Orion/Documentation/Developer Guide/Plugin authentication

Overview

Orion supports plugins that require authentication: for example, a filesystem plugin might require authentication before it can write to any files. The authentication contract is based on a few key points:

  • Plugins can be associated with a login page
  • Service calls may fail because the user is not authenticated
  • The login page authenticates a user with a plugin

Details

When a plugin is loaded, it registers headers with the framework by calling new PluginProvider(headers). Among the headers, it can provide a login field. The login field gives a URL that the user visits to authenticate with the plugin. Orion doesn't mandate any particular authentication technology: anything can be used, so long as the contract with the framework is upheld.

The login page need not be unique to the plugin: for example, in the default Orion Java server installation, logging in to the login page LoginWindow.html will set a session cookie that authenticates the user with many plugins in one shot.

When the framework performs a method call to a service provided by the plugin, the plugin can signal to the framework that the call failed because the user needs to authenticate. To do this, it rejects the service call with an object having a status: 401 field. For example:

    // PluginProvider and Deferred are assumed to be loaded already
    // (Orion's plugin and Deferred scripts).
    var provider = new PluginProvider({
        login: "http://example.org/login"  // Login page for this plugin
    });

    provider.registerService("some.orion.service", {
        writeFile: function() {
            var d = new Deferred();
            // notLoggedIn is a placeholder for the plugin's own session check
            if (notLoggedIn) {
                d.reject({ status: 401 }); // error 401 (unauthorized)
            } else {
                /* write the file */
                d.resolve();
            }
            return d;
        }
    }, { /*properties*/ });

    provider.connect();

The Orion UI has special handling of rejected service promises with status == 401. When one occurs, the UI displays a message like the following, which contains a link to the plugin's login page:

Authentication required for: My Great Plugin. Login and re-retry the request.

The user is then expected to navigate to the login page, log in, and then return to Orion and retry the action they originally attempted. This time, the plugin should perform the action successfully.
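
The reject, log in, retry sequence described above, as an added example that is not Orion's own code. Native Promises stand in for Orion's Deferred; createFileService, safeLoginUrl and callService are hypothetical names, and the http(s) check on the login URL is an assumption about how a caller should treat the plugin-supplied header, not documented Orion behaviour.

```javascript
// Added example: stand-ins for an Orion plugin service and the code that calls it.
// Native Promises replace Orion's Deferred; all names below are hypothetical.

// Plugin side: reject with { status: 401 } until the user has a session.
function createFileService(session) {
  return {
    writeFile: function (path, contents) {
      if (!session.loggedIn) {
        return Promise.reject({ status: 401 }); // caller must authenticate
      }
      session.files[path] = contents;
      return Promise.resolve(path);
    }
  };
}

// The login header is plugin-supplied data: only link to http(s) URLs.
function safeLoginUrl(login) {
  try {
    var url = new URL(login);
    return (url.protocol === "https:" || url.protocol === "http:") ? url.href : null;
  } catch (e) {
    return null; // missing or unparsable login header
  }
}

// Caller side: turn a 401 rejection into an "authentication required" result
// carrying the login link; let every other failure propagate unchanged.
function callService(service, method, args, headers) {
  return service[method].apply(service, args).then(
    function (value) { return { ok: true, value: value }; },
    function (err) {
      if (err && err.status === 401) {
        return { ok: false, authRequired: true, loginUrl: safeLoginUrl(headers.login) };
      }
      throw err;
    }
  );
}

// Constructed walk-through: first call fails, user logs in, retry succeeds.
var headers = { name: "My Great Plugin", login: "http://example.org/login" };
var session = { loggedIn: false, files: {} };
var service = createFileService(session);
callService(service, "writeFile", ["/a.txt", "hi"], headers).then(function (first) {
  console.log("Authentication required for: " + headers.name + " -> " + first.loginUrl);
  session.loggedIn = true; // stands in for the user visiting the login page
  return callService(service, "writeFile", ["/a.txt", "hi"], headers);
}).then(function (retry) { console.log("retry ok:", retry.ok); });
```

Only status 401 is mapped to the login prompt; any other rejection is rethrown so that real failures are not presented to the user as an authentication problem.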
