Eric, I was wondering what is your SSO setup? Do you use LDAP? Do you use cookies? I would like to hear more about it to see how general we can make this initial support.

-Elias

[EMAIL PROTECTED] wrote:
> +1
> Release 3.0 :):)
>
> -----Original Message-----
> From: Dave Johnson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 29 August 2006 02:03
> To: [email protected]
> Subject: Re: Roller and SSO via Acegi Security
>
> +1 for getting this into 3.0
>
> Elias sent me a patch containing the small amount of code necessary to optionally add support for SSO via LDAP -- a much requested feature. I think it's safe to add this to the Roller 3.0 code base because
>
> - It's optional and affects the new user creation process
> - It's a small change to UserFormEx and two new classes
>
> There is a small change in UserFormEx that is only invoked if SSO is enabled. If SSO is enabled and SSO data is present, then UserFormEx self-populates based on that SSO data.
>
> There are also two new classes that depend on Acegi.
>
> 1. CustomUserRegistry
>    - Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
>    - Populates UserData object with data from LDAP
>
> 2. RollerAuthoritiesPopulator
>
> The only piece that's missing is docs. With this new code, what needs to change in the existing LDAP FAQ?
>
> - Dave
>
>
> On 8/27/06, Matt Raible <[EMAIL PROTECTED]> wrote:
>> +1 for anything that makes integrating with LDAP easier for companies.
>>
>> Matt
>>
>> On 8/27/06, Elias Torres <[EMAIL PROTECTED]> wrote:
>>> Hi folks,
>>>
>>> I'm revisiting the need for LDAP support in Roller and after some investigation on Acegi Security it seems like I could work something in Roller that would benefit not just IBM but other Roller installations such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the wiki and it seems like it covers the most common cases of authentication in Roller. I've started reading Acegi Security documentation and was able to successfully configure Roller 3.0 against our Enterprise Directory; however, there are some remaining issues that I want to share with you for suggestions on how I should proceed.
>>>
>>> I've configured security.xml to use LDAPAuthProvider. This provider fetches user information and authorities (roles) information. The issue is that our roles "editor" and "admin" are not stored in our secondary LDAP directory (for Groups only). The LDAPProvider does (thankfully) split the provider functions of checking user credentials and fetching role information. Therefore I can write my own AuthoritiesPopulator that accesses the rest of the information from the RollerDB. Now, writing the AuthoritiesPopulator is not exactly trivial, mostly because of the simple design of the provider code in Acegi Security. I would have to copy most of the code from the DAO provider to make use of the same declarative features in the security.xml file, but it's not a big deal.
>>>
>>> My suggestion then is for me to write some sort of [Roller]CompositeProvider that allows basically a pick-your-own combo of features for providing user information. Something like pick either or both LDAP and DAO for either or both credentials and roles. It would duplicate some code from two Acegi Security classes because the code is not properly abstracted, but it will not require changes to Acegi Security and it would always be an optional provider for Roller installations; the default could be what we have in security.xml today.
>>>
>>> Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our IBM internal environment, we have enabled registration, but we don't store password information in Roller. In essence what I suggested to Dave is to password-protect the registration page and when loaded auto-populate the username, name and email address fields (actually make them read-only) and let any authenticated user register in Roller.
>>> However, there's a NullPointerException in RollerSession.getRollerSession() because there's an authenticated user but there's no user in the RollerDB. I was hoping I can inject some code there that would use the generic UserDetailsService in Acegi Security (based on a configurable option) to either auto-insert a record and tweak the registration update to deal with an existing user and just update, or to populate the session with a transient user object that could be used in the registration page.
>>>
>>> I hope you can make sense of the long-winded message and let me know if I can proceed to add this code (together with whatever tweaks/suggestions you may have) to the 3.0 branch.
>>>
>>> -Elias
>>>
>>> [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
>>> [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>>>
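The split Elias describes in his message (Acegi's LDAP provider checks the password, a custom AuthoritiesPopulator reads Roller's "editor"/"admin" roles from the RollerDB) and the failure mode he hit (an LDAP-authenticated user with no row in the RollerDB yet) can be shown in one populator. The following is an added example written for this page; it is not Roller's CustomUserRegistry/RollerAuthoritiesPopulator and not Acegi's code. It assumes the Acegi 1.0.x `LdapAuthoritiesPopulator` interface (`getGrantedAuthorities(LdapUserDetails)`), a `javax.sql.DataSource` wired in from security.xml, and a hypothetical `userrole(username, rolename)` table; those names are assumptions, not Roller's schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.springframework.dao.DataAccessResourceFailureException;

/**
 * Added example, not Roller's code. By the time this runs, Acegi's LDAP
 * provider has already verified the user's password against the directory;
 * this class only answers "which Roller roles does this user hold?" from
 * the Roller database.
 *
 * Assumptions (for illustration only): Acegi 1.0.x interfaces and a table
 *   userrole(username VARCHAR, rolename VARCHAR)
 * whose rolename values are Roller's "editor" / "admin".
 */
public class RollerDbAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Parameterised query: the username comes from the directory and is
    // bound as a parameter, never concatenated into SQL.
    private static final String ROLE_QUERY =
        "SELECT rolename FROM userrole WHERE username = ?";

    private final DataSource dataSource;
    private final String rolePrefix; // e.g. "ROLE_" to follow Acegi's naming convention
    private final GrantedAuthority[] unregisteredAuthorities;

    /**
     * @param unregisteredAuthorities what an LDAP-authenticated user who has
     *        no Roller record yet receives. Pass an empty array for
     *        "authenticated, but no Roller roles": the registration page can
     *        still be protected by authentication without handing out editor
     *        or admin rights to everyone in the directory.
     */
    public RollerDbAuthoritiesPopulator(DataSource dataSource, String rolePrefix,
                                        GrantedAuthority[] unregisteredAuthorities) {
        if (dataSource == null) {
            throw new IllegalArgumentException("dataSource is required");
        }
        this.dataSource = dataSource;
        this.rolePrefix = rolePrefix == null ? "" : rolePrefix;
        this.unregisteredAuthorities = unregisteredAuthorities == null
            ? new GrantedAuthority[0] : unregisteredAuthorities;
    }

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails) {
        String username = userDetails.getUsername();
        List<String> roles = loadRoleNames(username);
        if (roles.isEmpty()) {
            // The case from the thread: valid LDAP credentials, no RollerDB
            // row. Hand back the configured default instead of null or an
            // exception so the caller never has to deal with a missing
            // principal at session-creation time.
            return unregisteredAuthorities;
        }
        GrantedAuthority[] result = new GrantedAuthority[roles.size()];
        for (int i = 0; i < roles.size(); i++) {
            result[i] = new GrantedAuthorityImpl(rolePrefix + roles.get(i));
        }
        return result;
    }

    /** Reads Roller role names for one user; empty list if the user has no record. */
    List<String> loadRoleNames(String username) {
        List<String> roles = new ArrayList<String>();
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = dataSource.getConnection();
            ps = conn.prepareStatement(ROLE_QUERY);
            ps.setString(1, username);
            rs = ps.executeQuery();
            while (rs.next()) {
                String role = rs.getString(1);
                if (role != null && role.trim().length() > 0) {
                    roles.add(role.trim().toLowerCase());
                }
            }
        } catch (SQLException e) {
            // A database failure must fail authentication (Acegi treats the
            // exception as a failed attempt) rather than silently grant the
            // "unregistered" default.
            throw new DataAccessResourceFailureException(
                "Roller role lookup failed for user " + username, e);
        } finally {
            closeQuietly(rs, ps, conn);
        }
        return roles;
    }

    private static void closeQuietly(ResultSet rs, PreparedStatement ps, Connection conn) {
        try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
        try { if (ps != null) ps.close(); } catch (SQLException ignored) { }
        try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
    }
}
```

In Acegi 1.0.x this would be handed to `LdapAuthenticationProvider` as its populator constructor argument in security.xml, next to the existing bind authenticator. Two points to keep in mind when adopting something like this: the "no row yet" path returns the configured default rather than a DB-derived role set, so choose that default deliberately (an empty array is the conservative choice); and any exception from the database lookup fails the login, which is the right direction for an authorization lookup to fail in.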
