I would like to know more about this auto-provisioning feature and how to 
implement it in my personal project. Thanks 


Elias Torres <[EMAIL PROTECTED]> wrote:

Right. I have not coded NTLM support,
but like you said it can be done
and easily integrated into the Acegi Security framework. The main thing
my patch does is that if you configure your security.xml to request
authentication for user.do?method=registerUser, then if a user hits the
registration page it will load the user information (from NTLM+LDAP)
from the Acegi SecurityContextHolder and pre-populate the form and
disabling of course the username field (since you already have one) and
hiding the password fields as well.

Now, if you are interested in auto-provisioning, I can enable a hook
that will automatically register a user and deploy a blog with (their
username as their handle) as soon as they authenticate. What do you think?

-Elias

[EMAIL PROTECTED] wrote:
> Hi,
> 
> Today, for Roller, I'm only using the LDAP authentication.
> But a lot of our applications here use NTLM authentication through a 
> filter (Tomcat) that calls a web service connected to our LDAP.
> I hope that with your new classes, I will be able to modify my filter a bit 
> so that it would only tell Roller "yes, the user is known, let him go".
> 
> Eric 
> 
> -----Original Message-----
> From: Elias Torres [mailto:[EMAIL PROTECTED] On behalf of Elias Torres
> Sent: Tuesday, 29 August 2006 14:55
> To: [email protected]
> Subject: Re: Roller and SSO via Acegi Security
> 
> Eric,
> 
> I was wondering what is your SSO setup? Do you use LDAP? Do you use cookies? 
> I would like to hear more about it to see how general we can make this 
> initial support.
> 
> -Elias
> 
> [EMAIL PROTECTED] wrote:
>> +1
>> Release 3.0 :):)
>>
>> -----Original Message-----
>> From: Dave Johnson [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, 29 August 2006 02:03
>> To: [email protected]
>> Subject: Re: Roller and SSO via Acegi Security
>>
>> +1 for getting this into 3.0
>>
>> Elias sent me a patch containing the small amount of code necessary to 
>> optionally add support for SSO via LDAP -- a much requested feature. I 
>> think it's safe to add this to the Roller 3.0 code base because
>>
>> - It's optional and affects the new user creation process
>> - It's a small change to UserFormEx and two new classes
>>
>> There is a small change in UserFormEx that is only invoked if SSO is 
>> enabled. If SSO is enabled and SSO data is present, then UserFormEx 
>> self-populates based on that SSO data.
>>
>> There are also two new classes that depend on Acegi.
>>
>> 1. CustomUserRegistry
>> - Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
>> - Populates UserData object with data from LDAP
>>
>> 2. RollerAuthoritiesPopulator
>>
>> The only piece that's missing is docs. With this new code, what needs to 
>> change in the existing LDAP FAQ?
>>
>> - Dave
>>
>>
>>
>> On 8/27/06, Matt Raible wrote:
>>> +1 for anything that makes integrating with LDAP easier for companies.
>>>
>>> Matt
>>>
>>> On 8/27/06, Elias Torres wrote:
>>>> Hi folks,
>>>>
>>>> I'm revisiting the need for LDAP support in Roller and after some 
>>>> investigation on Acegi Security it seems like I could work something 
>>>> in Roller that would benefit not just IBM but other Roller 
>>>> installations such as Yale and N.C. State. Dave pointed me to 
>>>> RollerAndSSO [1] in the wiki and it seems like it covers the most 
>>>> common cases of authentication in Roller. I've started reading Acegi 
>>>> Security documentation and was able to successfully configure Roller 
>>>> 3.0 against our Enterprise Directory, however, there are some 
>>>> remaining issues that I want to share with you for suggestions on how I 
>>>> should proceed.
>>>>
>>>> I've configured security.xml to use LDAPAuthProvider. This provider 
>>>> fetches user information and authorities (roles) information. The 
>>>> issue is that our roles "editor" and "admin" are not stored in our 
>>>> secondary LDAP directory (for Groups only). The LDAPProvider does
>>>> (thankfully) split the provider functions of checking user 
>>>> credentials and fetching role information. Therefore I can write my 
>>>> own AuthoritiesPopulator that accesses the rest of the information 
>>>> from the RollerDB. Now, writing the AuthoritiesPopulator is not 
>>>> exactly trivial mostly because of the simple design of the provider code 
>>>> in Acegi Security. I would have to copy most of the code from the 
>>>> DAO provider to make use of the same declarative features in the 
>>>> security.xml file, but it's not a big deal.
>>>>
>>>> My suggestion then is for me to write some sort of 
>>>> [Roller]CompositeProvider that allows basically a pick-your-own 
>>>> combo of features for providing user information. Something like 
>>>> pick either or both LDAP and DAO for either or both credentials and 
>>>> roles. It would duplicate some code from two Acegi Security classes 
>>>> because the code is not properly abstracted, but it will not require 
>>>> changes to Acegi Security and it would always be an optional 
>>>> provider for Roller installations, the default could be what we have in 
>>>> security.xml today.
>>>>
>>>> Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In 
>>>> our IBM internal environment, we have enabled registration, but we 
>>>> don't store password information in Roller. In essence what I 
>>>> suggested to Dave is to password-protect the registration page and 
>>>> when loaded auto-populate the username, name and email address 
>>>> fields (actually make them read-only) and let any authenticated user 
>>>> register in Roller.
>>>> However, there's a NullPointerException in
>>>> RollerSession.getRollerSession() because there's an authenticated 
>>>> user but there's no user in the RollerDB. I was hoping I can inject 
>>>> some code there that would use the generic UserDetailsService in Acegi 
>>>> Security to (based on a configurable option) either auto-insert a record 
>>>> and tweak the registration update to deal with an existing user and 
>>>> just update, or to populate the session with a transient user-object 
>>>> that could be used in the registration page.
>>>>
>>>> I hope you can make sense of the long-winded message and let me know 
>>>> if I can proceed to add this code (together with whatever 
>>>> tweaks/suggestions you may have) to the 3.0 branch.
>>>>
>>>> -Elias
>>>>
>>>> [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
>>>> [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>>>>
>> ----------------------------------------------------------------------
>> "This transmission (including any attachments) is intended solely for the use 
>> of the addressee(s) and may contain confidential information including trade 
>> secrets which are privileged, confidential, exempt from disclosure under 
>> applicable law and/or subject to copyright. If you are not an intended 
>> recipient, any use, disclosure, distribution, reproduction, review or 
>> copying (either whole or partial) is unauthorized and may be unlawful. 
>> E-mails are susceptible to alteration and their integrity cannot be 
>> guaranteed. Sanofi Pasteur shall not be liable for this e-mail if modified or 
>> falsified. If you are not the intended recipient of this e-mail, please 
>> delete it immediately from your system and notify the sender of the wrong 
>> delivery and the mail deletion. Thank you."
>> **********************************************************************
>>
>>



Ransford Segu-Baffoe

[EMAIL PROTECTED]
[EMAIL PROTECTED]

http://www.noqturnalmediasystems.com/
http://www.noqturnalmediasystems.com/Serenade/
https://serenade.dev.java.net/
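
An added sketch of the two options discussed in the thread above (auto-insert a record on first login, or hand the registration page a transient user), so that an authenticated user with no local record never reaches code that assumes one exists. It is not code from Roller, Acegi Security or the patch under discussion: the class, record and method names, the handle pattern and the default "editor" role are assumptions, and it uses only the JDK (Java 16 or later).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration with hypothetical names; not Roller or Acegi Security code. */
public class AutoProvisioningSketch {

    /** Identity taken from the authenticated security context, never from form input. */
    record SsoIdentity(String username, String fullName, String email) {}

    /** Local record; it has no password field because the directory owns credentials. */
    record LocalUser(String handle, String fullName, String email,
                     Set<String> roles, boolean persisted) {}

    /** Stand-in for the application's user table. */
    private final Map<String, LocalUser> userTable = new ConcurrentHashMap<>();

    /**
     * Resolve the local user for an authenticated identity.
     * autoInsert=true  : create the record on first login (auto-provisioning).
     * autoInsert=false : return a transient, role-less user to pre-fill registration.
     */
    Optional<LocalUser> resolve(SsoIdentity id, boolean autoInsert) {
        if (id == null || id.username() == null) {
            return Optional.empty();              // no authenticated principal
        }
        String handle = id.username().trim().toLowerCase(Locale.ROOT);
        if (!handle.matches("[a-z0-9._-]{1,48}")) {
            return Optional.empty();              // unsafe as a blog handle or URL segment
        }
        LocalUser existing = userTable.get(handle);
        if (existing != null) {
            return Optional.of(existing);         // roles come from the local table
        }
        if (!autoInsert) {
            return Optional.of(new LocalUser(handle, id.fullName(), id.email(), Set.of(), false));
        }
        // Atomic and idempotent: concurrent first logins create exactly one record.
        return Optional.of(userTable.computeIfAbsent(handle, h ->
                new LocalUser(h, id.fullName(), id.email(), Set.of("editor"), true)));
    }

    public static void main(String[] args) {
        AutoProvisioningSketch app = new AutoProvisioningSketch();
        SsoIdentity alice = new SsoIdentity("Alice", "Alice Example", "alice@example.org"); // constructed
        System.out.println(app.resolve(alice, false)); // transient, not stored
        System.out.println(app.resolve(alice, true));  // stored with the default role
        System.out.println(app.resolve(new SsoIdentity("../admin", null, null), true));
    }
}
```

Provisioned accounts receive only the lowest role here; anything higher, such as "admin", is left to an explicit grant in the local table.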
                