DATA :0:
instead of:
STAF local <AuthenticatorService> AUTHENTICATE USER <userIdentifier>
DATA
Please open a bug via http://staf.sourceforge.net called something like
"RC 7 when authenticator returns blank authentication data". Or, let me
know if you prefer I open a bug for you.
--------------------------------------------------------------
Sharon Lucas
IBM Austin, luc...@us.ibm.com
(512) 286-7313 or Tieline 363-7313
"jander...@talentex.co.uk" <jander...@talentex.co.uk>
08/25/2009 07:38 AM
To
staf <staf-users@lists.sourceforge.net>
cc
Subject
[staf-users] Authenticator on local and remote
I am writing an authenticator, starting from the sample one. I am at the
stage where it seems to basically work on local. However, when I try to
use it to authenticate on a remote machine, it fails with a peculiar
message, but I suspect it is just me doing something wrong. This is the
scenario (from the command line):
1. I create a static handle and set STAF_STATIC_HANDLE
2. I authenticate against local, gaining user trust level 5
3. I submit a command to a remote machine, which requires trust level 5
4. I get the followign message back:
Error submitting request, RC: 7
Additional info
---------------
Option, DATA, requires a value
So, apparently DATA should be set when authenticating against a remote
services, but how do I achieve that? The sample authenticator doesn't
seem to do anything about it.
/jan
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008
30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
staf-users mailing list
staf-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/staf-users
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
staf-users mailing list
staf-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/staf-users
