Re: [basedb-devel] External authentication

2011-03-01 Thread Nicklas Nordborg
On 2011-03-01 12:58, Pawel Sztromwasser wrote:
> Hi Nicklas,
>
> I changed the Application.getAuthenticator() to use a separate
> classloader for external login plugin (attached a diff to the ticket
> #1575) and I was able to verify user's credentials using an STS service.

Thanks for the patch. It seems simple enough. I think the exception 
handling might need to be improved since it was assumed that the 
external system always knew if it was a bad login or a bad password.

> I got a bit unexpected behavior of BASE that tried to create a new
> account for the user after it failed finding it by an externalId. Of
> course, I had not set the externalId in advance. The logins of the
> external STS service and BASE account happened to be the same, so the
> whole process failed violating the unique-key constraint on login
> column. This is sth I will need to consider when integrating two sets of
> users from different applications.

The external authentication assumes that no "local" accounts except the 
root user account exists on the BASE server. The root account is handled 
as a special case so that it is possible to access BASE even if the 
external authentication system is down.

> But there is another problem I was struggling with. And apparently not
> only me [1]. Tomcat/axis/java has a problem when two
> axis2-kernel-x.x.jar jars are in the classpath. Even if the versions are
> the same. I tried multiple combinations with axis2 1.4 and 1.5.1. I
> downgraded the plugin to use axis2-1.3 and rampart1.3. I stripped-down
> the set of jars that my plugin uses, trying to use as many libraries
> shipped with BASE as possible. In principle it should work as long as
> all the dependencies were satisfied (by parent classloader of webapp),
> but when axis2-kernel was not loaded by the same classloader as Apache
> Rampart jars, I couldn't get rampart to engage.
>
> It seems like it is impossible to have axis2 in more than one location
> in the classpath. The only way it works is when only one
> axis2-kernel.jar is loaded by tomcat. So I either need to include all
> dependencies of my plugin into the /WEB-INF/lib directory of BASE, and
> use axis2 shipped with BASE; or I remove the axis2-kernel-1.3.jar from
> WEB-INF/lib of BASE and load it together with my plugin and rest of its
> dependencies. The latter one will of course break BASE's Web Services. I
> haven't had problems with other jars, despite I use different version of
> (for example) axiom libraries. No conflicts with other axis2 libraries,
> only axis2-kernel.
>
> I am happy because it works now, although with BASE's axis2 1.3. But I
> can imagine that in some time I might need to use newer axis2, and then
> I will have to try to upgrade it in BASE as well. If it is backwards
> compatible, it should go smooth, and the BASE Web Services will work.
> But it would be still good to test. Is there a test suite available for
> BASE Web Services that I could try? Or maybe you were considering
> upgrade yourself?
>

Class loading can be problematic sometimes. I don't know of any specific 
problems with Axis, but it seems like you have investigated this more 
than me.

We have tried to upgrade to Axis 1.5 but unfortunately there is a bug 
when handling date values. http://base.thep.lu.se/ticket/1353#comment:8
It seems like it has been fixed but for some reason the fix hasn't been 
released yet.

/Nicklas

--
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-03-01 Thread Pawel Sztromwasser
Hi Nicklas,

I changed the Application.getAuthenticator() to use a separate 
classloader for external login plugin (attached a diff to the ticket 
#1575) and I was able to verify user's credentials using an STS service.

I got a bit unexpected behavior of BASE that tried to create a new 
account for the user after it failed finding it by an externalId. Of 
course, I had not set the externalId in advance. The logins of the 
external STS service and BASE account happened to be the same, so the 
whole process failed violating the unique-key constraint on login 
column. This is sth I will need to consider when integrating two sets of 
users from different applications.

But there is another problem I was struggling with. And apparently not 
only me [1]. Tomcat/axis/java has a problem when two 
axis2-kernel-x.x.jar jars are in the classpath. Even if the versions are 
the same. I tried multiple combinations with axis2 1.4 and 1.5.1. I 
downgraded the plugin to use axis2-1.3 and rampart1.3. I stripped-down 
the set of jars that my plugin uses, trying to use as many libraries 
shipped with BASE as possible. In principle it should work as long as 
all the dependencies were satisfied (by parent classloader of webapp), 
but when axis2-kernel was not loaded by the same classloader as Apache 
Rampart jars, I couldn't get rampart to engage.

