On Wednesday 04 April 2007 at 10:24 +0200, Frédéric Thise wrote:
> Finally, I managed to integrate NTLM with nuxeo

Great news

> but it is still a bit ugly... :)
>
> The solution is embedded in a NTLM login module
> (NXNtlmLoginModule.sar) which replaces the standard nuxeo login
> (NXLoginModule.sar). It contains a NTLM filter derived from the jcifs
> NtlmHttpFilter class (this base filter performs the actual
> authentication). The filter then performs a Jaas login on the
> "nuxeo-ecm" security domain using a NTLM LoginModule instead of the
> default JBossLoginModule (but heavily based on it) to retrieve the
> groups and roles and create the NuxeoPrincipal. The principal is then
> added to a HttpServletRequestWrapper which overloads the getPrincipal
> method (among other things) and is then passed to the chain.doFilter.
>

The standard NX Login module already has a simple plugin system.
This plugin system is used to implement CAS SSO authentication.
Is there a way for you to use this extension point? (We can extend the plugin model.)

>
> The problem is that I had to modify the default template web.xml
> located in OSGI-INF/templates to:
> 1) remove the <login-config> and <security-constraints> elements. The
> first one is useless

Ok, we could make it a contribution from the standard login module.

> and the second one still causes access forbidden exceptions...

Seems too strange to me to have to remove all security constraints.

> 2) put my NTLM <filter> & <filter-mapping> manually in order for my
> <filter-mapping> to be the first to be executed in the chain (because
> it seems that some standard nuxeo filters require access to the
> Principal). By the way, it would be great to be able to set the order
> of the <filter-mapping> when using the <extension> in the deployment
> fragment. As it is now, the %FILTER-MAPPING% marker is placed after
> the nuxeo standard filter and there is no way to set the order of the
> added filters...

I guess the problem is not the FILTER-MAPPING order but the FILTER declaration.
We already have a %FILTER-FIRST% pattern in order to be sure that some filters (like URLRewriter or Ajax4JSF) are first in the chain.
Can you test if it works for you if you add a %AUTH-FILTER% just before %FIRST-FILTER% in the web.xml of the template?

>
> I'm still working on it because for the moment a complete login
> procedure is executed every time the filter is called (which is often
> because it is mapped on "/*"). Though it seems to have very little
> overhead, it surely can be made more efficient ;)

This should be cached by JAAS, no?

_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
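
The filter design discussed in this message (authenticate, then pass a request wrapper carrying the principal down the chain) can avoid a full login on every request by caching the principal in the HTTP session. The class below is an added example, not code from Nuxeo, jcifs or the NTLM module in the thread. It assumes the javax.servlet API (3.1 or later for `changeSessionId`); the `authenticate` hook and the session attribute name are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: authenticate once per session, then reuse the cached principal. */
public abstract class CachingAuthFilter implements Filter {
    // Hypothetical session attribute name, not a Nuxeo or jcifs constant.
    private static final String PRINCIPAL_ATTR = "example.auth.principal";

    /**
     * Hypothetical hook standing in for the NTLM handshake plus JAAS login.
     * Returns null when it has already written a challenge or error response.
     */
    protected abstract Principal authenticate(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException;

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Look up a previously authenticated principal without creating a session.
        HttpSession session = req.getSession(false);
        Principal cached = session == null ? null : (Principal) session.getAttribute(PRINCIPAL_ATTR);

        if (cached == null) {
            cached = authenticate(req, resp);
            if (cached == null) {
                return; // handshake still in progress or login refused: stop the chain
            }
            // Issue a new session ID after login so a pre-login ID cannot be reused.
            if (req.getSession(false) != null) {
                req.changeSessionId();
            }
            req.getSession(true).setAttribute(PRINCIPAL_ATTR, cached);
        }

        // Downstream filters and servlets see the principal through the wrapper.
        final Principal principal = cached;
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return principal.getName(); }
        }, resp);
    }
}
```

The cached principal lives as long as the session, so group or role changes in the directory only take effect at the next login; a short session timeout or an explicit re-check bounds that window.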
