Chris,

thanks a lot for your extensive explanation! However, one of my problems
seems to remain (unless I missed something in your mail). As I mentioned, I
want to programmatically perform the login from my main portal page and
prevent orion from bringing up the login form (or login popup for BASIC
auth). I do want to keep the security-constraints and have orion perform
automatic authentication in case a user directly accesses any of the
protected pages.

This means that after programmatical login I need to enter some information
into the session object (or anywhere else) to notify orion that login has
already been performed. JRun, for example, keeps an AuthenticatedPrincipal
in the session (although it is undocumented under what attribute name).

Hints? Am I missing something?

thanks, Christian

-----Original Message-----
From: Chris Miller <[EMAIL PROTECTED]>
To: Orion-Interest <[EMAIL PROTECTED]>
Date: Tuesday, 17 October 2000 16:44
Subject: Re: custom user management


>There should be a tutorial arriving for this 'shortly', however in the
>meantime this should be enough to get you going:
>
>Implement the UserManager, User, and Group classes. (for example,
>MyUserManager, MyUser, MyGroup).
>
>The UserManager probably just needs to look like this for now:
>
>public class MyUserManager extends AbstractUserManager {
>    public User getUser(String userName) {
>        if (userName == null)
>            return null;
>        return new MyUser(userName);
>    }
>
>    public Group getGroup(String groupName) {
>        if (groupName == null)
>            return null;
>        return new MyGroup(groupName);
>    }
>}
>
>You may need to implement some of the other methods too depending on your
>requirements, but that should be a good start.
>
>
>For the MyUser class, just implementing the constructor, authenticate() and
>isMemberOf() should be enough for starters:
>
>public class MyUser implements User {
>
>  private String username;
>
>  public MyUser(String username) {
>    this.username = username;
>  }
>
>  public boolean authenticate(String password) {
>    if (username == null)
>      return false;
>    // Lookup the user 'username', and compare the password supplied
>    // with their real password (possibly using a password hashing function).
>    // ...
>    return ((password != null) && (password.equals(realPassword)));
>  }
>
>  public boolean isMemberOf(Group group) {
>    if (username == null)
>      return false;
>    // Do whatever you need to do to see if the user is in the group,
>    // and return true or false accordingly. Eg, find the username and
>    // the groupname as a matching pair in a user<->group mapping table.
>    return false; // placeholder: deny until the lookup above is implemented
>  }
>}
>
>
>The Group class can be very simple, for example as a minimum you can get
>away with:
>
>public class MyGroup implements Group {
>  String groupname;
>
>  public MyGroup(String groupname) {
>    this.groupname = groupname;
>  }
>
>  public String getName() {
>    return groupname;
>  }
>}
>
>
>Now you need to set up your orion-application.xml and web.xml files as per
>the <orion>/docs/orion-application-xml.html and <orion>/docs/web-xml.html
>files.
>
>Eg, add to orion-application.xml your role->group mappings, eg:
>    <security-role-mapping name="sr_editor">
>        <group name="editor" />
>    </security-role-mapping>
>
>and the UserManager class, eg:
>    <user-manager class="com.mycompany.security.MyUserManager">
>    </user-manager>
>
>In web.xml, add your <security-constraint> tags, the <login-config>, and
>your <security-role> tags. There are examples of these tags that come with
>orion I think, plus there's the docs, so you should be able to figure this
>out easily enough. As a tip, start with BASIC authentication, and change it
>to form based or whatever once that is working properly.
>
>That's about it (well, as far as I can remember, there could be a couple of
>other minor steps?).
>Anyway, orion will now see that a protected resource has been asked for
>(because of the <security-constraint> tags), and know to create an instance
>of your UserManager class (thanks to the <user-manager> tag). It will use
>this to get a User and a Group, and will attempt to authenticate that the
>user falls into the correct group (which in turn maps to the correct role).
>
>Apologies for any typos/errors in the above, I've bashed it out pretty
>quickly, but it should definitely point you in the right direction. Good
>luck!
>
>
>----- Original Message -----
>From: "Christian Sell" <[EMAIL PROTECTED]>
>To: "Orion-Interest" <[EMAIL PROTECTED]>
>Sent: Tuesday, October 17, 2000 10:54 AM
>Subject: custom user management
>
>
>> Hi there,
>>
>> I want to customize orion's authentication mechanism to use an existing
>> user database. So far, I understand that I have to create my own UserManager
>> class and register it in orion-application.xml. What I don't understand is:
>>
>> - how do I access the user manager at runtime (e.g., to create users)
>> - how do I perform programmatical login (bypassing the login-config from
>> web.xml, e.g. from a home page with a login field)
>>
>> any hints, URLs?
>>
>> TIA,
>> Christian
>>
>>
>>
>
>