It seems like it is impossible to have axis2 in more than one location 
in the classpath. The only way it works is when only one 
axis2-kernel.jar is loaded by tomcat. So I either need to include all 
dependencies of my plugin into the /WEB-INF/lib directory of BASE, and 
use axis2 shipped with BASE; or I remove the axis2-kernel-1.3.jar from 
WEB-INF/lib of BASE and load it together with my plugin and rest of its 
dependencies. The latter one will of course break BASE's Web Services. I 
haven't had problems with other jars, despite I use different version of 
(for example) axiom libraries. No conflicts with other axis2 libraries, 
only axis2-kernel.

I am happy because it works now, although with BASE's axis2 1.3. But I 
can imagine that in some time I might need to use newer axis2, and then 
I will have to try to upgrade it in BASE as well. If it is backwards 
compatible, it should go smooth, and the BASE Web Services will work. 
But it would be still good to test. Is there a test suite available for 
BASE Web Services that I could try? Or maybe you were considering 
upgrade yourself?

Pawel

[1] https://issues.apache.org/jira/browse/AXIS2-2972



Nicklas Nordborg wrote:
> I added a ticket:http://base.thep.lu.se/ticket/1575
>
> /Nicklas
>
> --
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> ___
> basedb-devel mailing list
> basedb-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/basedb-devel
>


--
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-02-01 Thread Nicklas Nordborg
On 2011-02-01 13:24, Pawel Sztromwasser wrote:
> Sorry, just noticed that you mentioned the
> ...basedb.util.JarClassLoader, not a regular Java class loader as I
> initially  thought.

Check the code for DataFileType.getValidator(): 
http://base.thep.lu.se/browser/tags/2.16.1/src/core/net/sf/basedb/core/DataFileType.java#L629

It is more or less something like that that you need.

/Nicklas

--
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-02-01 Thread Pawel Sztromwasser
Sorry, just noticed that you mentioned the 
...basedb.util.JarClassLoader, not a regular Java class loader as I 
initially  thought.

On 01/02/11 13:17, Pawel Sztromwasser wrote:
> Thanks for a quick reply. I really wanted to avoid selecting jars and so
> on since BASE has over 50 of them, and maven downloads over 60 for my
> plugin. Lots of manual work that needs to be done every time BASE is
> upgraded.
>
> I will try to change the Application class as you suggested. I have
> already located the place which needs a fix, but was unsure of playing
> so close to the core of the application. What about using the
> net.sf.basedb.util.JarClassLoader, as regular plugins do?
>
> I will post a patch when ready and tested.
> Cheers,
> Pawel
>
> On 01/02/11 13:03, Nicklas Nordborg wrote:
>> On 2011-02-01 11:29, Pawel Sztromwasser wrote:s
>>> Hi,
>>>
>>> I am working on an external authentication plugin for BASE that will use
>>> an STS Web service to authenticate users. The plugin uses a bunch of
>>> external jars for WS communication, but with different versions then
>>> BASE. I was hoping for the same classloading mechanism as for regular
>>> plugins (separate classloaders), but it looks like external
>>> authentication plugins uses the default classloader of the webapp. Could
>>> this be changed? How else could I install my plugin, without messing
>>> with BASE's jars?
>> That part of BASE is not very "pluginified". I am not aware of any real
>> case that uses external authentication so it would be very interesting
>> to see if you succeed.
>>
>> It's quite common that there are dependencies to different versions of
>> 3rd-party JAR files, but it usually works if the latest one is used. But
>> of course, it may not work if the API has changed in an incompatible way.
>>
>> If you can't get it to work by clever selection of JAR files, then you
>> might have to modify the Application.getAuthenticator() method so that
>> it uses a different class loader. It shouldn't be too difficult. It
>> could for example pick up a JAR path from the base.config file and then
>> use the net.sf.basedb.util.JarClassLoader.getInstance(path) to create a
>> class loader. Dependencies need to be listed in the MANIFEST.MF in the
>> same way as for plug-ins. There is a short notice about this at
>> http://base.thep.lu.se/chrome/site/latest/html/developerdoc/plugin_developer/plugin_developer.organize.html
>> and
>> http://base.thep.lu.se/chrome/site/latest/api/net/sf/basedb/util/JarClassLoader.html
>>
>> As always, patches are welcome :)
>>
>> /Nicklas
>>
>> --
>> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
>> Finally, a world-class log management solution at an even better price-free!
>> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
>> February 28th, so secure your free ArcSight Logger TODAY!
>> http://p.sf.net/sfu/arcsight-sfd2d
>> ___
>> basedb-devel mailing list
>> basedb-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/basedb-devel
>
> --
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> ___
> basedb-devel mailing list
> basedb-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/basedb-devel


--
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-02-01 Thread Pawel Sztromwasser
Thanks for a quick reply. I really wanted to avoid selecting jars and so 
on since BASE has over 50 of them, and maven downloads over 60 for my 
plugin. Lots of manual work that needs to be done every time BASE is 
upgraded.

