-----Original Message-----
From: Andrew Jaquith [mailto:[email protected]]
Sent: Thursday, March 26, 2009 4:39 AM
To: [email protected]; Schenk, Andre
Subject: Re: OpenID support in JSPWiki?
Hi Tilman --
Your analysis is correct. You would need to obtain the HttpRequest from WikiCallbackHandler, which at the moment it does not know how to supply. We have had some other questions about this recently, notably Andre Schenk's desire to be able to obtain a reference to the WikiEngine from inside his custom LoginModule.
In both cases, the common thread is that we need to supply additional callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2, by simply adding in support for the HttpRequestCallback. That should meet your needs, no?
It should also meet Andre's, indirectly, in the sense that if you have an HttpRequest you can fairly easily retrieve the WikiEngine also (by passing getSession().getServletContext() to WikiEngine.getInstance()).
Andrew
On Wed, Mar 25, 2009 at 7:27 AM, Tilman Bender <[email protected]> wrote:
Hi Andrew,
Thanks for your help!
Let's see if I got it right:
- My OpenidAssertionLoginModule needs the data from the HttpRequest
- The way to obtain this data is via HttpRequestCallback
From what I can see so far, the HttpRequest in HttpRequestCallback is only set in WebContainerCallbackHandler, which is used by:
- WebContainerLoginModule
- CookieAssertionLoginModule
- AnonymousLoginModule
So as I get it, I would have to either use this CallbackHandler instead of WikiCallbackHandler, or find a way to set the HttpRequest in HttpRequestCallback from within WikiCallbackHandler.
Question is: How can I access the request from within WikiCallbackHandler?
I agree on the attribute exchange on login, although I would see that as a further improvement to the basic OpenID functionality.
For the UI side, I attached some mocks. This is what my UI currently looks like, but it is far from complete. Comments welcome :-)
kind regards
Tilman Bender
Software Engineering student
Hochschule Heilbronn
[email protected]
On 20.03.2009 at 14:43, Andrew Jaquith wrote:
Tilman--
Thanks for your e-mail, and for your good work.
Your thought-process on this seems sound. Agreed, the first phase of login (OP discovery + redirect) should be handled by a custom JSP. The second phase (validation) should be handled by JAAS.
To do this, you will need to get the HttpRequest object. JSPWiki does have an HttpRequestCallback that can supply this, at least in the custom authentication case. You will need to check to see if WikiCallbackHandler passes that callback. If not, it is trivial to patch the code to do this.
So, I think this is basically in line with what you proposed.
Some other thoughts:
At login time, it would be highly desirable to use SREG or OpenID attribute exchange to pull the user's name and e-mail address and use the returned values to update their profile, which would ensure that their information is always current. The login ID used to look up the profile should be the user's OpenID URL... I think.
On the UI side, we will need a special OpenID login page (JSP). The regular login page could include this if desired.
Andrew
On Mar 18, 2009, at 7:02, Tilman Bender <[email protected]> wrote:
Hey guys,
I am currently playing with the 2.8.1 code and openid4java. But I am having a hard time trying to figure out where exactly to hook in the OpenID stuff.
The problem is (as also described in #JSPWIKI-94), that:
1. To me it seems you cannot do the whole thing in JAAS:
OpenID as I understand it has two phases:
Phase I:
- The user just submitted his openid identifier to our login/registration form.
- We do discovery on the identifier to find the Endpoint of his OpenID Provider (and check if the provider is in our whitelist)
- We redirect the user to his OpenID provider
So in this phase it makes no sense to me to use a JAAS-Module since we wouldn't be able to complete the login method as we do not know enough about the user yet (we do not know if his identity is asserted by the OpenID Provider).
So I currently do this via JSP and Scriptlets (no custom tag yet).
Phase II:
- The user is redirected back to us by his OpenID Provider
- We connect to the OpenID Provider to verify the assertion that was passed along the request (be it a positive or negative assertion)
- Now we know enough about the user to log them in.
I currently try to use UserManager.setUserProfile in this situation. Now here comes my problem:
I would like to do all the assertion verification in a JAAS-Module, but for that I need all the request data, which I do not have in the setUserProfile-Method.
So currently I am stuck. Before I start to wildly mess the API: Am I taking the right direction?
Tilman Bender
Software Engineering student
Hochschule Heilbronn
[email protected]
On 03.12.2008 at 21:50, Janne Jalkanen wrote:
Hi!
Thanks for the effort - sounds like a worthy project!
I think you will save yourself a lot of grief if you work on the 2.8.1 branch, since the trunk is now the subject of a lot of changes - but note that we *will* be making some rather major changes for 3.0, so you may face a small porting effort towards the end. We certainly wouldn't like to land a major feature in 2.8 branch anymore, since it's rather stable.
I think the first thing you could do is to outline your plan as to how exactly are you planning to hook into our structures - a good place to start is probably the Security documentation at http://doc.jspwiki.org/2.8/wiki/Security, and then asking a lot of questions on this mailing list.
Also, since we are talking about a fairly large project here, you might want to sign a contributor license agreement (CLA), and depending on the German copyright legislation, also get Heilbronn to sign a corporate CLA. That, or Heilbronn (or you) need to, at the end of the project, give a software grant (SGA) to Apache Software Foundation. But these are not biggies and can be tackled if/when we start merging ;-)
/Janne
On Dec 3, 2008, at 21:25, Tilman Bender wrote:
Hi JSPWiki Devs,
I am a student at Heilbronn University in Germany (Some of you might know Christoph Sauer, who worked there.)
As pre-thesis for my diploma I want to enhance JSPWiki with OpenID. I am still pretty new to JSPWiki, OpenID and JAAS.
I have worked my way through the official OpenID 2.0 Authentication standard and will do as well for Attributes Exchange.
I would like to base my work on the 2.8.1 tag and see to get it integrated into the trunk later. Is that the correct way to do it?
As I see Andrew already spent quite some time on OpenID and did some preparations.
Since I plan to get my diploma someday soon (say in 2009 ;-)), I have a high personal interest in getting OpenID into JSPWiki.
Summary:
* I have time
* I have motivation
* I need some help to get started ;-)
Any suggestions where to begin? I guess registration/profile creation would be first.
kind regards
Tilman Bender
Software Engineering student
Hochschule Heilbronn
[email protected]
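The constraint the thread converges on, that a JAAS LoginModule can only see request data when the CallbackHandler it is given supports a callback carrying that data, is shown here as an added example; it is not JSPWiki code and not from any participant in the thread. RequestParamsCallback, AssertionLoginModule, the "verifier" option and the sample parameter are assumptions made for illustration, and the verifier stands in for real verification of the assertion with the OpenID provider.

```java
import java.io.IOException;
import java.util.Map;
import java.util.function.Predicate;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class RequestCallbackDemo {
    // Hypothetical stand-in for an HTTP request callback; carries request parameters only.
    static class RequestParamsCallback implements Callback { Map<String, String> params; }
    // Validation-phase login module: fails closed when it cannot obtain or verify request data.
    static class AssertionLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Predicate<Map<String, String>> verifier;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            verifier = (Predicate<Map<String, String>>) opts.get("verifier"); // assumed option name
        }
        public boolean login() throws LoginException {
            RequestParamsCallback cb = new RequestParamsCallback();
            try { handler.handle(new Callback[] { cb }); } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("handler cannot supply request data: " + e);
            }
            if (cb.params == null || verifier == null || !verifier.test(cb.params))
                throw new LoginException("assertion not verified");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    public static void main(String[] args) {
        Map<String, String> request = Map.of("openid.mode", "id_res"); // constructed sample
        Predicate<Map<String, String>> verifier = p -> "id_res".equals(p.get("openid.mode")); // constructed check
        // Handler that supports the request callback and rejects every other callback type.
        CallbackHandler requestAware = cbs -> {
            for (Callback c : cbs) {
                if (!(c instanceof RequestParamsCallback)) throw new UnsupportedCallbackException(c);
                ((RequestParamsCallback) c).params = request;
            }
        };
        // Handler that does not know the callback, so the module has no request data to work with.
        CallbackHandler unaware = cbs -> { throw new UnsupportedCallbackException(cbs[0]); };
        for (CallbackHandler h : new CallbackHandler[] { requestAware, unaware }) {
            AssertionLoginModule m = new AssertionLoginModule();
            m.initialize(new Subject(), h, Map.of(), Map.of("verifier", verifier));
            try { System.out.println("login: " + m.login()); }
            catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The second handler models a callback handler that has not been taught the request callback: the module turns the UnsupportedCallbackException into a LoginException rather than continuing without request data.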