I'm not familiar with the auto-create-users code, so the only thing I
know for sure about it is that an attempt is made to create a new user
node when a user authenticates that doesn't exist in the system. I
really don't know how role assignment fits in, though. The second part
of my post was about how to make roles unnecessary (at least for basic
access).

If you look in the <data> section of your Domain.xml file you'll see a
number of write permissions granted to the subject "/roles/users". If
you change those subjects to "authenticated" or "all", any user with a
valid login to the system will have write access. Since the
auto-create-users setting guarantees that any user with a valid login is
also a Slide user, this change should be alright. If you want a "guest"
user you'll need to fiddle with the permissions to deny write access to
the guest account, though.

-James
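One way to see what the subject change described above does to a repository, as an added example that is not part of the original message or of Slide itself: a small audit that lists nodes granting write access to "authenticated" or "all" and notes whether a guest deny is present. The sample XML is constructed, and the element and attribute names, the `/actions/write` action, the `negative` flag and the `/users/guest` path are assumptions about the Domain.xml layout; inherited permissions are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real Domain.xml. Element and attribute names
# (objectnode/@uri, permission/@action, @subject, @negative) are assumptions.
SAMPLE = """
<data>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
    <permission action="/actions/read" subject="authenticated"/>
    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
      <permission action="/actions/write" subject="all"/>
      <permission action="/actions/write" subject="/roles/users"/>
    </objectnode>
    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/docs">
      <permission action="/actions/write" subject="/users/guest" negative="true"/>
      <permission action="/actions/write" subject="authenticated"/>
    </objectnode>
  </objectnode>
</data>
"""

BROAD = {"all", "authenticated"}            # subjects named in the message
WRITE_ACTIONS = {"all", "/actions/write"}   # assumed action names

def audit(xml_text, guest="/users/guest"):
    """Return {uri: finding} for nodes that grant write to a broad subject."""
    findings = {}
    for node in ET.fromstring(xml_text).iter("objectnode"):
        grants, guest_denied = [], False
        for perm in node.findall("permission"):   # direct children only
            if perm.get("action") not in WRITE_ACTIONS:
                continue
            negative = perm.get("negative", "false") == "true"
            subject = perm.get("subject")
            if negative and subject == guest:
                guest_denied = True               # explicit deny for the guest
            elif not negative and subject in BROAD:
                grants.append(subject)
        if grants:
            findings[node.get("uri")] = {
                "broad_write": sorted(grants),
                "guest_denied": guest_denied,
            }
    return findings

if __name__ == "__main__":
    for uri, finding in audit(SAMPLE).items():
        print(uri, finding)
```
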

On Fri, 2005-01-14 at 14:40 +0100, Paul Hussein wrote:
> Thanks for the excellent reply.
> 
> I am struggling to understand the code and the philosophy behind the 
> code so that I may use slide effectively, and integrate it into Liferay 
> Portal.
> 
> I understand the first paragraph, and thanks for explaining the Role 
> Authorisation philosophy especially the part about the compliancy to 
> WebDAV ACL spec ( which of course I have not read, which I should do 
> really ).
> 
> I don't really understand the second part, and this is the most critical 
> for me.
> 
> I believe that as you say I am authenticating ok, and I think you are 
> confirming my belief that it's just the ACL part that does not work.
> 
> Did you have a look at my second post about
> 
> auto-create-users
> 
> 
> I had a closer look at the code, and from what I could see, if I set this and 
> the role correctly in the Domain.xml, then when I try to do a .getPrincipal 
> the user will be auto created with the default role.
> 
> Is that what you are alluding to when you say the 'slide repository', or do I 
> need to do something else.
> 
> Thanks for your help.
> 
> 
> Paul.
> 
> James Mason wrote:
> 
> >Slide needs to be able to enumerate all of the available roles in order
> >to be WebDAV compliant. JAAS integration works great for
> >*authentication*, but when it comes to authorization Slide uses other
> >methods for discovering role memberships. If you want to provide your
> >own Security implementation that uses JAAS for roles as well it
> >shouldn't be too hard, but your implementation would not be compliant
> >with WebDAV ACL specification (probably not that big of a deal for your
> >application).
> >
> >If you configure your Slide repository so that the "authenticated"
> >principal has inherited read permissions to the root node everything
> >should work fine (with auto-create-users turned on).
> >
> >-James
> >
> >On Tue, 2005-01-11 at 18:00 +0100, Paul Hussein wrote:
> >
> >>I can't believe this is the way it is, as does it not defeat the objective,
> >>
> >>I thought the objective of JAAS is to allow external authentication. If 
> >>I need a preconfigured store, then that's not right.
> >>
> >>Autocreate user autocreates a user with some authentication, so there 
> >>must be something wrong in the configuration, maybe the wrong user role 
> >>is being auto created that is not authorised to see stuff.
> >>
> >>
> >>Who wrote this stuff? Has anyone else written a non-Slide JAAS module? 
> >>Otherwise it seems a lot of effort has been made to create a module that 
> >>won't work in the correct | clean way.
> >>
> >>
> >>Regards
> >>
> >>Paul.
> >>
> >>
> >>Oliver Zeigermann wrote:
> >>
> >>>I see. You will either have to grant the rights to anyone or have a
> >>>user store that displays the appropriate rights like James has done in
> >>>the JNDI user store, I guess. If so and you are authenticated, but not
> >>>authorized, your problem has got nothing to do with JAAS.
> >>>
> >>>Oliver
> >>>
> >>>
> >>>On Tue, 11 Jan 2005 17:20:41 +0100, Paul Hussein <[EMAIL PROTECTED]> wrote:
> >>> 
> >>>>Thanks for the reply.
> >>>>
> >>>>The problem I am having is that from the resources I see available to
> >>>>give me information on how to write my own login module ( for which I am
> >>>>using http://forum.java.sun.com/thread.jspa?threadID=233317&tstart=75 to
> >>>>guide me ), all I need to do is replace the Slide login module with my
> >>>>own ( which I have done with a hardcoded authentication )
> >>>>
> >>>>Add the auto create users/role to the Domain.xml
> >>>>
> >>>>and the JAAS stuff should log me in ok.
> >>>>
> >>>>However, I believe I am being authenticated, as the username and
> >>>>password dialog pops up, but I am not authorised to look at the contents
> >>>>of the slide repository. That is, when I point my browser to
> >>>>127.0.0.1:8080/slide/files after entering the username and password I get:
> >>>>
> >>>>HTTP Status 403 - Access to the requested resource has been denied
> >>>>
> >>>>As described ( unclearly !!! ) below.
> >>>>
> >>>>If you could point to where I am going wrong, or could look, or if this 
> >>>>is a bug I would be grateful.
> >>>>
> >>>>Cheers
> >>>>
> >>>>Paul.
> >>>>
> >>>>
> >>>>Oliver Zeigermann wrote:
> >>>>
> >>>>>Now this is a question I understand. I guess you are right. I was able
> >>>>>to switch on user auto creation by adding
> >>>>>
> >>>>><auto-create-users>true</auto-create-users>
> >>>>><auto-create-users-role>org.apache.slide.structure.SubjectNode</auto-create-users-role>
> >>>>>
> >>>>>to the configuration section of Domain.xml
> >>>>>
> >>>>>Oliver
> >>>>>
> >>>>>On Tue, 11 Jan 2005 11:25:49 +0100, Paul Hussein <[EMAIL PROTECTED]> wrote:
> >>>>>
> >>>>>>The JAAS authentication for me is working happily.
> >>>>>>
> >>>>>>However, I wish to remove the custom authentication within the slide
> >>>>>>login module and replace it with my own authentication.
> >>>>>>
> >>>>>>At the moment a fixed username and password 'jaas' 'jaas'
> >>>>>>
> >>>>>>I would like to know how to do this, as I believe there is a complication
> >>>>>>associated with auto creating users, that when I authenticate, I need to
> >>>>>>tell slide to auto create a user and role for my foreign authenticated user.
> >>>>>>
> >>>>>>What parts do I need to retain in the login module and what parts can I
> >>>>>>remove ?
> >>>>>>
> >>>>>>Regards
> >>>>>>
> >>>>>>Paul.
> >>>>>>
> >>>>>>
> >>>>>>Oliver Zeigermann wrote:
> >>>>>>
> >>>>>>>Hi Paul,
> >>>>>>>
> >>>>>>>if the original JAAS authentication did work for you this does not
> >>>>>>>seem to be a Slide related problem. I have no idea what parts of the
> >>>>>>>Sun tutorial you used or what you even want to achieve. The
> >>>>>>>information you provide does not give me a clue either.
> >>>>>>>
> >>>>>>>Oliver
> >>>>>>>
> >>>>>>>
> >>>>>>>On Tue, 04 Jan 2005 15:11:49 +0100, Paul Hussein <[EMAIL PROTECTED]> wrote:
> >>>>>>>
> >>>>>>>>I am having a slight problem configuring a simple JAAS authentication
> >>>>>>>>using slide 2.1rc1 ( tomcat binary )  and the example code from the JAAS
> >>>>>>>>tutorial
> >>>>>>>>
> >>>>>>>>http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
> >>>>>>>>
> >>>>>>>>I have downloaded and built the example code from above and jar'd that
> >>>>>>>>up and placed it in common/lib
> >>>>>>>>
> >>>>>>>>I have modified the jaas.conf to be
> >>>>>>>>
> >>>>>>>>slide_login {
> >>>>>>>>sample.module.SampleLoginModule required
> >>>>>>>>namespace=slide;
> >>>>>>>>};
> >>>>>>>>
> >>>>>>>>And through some debug I have added to the sample login module I can see
> >>>>>>>>that the login method takes the credentials and returns true.
> >>>>>>>>
> >>>>>>>>However I still get
> >>>>>>>>
> >>>>>>>>HTTP Status 403 - Access to the requested resource has been denied
> >>>>>>>>
> >>>>>>>>------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>>>*type* Status report
> >>>>>>>>
> >>>>>>>>*message* _Access to the requested resource has been denied_
> >>>>>>>>
> >>>>>>>>*description* _Access to the specified resource (Access to the 
> >>>>>>>>requested
> >>>>>>>>resource has been denied) has been forbidden._
> >>>>>>>>
> >>>>>>>>------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>>>   Apache Tomcat/5.0.28
> >>>>>>>>
> >>>>>>>>I have read from the lists that maybe I need to set :
> >>>>>>>>
> >>>>>>>><auto-create-users>true</auto-create-users>
> >>>>>>>><auto-create-users-role>user</auto-create-users-role>
> >>>>>>>>
> >>>>>>>>Which I have done but I still get the same error.
> >>>>>>>>
> >>>>>>>>Is there another setting I am missing to get this simple sample JAAS
> >>>>>>>>authentication working with Slide.
> >>>>>>>>
> >>>>>>>>Regards
> >>>>>>>>
> >>>>>>>>Paul.
> >>>>>>>>
> >>>>>>>>---------------------------------------------------------------------
> >>>>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>>>>>For additional commands, e-mail: [EMAIL PROTECTED]