I will try to change the Application class as you suggested. I have 
already located the place which needs a fix, but was unsure of playing 
so close to the core of the application. What about using the 
net.sf.basedb.util.JarClassLoader, as regular plugins do?

I will post a patch when ready and tested.
Cheers,
Pawel

On 01/02/11 13:03, Nicklas Nordborg wrote:
> On 2011-02-01 11:29, Pawel Sztromwasser wrote:s
>> Hi,
>>
>> I am working on an external authentication plugin for BASE that will use
>> an STS Web service to authenticate users. The plugin uses a bunch of
>> external jars for WS communication, but with different versions then
>> BASE. I was hoping for the same classloading mechanism as for regular
>> plugins (separate classloaders), but it looks like external
>> authentication plugins uses the default classloader of the webapp. Could
>> this be changed? How else could I install my plugin, without messing
>> with BASE's jars?
> That part of BASE is not very "pluginified". I am not aware of any real
> case that uses external authentication so it would be very interesting
> to see if you succeed.
>
> It's quite common that there are dependencies to different versions of
> 3rd-party JAR files, but it usually works if the latest one is used. But
> of course, it may not work if the API has changed in an incompatible way.
>
> If you can't get it to work by clever selection of JAR files, then you
> might have to modify the Application.getAuthenticator() method so that
> it uses a different class loader. It shouldn't be too difficult. It
> could for example pick up a JAR path from the base.config file and then
> use the net.sf.basedb.util.JarClassLoader.getInstance(path) to create a
> class loader. Dependencies need to be listed in the MANIFEST.MF in the
> same way as for plug-ins. There is a short notice about this at
> http://base.thep.lu.se/chrome/site/latest/html/developerdoc/plugin_developer/plugin_developer.organize.html
> and
> http://base.thep.lu.se/chrome/site/latest/api/net/sf/basedb/util/JarClassLoader.html
>
> As always, patches are welcome :)
>
> /Nicklas
>
> --
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
> ___
> basedb-devel mailing list
> basedb-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/basedb-devel


--
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-02-01 Thread Nicklas Nordborg
I added a ticket: http://base.thep.lu.se/ticket/1575

/Nicklas

--
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel


Re: [basedb-devel] External authentication

2011-02-01 Thread Nicklas Nordborg
On 2011-02-01 11:29, Pawel Sztromwasser wrote:
> Hi,
>
> I am working on an external authentication plugin for BASE that will use
> an STS Web service to authenticate users. The plugin uses a bunch of
> external jars for WS communication, but with different versions then
> BASE. I was hoping for the same classloading mechanism as for regular
> plugins (separate classloaders), but it looks like external
> authentication plugins uses the default classloader of the webapp. Could
> this be changed? How else could I install my plugin, without messing
> with BASE's jars?

That part of BASE is not very "pluginified". I am not aware of any real 
case that uses external authentication so it would be very interesting 
to see if you succeed.

It's quite common that there are dependencies to different versions of 
3rd-party JAR files, but it usually works if the latest one is used. But 
of course, it may not work if the API has changed in an incompatible way.

If you can't get it to work by clever selection of JAR files, then you 
might have to modify the Application.getAuthenticator() method so that 
it uses a different class loader. It shouldn't be too difficult. It 
could for example pick up a JAR path from the base.config file and then 
use the net.sf.basedb.util.JarClassLoader.getInstance(path) to create a 
class loader. Dependencies need to be listed in the MANIFEST.MF in the 
same way as for plug-ins. There is a short notice about this at 
http://base.thep.lu.se/chrome/site/latest/html/developerdoc/plugin_developer/plugin_developer.organize.html
 
and 
http://base.thep.lu.se/chrome/site/latest/api/net/sf/basedb/util/JarClassLoader.html

As always, patches are welcome :)

/Nicklas

--
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel