[Catalyst] Catalyst and Shibboleth authentication

Jay K jayk at ion0.com
Mon Mar 17 23:16:34 GMT 2008


On Mar 17, 2008, at 4:40 PM, Alex Povolotsky wrote:

> Jay K wrote:
>>> That page is slightly incorrect.
>>> In C::A::Store::Null -based class, apparently
>>> $storeclass->can('find_user') returns 0 (called from
>>> C::A::Authentication::Realm.pm line 85) so Realm tries to construct
>>> find_user by itself, without success.
>>    Yes.  Null does not implement find_user - you have to.  Which is why
>> the wiki page says subclass and add find_user.
> Hmm... I guess you should read Null.pm, especially lines 29-32.

Ah.  I see that you are correct.  A
Catalyst::Authentication::Store::Null object should return true to
can('find_user').  I'd be interested in seeing a test where that fails.

>> For SSO - you can hook at any of those points.  The store is the
>> easiest, really - because Credential::Password has a 'passthrough'
>> mode by telling it password_type='none' - effectively delegating the
>> entire auth process cleanly to the store's find_user method.   Since
>> you will probably need to provide some type of user information -
>> overriding the store gives you the ideal spot to handle both at the
>> same time.
>>
> Well, I still think that SSO is for CREDENTIAL VALIDATION, so we
> need to override Credential.
>> Actually, I've done an extremely simple SSO (but it works good
>> enough!) and store authenticated users in DBIx::Class, and happy
>> with it :)
>>
>> Surely one could override Realm, or Catalyst itself, or rewrite
>> Catalyst from scratch, but I've explained my position.

As I mention in my previous post - It really depends on the complexity
of your SSO system and what it grants access to in your app.  It could
also very easily be considered user retrieval - in which case a store
could be considered more appropriate.

My point is simply that I built the Auth module to allow the most
flexibility for customization without the need to 'rewrite Catalyst
from scratch'  as you put it.  Any of the hook points I mentioned can
be appropriate, and indeed for an SSO such as OpenID, which is much
more complex than validating a hash in a cookie - overriding at
$realm->authenticate() may be the best option.

Jay

---
"May we not return to those scoundrels of old, the illustrious
founders of superstition and fanaticism, who first took the knife from
the altar to make victims of those who refused to be their disciples."
- Voltaire
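
The store-level hook discussed in this message, as an added example (not code from the thread or from the Catalyst project): with password_type 'none' the credential performs no check, so the store's find_user is the only authentication gate and must take the identity from a server-set value rather than from caller-supplied authinfo. The package name MyApp::Authentication::Store::ShibEnv, the realm name 'sso', and the use of REMOTE_USER as the value set by the web server's SSO module are assumptions.

```perl
package MyApp::Authentication::Store::ShibEnv;    # hypothetical name
use strict;
use warnings;
use base 'Catalyst::Authentication::Store::Null';
use Catalyst::Authentication::User::Hash;

# With password_type => 'none', Credential::Password accepts whatever user
# object find_user returns, so every check has to happen here.
sub find_user {
    my ( $self, $authinfo, $c ) = @_;

    # Take the identity only from the value the web server's SSO module
    # placed in the request environment (assumed: REMOTE_USER). $authinfo
    # comes from the caller of $c->authenticate and is deliberately
    # ignored, so a request parameter can never choose the user.
    my $id = $c->req->remote_user;
    return unless defined $id && length $id;

    # Refuse values that do not look like a plain identifier.
    return unless $id =~ /\A[\w.\@+-]{1,255}\z/;

    return Catalyst::Authentication::User::Hash->new( id => $id );
}

1;

# Realm configuration in the application class (MyApp.pm):
#
#   __PACKAGE__->config(
#       'Plugin::Authentication' => {
#           default_realm => 'sso',
#           realms        => {
#               sso => {
#                   credential => { class => 'Password', password_type => 'none' },
#                   store => { class => '+MyApp::Authentication::Store::ShibEnv' },
#               },
#           },
#       },
#   );
#
# A controller then calls $c->authenticate( {} ) and treats a false return
# as "no SSO session".
```

The store only helps if the front-end server is the sole party able to set that value; the application should not be reachable by a path that bypasses the SSO module.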




