Finally, I managed to integrate NTLM with nuxeo but it is still a bit ugly...
The solution is embedded in an NTLM login module (NXNtlmLoginModule.sar) which
replaces the standard nuxeo login (NXLoginModule.sar). It contains an NTLM
filter derived from the jcifs NtlmHttpFilter class (this base filter performs
the actual authentication). The filter then performs a JAAS login on the
"nuxeo-ecm" security domain using an NTLM LoginModule instead of the default
JBossLoginModule (but heavily based on it) to retrieve the groups and roles and
create the NuxeoPrincipal. The principal is then added to a
HttpServletRequestWrapper which overloads the getPrincipal method (among other
things) and is then passed to the chain.doFilter.

The problem is that I had to modify the default template web.xml located in
OSGI-INF/templates to:
1) remove the <login-config> and <security-constraints> elements. The first one
is useless and the second one still causes access forbidden exceptions...
2) put my NTLM <filter> & <filter-mapping> manually in order for my
<filter-mapping> to be the first to be executed in the chain (because it seems
that some standard nuxeo filters require access to the Principal). By the way,
it would be great to be able to set the order of the <filter-mapping> when
using the <extension> in the deployment fragment. As it is now, the
%FILTER-MAPPING% marker is placed after the nuxeo standard filter and there is
no way to set the order of the added filters...

I'm still working on it because for the moment a complete login procedure is
executed every time the filter is called (which is often because it is mapped
on "/*"). Though it seems to add very little overhead, it surely can be made
more efficient ;)