Hi,

Today, for Roller, I'm only using LDAP authentication. But a lot of our applications here use NTLM authentication through a (Tomcat) filter that calls a web service connected to our LDAP. I hope that with your new classes I will be able to modify my filter a bit so that it would only tell Roller "yes, the user is known, let him go".
Eric

-----Original Message-----
From: Elias Torres [mailto:[EMAIL PROTECTED]] On behalf of Elias Torres
Sent: Tuesday, 29 August 2006 14:55
To: [email protected]
Subject: Re: Roller and SSO via Acegi Security

Eric,

I was wondering what is your SSO setup? Do you use LDAP? Do you use cookies? I would like to hear more about it to see how general we can make this initial support.

-Elias

[EMAIL PROTECTED] wrote:
> +1
> Release 3.0 :):)
>
> -----Original Message-----
> From: Dave Johnson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 29 August 2006 02:03
> To: [email protected]
> Subject: Re: Roller and SSO via Acegi Security
>
> +1 for getting this into 3.0
>
> Elias sent me a patch containing the small amount of code necessary to
> optionally add support for SSO via LDAP -- a much requested feature. I
> think it's safe to add this to the Roller 3.0 code base because
>
> - It's optional and affects the new user creation process
> - It's a small change to UserFormEx and two new classes
>
> There is a small change in UserFormEx that is only invoked if SSO is enabled.
> If SSO is enabled and SSO data is present, then UserFormEx self-populates
> based on that SSO data.
>
> There are also two new classes that depend on Acegi.
>
> 1. CustomUserRegistry
>    - Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
>    - Populates UserData object with data from LDAP
>
> 2. RollerAuthoritiesPopulator
>
> The only piece that's missing is docs. With this new code, what needs to
> change in the existing LDAP FAQ?
>
> - Dave
>
>
> On 8/27/06, Matt Raible <[EMAIL PROTECTED]> wrote:
>> +1 for anything that makes integrating with LDAP easier for companies.
>>
>> Matt
>>
>> On 8/27/06, Elias Torres <[EMAIL PROTECTED]> wrote:
>>> Hi folks,
>>>
>>> I'm revisiting the need for LDAP support in Roller and after some
>>> investigation on Acegi Security it seems like I could work something
>>> in Roller that would benefit not just IBM but other Roller
>>> installations such as Yale and N.C. State. Dave pointed me to
>>> RollerAndSSO [1] in the wiki and it seems like it covers the most
>>> common cases of authentication in Roller. I've started reading Acegi
>>> Security documentation and was able to successfully configure Roller
>>> 3.0 against our Enterprise Directory; however, there are some
>>> remaining issues that I want to share with you for suggestions on how I
>>> should proceed.
>>>
>>> I've configured security.xml to use LDAPAuthProvider. This provider
>>> fetches user information and authorities (roles) information. The
>>> issue is that our roles "editor" and "admin" are not stored in our
>>> secondary LDAP directory (for Groups only). The LDAPProvider does
>>> (thankfully) split the provider functions of checking user
>>> credentials and fetching role information. Therefore I can write my
>>> own AuthoritiesPopulator that accesses the rest of the information
>>> from the RollerDB. Now, writing the AuthoritiesPopulator is not
>>> exactly trivial, mostly because of the simple design of the provider
>>> code in Acegi Security. I would have to copy most of the code from the
>>> DAO provider to make use of the same declarative features in the
>>> security.xml file, but it's not a big deal.
>>>
>>> My suggestion then is for me to write some sort of
>>> [Roller]CompositeProvider that allows basically a pick-your-own
>>> combo of features for providing user information. Something like
>>> pick either or both LDAP and DAO for either or both credentials and
>>> roles. It would duplicate some code from two Acegi Security classes
>>> because the code is not properly abstracted, but it will not require
>>> changes to Acegi Security and it would always be an optional
>>> provider for Roller installations; the default could be what we have in
>>> security.xml today.
>>>
>>> Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In
>>> our IBM internal environment, we have enabled registration, but we
>>> don't store password information in Roller.
>>> In essence what I suggested to Dave is to password-protect the
>>> registration page and when loaded auto-populate the username, name and
>>> email address fields (actually make them read-only) and let any
>>> authenticated user register in Roller.
>>> However, there's a NullPointerException in
>>> RollerSession.getRollerSession() because there's an authenticated
>>> user but there's no user in the RollerDB. I was hoping I can inject
>>> some code there that would use the generic UserDetailsService in Acegi
>>> Security (based on a configurable option) to either auto-insert a
>>> record and tweak the registration update to deal with an existing user
>>> and just update, or to populate the session with a transient user
>>> object that could be used in the registration page.
>>>
>>> I hope you can make sense of the long-winded message and let me know
>>> if I can proceed to add this code (together with whatever
>>> tweaks/suggestions you may have) to the 3.0 branch.
>>>
>>> -Elias
>>>
>>> [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
>>> [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>>>
> -------------------------------------------------------------------------------------------
> "This transmission (including any attachments) is intended solely for the use
> of the addressee(s) and may contain confidential information including trade
> secrets which are privileged, confidential, exempt from disclosure under
> applicable law and/or subject to copyright. If you are not an intended
> recipient, any use, disclosure, distribution, reproduction, review or copying
> (either whole or partial) is unauthorized and may be unlawful. E-mails are
> susceptible to alteration and their integrity cannot be guaranteed. Sanofi
> Pasteur shall not be liable for this e-mail if modified or falsified. If you
> are not the intended recipient of this e-mail, please delete it immediately
> from your system and notify the sender of the wrong delivery and the mail
> deletion. Thank you."
> **********************************************************************
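The split Elias describes in the quoted thread (the directory checks the password, Roller's own database supplies the "editor"/"admin" roles) can be wired into Acegi through its LdapAuthoritiesPopulator hook. The class below is an added example written for this page; it is not Roller's CustomUserRegistry or RollerAuthoritiesPopulator and not Acegi code. It assumes the Acegi Security 1.0.x package names shown in the imports, a Roller 3.0-style `userrole` table with `rolename` and `username` columns, and the hypothetical class name RollerDbAuthoritiesPopulator.

```java
// Added example, not Roller's or Acegi's own code. Assumes Acegi Security 1.0.x
// package names and a Roller 3.0-style `userrole` table (rolename, username);
// the class name RollerDbAuthoritiesPopulator is hypothetical.
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import javax.sql.DataSource;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;

/**
 * Authorities populator for the "credentials from LDAP, roles from the Roller
 * DB" split: LdapAuthenticationProvider binds to the directory to check the
 * password and then asks this class for the roles. Group membership in LDAP
 * is ignored entirely; only rows in Roller's own userrole table grant anything.
 */
public class RollerDbAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    // Roller 3.0 stores roles as (rolename, username) rows in `userrole` (assumption).
    private static final String ROLES_SQL =
        "select rolename from userrole where username = ?";

    private final JdbcTemplate jdbc;

    public RollerDbAuthoritiesPopulator(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user) {
        // The username is taken from the directory entry that was just
        // authenticated, not from anything the client submitted, so it is a
        // trusted lookup key; the bind parameter keeps it out of the SQL text.
        String username = user.getUsername();
        List roles = jdbc.query(ROLES_SQL, new Object[] { username }, new RowMapper() {
            public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                return new GrantedAuthorityImpl(rs.getString("rolename"));
            }
        });
        // A directory user with no Roller record gets an empty array rather
        // than a default role: authenticated, but without any Roller privilege
        // until the registration flow creates the userrole rows. Returning a
        // (possibly empty) array instead of null also keeps the caller from
        // dereferencing a missing user.
        return (GrantedAuthority[]) roles.toArray(new GrantedAuthority[roles.size()]);
    }
}
```

In security.xml this bean would be passed as the authorities-populator constructor argument of the LdapAuthenticationProvider alongside the bind authenticator (the exact bean wiring depends on the Acegi release Roller ships, so treat that as an assumption). The deny-by-default behaviour for unknown users is the part worth keeping whatever the wiring: an SSO user who is not yet in the Roller database must not inherit a role just because the directory vouched for the password.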
