Password Provider¶
A Password Provider is an implementation of the Java interface ome.security.auth.PasswordProvider. Several implementations exist currently:
ome.security.auth.JdbcPasswordProvider is the most common provider, and uses the “password” table for storing passwords hashed using MD5 and salt per user.
ome.security.auth.FilePasswordProvider is rarely used, but in some scenarios may be useful since it permits setting usernames and passwords in a plain text file.
ome.security.auth.LdapPasswordProvider is a highly configurable provider which provides READ-ONLY access to an LDAP server and can create users and groups on the fly. See LDAP plugin design for more information.
The “chainedPasswordProvider”
(ome.security.auth.PasswordProviders)
is configured for use by default in Security
under omero.security.password_provider
. It first checks with the
LdapPasswordProvider
and then falls back to the
JdbcPasswordProvider
.
To write your own provider, you can either subclass from
ome.security.auth.ConfigurablePasswordProvider
as the providers above do, or write your own implementation from
scratch. You will need to define your object in a Spring XML file
matching the pattern ome/services/db-*.xml
. See
Extending OMERO.server more for information.
Things to keep in mind¶
All the existing implementations take care to publish a LoginAttemptMessage so that any LoginAttemptListener implementation can properly react to failed logins. Your implementation should probably do the same.
When dealing with chains of password providers, an implementation can safely return null from
checkPassword
to say “I don’t know anything about this”. This is only important if you configure your own chained password provider with your new implementation as one of the elements.