On 21 Jun 2010, at 11:28, Felix Meschberger (JIRA) wrote: > > [ > https://issues.apache.org/jira/browse/SLING-860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12880776#action_12880776 > ] > > Felix Meschberger commented on SLING-860: > ----------------------------------------- > > To be able to properly authenticate with OpenID the JCR users must be > associated with the actual OpenID Identity of the user. > > Currently there is no easy GUI support to do this, but you may use curl and > the Sling user management functionality to set this property, e.g.: > > curl -u admin:admin -F:name=username -Fpwd= -FpwdConfirm= \ > -Fopen.id.identifier=http://OpenIDIdentity \ > http://localhost:8888/system/userManager/user.create.html > > WDYT ?
Wouldn't it make more sense to have an PrincipalManager that resolved and OpenID principal to a Principal and a User Manager that would create valid User objects for an open ID principal (or Principal). Unfortunately this might require changes to the Jackrabbit UserManager which IIRC hard binds to UserImpl and GroupImpl and changes to GroupImpl which only allows members of type UserImpl. ? Having a JCR node as the only way to represent a User object means that all User have to be inside JCR before they can be used. I realise that making the existing JR UserManager work for externally provisioned users is a major task and may simply be out of scope, in which case the open.id.identifier is a reasonable solution. > > >> OpenId authenticator problem >> ---------------------------- >> >> Key: SLING-860 >> URL: https://issues.apache.org/jira/browse/SLING-860 >> Project: Sling >> Issue Type: Bug >> Components: Extensions >> Reporter: Michael Marth >> Priority: Minor >> >> this is probably a configuration problem, but I do not know how to get >> around this: >> Using the OpenId authenticator I cannot write to the repository. >> -- >> How to reproduce: >> - install bundle espblog from samples >> - install bundle openid from extensions >> - in system config switch off "allow anon access" as described in >> openid-authenticator description >> - do openid login (and make sure you have no http basic auth credentials in >> the request) >> - try to write to repository -> javax.jcr.AccessDeniedException: /: not >> allowed to modify item >> -- >> I believe the openid_user has no write acccess which would explain this >> behaviour. But how do I get around it? Do I have to write my own >> AccessManager? Do I miss something? > > -- > This message is automatically generated by JIRA. > - > You can reply to this email to add a comment to the issue online. >
