[Grok-dev] LDAP authentication and groups

Jens Adner j.adner at fh-sm.de
Mon Aug 10 04:14:07 EDT 2009



Jeroen Michiel wrote:

> That is also bothering me, is there a good way to avoid it? Is it safe to
> store the principal in the session data? Currently, I derive from
> SessionCredentialsPlugin for the credentials, so apparently the credentials
> are stored in the session data and are re-authenticated upon each request,
> correct?
> 

Yes, afaik, it works this way. Upon each request the credentials are re-read
and the principal will be recreated, assigning roles, permissions and
groups in addition. Every request! So if the user's groups change in ldap
while the user is authenticated and using the app - or the user changes the
password in ldap - the new conditions apply on the next request. This
could also be an advantage.

One solution could be packing all the roles and groups stuff in the
login function and logout function, not using the CreatedPrincipal event.

I don't know how to make this work better for ldap auths. Maybe you have
to make your own version of a principal factory. I'm not a programmer,
just a sysadmin. So I'm looking forward to getting some cool code from you ;-)

Best regards
Jens

-- 
++++++++ Jens Adner IuK-Zentrum Fachhochschule Schmalkalden +++++++++
++++++++ Fon: +49 3683688 9201  Fax: +49 3683688 989201     +++++++++
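
The trade-off discussed in this message (a directory lookup on every request versus group data that can go stale), as an added example that is not part of the original message and not Grok code: a time-bounded cache in front of a group lookup. `GroupCache`, `fake_ldap_lookup` and the sample directory are hypothetical names and constructed data; a real deployment would pass its own LDAP query function.

```python
import time


class GroupCache:
    """Cache per-principal group sets for at most ttl_seconds."""

    def __init__(self, lookup, ttl_seconds, clock=time.monotonic):
        self._lookup = lookup      # callable: principal_id -> iterable of groups
        self._ttl = ttl_seconds    # upper bound on how long a revocation is missed
        self._clock = clock
        self._entries = {}         # principal_id -> (expires_at, frozenset)

    def groups_for(self, principal_id):
        now = self._clock()
        entry = self._entries.get(principal_id)
        if entry is not None and now < entry[0]:
            return entry[1]
        # If the lookup raises, nothing is cached and the error propagates,
        # so an unreachable directory never turns into stale authorization.
        groups = frozenset(self._lookup(principal_id))
        self._entries[principal_id] = (now + self._ttl, groups)
        return groups

    def invalidate(self, principal_id):
        """Drop cached groups, e.g. on logout or failed re-authentication."""
        self._entries.pop(principal_id, None)


def demo():
    # Constructed sample data standing in for an LDAP directory.
    directory = {"jdoe": {"staff", "admins"}}
    calls = []

    def fake_ldap_lookup(principal_id):   # hypothetical stand-in for an LDAP query
        calls.append(principal_id)
        return set(directory.get(principal_id, ()))

    now = [0.0]                            # controllable clock for the demo
    cache = GroupCache(fake_ldap_lookup, ttl_seconds=60, clock=lambda: now[0])

    seen = [cache.groups_for("jdoe")]      # request 1: directory is queried
    directory["jdoe"].discard("admins")    # group membership revoked in directory
    now[0] = 30.0
    seen.append(cache.groups_for("jdoe"))  # request 2: cached, revocation not seen
    now[0] = 61.0
    seen.append(cache.groups_for("jdoe"))  # request 3: TTL expired, fresh lookup
    return seen, len(calls)
```

The TTL is the longest time a removed group keeps working; a TTL of zero gives the per-request behaviour described in the message.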

