[TYPO3-project-4-3] Making RSA Auth default login method?

Michael Stucki michael at typo3.org
Wed May 6 11:30:21 CEST 2009


Hi Dmitry,

>> That's all. Any value that changes that setting will be loaded
>> after this file and thus overrides successfully.
> 
> This should be in the rsaauth extension, not anywhere else. Rsaauth
> should be the only one who contains all logic and all checks.
> Otherwise we will get a second "workspaces" thing that is all over
> the system and no one knows where it is exactly :) I really want
> TYPO3 to be modular, each module 100% responsible for its functions.

I absolutely agree with you. And I think it should be possible to do so:

EXT:rsaauth/ext_localconf.php:

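// $EXTCONF: configuration of this extension (opt-out switch)
if (!$EXTCONF['notTryToSetAsDefault']) {
  // $openssl_is_active: placeholder for the OpenSSL availability check
  if ($openssl_is_active) {
    $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'rsa';
  }
}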

How about this? So the default settings in config_default.php would not 
be touched.

> The check for the RSA availability must use the backends I described
> in the previous paragraphs. Checks must not be outside of the
> backends because backends contain the logic to determine if they can
> run. Moving this logic outside breaks integrity and will cause
> duplicate code.

I see. You want to keep the availability check of OpenSSL (PHP or 
cmdline) within the corresponding backend. Makes sense.

> Yet another problem in the "if" above is that it forces RSA auth.
> What if I want to use LDAP auth instead? I will not be able to do it
> because RSA will be forced.

Allow to exclude this using an EXTCONF setting (see above).

> So if the check you propose is implemented, it:
> - must be in the rsaauth extension

Agree.

> - must call RSA backends to check if they are available (= use factory
> to get a backend, null means "not available")

If the extension must be installed explicitly, I think it is acceptable 
to die with a meaningful warning. Users can react easily by unloading 
"rsaauth". They don't need to look for OpenSSL or order installation 
permissions first.

> - must not force rsa method but remove it if the method is set but
> unavailable

Not necessary then.

Here is a new proposal, trying to put everything together:

- rsaauth is not loaded by default (left out of RequiredExtList)
- rsaauth is added to ExtList for new sites (see dummy.tar.gz)
- When rsaauth is loaded, it will be enabled by default using the check
   above (well, remove the line with the check about openssl
   availability)
- If enabled and the backend misses OpenSSL => die greatly (no fallback)
- If user wants to switch back, he just needs to unload the extension

What do you think?

- michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
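
The proposal in the message above, sketched as an added example (not code from the original message or from the rsaauth extension): each backend reports its own availability, a factory returns null when none can run, and the extension stops instead of silently falling back to a weaker login level. Every class and function name is hypothetical; only the keys loginSecurityLevel and notTryToSetAsDefault come from the message.

```php
<?php
// Added illustration; class and function names are hypothetical.
interface RsaBackend {
    public function isAvailable(); // each backend decides whether it can run
}
class PhpOpensslBackend implements RsaBackend {
    public function isAvailable() {
        return function_exists('openssl_pkey_new');
    }
}
class CmdlineOpensslBackend implements RsaBackend {
    private $binary;
    public function __construct($binary) { $this->binary = $binary; }
    public function isAvailable() {
        return $this->binary !== '' && is_executable($this->binary);
    }
}
// Factory: first usable backend, or null meaning "not available".
function getRsaBackend(array $candidates) {
    foreach ($candidates as $backend) {
        if ($backend->isAvailable()) { return $backend; }
    }
    return null;
}
// Returns the settings to use. The message proposes die(); an exception is
// thrown here instead so the caller below can show the message and continue.
function applyRsaDefault(array $confVars, array $extConf, array $candidates) {
    if (!empty($extConf['notTryToSetAsDefault'])) {
        return $confVars; // admin opted out, e.g. to use LDAP auth
    }
    if (getRsaBackend($candidates) === null) {
        // No fallback to a weaker level: stop and say how to recover.
        throw new RuntimeException(
            'rsaauth: OpenSSL not available; unload "rsaauth" to switch back');
    }
    $confVars['BE']['loginSecurityLevel'] = 'rsa';
    return $confVars;
}
// Constructed sample input: the only backend points at a missing binary.
$conf = array('BE' => array('loginSecurityLevel' => 'normal'));
$broken = array(new CmdlineOpensslBackend('/nonexistent/openssl'));
$optOut = applyRsaDefault($conf, array('notTryToSetAsDefault' => 1), $broken);
echo $optOut['BE']['loginSecurityLevel'], "\n"; // opt-out leaves the setting alone
try {
    applyRsaDefault($conf, array(), $broken);   // enabled, but no backend
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```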

