Login process
From KnowledgeTree Document Management Made Simple
Stages
The usual stages of login are:
- Display the login page (do_main)
- Attempt a user login (do_login)
- The "Check Cookie" stage (do_checkCookie)
Login interceptors
Login interceptors can be added by plugins to change the login process. They can override the first two stages, and either log in a user (for example, by checking a cookie, or an Apache mod_auth_* header), or display a totally different page to the user (for example, for external authentication like CAS).
There are two stages for login interceptors in both the do_main and do_login methods.
- Pre-authenticate a user - return a user object that has been authenticated by some means
- Take over control of the login process
Each login interceptor is given an opportunity in each stage to do its work. An interceptor can return null if it didn't receive the information it expected, or if it otherwise doesn't want to authenticate a user or take over the login process. All interceptors are tried in each stage until one of them authenticates a user or takes over the login process.
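The two-stage dispatch described above, as an added sketch that is not KnowledgeTree's own code. The interface, class and function names are hypothetical, the SSO URL and request values are constructed, and it assumes the pre-authentication stage runs across all interceptors before the take-over stage.

```php
<?php
// Hypothetical model of the interceptor chain; these names are not KnowledgeTree's API.
interface LoginInterceptor {
    // Stage 1: return an already-authenticated user name, or null to pass.
    public function authenticated(array $server): ?string;
    // Stage 2: return a page or redirect to show instead of the login form, or null to pass.
    public function takeOver(array $server): ?string;
}

// Accepts the user name that an Apache mod_auth_* module placed in REMOTE_USER.
class RemoteUserInterceptor implements LoginInterceptor {
    public function authenticated(array $server): ?string {
        $user = $server['REMOTE_USER'] ?? '';
        return $user !== '' ? $user : null;   // value missing: do not authenticate
    }
    public function takeOver(array $server): ?string { return null; }
}

// Sends visitors to an external login page (CAS-style) instead of the local form.
class ExternalLoginInterceptor implements LoginInterceptor {
    public function authenticated(array $server): ?string { return null; }
    public function takeOver(array $server): ?string {
        return 'redirect:https://sso.example.invalid/login';   // constructed URL
    }
}

// Stage 1 over every interceptor, then stage 2, then the standard password login.
function runLoginStages(array $interceptors, array $server): string {
    foreach ($interceptors as $interceptor) {
        $user = $interceptor->authenticated($server);
        if ($user !== null) {
            return "performLogin($user)";
        }
    }
    foreach ($interceptors as $interceptor) {
        $page = $interceptor->takeOver($server);
        if ($page !== null) {
            return $page;
        }
    }
    return 'standard password authentication';
}

// Constructed requests: with REMOTE_USER set, without it, and with no take-over plugin.
$chain = [new ExternalLoginInterceptor(), new RemoteUserInterceptor()];
echo runLoginStages($chain, ['REMOTE_USER' => 'alice']), "\n";
echo runLoginStages($chain, []), "\n";
echo runLoginStages([new RemoteUserInterceptor()], []), "\n";
```

Because stage 1 completes before stage 2 starts, an interceptor that pre-authenticates wins over an earlier-registered one that only takes over, so every pre-authenticating plugin has to return null whenever its input is missing.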
Auto-signup
If no login interceptor authenticates a user or takes over the process, the "standard" authentication is performed: passwords are checked against the configured authentication sources. If a user is not authenticated because the user does not exist, each authentication source set up in KnowledgeTree has the option to automatically sign up the user. For example, if authentication happens through LDAP or Active Directory, a user can be created from the information in LDAP or Active Directory, and the administrator does not need to create the account before the user can log in.
The autoSignup utility function on KTAuthenticationUtil is used. This calls the autoSignup method on the authentication provider for each authentication source. By default, this method does nothing, but it can be overridden.
performLogin
The performLogin method of LoginDispatcher performs the full login of a user. The user should be authenticated before this method is called. Generally, nobody but do_main and do_login would call this. No other means of logging a user in should be used.
It creates the user's session (including some initial values), and redirects to do_checkCookie, passing a test value in the CookieTestCookie cookie, and in the cookieVerify query parameter.
do_checkCookie
This action ensures that every client accessing KnowledgeTree has cookies set. Sessions depend on cookies, and many parts of KnowledgeTree store values in the session.

