PKP Support

[namehta]

Hi,

I created the following auth plugin.

Code: Select all

class MyAuthPlugin extends AuthPlugin {
   
   function register($category, $path) {
      $success = parent::register($category, $path);
      $this->addLocaleData();      
      return $success;
   }
   
   function getName() {
      return 'MyPlugin';
   }
   

   function getDisplayName() {
      return 'My Authentication Plugin';
   }
   
   function getDescription() {
      return 'Plugin for authenticating users registered in the My database';
   }
   
   
   //
   // Core Plugin Functions
   // (Must be implemented by every authentication plugin)
   //
   
   function &getInstance($settings, $authId) {
      $returner =& new MyAuthPlugin($settings, $authId);
      error_log("Gave instance", 3, "err_My.log");
      return $returner;
   }

   function authenticate($username, $password) {
      $valid = false;

      //TODO:
      error_log("I am called for auth", 3, "err_My.log");

      //return $valid;
      return true;
   }
}


This plugin appears in the "Authentication Sources" section and I added and configured it as the default. But the log messages do not appear in the log file that suggest that the hook methods get called. Also, the default return of "true" in the authenticate method should allow any user to proceed, but this doesn't happen.

I looked at the code in the "Validate" class and what I understood from it is that users in the external source should also be registered in the local DB with an AuthID indicating what auth source to use. Is this true?

Also, what is the default role assigned to a user from a custom source. Can I map other roles to such a user?

- Nirav Mehta

[namehta]

I went through the code in the Validate class and came to this comclusion. Users are mapped in the local databased to the authorization plugin to be used. So does that mean that every user in the remote source should have atleast the username entry and auth source id in the local database?

- Nirav

[asmecher]

Hi Nirav,

Yes, a local entry is required in the database in order to ensure referential integrity. This is likely to remain true going forward, as a major component of OJS is record-keeping and the local users table is the heart of that; however, we will be working over the coming months to improve OJS's interoperability with other systems so that although a local users table is required, it can be synchronized with an external source. That synchronization currently takes place in part but if an account is created externally it cannot simply be imported into OJS.

Regards,
Alec Smecher
Public Knowledge Project Team

[namehta]

Hi Alec,

I was thinking of working on something similar to a "logon stack" the way JAAS works.

Just a thought: For a journal system that may be used by corporate or group subscriptions, it would be a good idea to provide ready to use authentication plugins for URL logon, etc, maybe even including an additional authentication parameter for the "group_id" or something.

- Nirav

[asmecher]

Hi Nirav,

Agreed -- that would be an excellent addition to OJS and OCS and would go a long way towards improving interoperability between PKP software and other applications. If you'd like to discuss design or approaches, I'd be happy to work through it with you.

Regards,
Alec Smecher
Public Knowledge Project Team

[namehta]

Hi Alec,

This is how I thought of approaching it:
You already have the AuthPlugin which is perfect. It would be a good idea to treat even the local authentication mechanism as a plugin in the Validation code.

Here is a code that I started with and it ...

Code: Select all

   function &login_new($username, $password, &$reason, $remember = false) {
      $result = false;
      $authDao = &DAORegistry::getDAO('AuthSourceDAO');
      $authSources = &$authDao->getSources();
      
      $nCount = $authSources->getCount();
      for ($iCtr=0; $iCtr<$nCount; $iCtr++) {
         $authSource = $authSources->next();
         
         $authPlugin = $authDao->getPlugin($authSource->getAuthId());
         $result = $authPlugin->authenticate($username, $password);
         if ($result) {
            break;
         }
      }
      return $result;
   }


I called this method from the original "login" method and got rid of the code which was based on the "auth_id". I'm a Java guy and just started with PHP .. basically learning the language on the fly. At this stage the authentication code is working perfect. Next is the authorization part...

For every authentication source, there should be a provision to assign default journal assignments and corresponding roles. There are 2 issues I need help with:
1. Session Handling: It seems that the session store just the "userId" and "userName" attributes. If another user logs in with the same userId from another auth source, will there be an issue with the session handling? I'm assuming that it wouldn't cause the browser session will be unique for the 2.
2. Dynamic profile building: Can objects be stored in the PHP session? If so, then in the "User" object, we need to include details such as "journal assignments" and corresponding "role assignments". This object itself can be stored in the session and used in the rest of the access control codes.

Do let me know if you have any other ideas.

- Nirav

[GennadyK]

Hi,
We have Adobe Connect (former Macromedia Breeze) integrated with SSO (JOSSO).
Acrobat Connect XML Web Services API can be used for portal integration:
http://help.adobe.com/en_US/Connect/6.0 ... s/help.pdf

For login to the system we just need to call url (HTTP Request) like this:
http://cme.ojs.com/api/xml?action=login ... ord=my_pwd
And if ok we will get HTTP Response:

<?xml version="1.0" encoding="utf-8"?>
<results><status code="ok"/></results>

In case of error:
<?xml version="1.0" encoding="utf-8"?>
<results><status code="no-data"/></results>

When a user logs in, Connect Enterprise returns a cookie that
identifies the user’s session. You need to pass the cookie back to the server on all calls made to
the server during the user’s session. Then, when the user logs out, the server makes the cookie
expire and you should invalidate it.

This mechanism works pretty good with JOSSO:
Page we want to access: http://cme.ojs.com/Sep07c
We passing it as targetUrl to JOSSO agent for Adobe Connect:
http://www.ojs.com/sso/cme.asp?targetUr ... com/Sep07c

Inside of http://www.ojs.com/sso/cme.asp:
If user successfully logged on into JOSSO, then we do HTTP Request to Adobe Connect:
http://cme.ojs.com/api/xml?action=login ... ord=my_pwd

From HTTP Response getting status and user’s session cookie.
Finally redirecting user to targetUrl:
url=targetUrl+"?session="+user_session_cookie
Response.Redirect(url)

Would it be hard to make something like this for OJS? As I can see web services is a very common interface for all kinds of systems. And you can add new calls later, like to show journal's statistics on the portal.

We envision it as this:
URL for API: http://www.website.com/api
For method call use word: do or method
For object use: with or object
For parameters - name of parameters
For scope - either system-wide(all) or just for one or few journals: scope or journal

First priority methods we need are:
1. Login User
http://www.website.com/api?do=login&use ... ord=my_pwd
- for method login by default object or with=user and scope journal=all
2. Create User
http://www.website.com/api?do=create&wi ... la@ojs.com
- for Create User method by default role=Reader and scope journal=all
3. Change User - username as email could be changed if someone has, as we have, username=email and password.
Could be called only after user/admin logon
http://www.website.com/api?do=change&wi ... la@ojs.com
4. Search Journal Content - to display list of articles on the portal page, with links to forward the user to the content.


The api.php will be not that difficult to build as it will just parse parameters, use one of the OJS methods to get results, and build an XML response the same way that the XML export does.
And we are willing to put our efforts in it, once OJS development team will be OK with it. We don't want it to be considered as a separate part, but as part of OJS, so that it will be updated/incorporated with future versions of OJS.

Thank you,
Gennady

[namehta]

Hi Gennady,

This is a great idea. Until then, this is what I am planning to do:

Create an authentication plugin with a variable parameter like 'source'. Create a Java servlet which accepts username/password and a source ID. This servlet will basically extend calls to logon modules based on the authentication and source. This is the logon method I'll follow now is:

1. User tries to logon to OJS.
2. OJS calls all sources configured with the plugin.
3. Plugin calls the servlet with these parameters.
4. Servlet delegates to respective Java modules which can make JDBC calls or whatever and returns the authentication result.
5. Servlet returns the result to OJS.
6. If a match is found, OJS will pick a preconfigured userid/passwd for the source which has all the relevant journal assignments and subscription details and mask the authentication to that user instead.

This way, we can achieve authentication with external sources as well as avoid making any serious changes to the authorization mechanism.

- Nirav

[GennadyK]

Login API:
viewtopic.php?f=8&t=2397