Hello,

I did some messing a while ago and managed to get spring-security to work 
well using the below configuration.  Seemed to remember it needed two 
separate files for it to work, applicationContext-service.xml, and 
applicationContext-security.xml below.

This may need tweaking also:
<form-login login-page="/login-redirect.action"
            login-processing-url="/roller_j_security_check"
            authentication-failure-url="/roller-ui/login.rol?error=true"
            default-target-url="/" />

Did not know how to test the ldap stuff so did not add this. 

Will need also to update some of the programs as the package names have 
changed. 

hope this helps.

####

Modified config loaded via the class path:

web.xml:

<context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>


WEB-INF/applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
        <import resource="classpath:applicationContextClasspath.xml" />
</beans>

WEB-INF/classes/applicationContextClasspath.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
        <import resource="applicationContext-service.xml" />
        <import resource="applicationContext-security.xml" />
</beans>

################

WEB-INF/classes/applicationContext-service.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

 
<!-- Log failed authentication attempts to commons-logging -->
<bean id="loggerListener"
      class="org.springframework.security.event.authentication.LoggerListener"/>
 
<!-- ======================== AUTHENTICATION ======================= -->
 
<bean id="authenticationManager"
      class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
                <list>
                        <ref local="daoAuthenticationProvider"/>
                        <ref local="anonymousAuthenticationProvider"/>
                        <!-- rememberMeAuthenticationProvider added programmatically -->
                </list>
        </property>
</bean>
 
<bean id="daoAuthenticationProvider"
      class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="jdbcAuthenticationDao" />
        <property name="userCache" ref="userCache" />
</bean>

<bean id="jdbcAuthenticationDao"
      class="org.apache.roller.weblogger.ui.core.security.RollerUserDetailsService" />

<bean id="userCache"
      class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
        <property name="cache">
                <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                        <property name="cacheManager">
                                <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
                        </property>
                        <property name="cacheName" value="userCache" />
                </bean>
        </property>
</bean>
 
<bean id="anonymousAuthenticationProvider"
      class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
        <property name="key" value="anonymous"/>
</bean>
 
<bean id="rememberMeAuthenticationProvider"
      class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="rollerlovespringsecutity"/>
</bean>
 
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
        <property name="rolePrefix" value=""/>
</bean>

<!-- Used to override the prefix ROLE_ in pattern/access check in <http/> -->
<bean id="accessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
                <list>
                        <ref local="roleVoter"/>
                </list>
        </property>
</bean>

</beans>

###############

WEB-INF/classes/applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 
    <http auto-config="true" lowercase-comparisons="false"
          access-decision-manager-ref="accessDecisionManager">
        <intercept-url pattern="/roller-ui/login-redirect**" access="admin,editor"/>
        <intercept-url pattern="/roller-ui/profile**" access="admin,editor"/>
        <intercept-url pattern="/roller-ui/createWeblog**" access="admin,editor"/>
        <intercept-url pattern="/roller-ui/menu**" access="admin,editor"/>
        <intercept-url pattern="/roller-ui/authoring/**" access="admin,editor"/>
        <intercept-url pattern="/roller-ui/admin/**" access="admin"/>
        <intercept-url pattern="/rewrite-status*" access="admin"/>
        <form-login login-page="/login-redirect.action"
                    login-processing-url="/roller_j_security_check"
                    authentication-failure-url="/roller-ui/login.rol?error=true"
                    default-target-url="/" />
    </http>
 
   <authentication-provider user-service-ref="jdbcAuthenticationDao"/>
 
</beans:beans>

Cheers Greg
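
Added example (not part of Greg's message and not Roller or Spring code): a simplified Python model of how the roleVoter and accessDecisionManager beans above decide access, showing why rolePrefix is set to "" for Roller's plain role names and what allowIfAllAbstainDecisions=false prevents. The RULES list, the prefix matching used for the /** patterns, and all function names are assumptions made for illustration.

```python
# Simplified model of the RoleVoter / AffirmativeBased decision logic
# configured above (an illustration, not Spring Security's source code).
GRANTED, ABSTAIN, DENIED = 1, 0, -1

def role_voter(role_prefix, authorities, config_attributes):
    """Abstain unless some access attribute starts with role_prefix."""
    result = ABSTAIN
    for attr in config_attributes:
        if attr.startswith(role_prefix):   # the voter "supports" this attribute
            result = DENIED                # supported, so no longer neutral
            if attr in authorities:
                return GRANTED
    return result

def affirmative_based(votes, allow_if_all_abstain=False):
    """Grant on any GRANTED vote, deny on any DENIED, else use the abstain policy."""
    if GRANTED in votes:
        return True
    if DENIED in votes:
        return False
    return allow_if_all_abstain

# Access lists copied from two <intercept-url> entries above; first match wins.
RULES = [
    ("/roller-ui/authoring/", ["admin", "editor"]),
    ("/roller-ui/admin/", ["admin"]),
]

def is_allowed(path, authorities, role_prefix="", allow_if_all_abstain=False):
    """Decide access for a path given the caller's granted authorities."""
    for prefix, attrs in RULES:            # simplification: prefix match for /**
        if path.startswith(prefix):
            vote = role_voter(role_prefix, authorities, attrs)
            return affirmative_based([vote], allow_if_all_abstain)
    return True                            # no rule matched: not protected here
```

With the default "ROLE_" prefix the voter abstains on "admin" and "editor", so every protected URL is refused while allowIfAllAbstainDecisions is false, and would be open to any caller if it were true.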





"Matt Raible" <[EMAIL PROTECTED]> 
29/05/2008 03:49
Please respond to: [email protected]
To: [email protected]
cc:
Subject: Re: How authentication works in Roller






I believe it's possible for me to upgrade Roller to use Spring
Security 2.0 in an hour or two, so if that should be done sooner than
later - please let me know.

Matt

On Wed, May 28, 2008 at 6:03 PM, Allen Gilliland
<[EMAIL PROTECTED]> wrote:
> I like Google Docs, but can we get that put into the wiki?
>
> I spent a while learning Acegi stuff so that I could create a custom SSO
> integration with our identity system at Sun, so I could add quite a bit more
> detail about "Whats going on in security.xml".
>
> There is also no mention of what happens beyond Acegi, which is an important
> part of understanding how authentication works in Roller.  In particular you
> need to know about the RollerSession object and some of the other code in
> the ui.core.security package, such as auto provisioning.  i.e. how an
> authentic user becomes a Roller User object the system can make use of.
>
> As it turns out, we have had a fairly high priority request come in to add
> comment authentication to our installation, so I am going to be working on
> that very soon.  So I should be able to help out with this proposal a bit.
>
> A few quick comments on the proposal ...
>
> * Adding columns to the db for "openid_*" seems a little hokey to me. Is it
> not better to find a generic (meaning non-openid specific) way of
> accomplishing this?  We are bound to run into a situation like this again in
> the future and I don't think messing with the schema every time is the best
> solution.
>
> * Is it expected that openid users will get a local account provisioned? or
> are we planning this such that these users would be managed externally,
> similar to an ldap directory scenario?
>
> * A tricky part that will need more consideration is the comment
> authentication part.  In particular, Roller currently does not allow a
> situation where an authentic user is not also available via lookup in the
> UserManager.  This will need some revising.
>
> -- Allen
>
>
> Dave wrote:
>>
>> I just did this write-up for Tatyana to help her understand how auth
>> works in Roller:
>>   http://docs.google.com/Doc?id=dg2cfnzw_11fcjbbgdz
>>
>> The latest version of the OpenID proposal she is working on is here:
>>   http://cwiki.apache.org/confluence/x/zVAB
>>
>> As always, feedback is welcome.
>>
>> - Dave
>



-- 
http://raibledesigns.com

