[ 
https://issues.apache.org/jira/browse/ROL-1933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731008#comment-13731008
 ] 

Glen Mazza commented on ROL-1933:
---------------------------------

Snapshot containing Crowd classes (2 of them):
http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/core/security/?pathrev=1505192

With additional bean added in security.xml:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/webapp/WEB-INF/security.xml?r1=1160051&r2=1243258&pathrev=1505192&diff_format=h

Additional settings needed in roller.properties file:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties?r1=1242523&r2=1243258&pathrev=1505192
                
> Crowd Login Authentication Roller Integration
> ---------------------------------------------
>
>                 Key: ROL-1933
>                 URL: https://issues.apache.org/jira/browse/ROL-1933
>             Project: Roller
>          Issue Type: New Feature
>            Reporter: Nick Padilla
>            Assignee: David Johnson
>              Labels: authentication, integration
>             Fix For: 5.1
>
>         Attachments: 2-BasicUserAutoProvision.txt, 
> 2-CrowdAuthenticationProvider.java, 2-CrowdRollerUserDetails.java, 2-pom.xml, 
> 2-roller-properties.txt, 2-security-xml.txt, BasicUserAutoProvision.txt, 
> CrowdAuthenticationProvider.java, crowd.properties, 
> CrowdRollerUserDetails.java, pox-xml.txt, security-xml.txt
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> CROWD:
> 1. First off how do we want to handle the demotion or elevation of 
> permissions, groups rather.  Say an admin goes to just an editor or an editor 
> goes to admin, currently there will be no change on Roller.
> 2. If user has permissions for the application but is not part of a group, 
> currently it gives editor roles; does that work? If not we need to make 
> that change.
> 3. Old users can continue to use their Roller accounts, if the user is a user 
> of the Roller application in Crowd they will authenticate through Crowd. This 
> is as long as the two accounts have the same
> user name.  Once authenticated through Crowd, Roller Authentication will not 
> work. So if Crowd goes down and all users are in Crowd then no one will be 
> able to enter the site.  Recommendation is to have 
> at least one admin user that doesn't have an account in Crowd, this way there 
> will always be a way in.  
> 4. If the crowd.properties file is not on the classpath then we never use 
> crowd to authenticate, however if you have users that were authenticated 
> through crowd then they will not be able to login.  
> 5. If the user exists in Crowd and has permissions to access Roller and 
> Roller doesn't contain this user account then a new user will be registered 
> automatically; if no groups are setup then the user
> will have editor role, if the user is part of a group that contains the 
> string "admin" or "ADMIN" then that user will be given Admin rights. 
> 6. Here is an example crowd.properties file, currently we get the file every 
> time there is a need for it; so that resource will be continually accessed.  
> If this is a problem, which I can understand, I can
> create a singleton that will handle the crowd.properties file and only load 
> it once.  This means if any changes are made to the file we have to restart 
> the application.
>               #required fields
>               crowd.application.name=roller
>               crowd.application.password=password
>               crowd.port=8095
>               crowd.host=localhost
>               crowd.context=crowd
>               #end required fields
>               #this setting allows the use of https, defaults to false; not present we will use plain socket.
>               crowd.useSecureConnection=false
>               crowd.default.timezone=
>               crowd.default.locale=
> You can add this file the same way you add the roller-custom.properties. 
> TimeZone and Locale are not required, but standard format.
> 7. These are the settings that need to be set in the roller-custom.properties 
> to enable the use of Crowd Authentication:
>               # Crowd Auth, need these settings to be enabled
>               users.sso.enabled=true
>               users.sso.autoProvision.enabled=true
> If these are not set Crowd authentication will not work correctly.  The 
> AutoProvision is what makes this all work, the users from Crowd and not in 
> Roller will be saved to Roller's db the first time they log in. The reason this 
> is needed 
> is so that permissions can be written for Roller. Will still need to add some 
> code to ensure when users get promoted or demoted, those changes make it to 
> the Roller DB.
> Please see attached files as they contain these changes and are in sync with 
> Trunk, as of today.  We can extend this functionality but here is a working 
> starting point.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
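
Added example, not part of the original message and not Roller's CrowdAuthenticationProvider: the group-to-role rule from item 5 of the description, read as a substring match on the group name, next to an exact-match allowlist, plus the re-sync on every login that item 1 says is still missing. The class and method names, the "roller-admins" group and the sample data are assumptions made for illustration; "admin" and "editor" are plain strings standing in for Roller's roles.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration only; all names here are hypothetical. */
public class CrowdRoleMapping {

    // Rule as item 5 describes it: a group containing "admin" or "ADMIN" grants admin.
    static String roleBySubstring(Collection<String> groups) {
        for (String g : groups) {
            if (g.contains("admin") || g.contains("ADMIN")) return "admin";
        }
        return "editor"; // items 2 and 5: no matching group falls back to editor
    }

    // Stricter variant: only exact group names from a configured allowlist grant admin.
    static String roleByAllowlist(Collection<String> groups, Set<String> adminGroups) {
        for (String g : groups) {
            if (adminGroups.contains(g)) return "admin";
        }
        return "editor";
    }

    // Item 1: resolve the role on every login and overwrite the stored one,
    // so a demotion or promotion in Crowd reaches the local user record.
    // Returns true when the stored role changed.
    static boolean syncRole(Map<String, String> storedRoles, String user, String resolved) {
        String previous = storedRoles.put(user, resolved);
        return !resolved.equals(previous);
    }

    public static void main(String[] args) {
        Set<String> adminGroups = Set.of("roller-admins");            // hypothetical allowlist
        List<String> groups = List.of("non-admin-staff", "bloggers"); // constructed sample

        // The substring rule matches "non-admin-staff"; the allowlist does not.
        System.out.println("substring rule: " + roleBySubstring(groups));
        System.out.println("allowlist rule: " + roleByAllowlist(groups, adminGroups));

        // Constructed stored state: alice was admin, Crowd now lists her only in "bloggers".
        Map<String, String> db = new HashMap<>(Map.of("alice", "admin"));
        String now = roleByAllowlist(List.of("bloggers"), adminGroups);
        System.out.println("changed=" + syncRole(db, "alice", now) + " role=" + db.get("alice"));
    }
}
```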
