Hi, Yes, this is why I just use this mechanism ;-)
In addition it is also fully transparent down the road with respect to setting ACLs etc. Regards Felix On 21.06.2010 12:44, Ian Boston wrote: > > On 21 Jun 2010, at 11:28, Felix Meschberger (JIRA) wrote: > >> >> [ >> https://issues.apache.org/jira/browse/SLING-860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12880776#action_12880776 >> ] >> >> Felix Meschberger commented on SLING-860: >> ----------------------------------------- >> >> To be able to properly authenticate with OpenID the JCR users must be >> associated with the actual OpenID Identity of the user. >> >> Currently there is no easy GUI support to do this, but you may use curl and >> the Sling user management functionality to set this property, e.g.: >> >> curl -u admin:admin -F:name=username -Fpwd= -FpwdConfirm= \ >> -Fopen.id.identifier=http://OpenIDIdentity \ >> http://localhost:8888/system/userManager/user.create.html >> >> WDYT ? > > > Wouldn't it make more sense to have an PrincipalManager that resolved and > OpenID principal to a Principal and a User Manager that would create valid > User objects for an open ID principal (or Principal). Unfortunately this > might require changes to the Jackrabbit UserManager which IIRC hard binds to > UserImpl and GroupImpl and changes to GroupImpl which only allows members of > type UserImpl. ? > > Having a JCR node as the only way to represent a User object means that all > User have to be inside JCR before they can be used. > > I realise that making the existing JR UserManager work for externally > provisioned users is a major task and may simply be out of scope, in which > case the open.id.identifier is a reasonable solution. > > >> >> >>> OpenId authenticator problem >>> ---------------------------- >>> >>> Key: SLING-860 >>> URL: https://issues.apache.org/jira/browse/SLING-860 >>> Project: Sling >>> Issue Type: Bug >>> Components: Extensions >>> Reporter: Michael Marth >>> Priority: Minor >>> >>> this is probably a configuration problem, but I do not know how to get >>> around this: >>> Using the OpenId authenticator I cannot write to the repository. >>> -- >>> How to reproduce: >>> - install bundle espblog from samples >>> - install bundle openid from extensions >>> - in system config switch off "allow anon access" as described in >>> openid-authenticator description >>> - do openid login (and make sure you have no http basic auth credentials in >>> the request) >>> - try to write to repository -> javax.jcr.AccessDeniedException: /: not >>> allowed to modify item >>> -- >>> I believe the openid_user has no write acccess which would explain this >>> behaviour. But how do I get around it? Do I have to write my own >>> AccessManager? Do I miss something? >> >> -- >> This message is automatically generated by JIRA. >> - >> You can reply to this email to add a comment to the issue online. >> > >
