Hello,
We have been using openldap as an authentication server without any issues
so far (windows distribution). As far as I learned it's a relatively active
open-source unix project, and you probably should already know about those
unix-geeks: they are perfectionists: P.
I haven't made any performance tests on the openldap server, but I feel
confident it should handle quite well, at least comparable with commercial
implementations. Anyway, it's better than parsing XML documents (like it is
done by slide) and if the openldap performance isn't good enough, you can
still migrate to a commercial implementation (good thing about using
standards!). Last remark... OpenLdap is GPL.
Now, the instructions of slide configuration to take advantage of an
LDAP/Active directory server are already on the slide documentation, witch
also makes some references to the tomcat documentation pages. It's all about
org.apache.catalina.realm.JNDIRealm realm on the web container side
(server.xml) and org.apache.slide.store.txjndi.JNDIPrincipalStore on the
slide webapp (domain.xml).
Although it has been quite discussed in this mailing list, I'm attaching my
domain.xml and server.xml as examples. Also, when adding user info to the
LDAP server, I found quite useful the JExplorer tool. Finally, this are only
tips from where you can start learning.
Best Regards,
Miguel Figueiredo
PS: Is it possible to post your code patches for the 'limit' feature? Many
Thanks!
____
-----Original Message-----
From: Pontus Strand [mailto:[EMAIL PROTECTED]
Sent: ter�a-feira, 18 de Janeiro de 2005 11:34
To: 'Slide Users Mailing List'
Subject: RE: Another performance question
Hello Miguel,
Thank you for you response. The problem with LDAP is that none of us in the
project has worked with LDAP. We will look into it, of course, so any
pointers you may have would be useful to us. For instance, is OpenLDAP any
good or should we look at a commercial LDAP-server? How should we setup
Slide to use LDAP?
Regards,
Pontus
> -----Original Message-----
> From: Miguel Figueiredo [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 18, 2005 11:04 AM
> To: 'Slide Users Mailing List'
> Subject: RE: Another performance question
>
>
>
> Hello Pontus,
>
> First of all, many thanks for your performance enquiries to the slide
> mailing list: I've been consuming them avidly.
> For user aggregation on groups, and group2user or user2group
> traversal for
> authentication/authorization purposes, I would suggest to publish that
> information in a LDAP or Active Directory servers. These
> kinds of servers
> are optimized for just doing that work and the biggest
> performance cost
> associated with requesting a service to these authentication
> servers, would
> be the establishment of a tcp connection. Hope this helps.
>
> Best regards,
> Miguel Figueiredo
>
> -----Original Message-----
> From: Pontus Strand [mailto:[EMAIL PROTECTED]
> Sent: ter�a-feira, 18 de Janeiro de 2005 9:21
> To: Slide Users Mailing List (E-mail)
> Subject: Another performance question
>
> Hello again,
>
> This time I want to ask about users. Are there any known
> problems with large
> numbers of users and/or groups? And are there any nice
> parameters that we
> should know about that improves user management? We haven't
> tested this yet,
> mostly because the somewhat complex user management in Slide.
> My fear is
> that adding large numbers of users to a group could lead to
> slow user access
> verifications, is that a correct assumption?
>
> Regards,
> Pontus
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<!-- Example Server Configuration File -->
<!-- Note that component elements are nested corresponding to their
parent-child relationships with each other -->
<!-- A "Server" is a singleton element that represents the entire JVM,
which may contain one or more "Service" instances. The Server
listens for a shutdown command on the indicated port.
Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" or "Loggers" at this level.
-->
<Server port="8005" shutdown="SHUTDOWN" debug="0">
<!-- Comment these entries out to disable JMX MBeans support -->
<!-- You may also configure custom components (e.g. Valves/Realms) by
including your own mbean-descriptor file(s), and setting the
"descriptors" attribute to point to a ';' seperated list of paths
(in the ClassLoader sense) of files to add to the default list.
e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
-->
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
debug="0"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
debug="0"/>
<!-- Global JNDI resources -->
<GlobalNamingResources>
<!-- Test entry for demonstration purposes -->
<Environment name="simpleValue" type="java.lang.Integer" value="30"/>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" (and therefore the web applications visible
within that Container). Normally, that Container is an "Engine",
but this is not required.
Note: A "Service" is not itself a "Container", so you may not
define subcomponents such as "Valves" or "Loggers" at this level.
-->
<!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Each Connector passes requests on to the
associated "Container" (normally an Engine) for processing.
By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
You can also enable an SSL HTTP/1.1 Connector on port 8443 by
following the instructions below and uncommenting the second Connector
entry. SSL support requires the following steps (see the SSL Config
HOWTO in the Tomcat 5 documentation bundle for more detailed
instructions):
* If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
* Execute:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
with a password value of "changeit" for both the certificate and
the keystore itself.
By default, DNS lookups are enabled when a web application calls
request.getRemoteHost(). This can have an adverse impact on
performance, so you can disable it by setting the
"enableLookups" attribute to "false". When DNS lookups are disabled,
request.getRemoteHost() will return the String version of the
IP address of the remote client.
