On 24/04/11 17:23, jlist9 wrote:
> Brian,
> Thanks a lot for the instructions! I'm not familiar with container
> security so the list looks somewhat daunting to me :-)
> I was also looking at JForum's code - it does LDAP authentication.
> I suppose its security mechanism isn't implemented the same way
> as it uses some internal simple classes to verify user information
> via JNDI. Is it possible to implement something like this in jspwiki
> without having to do a lot of modifications?

Your question made me wonder... I've just checked my jspwiki.properties
and am surprised to discover that I have left the default custom
authentication definitions active IN ADDITION to my container-managed
security-constraints. I have therefore got two layers of security: the
container layer, and the default empty userdatabase.xml. Perhaps this
goes some way to explaining why I had to do so much work defining the
web-resource-collections for each role??? I'll have to look into that
aspect when I have time to spare.

Anyway, to answer your question, I've written a lot of custom LDAP Java
authentication and authorisation code over the years, so I have a lot of
experience and useful source available. I decided the best approach was
to use the existing container-managed LDAP security rather than invent
my own. It is complex to deal with cases you might not care about. It
might not even be an optimal solution. However, I strongly recommend
sticking with the existing standards and reference implementations!

On the other hand, if you don't already have a commitment to use LDAP,
you should stick with the simple standalone default JSPWiki
implementation of authentication and authorisation.

Brian