I tried the %FILTER-FIRST% but i guess in order to benefit from it we must
upgrade our nuxeo sources...My filter was still called after the nuxeo standard
filters as shown in the following fragment of the generated web.xml:
<filter-mapping>
<filter-name>NuxeoFancyURLMaker</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>sessionExpirationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ajax4jsf</filter-name>
<url-pattern>*.seam</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>ajax4jsf</filter-name>
<url-pattern>*.faces</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>Seam Exception Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Seam Redirect Filter</filter-name>
<url-pattern>*.faces</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Seam Redirect Filter</filter-name>
<url-pattern>*.seam</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Seam Servlet Filter</filter-name>
<url-pattern>/FileManageWS</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>NuxeoNtlmHttpFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
"Tiry" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Le mercredi 04 avril 2007 à 11:53 +0200, Frédéric Thise a écrit :
> We are working on an old revision of nuxeo (13835) and the web.xml templates
> doesn't have a %FIRST-FILTER% marker.. Can i just add one?
Yes, you can.
> What is the use of %AUTH-FILTER%?
Well, if there are use cases like yours to add authentication filters,
this could be interesting to add a marker like that to let projet easily
define auth filters that would be declared at start of web.xml.
You can easily test it : just add the marker in the template and use it
in you contribution (deployment-fragment.xml)
>
> Actually, it seems that some JAAS caching is in place but i'm still not sure
> about the logic ;)
Ah, JAAS :)
>
>
> "Tiry" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> Le mercredi 04 avril 2007 10:24 +0200, Frdric Thise a crit :
> > Finally, i managed to integrate NTLM with nuxeo
> Great news
> > but it is still a bit ugly...
> :)
> >
> > The solution is embedded in a NTLM login module
> > (NXNtlmLoginModule.sar) which replaces the standard nuxeo login
> > (NXLoginModule.sar). It contains a NTLM filter derived from the jcifs
> > NtlmHttpFilter class (this base filter performs the actual
> > authentication). The filter then performs a Jaas login on the
> > "nuxeo-ecm" security domain using a NTLM LoginModule instead of the
> > default JBossLoginModule (but heavily based on it) to retrieve the
> > groups and roles and create the NuxeoPrincipal. The principal is then
> > added to a HttpServletRequestWrapper which overloads the getPrincipal
> > method (among other things) and is then passed to the chain.doFilter.
> >
> The standard NX Login module already has a simple plugin system.
> This plugin system is used to implement CAS SSO authentication.
> Is there a way for you to use this extension point ? (we can extent the
> plugin model).
> >
> > The problem is that i had to modify the default template web.xml
> > located in OSGI-INF/templates to:
> > 1) remove the <login-config> and <security-constraints> elements. The
> > first one is useless
> Ok, we could make it a contribution from the standard login module.
> > and the second one still causes access forbidden exceptions...
> Seems to strange to me to have to remove all security constraints.
>
> > 2) put my NTLM <filter> & <filter-mapping> manually in order for my
> > <filter-mapping> to be the first to be executed in the chain (because
> > it seems that some standard nuxeo filters require access to the
> > Principal). By the way, it would be great to be able to set the order
> > of the <filter-mapping> when using the <extension> in the deployment
> > fragment. As it is now, the %FILTER-MAPPING% marker is placed after
> > the nuxeo standard filter and there is now way to set the order of the
> > added filters...
> I guess the problem is not the FILTER-MAPPING order but the FILTER
> declaration.
> We already have a %FILTER-FIRST% pattern in order to be sure that some
> filters (like URLRewriter or Ajax4JSF) are first in the chain.
> Can you test if it works for you if you add a %AUTH-FILTER% just before
> %FIRST-FILTER% in the web.xml of the template.
>
> >
> > I'm still working on it because for the moment a complete login
> > procedure is executed every time the filter is called (which is often
> > because it is mapped on "/*"). Though it seems to had very little
> > overhead, it surely can be made more efficient ;)
> This should be cached by JAAS, no ?
>
> > _______________________________________________
> > ECM mailing list
> > [email protected]
> > http://lists.nuxeo.com/mailman/listinfo/ecm
>
>
>
> _______________________________________________
> ECM mailing list
> [email protected]
> http://lists.nuxeo.com/mailman/listinfo/ecm
>_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
