Details
-
Improvement
-
Status: Closed
-
Normal
-
Resolution: Fixed
-
None
-
None
-
None
Description
I'd like to suggest a minor improvement with regard to SecurityProvider and HippoUserManager APIs, which can make it even easier for developers.
Suppose I set up a custom security provider which is supposed to return a UserManager to return authentication success when an external authentication ticket is valid.
In this case, I just want to delegate every call to the existing SecurityProvider (e.g, RepositorySecurityProvider) and UserManager (e.g, RepositoryUserManager) except of AbstractUserManager#authenticate(Credentials) method.
However, because of AbstractUserManager dependency, it seems more difficult to implement a custom security provider.
Currently, the hippo repo SecurityManager.java casts the user manager to AbstractUserManager to invoke #authenticate(Credentials). This makes it more tedious and coupled with repository-engine module at this moment.
So, I'd like to suggest the following:
(a) Move AbstractUserManager#authenticate(Credentials) method to
HippoUserManager interface.
(b) Move HippoUserManager interface from hippo-repository-engine to
hippo-repository-api module.
(c) Change SecurityManager to cast userManager to HippoUserManager
instead of AbstractUserManager.
(d) Add 'DelegatingSecurityProvider' class and 'DelegatingUserManager' into hippo-repository-builtin module for easier custom security provider implementation. With those, developers can easily implement delegating provider with minimal overrides.
With the improvement, we can simply depend on hippo-repository-api and
hippo-repository-builtin and easily implement a custom security provider.