However, if you consider embedding Jackrabbit into a container, it is quite likely that the container will be responsible for dealing with the LoginContext. Take Catalina for instance: if one follows the standard login scheme, then Tomcat delegates the login to the underlying Realm (I use the JAASRealm). It performs the authentication and instances the GenericPrincipal. The application layer has no standard hook on these objects except via getUserPrincipal and isUserInRole. In my own experience in tying JackRabbit to SJAS, I had two choices: either re-authenticate the user by providing a dummy single sign-on in a custom LoginModule, or embed the Authentication context inside JackRabbit. I chose the latter route. It is testament to the cohesiveness of the API and the implementation that I could manage this quite easily, because Jackrabbit's JAAS implementation allowed me to easily disable it and retrofit it to rely on SJAS for authentication.
I think the main challenge is going to be in Authorization. Every web application worth its salt seems to have its own Authorization and Authentication API. I will try and rely on JACC for this bit. Again the issues will be the same: how to pass the JACC context into JackRabbit AccessManager. I suspect the solution the JackRabbit team will come up with will be as transparent as they have for RepositoryImpl.login.
As ever, my fast depreciating 2 cents
Suhail
On Mar 8, 2005, at 7:35 PM, Sylvain Wallez wrote:
Andy Depue wrote:
On Tuesday 08 March 2005 03:32 am, Dominique Pfister wrote:
<snip/>
IMO, the concept of JAAS is abstract enough to handle this situation and
it should be possible to implement a custom LoginModule that will add
Principal information to the Subject being authenticated in such a way
that authorization calls made on the Subject will actually be forwarded
to Acegi.
What you're saying is if someone wants to adapt Jackrabbit to their own authentication scheme, they are going to have to create a JAAS adapter/implementation? This is doable, no doubt. But Ben's idea has the advantage of being simple.
Have a look at the LoginModule docs [1]. Does it look so complicated?
Furthermore, using this standard interface potentially allows your specific authentication scheme to become part of a larger picture in a JAAS-enabled environment. You've written a LoginModule adapter for your stuff to be able to use Jackrabbit? Now you can use it everywhere. Either in the standard java security file, but also as a configuration of other libraries that hopefully rely on the JAAS standard interfaces and allow you to provide them with a custom LoginModule.
Sylvain
[1] http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/spi/LoginModule.html
--
Sylvain Wallez, Anyware Technologies
http://www.apache.org/~sylvain
http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
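A sketch of the LoginModule adapter discussed in this thread, added here as an example; it is not code from any of the posters or from Jackrabbit. It uses only the standard `javax.security.auth` interfaces (Java 16+ for the record); `ExternalSchemeLoginModule`, `ExternalAuthenticator`, `NamedPrincipal` and the `role:` prefix are hypothetical names standing in for whatever external scheme does the real credential check.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class ExternalSchemeLoginModule implements LoginModule {
    // Hypothetical hook for the external scheme: returns role names, throws on bad credentials.
    public interface ExternalAuthenticator {
        Set<String> authenticate(String user, char[] password) throws LoginException;
    }
    public record NamedPrincipal(String name) implements Principal { public String getName() { return name; } }
    // Assumption: set once at startup, because LoginContext creates modules via a no-arg constructor.
    public static volatile ExternalAuthenticator authenticator;
    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> mine = new HashSet<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {   // phase 1: verify only, Subject untouched
        if (handler == null || authenticator == null) throw new LoginException("not configured");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pw }); }
        catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        if (name.getName() == null) throw new LoginException("no user name supplied");
        char[] secret = pw.getPassword();   // a copy of the password; wiped in finally
        pw.clearPassword();
        try {
            Set<String> roles = authenticator.authenticate(name.getName(), secret);
            mine.add(new NamedPrincipal(name.getName()));
            for (String r : roles) mine.add(new NamedPrincipal("role:" + r));
        } finally { if (secret != null) Arrays.fill(secret, '\0'); }
        return true;
    }
    public boolean commit() {   // phase 2: called only when the whole module stack succeeded
        if (mine.isEmpty()) return false;
        subject.getPrincipals().addAll(mine);
        return true;
    }
    public boolean abort() { return logout(); }
    public boolean logout() {
        subject.getPrincipals().removeAll(mine);
        mine.clear();
        return true;
    }
}
```

Principals reach the Subject only in `commit()`, so a failure in another module of the same login configuration leaves the Subject without any identity from this adapter.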
