Thank you so much ! I had not expected such a complete, accurate - and
fast ! - answear :)
If I may go further, I have a few more questions.
I want to allow users to access Slide from a web frontend (actually a
customized Jetspeed portal), from a 'heavy' (client side) Java client
AND from some non-browser clients (e.g OpenOffice.org). I had this
solution in mind:
- The heavy client would access Slide after having authenticated itself
to the CAS. In this case, Slide would only ask the CAS to check the
validity of the ticket;
- The web portal would use CAS as its core authentication service, so
there is no problem here;
- The non-browser clients would access the resource in Slide through an
URL provided by the portal. This URL would contain a portal-generated
session ID and Slide - or the request dispatcher - would detect it and
use it to authenticate the client.
This is summarized in the following architecture (hope it will be
readable - please view with fixed width font):
***-**-*
| Java || Browser || OOo |
| Client |*-**-*
** ^^
^ ^ ||
|\ v|
| v** S.Id |
| *-*---| Portal |--o
| | CAS | ** |
| *-* ^|
| ^||
v vvv
*-*
| S L I D E |
*-*
If I understand well, this approach is quite similar to your third
proposition. Please correct me if not :)
Where should I go for more doc about filters ? I was going to have a
look at Tomcat's documentation and/or J2EE docs at java.sun.com, but it
would be great if I had some precise pointers :)
Again thanks a lot !
Regards,
Jean-Baptiste
Ben Alex wrote:
Hi Jean
I'm using Slide 2.0 within Tomcat 5.0.19, JDK 1.4.2_03. I
would like to use a custom (SSO) authentication mechanism to
control access to the Slide server. Actually, I want to
totally get rid of the simple HTTP auth mechanism and use an
external tool - for information, the Central Authentication
Service (CAS - https://www.yale.edu/tp/cas).
Is there any roadmap to follow / featured API to help with this task ?
I integrated CAS support into the Acegi Security System
(http://acegisecurity.sourceforge.net), which I've also integrated into
Slide, so hopefully I can offer some pointers.
Slide has a utility class, org.apache.slide.webdav.util.WebdavUtils, which
has a method, getSlideToken(). This method obtains the principal from the
web container using the normal request.getUserPrincipal() method, or,
failing that, from a session attribute named
org.apache.slide.webdav.method.principal. This is your magic bridge
between third party authentication systems and Slide. :-)
For this to work, you DON'T authenticate using standard web container
services. So disable web.xml security-constraints etc. You'll need a
filter that detects requests to the WebdavServlet from a user that hasn't
got a HttpSession attribute with the above name. When the unauthenticated
user is detected, you'll redirect them to the CAS server. After login, CAS
will post back to another one of your filters which validates the CAS
service ticket and sets up a valid Principal implementation in the
HttpSession attribute named above. From that point forward, the WebdavUtils
class will be able to extract the Principal. Slide only uses
Principal.getName(), and then relies on its own authorization store to
determine the ACLs that apply.
The most work is in the filters/servlets that tie in the CAS login. Also, of
course, you'll have a problem in that non-web-browser clients cannot obtain
the CAS ticket as they use BASIC authentication which doesn't understand
HTTP redirects (which is central to how CAS works). There are some ways you
can approach it, though:
- Forget about non-browser clients. Ouch...
- Write a filter that detects the BASIC authentication request, then posts
it through to CAS on behalf of the BASIC authentication client, and then
processes the resulting opaque service ticket as described above.
- Have dual authentication methods. For web browsers use native CAS. For
BASIC authentication clients, directly validate against the backend database
from your BASIC authentication processing filter. This is the cleanest
model.
Acegi Security might be worth a look for some code samples. It does BASIC
authentication, CAS integration etc. You could also use it natively to
perform most (if not all) of the above.
Hope this helps.
Ben
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
