I am interested in getting involved in this effort as well. I agree
with the transparency of the OpenId vs Username field. One of the
ideas that I lean towards is following a URL pattern, rather than just
the host.domain pattern.
DHH (the Rails guy) talked about this exact subject a few days ago on his blog:
http://www.loudthinking.com/arc/000606.html

Following a URL pattern makes it extremely easy to tell the difference
between the two. Providing a means in the code to define an
'openIdMatchPattern' that defines a regex to tell the difference would
be the best way to go on our end in Acegi.

Also, there are several openId libraries out there; it would be senseless
to build the authentication and delegation functionalities directly
into Acegi. I think Robin is definitely on the right track there.

I don't like the idea of our OpenID support calling off into our CAS
code though; if the functionality there is useful outside of CAS, it
should get refactored into a new home.

Robin, if you would like to get some other folks involved, zip up the
code and email it to me directly. I'll find a home for it in the
sandbox and we can all start taking a look at it.

On 3/8/07, Matt Raible <[EMAIL PROTECTED]> wrote:
> That's great to hear someone is working on this.  However, I'm
> wondering if it's possible to make it more transparent to the user.
> For example, have some sort of bean or filter that's OpenID aware and
> has a list of servers to talk to. If there's two dots in the username,
> Acegi attempts to authenticate with open id (through some background
> call that's transparent to the user).  If not, it attempts normal
> authentication.
>
> Is there any problem with providing this type of transparency?  I like
> the idea behind having the openid string and username come from the
> same text box.
>
> http://www.pjhyett.com/posts/213-openid-isn-t-going-to-work-unless
>
> I don't know about the fake e-mail address in the above post, but I
> like the idea of assuming openid when no password is entered.
>
> Matt
>
> On 3/8/07, Robin.Bramley <[EMAIL PROTECTED]> wrote:
> > Hi Matt,
> >
> > I'm currently working on OpenID ui, provider & adaptor classes for Acegi
> > - with the intention of tidying them up and contributing them to the
> > project.
> >
> > I've got a prototype Acegi OpenID consumer authentication working (using
> > the JanRain library - I plan to abstract the library support).
> > The flow is:
> >  1. User requests a secured page and the
> > AuthenticationProcessingFilterEntryPoint (configured on the
> > ExceptionTranslationFilter) sends the user off to an OpenID login form
> >  2. The user enters their OpenID (e.g. rbramley.myopenid.com) and
> > submits the form
> >  3. The form POSTs to /j_acegi_openid mapped to
> > OpenIDLoginInitiationServlet (uses Spring web app context to get the
> > JanRain OpenID Store)
> >  4. The Consumer.begin method looks up the identity page, associates to
> > the server etc.
> >  5. The servlet redirects the user to the OpenID server (e.g.
> > myopenid.com), setting the return to URL as
> > /j_acegi_openid_security_check
> >  6. The user logs on and the OpenID server returns the user
> >  7. Acegi passes the request to the OpenIDProcessingFilter based on the
> > filterProcessesUrl property
> >  8. The Consumer.complete method provides a response object which is
> > wrapped in an OpenIDAuthenticationToken
> >  9. This is passed to the OpenIDAuthenticationProvider (via the
> > AuthenticationManager)
> >  10. If the response is a successful authentication, the auth provider
> > uses the CasAuthoritiesPopulator interface to obtain the UserDetails
> >  11. The Authentication is returned and the user sent to the originally
> > requested URL (as stored in the
> > AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY HttpSession
> > attribute by the SecurityEnforcementFilter).
> >
> >
> > The next steps are to finish the OpenID server (may use the openid4java
> > library from sxip) backed by Acegi and then look at how to encapsulate
> > the registration functionality.
> >
> > Cheers,
> >
> > Robin
> >
> > Robin Bramley
> > Opsera
> > www.opsera.com <http://www.opsera.com/>
> >
> > > Matt Raible
> > > Fri, 29 Dec 2006 15:34:32 -0800
> > >
> > > Are there any plans to support OpenID as a SSO option with Acegi
> > Security?
> > >
> > > http://openid.net <http://openid.net/>
> > >
> > > We've seen some interest in supporting this with Roller - which uses
> > > Acegi for its security.
> > >
> > > Thanks,
> > >
> > > Matt
> > >
> > > --
> > > http://raibledesigns.com <http://raibledesigns.com/>
> > >
>
> --
> http://raibledesigns.com
>
> _______________________________________________
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>
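
The 'openIdMatchPattern' idea from the reply above, sketched as an added example (not code from the thread, Acegi or any OpenID library): one login field, a configurable regex that decides between OpenID and normal authentication, and a sanity check on the identifier before the consumer fetches the identity page. The class name, the `Kind` enum and the default pattern are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

// Added example: hypothetical class, not part of Acegi or any OpenID library.
public class LoginIdentifierClassifier {
    public enum Kind { OPENID, USERNAME, REJECTED }

    // Assumed default for the proposed 'openIdMatchPattern': an explicit
    // http(s) URL (the URL pattern) rather than a bare host.domain string.
    private Pattern openIdMatchPattern =
            Pattern.compile("^https?://\\S+$", Pattern.CASE_INSENSITIVE);

    public void setOpenIdMatchPattern(String regex) {
        this.openIdMatchPattern = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
    }

    public Kind classify(String input) {
        String id = (input == null) ? "" : input.trim();
        if (!openIdMatchPattern.matcher(id).matches()) {
            return Kind.USERNAME;              // falls through to normal authentication
        }
        try {
            // A custom pattern may admit scheme-less identifiers; OpenID
            // normalization treats those as http URLs.
            if (!id.contains("://")) id = "http://" + id;
            // The consumer fetches this URL server-side, so accept only a plain
            // http(s) URL with a host and no embedded credentials.
            URI uri = new URI(id);
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (web && uri.getHost() != null && uri.getUserInfo() == null) {
                return Kind.OPENID;
            }
        } catch (URISyntaxException e) {
            // matched the pattern but is not a well-formed URI
        }
        return Kind.REJECTED;
    }

    public static void main(String[] args) {
        LoginIdentifierClassifier c = new LoginIdentifierClassifier();
        // Constructed sample inputs.
        String[] samples = {
            "http://rbramley.myopenid.com/", "rbramley", "rbramley.myopenid.com",
            "first.m.last", "http://user:pw@example.org/"
        };
        for (String s : samples) {
            System.out.println(c.classify(s) + "  " + s);
        }
    }
}
```

With the default pattern, `rbramley.myopenid.com` and `first.m.last` are both treated as usernames; a deployment that wants bare host.domain identifiers recognised would supply its own pattern through `setOpenIdMatchPattern`.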
