[QFJ-177] Provide support classes for inserting authentication information in logon messages Created: 14/May/07  Updated: 17/Jun/20  Resolved: 14/May/20

Status: Closed
Project: QuickFIX/J
Component/s: None
Affects Version/s: None
Fix Version/s: 2.2.0

Type: Improvement Priority: Minor
Reporter: Toli Kuznets Assignee: Christoph John
Resolution: Fixed Votes: 0
Labels: None

Attachments: Text File logon.patch    

 Description   

What do you think of modifying the logic for sending Logon messages to optionally include the username/password?

While it's possible use QFJ to construct our own Logon message and send it out in the application logic, it's rather non-trivial to do so.

I propose to add 2 new parameters to SessionSettings (username/password) that, if exist (and if DataDictionary has these fields for the given FIX version) would include the username/password in the logon message.

See the attached patch. I couldn't figure out how to create the acceptance tests for it. I also realize that we may want to add extra logic to make sure debug messages don't print the password fields, and maybe a better way to encrypt/obfuscate the password.

 Comments   
Comment by Steve Bate [ 19/May/07 ]

What do you think about doing this at the application level? Typically someone would do it in an application callback:

http://www.quickfixj.org/confluence/display/qfj/Implementing+Custom+Logons

However, we could create an AuthenticatingApplication implementation to implement this behavior or create some type of utility class that can be used with another concrete Application to easily implement the behavior.

Comment by Toli Kuznets [ 21/May/07 ]

Steve, i see you point.
I was originally thinking that it would make sense to do it in the Session since the values (username/password) may be coming from the same config file as the rest of the session descriptor.
However,that may not be the case, as people may not want to store the password in a plain-text config file.

So i'm actually ambivalent about this now - I can easily be convinced that this feature is better left up to individual implementors to be done in the toAdmin() callback.

Having an abstract AuthenticatingApplication is a good idea, it could be something that has to implement a getUser() and getPassword() function and would know how to implement the logon correctly.
Then we take care of doing the logon logic, and the user is still required to implement getPassword() which will enable them to do it in a secure way.

I'm leaving the decision up to you - we can close it as "won't fix" and leave as-is, or we can change it to create the AuthenticatingApplication instead.

Comment by Steve Bate [ 21/May/07 ]

The user could provide the SessionSettings to the authenticated application implementation or extract the user name and password from the SessionSettings and inject them into the application. I like the idea of having some ready-to-go capabilities at the application level. At the same time, I'd like to keep the Session itself as lean and simple as possible.

Comment by Toli Kuznets [ 21/May/07 ]

I agree. So let's brand this as an RFE to create an easy-to-use out-of-the-box AuthenticatingApplication subclass.

Comment by Christoph John [ 14/May/20 ]

Closing this due to https://github.com/quickfix-j/quickfixj/pull/285
Not quite an AuthenticatingApplication but given the fact that no-one implemented this in all these years we've aimed for a simple solution. Users requiring a more sophisticated approach could still do this in their toAdmin() method.

Generated at Sun Apr 28 19:41:58 UTC 2024 using JIRA 7.5.2#75007-sha1:9f5725bb824792b3230a5d8716f0c13e296a3cae.