Prashanth Gujjeti wrote:
David,
Thanks for your earlier response. As I am proceeding with our custom
Security Valve implementation, I ran into issues with
Authentication/Authorization. First, let me explain the way we are
trying to implement authentication.
We have a default page for the role "guest", so that all anonymous users
get to see that page. Within that, there is a single custom Portlet for
login. It collects the login info, and posts to the same portlet
(invoking processAction() ). The authentication is done inside the
processAction() method of the portlet, and a custom object containing
all the User info is stored as an attribute in RequestContext's session.
Now, I have a custom security valve that is derived from
AbstractSecurityValve. Within the getSubject() method, I access
RequestContext's session attributes to determine if this user is
authenticated. If so, I get the custom object with the user info from
the Session, and create the javax.security.auth.Subject object if
necessary (for the first time). All my PSML constraints work fine and
the profiling works fine as well. Please be assured that the pipeline
configuration is all fine (pipelines.xml inlined below, and acl-pipeline
is the default pipeline in jetspeed.properties).
The problem is with accessing the RenderRequest.isUserInRole(),
RenderRequest.getUserPrincipal() from say, doView() of a portlet. They
return "false" and "null" all the time, indicating that something is
wrong with the authentication's integration with servlet container
(Tomcat, in this case). Could you guide me as to how I could possibly
access the roles and user principal from within the Portlets? Any help
is highly appreciated.

Sounds like your security valve is not calling userManager.getUser. The
User Manager delegates to the securityMappingHandler, and then to the
Role Handler SPI to retrieve your roles for the user. Look at the
default security valve:

    User user = userMgr.getUser(userPrincipal.getName());
    if ( user != null )
    {
        subject = user.getSubject();
    }

The subject will be populated with all roles for the user, and the
portlet api can then reference this subject in role checks.
If you want to provide your own roles (not Jetspeed's), then replace
Jetspeed's RoleSecurityHandler with your own in the Spring config.
--
David Sean Taylor
Bluesunrise Software
[EMAIL PROTECTED]
[office] +01 707 773-4646
[mobile] +01 707 529 9194
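
Added illustration of the point made in the reply above; it is not part of the original thread and is not Jetspeed code. It uses only the JDK's javax.security.auth.Subject (Java 16+ for records); UserPrincipal, RolePrincipal and the isUserInRole helper are hypothetical stand-ins, and the role check is an assumed model of a check that reads role principals from the Subject.

```java
import java.security.Principal;
import java.util.List;
import javax.security.auth.Subject;

// Added illustration; not Jetspeed code. All class names here are hypothetical
// stand-ins for the portal's own user and role principal types.
public class SubjectRolesDemo {

    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // What a valve does when it builds the Subject from session data alone:
    // the user principal is present, but no role principals are attached.
    static Subject subjectFromSessionOnly(String userName) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(userName));
        return s;
    }

    // What the reply describes: the user lookup returns a Subject that also
    // carries one principal per role (roles passed in here as constructed data).
    static Subject subjectWithRoles(String userName, List<String> roles) {
        Subject s = subjectFromSessionOnly(userName);
        for (String role : roles) {
            s.getPrincipals().add(new RolePrincipal(role));
        }
        return s;
    }

    // Assumed shape of a role check that reads the Subject: it succeeds only
    // if a role principal with the requested name is present.
    static boolean isUserInRole(Subject subject, String role) {
        return subject.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) {
        Subject bare = subjectFromSessionOnly("alice");   // constructed sample user
        Subject full = subjectWithRoles("alice", List.of("user", "manager"));
        System.out.println("session-only subject, manager: " + isUserInRole(bare, "manager"));
        System.out.println("populated subject, manager:    " + isUserInRole(full, "manager"));
        System.out.println("populated subject, admin:      " + isUserInRole(full, "admin"));
    }
}
```

A Subject that holds only the user principal authenticates the user but fails every role check, which matches the symptom described in the question.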