[TYPO3-dev] Services architecture

Christian Lerrahn (Cerebrum) christian.lerrahn at cerebrum.com.au
Tue Apr 5 06:45:21 CEST 2011


Hi Helmut,
On Mon, 04 Apr 2011 16:44:52 +0200
Helmut Hummel <helmut.hummel at typo3.org> wrote:

> Hi Christian,
> 
> Christian Lerrahn (Cerebrum) wrote:
> 
> > I believe the modifications to rsaauth required to make it
> > "rsatransfer" as you call it would be minor and would be happy to
> > dig into that. However, there is still the problem that currently
> > the transferred credentials are passed to the authentication
> > services by value and can therefore not be returned to the chain
> > without a (minimal) core change. Or did you have a different
> > mechanism in mind?
> 
> As Dmitry and Marcus pointed out, it does not make sense to
> "hack" the authentication chain to implement a (RSA) transfer service.
> 
> We do not have something like that yet, but I would appreciate if 
> someone is willing to dig into it and find a clean and good solution.
> 
> Repeating the task and the challenges mentioned by Marcus:
> 
>  > Possible use cases:
>  > * credential transfer from a login form (BE/FE)
>  > * transfer of password to set in user setup BE module
>  > * transfer of other confidential data between client & server
>  > * ...
>  >
>  > The challenges are:
>  > * structure of a "transfer only" service
>  > * how to describe a relationship between authentication and the
>  > transfer service
>  > * ...
> 
> Obviously the transfer/decryption part must happen before the
> authentication part.
> 
> If we have that, the rsaauth in the authentication chain would of
> course be obsolete.
> 
> Is it more clear now?

I suppose these were not the things that were unclear to me. ;) Well,
here is an outline of the concept I have in mind. It revolves around a
real authentication chain but could be given a bigger scope, of course.

The authentication chain would become a real chain with the following
order of services:

*** old combined transfer/auth services ***
- rsaauth (still authenticating as it is now)

*** transfer encryption services ***
- rsatransfer
(- possibly other encryption services)

*** auth services ***
- saltedpasswords
- basic authentication service

The idea would be that saltedpasswords or any other auth service expects
a plain text password (or the old MD5 hashes) in the loginData array
independent of what kind of transfer services have run before. The
transfer services would then just take the login data, decrypt the data
and pass on the plain text password. As the old combined services take
higher priority, they would still work and just stop the service chain
early.

Ideally, one could configure via TSconfig/TS that a field is supposed
to be handled by rsatransfer. rsatransfer would then have to kick in
somewhere when submitted data is being processed (BE and FE). I haven't
dug into that yet, so I'm unsure where this would be handled best.

Does this clarify what I have in mind? Does this also agree with what
you suggest?

Cheers,
Christian
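The chain described above, as an added example that is not part of the original mail or of TYPO3 itself: a simplified PHP 8 model in which services run in priority order, a transfer service decrypts the credential in place and passes it on, and an auth service expects plain text and returns the decision. The `ChainService` interface, the `rsa:` prefix marking an encrypted field, and the use of `uname`/`uident` as the loginData keys are assumptions of this model, not TYPO3's service API.

```php
<?php
// Added example, not TYPO3 code: a model of the proposed transfer -> auth chain.
// Services receive loginData by reference, so a transfer service can replace
// the encrypted field with plain text before the auth services see it.

interface ChainService {
    // true/false = authentication decision (stops the chain); null = pass on.
    public function process(array &$loginData): ?bool;
}

// Transfer-only service: decrypts an "rsa:"-prefixed password (assumed marker).
final class RsaTransferService implements ChainService {
    public function __construct(private $privateKey) {}
    public function process(array &$loginData): ?bool {
        if (!str_starts_with($loginData['uident'], 'rsa:')) { return null; }
        $cipher = base64_decode(substr($loginData['uident'], 4), true);
        if ($cipher === false ||
            !openssl_private_decrypt($cipher, $plain, $this->privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            return false; // undecryptable input: fail closed instead of passing garbage on
        }
        $loginData['uident'] = $plain;
        return null; // no decision here, the auth services decide
    }
}

// Auth service: expects plain text and checks it against a stored salted hash.
final class SaltedPasswordService implements ChainService {
    public function __construct(private array $users) {}
    public function process(array &$loginData): ?bool {
        $hash = $this->users[$loginData['uname']] ?? null;
        return $hash !== null && password_verify($loginData['uident'], $hash);
    }
}

// Runs services in order; the first non-null result ends the chain early,
// which is also how an old combined rsaauth-style service would behave.
function runChain(array $services, array $loginData): bool {
    foreach ($services as $service) {
        $result = $service->process($loginData);
        if ($result !== null) { return $result; }
    }
    return false; // nobody decided: deny
}

// Constructed demo data: a fresh RSA key pair and one user with a salted hash.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKey = openssl_pkey_get_details($key)['key'];
openssl_public_encrypt('correct horse', $encrypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$chain = [new RsaTransferService($key), new SaltedPasswordService($users)];
var_dump(runChain($chain, ['uname' => 'admin', 'uident' => 'rsa:' . base64_encode($encrypted)]));
var_dump(runChain($chain, ['uname' => 'admin', 'uident' => 'rsa:' . base64_encode('not a ciphertext')]));
```

The second call shows the fail-closed path: a field marked as encrypted that does not decrypt is rejected by the transfer service rather than being handed to saltedpasswords as if it were plain text.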
