On Wednesday 04 April 2007 at 11:53 +0200, Frédéric Thise wrote:
> We are working on an old revision of nuxeo (13835) and the web.xml templates
> don't have a %FIRST-FILTER% marker. Can I just add one?

Yes, you can.

> What is the use of %AUTH-FILTER%?

Well, if there are use cases like yours to add authentication filters, it could be interesting to add a marker like that to let projects easily define auth filters that would be declared at start of web.xml.
You can easily test it: just add the marker in the template and use it in your contribution (deployment-fragment.xml)

>
> Actually, it seems that some JAAS caching is in place but I'm still not sure
> about the logic ;)

Ah, JAAS :)

>
>
> "Tiry" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> On Wednesday 04 April 2007 at 10:24 +0200, Frédéric Thise wrote:
> > Finally, I managed to integrate NTLM with nuxeo
> Great news
> > but it is still a bit ugly...
> :)
> >
> > The solution is embedded in an NTLM login module
> > (NXNtlmLoginModule.sar) which replaces the standard nuxeo login
> > (NXLoginModule.sar). It contains an NTLM filter derived from the jcifs
> > NtlmHttpFilter class (this base filter performs the actual
> > authentication). The filter then performs a JAAS login on the
> > "nuxeo-ecm" security domain using an NTLM LoginModule instead of the
> > default JBossLoginModule (but heavily based on it) to retrieve the
> > groups and roles and create the NuxeoPrincipal. The principal is then
> > added to a HttpServletRequestWrapper which overloads the getPrincipal
> > method (among other things) and is then passed to the chain.doFilter.
> >
> The standard NX Login module already has a simple plugin system.
> This plugin system is used to implement CAS SSO authentication.
> Is there a way for you to use this extension point? (we can extend the
> plugin model).
> >
> > The problem is that I had to modify the default template web.xml
> > located in OSGI-INF/templates to:
> > 1) remove the <login-config> and <security-constraints> elements. The
> > first one is useless
> Ok, we could make it a contribution from the standard login module.
> > and the second one still causes access forbidden exceptions...
> Seems too strange to me to have to remove all security constraints.
>
> > 2) put my NTLM <filter> & <filter-mapping> manually in order for my
> > <filter-mapping> to be the first to be executed in the chain (because
> > it seems that some standard nuxeo filters require access to the
> > Principal). By the way, it would be great to be able to set the order
> > of the <filter-mapping> when using the <extension> in the deployment
> > fragment. As it is now, the %FILTER-MAPPING% marker is placed after
> > the nuxeo standard filter and there is no way to set the order of the
> > added filters...
> I guess the problem is not the FILTER-MAPPING order but the FILTER
> declaration.
> We already have a %FILTER-FIRST% pattern in order to be sure that some
> filters (like URLRewriter or Ajax4JSF) are first in the chain.
> Can you test if it works for you if you add a %AUTH-FILTER% just before
> %FIRST-FILTER% in the web.xml of the template.
> >
> > I'm still working on it because for the moment a complete login
> > procedure is executed every time the filter is called (which is often
> > because it is mapped on "/*"). Though it seems to have very little
> > overhead, it surely can be made more efficient ;)
> This should be cached by JAAS, no?

_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
