Angela, thank you again for helping me with this.

>In a non-OSGI-based setup it's probably a bit harder but should still be feasible by either adding the configuration using the protected bind-method or a derived SecurityProvider.

Let me try this and see what I can figure out.

>You can't create the token provider from JCR objects. Instead you need to get started from the Oak ContentRepository in order to create a new ContentSession from which you can obtain the Root object. For the SecurityProvider see above. In general though i would try to leave the refresh to the implementation.

I was thinking I need to get access to the provider to update the token with a new expire timestamp after each request. So it's a rolling timeout. But I guess with a custom provider I can take care of this when we authenticate the current token.

Unfortunately I needed the User Manager which is only accessible from the JCR Repository. And I think there was a 2nd reason, but I don't remember it. So unless there is another way, this seems to be one of those decisions you need to make at the start of the project. Either you create an OAK repository or a JCR Repository and everything else needs to be coded against that API. Since I initialize the JCR with an instance of the Oak, it would be nice to reach in and get the underlying oak repo. (feature request).

Thanks again,
--mike

On Tue, Apr 7, 2015 at 4:43 AM, Angela Schreiber <[email protected]> wrote:
> hi mike
>
> btw: the documentation already explains the requirements for the
> token-creation in the default implementation in section "Token Creation"
> at
> http://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html
>
>>So this leads me to a few more questions, I hope you don't mind.
>>
>>1. How can I set the default timeout? I thought I could pass it in as
>>the 3rd argument to the AppConfigurationEntry, but that doesn't seem
>>to change the defaults.
>
> the configuration parameters belong to the TokenConfiguration.
> in an OSGI-based setup you can change the timeout in the corresponding
> property.
> otherwise, you need to pass the configuration parameters to the security
> provider during the repo setup.
>
> something like
>
> long timeout = ....;
> ConfigurationParameters config =
>     ConfigurationParameters.of(TokenConfiguration.NAME,
>         ConfigurationParameters.of(TokenProvider.PARAM_TOKEN_EXPIRATION, timeout));
>
> SecurityProvider sp = new SecurityProviderImpl(getSecurityConfigParameters());
> Repository repo = new Jcr().with(sp).createRepository();
>
>>2. If I want to reset the token (with a new timeout) and I'm working
>>with a jar repository, how would I do this? The code I found wants an
>>Oak Root node not a JCR Node. Also, how do I get a reference to the
>>Security Provider? When I tried to configure it as a @Bean I get an
>>OSGI error (NoClassDefFoundError: org/osgi/framework/BundleContext)
>>
>>=====
>>Node root = session.getRootNode(); // Should be a oak Root
>>TokenConfiguration tc =
>>securityProvider.getConfiguration(TokenConfiguration.class);
>>TokenProvider tp = tc.getTokenProvider(root);
>>TokenInfo tokenInfo = tp.createToken(_credentials);
>>====
>
> You can't create the token provider from JCR objects. Instead you need
> to get started from the Oak ContentRepository in order to create a
> new ContentSession from which you can obtain the Root object.
> For the SecurityProvider see above.
> In general though i would try to leave the refresh to the implementation.
>
>>3. If I wanted to use custom token, such as a JWT token. How do I
>>configure it, after I implement TokenProvider?
>
> You need to make sure your setup (additionally) comes with your custom
> TokenConfiguration that returns your own implementation of the
> TokenProvider.
> In an OSGI-based setup this would mean that you register your
> TokenConfiguration as service. The default setup will automatically
> pick it up and the right provider should then issue/manage the tokens
> based on the 'doCreateToken' and 'getTokenInfo' calls.
> In a non-OSGI-based setup it's probably a bit harder but should still
> be feasible by either adding the configuration using the protected
> bind-method or a derived SecurityProvider.
>
> hope that helps
> angela
>
>>
>>Thank you again,
>>--mike
>>
>>
>>On Wed, Apr 1, 2015 at 11:04 AM, Angela Schreiber <[email protected]>
>>wrote:
>>> hi mike
>>>
>>> exactly... i guess, i need to improve the docu ;-)
>>>
>>> for the time being you can look at the various loginmodule
>>> related test cases in oak.
>>>
>>> e.g. TokenDefaultLoginModuleTest.testTokenCreationAndLogin
>>>
>>> but it should also work with any other auth-setup that
>>> properly validates simplecredentials and has the token-lm
>>> being called during #commit in the configuration.
>>> also you may plug your custom tokenprovider implementation
>>> in case you have different credentials or need a different
>>> token...
>>>
>>> hope that helps
>>> angela
>>>
>>> On 01/04/15 17:47, "Mike Nimer" <[email protected]> wrote:
>>>
>>>>thanks for helping me on this. To make sure I understand this, if my
>>>>initial login uses simple credentials, and I add an empty ".token"
>>>>property - after login I will have a token value set in the
>>>>Credentials object. Assuming the TokenLoginModule is configured
>>>>correctly. right? And that's the token I can pass around in future
>>>>requests?
>>>>--mike
>>>>
>>>>
>>>>On Wed, Apr 1, 2015 at 10:26 AM, Angela Schreiber <[email protected]>
>>>>wrote:
>>>>
>>>>> hi mike
>>>>>
>>>>> can't help you with spring security but with the second question:
>>>>>
>>>>> the TokenLoginModule will issue a new login token during the commit
>>>>> phase if the shared state contains credentials that are supported by
>>>>> the configured token provider. see doCreateToken(Credentials) for
>>>>> details.
>>>>>
>>>>> the default impl of the token provider handles the default jcr
>>>>> simplecredentials and issues a new token if the latter contains
>>>>> an empty ".token" attribute. that should provide a backwards
>>>>> compatible behaviour to jackrabbit 2.x.
>>>>>
>>>>> hope that helps
>>>>> angela
>>>>>
>>>>>
>>>>> On 01/04/15 05:46, "Mike Nimer" <[email protected]> wrote:
>>>>>
>>>>> >I'm looking for some help configuring the TokenLoginModule with
>>>>> >Spring Security and I'm hoping someone has some sample code or
>>>>> >documentation to share.
>>>>> >
>>>>> >I have added the TokenLoginModule using the spring
>>>>> >DefaultJaasAuthenticationProvider & InMemoryConfiguration however I'm
>>>>> >getting this error on startup and I'm not sure how to get past it.
>>>>> >
>>>>> >authorityGranters cannot be null or empty
>>>>> >
>>>>> >A second question, if I wanted to use a REST service endpoint for
>>>>> >login how can I create a new Token, for future requests, since the
>>>>> >TokenProvider class is not public.
>>>>> >
>>>>> >Thanks,
>>>>> >--mike
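
The approach described in the thread above (set the token expiration on the SecurityProvider, then obtain the TokenProvider from an Oak Root rather than a JCR Node), as an added example that is not part of the original messages or of Oak's own code. It assumes Oak 1.2-era package names, an in-memory repository with the default admin/admin account and a 30-minute timeout; the class name is hypothetical.

```java
import java.util.Collections;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.api.ContentRepository;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;

public class OakTokenExample { // hypothetical class name
    public static void main(String[] args) throws Exception {
        long timeout = 30 * 60 * 1000L; // assumed value: 30 minutes, in milliseconds
        ConfigurationParameters config = ConfigurationParameters.of(
                TokenConfiguration.NAME,
                ConfigurationParameters.of(TokenProvider.PARAM_TOKEN_EXPIRATION, timeout));
        SecurityProvider sp = new SecurityProviderImpl(config);

        // Start from the Oak ContentRepository, not from a JCR Repository.
        ContentRepository repo = new Oak()
                .with(new InitialContent()) // node types needed by the user/token code
                .with(sp)
                .createContentRepository();

        // Assumption: the default admin account of a freshly initialized repository.
        SimpleCredentials creds = new SimpleCredentials("admin", "admin".toCharArray());
        ContentSession cs = repo.login(creds, null);
        try {
            Root root = cs.getLatestRoot(); // an Oak Root, as getTokenProvider() expects
            TokenProvider tp = sp.getConfiguration(TokenConfiguration.class)
                                 .getTokenProvider(root);
            TokenInfo issued = tp.createToken(creds.getUserID(),
                    Collections.<String, Object>emptyMap());
            long now = System.currentTimeMillis();
            System.out.println("expired now?        " + issued.isExpired(now));
            System.out.println("expired at timeout? " + issued.isExpired(now + timeout + 1));
            // Later request: look the token up again; the provider decides whether to extend it.
            TokenInfo seen = tp.getTokenInfo(issued.getToken());
            System.out.println("extended?           " + seen.resetExpiration(now));
        } finally {
            cs.close();
        }
    }
}
```

The token string itself is a credential, so the example reports only its expiration state and never prints the value.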
