[TYPO3-project-4-3] Making RSA Auth default login method?

Dmitry Dulepov dmitry.dulepov at gmail.com
Tue May 5 16:41:48 CEST 2009


Hi!

Michael Stucki wrote:
> Hi Dmitry,
> 
> Dmitry Dulepov schrieb:
>> The fallback can be implemented but it will need a change in the
>> login form (introducing priorities to hooks in the login form).
>> Please, check also my answer to Steffen a minute ago where I describe
>> it in detail.
> 
> Then I suggest to change the default setting only if loginSecurityLevel
> is "" or "superchallenged".
> 
> This won't require any changes except in t3lib/config_default.php. See
> there how an if condition already overrides the defaults of various GFX
> settings. I imagine it could be done similarly for this case:
> 
> $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = ''; // like before
> 
> ...
> 
> if ($openssl_is_active) {
>     $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
> }
> 
> That's all. Any value that changes that setting will be loaded after
> this file and thus overrides successfully.

This should be in the rsaauth extension, not anywhere else. Rsaauth should be the only one who contains all logic and all checks. Otherwise we will get a second "workspaces" thing that is all over the system and no one knows where it is exactly :) I really want TYPO3 to be modular, each module 100% responsible for its functions.

Rsaauth uses two ways to create keys: PHP extension or command line. Those ways are coded in two backends. These backends hide all logic. They are derived from a common interface. Upper level modules in the rsaauth work with functions defined in the interface. It is an abstraction and it is good. If we ever want to remove or add an RSA backend, it will be very easy. Also if we want to rewrite or remove rsaauth, it is also easy: just change the extension, not anything else in the core.

The check for the RSA availability must use the backends I described in the previous paragraphs. Checks must not be outside of the backends because backends contain the logic to determine if they can run. Moving this logic outside breaks integrity and will cause duplicate code.

Yet another problem in the "if" above is that it forces RSA auth. What if I want to use LDAP auth instead? I will not be able to do it because RSA will be forced.

So if the check you propose is implemented, it:
- must be in the rsaauth extension
- must call RSA backends to check if they are available (= use factory to get a backend, null means "not available")
- must not force rsa method but remove it if the method is set but unavailable

:)

-- 
Dmitry Dulepov
In TYPO3 blog: http://dmitry-dulepov.com/reviews/magento-beginners-guide-by-william-rice.html
LinkedIn: http://www.linkedin.com/in/dmitrydulepov
Twitter: http://twitter.com/dmitryd
Skype: liels_bugs
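
The three requirements listed in the message above, sketched as an added example that is not part of the original e-mail and is not code from the rsaauth extension. All class and function names are hypothetical, and the fallback level passed in at the bottom is an assumed value.

```php
<?php
// Hypothetical names throughout; this is not the rsaauth extension's code.
interface RsaBackend {
    /** Each backend decides for itself whether it can run. */
    public function isAvailable(): bool;
}

final class PhpExtensionBackend implements RsaBackend {
    public function isAvailable(): bool {
        return function_exists('openssl_pkey_new');
    }
}

final class CommandLineBackend implements RsaBackend {
    private $binary;
    public function __construct(string $binary) { $this->binary = $binary; }
    public function isAvailable(): bool {
        return $this->binary !== '' && is_executable($this->binary);
    }
}

final class RsaBackendFactory {
    /** @param RsaBackend[] $candidates backends in priority order */
    public static function getBackend(array $candidates): ?RsaBackend {
        foreach ($candidates as $backend) {
            if ($backend->isAvailable()) {
                return $backend;
            }
        }
        return null; // null means "not available"
    }
}

/**
 * Never forces 'rsa': any other configured level passes through untouched.
 * Only a configured 'rsa' with no usable backend is replaced by $fallback,
 * and the downgrade is logged so it does not happen silently.
 */
function effectiveLoginSecurityLevel(string $configured, ?RsaBackend $backend, string $fallback): string {
    if ($configured === 'rsa' && $backend === null) {
        error_log("loginSecurityLevel 'rsa' configured but no RSA backend is available");
        return $fallback;
    }
    return $configured;
}

// Constructed input: a command-line backend pointing at a path that does not exist.
$none = RsaBackendFactory::getBackend([new CommandLineBackend('/nonexistent/openssl')]);
var_dump(effectiveLoginSecurityLevel('rsa', $none, 'superchallenged')); // assumed fallback
var_dump(effectiveLoginSecurityLevel('', $none, 'superchallenged'));
```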

