ApacheCon only takes one Roller talk a year/location and it usually is
Dave's :-)

-Elias

On 2/1/07, Matt Raible <[EMAIL PROTECTED]> wrote:
On 2/1/07, Dave <[EMAIL PROTECTED]> wrote:
>
> We gained some SSO options back in the 3.0 timeframe, but we never got
> any documentation (please correct me if I am wrong) about how to setup
> Roller to take advantage of those options.
>
> By using those SSO options and tweaking the LDAP configuration in
> Acegi security.xml, it is possible to get Roller working with LDAP.
> With this setup, when a new user registers for Roller we are able to
> pull her user information from LDAP and setup a new Roller account for
> her. We authenticate against LDAP (where passwords are stored) and
> keep user info in Roller.
>
> With our current setup, I believe here's how things should work:
>
> 1) Enable SSO option
> Define a roller-custom.properties file, override the users.sso.enabled
> option like so:
>         users.sso.enabled=true
>
> 2) Uncomment the LDAP section in Acegi security.xml
> Uncomment the section that begins with:
>     <!-- Sample LDAP/RollerDB hybrid security configuration
>
> 3) Protect the user registration page via Acegi security.xml
> In the XML for the filterInvocationInterceptor bean, add the user
> registration page to the list of URL patterns in the
> objectDefinitionSource as shown below. The new line is the one that
> reads " /roller-ui/user.do*=register".
>
> What does this do? It requires the user to have the role "register" in
> order to view the user registration page. Therefore the user is shown
> the login page and expected to enter their LDAP username and password
> -- but we don't tell them that so it's pretty confusing. Once they
> log in, we know their user info so we are able to pre-populate the user
> registration form with information from LDAP.
>
>     <bean id="filterInvocationInterceptor"
> class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
>         <property name="authenticationManager"
> ref="authenticationManager"/>
>         <property name="accessDecisionManager"
> ref="accessDecisionManager"/>
>          <property name="objectDefinitionSource">
>             <value>
>                 PATTERN_TYPE_APACHE_ANT
>                 /roller-ui/login-redirect.jsp=admin,editor
>                 /roller-ui/yourProfile**=admin,editor
>                 /roller-ui/createWebsite**=admin,editor
>                 /roller-ui/yourWebsites**=admin,editor
>                 /roller-ui/authoring/**=admin,editor
>                 /roller-ui/admin/**=admin
>                 /roller-ui/user.do*=register
>                 /rewrite-status*=admin
>             </value>
>         </property>
>     </bean>
>
> 4) Enable LDAP authentication provider via security.xml
> In the XML for the authenticationManager bean, comment out the DAO
> provider and add in the LDAP provider, as shown below:
>
>     <bean id="authenticationManager"
> class="org.acegisecurity.providers.ProviderManager">
>         <property name="providers">
>             <list>
>                 <!-- <ref local="daoAuthenticationProvider"/> -->
>                 <ref local="ldapAuthProvider"/>
>                 <ref local="anonymousAuthenticationProvider"/>
>                 <!-- rememberMeAuthenticationProvider added
> programmatically -->
>             </list>
>         </property>
>     </bean>
>
> But that's not all I had to do. I also had to do this:
>
> 5) Add LDAP username and password to Acegi security.xml
> I've got my LDAP server (OpenDS - https://opends.dev.java.net/ ) setup
> to require authentication. So I had to add two new properties to the
> initialDirContextFactory bean, as shown below:
>
>    <bean id="initialDirContextFactory"
> class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
>       <constructor-arg value="ldap://localhost:1389/dc=example,dc=com"/>
>       <property name="managerDn">
>         <value>cn=Directory Manager</value>
>       </property>
>       <property name="managerPassword">
>         <value>password</value>
>       </property>
>     </bean>
>
> 6) Change LDAP user search to use uid instead of email in Acegi
> security.xml
> In the ldapUserSearch bean, I changed mail={0} to uid={0}. Not sure,
> but maybe uid is a better default than mail for most users.
>
>     <bean id="ldapUserSearch"
> class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
>       <constructor-arg index="0">
>         <value></value>
>       </constructor-arg>
>       <constructor-arg index="1">
>         <value>uid={0}</value>
>       </constructor-arg>
>       <constructor-arg index="2">
>         <ref local="initialDirContextFactory" />
>       </constructor-arg>
>       <property name="searchSubtree">
>         <value>true</value>
>       </property>
>     </bean>
>
> 7) Java code change in
> Added "request.getSession().invalidate();" after line 186 in
> NewUserAction, as shown below. Without this change, the user will
> remain logged in, but with only the role "register". The user will
> have to close their browser and restart before being able to log in with
> their new account.
>
>             } else {
>                 // User registered, so go to welcome page
>                 request.setAttribute("contextURL",
>                         RollerRuntimeConfig.getAbsoluteContextURL());
>                 request.getSession().invalidate();
>                 return mapping.findForward("welcome.page");
>             }
>
> To solve those problems above, I'd like to change security.xml to
> include comments explaining what needs to be done. I'd like to make
> that code change in #7 and I'd like to write up a nice friendly wiki
> page explaining how to configure Roller and LDAP.


> Any comments or suggestions?


Sounds like a great idea.  If you include instructions on how to
setup/populate a sample LDAP directory, I'd be happy to test the
instructions.  Maybe even write an article on Roller and its security
flexibility. ;-)

Even though my Roller Tutorial didn't get accepted for ApacheCon, I'm still
interested in writing an article on it - and getting Roller to work with
OpenID and OpenSSO.

Matt


> - Dave



--
http://raibledesigns.com
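To make the access rules in step 3 concrete, here is a small Python model of how the objectDefinitionSource block is evaluated. This is an added example for illustration; it is not code from Roller, Acegi, or anyone in this thread. It takes the rule block from Dave's message as sample input and assumes the Acegi 1.x behaviour as I recall it: rules are tried in order and the first matching Ant pattern wins, the URL is lower-cased before comparison, the compared URL is the path plus any query string (which is why every pattern ends in a wildcard), and any single granted role listed by the rule is enough. Role names are used as plain strings, without Acegi's ROLE_ prefix handling.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Sample input: the objectDefinitionSource block from step 3 of the message,
# copied here so the script runs offline against the real rule set.
SECURITY_XML_DEFINITION_SOURCE = """
    PATTERN_TYPE_APACHE_ANT
    /roller-ui/login-redirect.jsp=admin,editor
    /roller-ui/yourProfile**=admin,editor
    /roller-ui/createWebsite**=admin,editor
    /roller-ui/yourWebsites**=admin,editor
    /roller-ui/authoring/**=admin,editor
    /roller-ui/admin/**=admin
    /roller-ui/user.do*=register
    /rewrite-status*=admin
"""

Rule = Tuple[str, FrozenSet[str]]  # (ant pattern, roles that satisfy it)


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into an anchored regex.

    '**' matches any number of path segments (and swallows its trailing slash,
    so /a/**/b also matches /a/b), '*' matches within one segment, '?' one char.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def parse_definition_source(text: str) -> List[Rule]:
    """Parse 'pattern=role1,role2' lines into an ordered rule list.

    Patterns are lower-cased to model Acegi's default of lower-casing the URL
    before comparison (assumed behaviour, not checked against a given release).
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != "PATTERN_TYPE_APACHE_ANT":
        raise ValueError("expected PATTERN_TYPE_APACHE_ANT header")
    rules: List[Rule] = []
    for line in lines[1:]:
        pattern, sep, roles = line.partition("=")
        if not sep:
            raise ValueError("rule without '=': %r" % line)
        rules.append((pattern.strip().lower(),
                      frozenset(r.strip() for r in roles.split(",") if r.strip())))
    return rules


def required_roles(rules: List[Rule], url: str) -> Optional[FrozenSet[str]]:
    """Roles demanded by the FIRST matching rule, or None when nothing matches.

    `url` is the request path plus query string, as Acegi 1.x compared it.
    """
    url = url.lower()
    for pattern, roles in rules:
        if re.match(ant_to_regex(pattern), url):
            return roles
    return None


def is_allowed(rules: List[Rule], url: str, granted: FrozenSet[str]) -> bool:
    """Affirmative decision: one granted role that the rule lists is enough.

    A URL with no matching rule is not protected by this interceptor at all.
    """
    needed = required_roles(rules, url)
    if needed is None:
        return True
    return bool(needed & granted)


def access_report(rules: List[Rule], granted: FrozenSet[str],
                  urls: List[str]) -> Dict[str, bool]:
    """Decision per URL for a principal that holds exactly `granted`."""
    return {u: is_allowed(rules, u, granted) for u in urls}


if __name__ == "__main__":
    rules = parse_definition_source(SECURITY_XML_DEFINITION_SOURCE)
    probe = ["/roller-ui/user.do?method=create", "/roller-ui/yourWebsites.do",
             "/roller-ui/authoring/weblog.do", "/roller-ui/admin/userAdmin.do"]
    # A session that only received the "register" role from the LDAP login in
    # step 3 reaches the registration page and nothing else, which is why
    # step 7 invalidates that session once the real account exists.
    for url, ok in access_report(rules, frozenset({"register"}), probe).items():
        print("register-only  %-36s %s" % (url, "allow" if ok else "deny"))
```

Running it shows the least-privilege shape of the configuration: a "register"-only session is allowed `/roller-ui/user.do?method=create` and denied the editor and admin pages, while a URL that matches no rule passes the interceptor unchallenged. That last point is the corner worth checking in your own security.xml: because the query string is part of the compared URL and a single `*` does not cross a slash, a request such as `/roller-ui/user.do?next=/x` matches no rule in the block above, so `**` is the safer wildcard for a pattern that is meant to cover query strings.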

