[commits] [Wiki] changed: ActiveSync/Development

Michael Rubinsky mrubinsk at horde.org
Wed Nov 23 15:36:12 UTC 2016


mrubinsk  Wed, 23 Nov 2016 15:36:11 +0000

Modified page: https://wiki.horde.org/ActiveSync/Development
New Revision:  2
Change log:  Save early, save often.

@@ -52,8 +52,17 @@
  : Cmd : This is the command or request type. E.g., SYNC, PING, FOLDESYNC
  : !DeviceId : This is a unique identifier for the client. This value  
is only unique to the client, not to the account. I.e., the same  
physical device/application will have the same !DeviceId. Multiple  
users can be associated with the same !DeviceId.

  Flow is turned over to //**Horde_ActiveSync::handleRequest()**//.  
This is where the interesting stuff starts to happen.
+
++++Authentication
+First, we perform some checks, normalization, and call the  
versionCallback hook if it's present. If all is well, we finally  
attempt authentication. Authentication to Horde is a massive topic and  
it's only complicated more by layering ActiveSync on top of it. I will  
try to give a brief overview here. For a more detailed description of  
the general Horde authentication layer, see Jan's excellent series of  
posts on his [http://janschneider.de blog].
+
+Thanks to broken clients, different supported authentication  
mechanisms and other idiosyncrasies, we need to perform some magic to  
make sure we have the user's credentials. For this, there is  
//Horde_ActiveSync_Credentials//. This class, when constructed and  
injected with the //Horde_ActiveSync// object, will have two  
properties set: ''username'' and ''password''. For the purposes of  
this page, we will assume a typical setup where the client properly  
sends credentials using HTTP BASIC and we are NOT using X509  
certificates.
+
+Once we have found the credentials, we call  
//**Horde_ActiveSync::authenticate()**//. This performs a few checks  
then ultimately passes control to  
//**Horde_Core_ActiveSync_Driver::authenticate()**//. Since some  
broken clients always send the email address as the username, plus the  
fact the Autodiscover requests ALWAYS use the email address, we need  
to normalize the username to the correct form. This is handled in  
//**Horde_Core_ActiveSync_Driver::getUsernameFromEmail()**// and is  
partially affected by the  
$GLOBALS['conf']['activesync']['autodiscovery'] setting (yes, this  
name is misleading since it is now used for more than just  
autodiscovery).
+
+Once in //**Horde_Core_ActiveSync_Driver::authenticate()**// we use  
the //Horde_Core_ActiveSync_Auth// object that was injected when the  
driver was created to perform the actual authentication. The reason  
for this authentication wrapper is to allow for combinations of a  
"normal" Horde auth driver along with a transparent driver like X509  
to support clients that allow for certificates along WITH credentials.  
For this page, we will assume a "normal" authentication.


  ++ Life Cycle of a Client.
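Review bot: In the added paragraph on Horde_Core_ActiveSync_Driver::getUsernameFromEmail(), the username normalization is described only as "partially affected by" $GLOBALS['conf']['activesync']['autodiscovery'], without saying which values the setting takes or how each one maps the email address to a username. That mapping decides which account the supplied credentials are checked against, so list the values and the resulting username form here, or link to where they are documented. Two smaller points: the new heading is written "+++Authentication" with no space after the markers, while the existing "++ Life Cycle of a Client." has one, and the reference to Jan's series links to the blog root (http://janschneider.de) rather than to the posts themselves.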



