[JDEV] Passwords

DJ Adams dj.adams at pobox.com
Mon Jun 25 13:05:17 CDT 2001

On Mon, Jun 25, 2001 at 11:27:31AM -0400, Tony Byers wrote:
> Hello, 
> Could anyone tell me why the server needs to pass through authreg.c twice
> for a sign on?  And why does it have the username but not the password
> on the first pass?  Lastly, is there any way to get the password on the
> first pass?  I would like to see if the user comes up as null, then do
> an automatic register (assuming they pass a Kerberos check).  If anyone
> knows of a better way to do this, I would really appreciate any advice.

(1) twice, because of an iq-get to discover authentication methods available,
    followed by an iq-set to send the credentials

(2) it only has the username on the first pass as this is the iq-get, and
    the username is needed (nothing else) to look up the user's spool data,
    so the auth modules can see if the appropriate data is stored for that
    user and that method

(3) auto-register, "comes up as null"?  - hmm. If a user doesn't exist, 
    you get a 401 unauthorized, not a null, on an authentication (iq-set)
    attempt. One way would be to look into how iq:register works - e.g. if
    you try and register an *existing* user you get an error (409 Not
    Available, I think) whereas if the user doesn't exist, the registration
    is successful. I'm not sure this is a good idea anyway, I'm just 
    thinking aloud. 

    There's also the <auth/> 'hack' which allows you to substitute your
    own-rolled authentication mechanism(s), which you might want to look 
    into, as it would give you more control over things.

Hope that helps
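
The two passes described above, as an added example (not part of the original message and not jabberd's authreg.c): a toy handler that answers the iq-get from the username alone and checks the credentials on the iq-set. The spool contents, stream ID and function names are constructed for illustration; the field names and the SHA-1 digest over stream ID plus password follow the legacy jabber:iq:auth protocol.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"
SPOOL = {"alice": "correct horse"}  # constructed spool data: username -> password

def _field(query, name):
    return query.findtext(f"{{{NS}}}{name}")

def handle_auth_iq(stanza, stream_id):
    """Answer one jabber:iq:auth stanza; a sign-on calls this twice."""
    iq = ET.fromstring(stanza)
    query = iq.find(f"{{{NS}}}query")
    stored = SPOOL.get(_field(query, "username") or "")
    reply = ET.Element("iq", {"id": iq.get("id", ""), "type": "result"})

    if iq.get("type") == "get":
        # Pass 1 (iq-get): only the username is known. Look up the spool data
        # and advertise the methods it can satisfy. Offering nothing for an
        # unknown user is an assumption of this sketch.
        out = ET.SubElement(reply, "query", {"xmlns": NS})
        names = ["username", "resource"]
        if stored is not None:
            names += ["password", "digest"]
        for name in names:
            ET.SubElement(out, name)
        return ET.tostring(reply, encoding="unicode")

    # Pass 2 (iq-set): the credentials arrive and are checked.
    ok = False
    if stored is not None:
        password, digest = _field(query, "password"), _field(query, "digest")
        if digest is not None:
            want = hashlib.sha1((stream_id + stored).encode()).hexdigest()
            ok = hmac.compare_digest(digest.lower().encode(), want.encode())
        elif password is not None:
            ok = hmac.compare_digest(password.encode(), stored.encode())
    if not ok:
        # Unknown user or bad credentials: 401, as the message describes.
        reply.set("type", "error")
        ET.SubElement(reply, "error", {"code": "401"}).text = "Unauthorized"
    return ET.tostring(reply, encoding="unicode")

def offered_methods(reply_xml):
    """Client side: list the fields the server offered in its iq-get reply."""
    query = ET.fromstring(reply_xml).find(f"{{{NS}}}query")
    return [] if query is None else [child.tag.split("}")[1] for child in query]
```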
