On Fri, May 30, 2008 at 8:29 PM, Allen Gilliland <[EMAIL PROTECTED]> wrote:
> Dave wrote:
>> Sure thing. Here it is on the wiki:
>> http://cwiki.apache.org/confluence/x/2lMB
>>> I spent a while learning Acegi stuff so that I could create a custom SSO
>>> integration with our identity system at Sun, so I could add quite a bit
>>> more detail about "Whats going on in security.xml".
>>
>> Please do, that would be great.
>
> k ... I added a more complete description of how the Acegi filterChain works
> along with a description of each of the filters.

Nice.

> I also noted that webservice authentication is completely separate, which is
> also an important thing to note for people trying to tie into other identity
> systems. Currently we don't do a good job with that :/

Yes, that needs to be fixed. I filed a bug on it recently:
https://issues.apache.org/roller/browse/ROL-1718

For MetaWeblog API, which requires username/password in every call, the only
fix is programmatic login, which I believe is supported by Acegi (but not by
CMA/Servlet Authentication). For AtomPub, which can use HTTP Basic
Authentication, we can probably just ask Acegi (or CMA) to protect the AtomPub
URL patterns via Basic Auth (and optionally HTTPS).

>>> There is also no mention of what happens beyond Acegi, which is an
>>> important part of understanding how authentication works in Roller. In
>>> particular you need to know about the RollerSession object and some of
>>> the other code in the ui.core.security package, such as auto
>>> provisioning. i.e. how an authentic user becomes a Roller User object
>>> the system can make use of.
>>
>> I didn't do anything to cover SSO or LDAP integration yet, which is
>> where auto-provision comes in, no?
>
> Yes and No. Auto provision only makes sense if you are integrating with a
> 3rd party identity system, but just because you are using ldap or SSO
> doesn't mean you have to do provisioning. This is effectively the heart of
> your External User Management proposal right?

Right. If a user is logged in via SSO but there is no user in the User
Manager, then you'd want to do autoprovision. If there is a custom User
Manager in place, then the fact that you are logged in via SSO almost
certainly means that you are already registered with that User Manager.

> What I meant by "beyond Acegi" is that Roller identifies users by using our
> User pojo. Acegi doesn't know about our User pojo, it uses its own classes
> and objects. Somewhere in between there is a translation that happens,
> which is the RollerSession. We basically take request.getUserPrincipal()
> and translate that into a Roller User pojo so the rest of the Roller code
> can know about the user.
>
> This is an extremely important part of the authentication process. And
> truth be told I think we need to make some improvements here because we are
> not entirely consistent in how this works.

I'm curious. Where is the inconsistency?

- Dave
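The "beyond Acegi" step discussed above (translating the authenticated Principal into the application's own user object, and deciding when auto-provisioning is appropriate) as an added, self-contained example. This is not Roller's code: `AppUser`, `UserManager`, `InMemoryUserManager` and `UserResolver` are constructed stand-ins for the project's User pojo, UserManager and RollerSession, and the Principal values are constructed inputs standing in for whatever `request.getUserPrincipal()` would return after Acegi or CMA has authenticated the request.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Constructed stand-in for Roller's User pojo; not the project's class. */
final class AppUser {
    final String userName;
    final boolean enabled;

    AppUser(String userName, boolean enabled) {
        this.userName = userName;
        this.enabled = enabled;
    }
}

/** Constructed stand-in for Roller's UserManager; only the two calls used here. */
interface UserManager {
    Optional<AppUser> getUserByUserName(String userName);
    AppUser addUser(AppUser user);
}

/** Trivial in-memory UserManager so the example runs without a database. */
final class InMemoryUserManager implements UserManager {
    private final Map<String, AppUser> users = new ConcurrentHashMap<>();

    @Override
    public Optional<AppUser> getUserByUserName(String userName) {
        return Optional.ofNullable(users.get(userName));
    }

    @Override
    public AppUser addUser(AppUser user) {
        users.put(user.userName, user);
        return user;
    }
}

/**
 * The translation step: turn the authenticated Principal (what
 * request.getUserPrincipal() returns once Acegi/CMA has done its work)
 * into the application's own user object. Hypothetical, not RollerSession.
 */
final class UserResolver {
    private final UserManager userManager;
    private final boolean autoProvision;

    UserResolver(UserManager userManager, boolean autoProvision) {
        this.userManager = userManager;
        this.autoProvision = autoProvision;
    }

    /** Returns the application user, or empty if the request must be treated as anonymous. */
    Optional<AppUser> resolve(Principal principal) {
        // No container/Acegi principal: nothing to translate, stay anonymous.
        if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
            return Optional.empty();
        }
        String userName = principal.getName();
        Optional<AppUser> known = userManager.getUserByUserName(userName);
        if (known.isPresent()) {
            // A locally disabled account stays locked out even if the external
            // identity system still authenticates that name.
            return known.get().enabled ? known : Optional.empty();
        }
        if (!autoProvision) {
            // Authenticated externally but unknown here. With an authoritative
            // (custom) User Manager this is a configuration problem, not a new user.
            return Optional.empty();
        }
        // SSO-authenticated and unknown locally: create the user (auto provisioning).
        return Optional.of(userManager.addUser(new AppUser(userName, true)));
    }
}

public class BeyondAcegiExample {
    public static void main(String[] args) {
        InMemoryUserManager users = new InMemoryUserManager();
        users.addUser(new AppUser("bob", false));   // constructed: locally disabled account
        Principal alice = () -> "alice";            // constructed: name handed to us by SSO
        Principal bob = () -> "bob";

        UserResolver provisioning = new UserResolver(users, true);
        UserResolver strict = new UserResolver(new InMemoryUserManager(), false);

        System.out.println("alice, auto-provision on : " + name(provisioning.resolve(alice)));
        System.out.println("alice, auto-provision off: " + name(strict.resolve(alice)));
        System.out.println("bob (disabled locally)   : " + name(provisioning.resolve(bob)));
        System.out.println("no principal             : " + name(provisioning.resolve(null)));
    }

    private static String name(Optional<AppUser> user) {
        return user.map(u -> u.userName).orElse("anonymous");
    }
}
```

Compile and run as `BeyondAcegiExample.java`: alice is provisioned only when auto-provisioning is on, bob is refused because the local account is disabled regardless of what the identity system says, and a missing principal yields an anonymous request. The two switches (auto-provision on/off, local enabled flag) are the decisions the thread says must be made consistently between the Acegi layer and the Roller User object.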
