Jonathan --
Very interesting. I'll look into this. Thanks for investigating. --
Andrew
On Jul 16, 2009, at 10:10, jonathan <[email protected]> wrote:
update/fix:
I've added a new role "person", via userRoleName="objectClass" in my
server.xml realm configuration (as well as appropriate adds in
web.xml). I also had to add a connectionName and connectionPassword
since we don't allow anonymous searches of the directory.
I now get assigned the "person" role by the container, in addition
to "Authenticated":
2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@ee3aa7,
princpal=com.ecyrd.jspwiki.auth.authorize.Role person,
target=com.ecyrd.jspwiki.wikisess...@6d06b0]
2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@ee3aa7,
princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,
target=com.ecyrd.jspwiki.wikisess...@6d06b0]
I no longer get "Forbidden". I'm unsure why this manually
configured role works differently than the default "Authenticated",
but this is a workable solution.
curious point: with jspwiki.cookieAssertions=true in
jspwiki.properties, I'm forced to login twice (at which point
everything works). With it false, I get properly authenticated the
first time. strange.
jonathan.
jonathan wrote:
heya too!
The wiki page on container auth has been very, very helpful, yes.
Upon further investigation, I think my issues are currently more
role-related than UserDatabase related.
Container has been set up to authenticate to ldap, no roles have
been configured, web.xml is default container-managed config. As
soon as I log in, I end up getting a forbidden page (on Login.jsp?
redirect=Main). If I click "Better luck next time", I end up back
on the main page, "authenticated" (much like this problem: http://www.mail-archive.com/[email protected]/msg01892.html
- except I'm using Tomcat 5.5.15).
If I look at my security log, I get the following entries only
*after* I click the "Better luck..." link on the Forbidden page:
2009-07-15 17:11:07,547 INFO -
WikiSecurityEvent.LOGIN_AUTHENTICATED
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,547 DEBUG -
WikiSecurityEvent.LOGIN_AUTHENTICATED
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD
[source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245,
princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,
target=com.ecyrd.jspwiki.wikisess...@1f55105]
It looks like I now should have the "Authenticated" role from the
container (though I don't seem to have it (according to the log,
anyway) immediately after clicking "login", which is strange).
However, I still get "Forbidden" if I try and go to Edit.jsp or
similar (the "Authenticated area" in web.xml).
After the initial "Forbidden", my wiki acls seem to work properly,
but the container-given Role ("Authenticated") doesn't seem to be
working, even though the logs appear to indicate that the role has
been assigned.
Thoughts on where to go from here?
as always, many thanks,
jonathan.
Janne Jalkanen wrote:
Heya!
Does this help?
http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
/Janne
On 14 Jul 2009, at 21:37, jonathan wrote:
Has anyone successfully done this?
In 2.4 I'm using Kaukolu LDAPUserDatabase implementation to get
user data, so I have no local userdatabase.xml file to fall back
on. The existing LDAPUserDatabase doesn't work with 2.8, of
course.
If you've done this, how are you handling the userdatabase
portion under 2.8? We have a very large ldap database, but a
relatively small number of JSPWiki users, so migrating the ldap
info into an xml (or even mysql) userdatabase seems a bit like
overkill (though this may be the simplest route to take given my
relative inability to recode the LDAPUserDatabase stuff).
Any thoughts appreciated.
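The realm and web.xml constraint that jonathan's update describes (a Tomcat JNDIRealm with userRoleName="objectClass" plus a search account, and a security-constraint that asks for the resulting "person" role), written out as an added example. This is not configuration taken from the thread, from Tomcat's defaults or from the JSPWiki project; the LDAP host, base DNs, service-account DN and the url-patterns are assumptions chosen for illustration.

```xml
<!-- server.xml, inside <Engine> or <Host>: Tomcat JNDIRealm authenticating against LDAP.
     Host, DNs and the service account are assumed values, not real ones. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="cn=wiki-reader,ou=services,dc=example,dc=org"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="objectClass"/>

<!-- Alternative role source, instead of userRoleName: map LDAP group membership to
     container roles. {0} is the user's DN; the group's cn becomes the role name.
     This is the setting to use once a role is meant to carry real privilege. -->
<!--
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="cn=wiki-reader,ou=services,dc=example,dc=org"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=org"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true"/>
-->

<!-- web.xml: the "Authenticated area", now requiring the LDAP-derived role.
     The url-patterns are assumed; no <http-method> is listed, so the constraint
     applies to every method rather than only the ones named. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <url-pattern>/Comment.jsp</url-pattern>
    <url-pattern>/Upload.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>person</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>person</role-name>
</security-role>
```

Two caveats on what this grants. With userRoleName="objectClass", every value of the attribute becomes a container role (typically top, person, organizationalPerson, inetOrgPerson), so "person" is held by any directory entry that can bind at all; it is fine as a stand-in for "any authenticated user", which is how the thread uses it, but it must not be reused as a privileged role, and the commented roleBase/roleSearch form is the way to tie a role to an actual LDAP group. The connectionName/connectionPassword pair sits in clear text in server.xml, so it should be a read-only account limited to searching the user subtree; if every user DN follows one pattern, userPattern="uid={0},ou=people,dc=example,dc=org" in place of userBase/userSearch lets the realm bind as the user directly and the search account is not needed.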