-->
<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="0" connectionTimeout="20000"
disableUploadTimeout="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value
to 0 -->
<!-- Note : To use gzip compression you could set the following properties :
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"
-->
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
enableLookups="false" redirectPort="8443" debug="0"
protocol="AJP/1.3" />
<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false"
acceptCount="100" debug="0" connectionTimeout="20000"
proxyPort="80" disableUploadTimeout="true" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host). -->
<!-- You should set jvmRoute to support load-balancing via JK/JK2 ie :
<Engine name="Standalone" defaultHost="localhost" debug="0" jvmRoute="jvm1">
-->
<!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost" debug="0">
<!-- The request dumper valve dumps useful debugging information about
the request headers and cookies that were received, and the response
headers and cookies that were sent, for all requests received by
this instance of Tomcat. If you care only about requests to a
particular virtual host, or a particular application, nest this
element inside the corresponding <Host> or <Context> entry instead.
For a similar mechanism that is portable to all Servlet 2.4
containers, check out the "RequestDumperFilter" Filter in the
example application (the source for this filter may be found in
"$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").
Request dumping is disabled by default. Uncomment the following
element to enable it. -->
<!--
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-->
<!-- Global logger unless overridden at lower levels -->
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt"
timestamp="true"/>
<!-- Because this Realm is here, an instance will be shared globally -->
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0" resourceName="UserDatabase"/>-->
<!--
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="slide_login"
userClassNames="org.apache.slide.jaas.spi.SlidePrincipal"
roleClassNames="org.apache.slide.jaas.spi.SlideRole"
name="Slide DAV Server"
namespace="slide"
useContextClassLoader="false" />-->
<!--
userBase="dc=dominio,dc=pt"
userSubtree="true"
userSearch="(uid={0})"
userPassword="userPassword"
-->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:389";
userPattern="uid={0},ou=people,dc=dominio,dc=pt"
roleBase="ou=groups,dc=dominio,dc=pt"
roleName="cn"
roleSearch="(uniqueMember={0})"
digest="SHA"
roleSubtree="true"
/>
<!-- Comment out the old realm but leave here for now in case we
need to go back quickly -->
<!--
<Realm className="org.apache.catalina.realm.MemoryRealm" />
-->
<!-- Replace the above Realm with one of the following to get a Realm
stored in a database and accessed via JDBC -->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost/authority"
connectionName="test" connectionPassword="test"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="oracle.jdbc.driver.OracleDriver"
connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
connectionName="scott" connectionPassword="tiger"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!--
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="sun.jdbc.odbc.JdbcOdbcDriver"
connectionURL="jdbc:odbc:CATALINA"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
-->
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
-->
<Host name="localhost" debug="0" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!-- Defines a cluster for this node,
By defining this element, means that every manager will be changed.
So when running a cluster, only make sure that you have webapps in there
that need to be clustered and remove the other ones.
A cluster has the following parameters:
className = the fully qualified name of the cluster class
name = a descriptive name for your cluster, can be anything
debug = the debug level, higher means more output
mcastAddr = the multicast address, has to be the same for all the nodes
mcastPort = the multicast port, has to be the same for all the nodes
mcastBindAddr = bind the multicast socket to a specific address
mcastTTL = the multicast TTL if you want to limit your broadcast
mcastSoTimeout = the multicast readtimeout
mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat
mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received
tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes
tcpListenAddress = the listen address (bind address) for TCP cluster request on this host,
in case of multiple ethernet cards.
auto means that address becomes
InetAddress.getLocalHost().getHostAddress()
tcpListenPort = the tcp listen port
tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS
has a wakup bug in java.nio. Set to 0 for no timeout
printToScreen = true means that managers will also print to std.out
expireSessionsOnShutdown = true means that
useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called.
false means to replicate the session after each request.
false means that replication would work for the following piece of code:
<%
HashMap map = (HashMap)session.getAttribute("map");
map.put("key","value");
%>
replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'.
* Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication.
* Synchronous means that the thread that executes the request, is also the
thread the replicates the data to the other nodes, and will not return until all
nodes have received the information.
* Asynchronous means that there is a specific 'sender' thread for each cluster node,
so the request thread will queue the replication request into a "smart" queue,
and then return to the client.
The "smart" queue is a queue where when a session is added to the queue, and the same session
already exists in the queue from a previous request, that session will be replaced
in the queue instead of replicating two requests. This almost never happens, unless there is a
large network delay.
-->
<!--
When configuring for clustering, you also add in a valve to catch all the requests
coming in, at the end of the request, the session may or may not be replicated.
A session is replicated if and only if all the conditions are met:
1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND
2. a session exists (has been created)
3. the request is not trapped by the "filter" attribute
The filter attribute is to filter out requests that could not modify the session,
hence we don't replicate the session after the end of this request.
The filter is negative, ie, anything you put in the filter, you mean to filter out,
ie, no replication will be done on requests that match one of the filters.
The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to.
filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI
ending with .gif and .js are intercepted.
The deployer element can be used to deploy apps cluster wide.
Currently the deployment only deploys/undeploys to working members in the cluster
so no WARs are copied upons startup of a broken node.
The deployer watches a directory (watchDir) for WAR files when watchEnabled="true"
When a new war file is added the war gets deployed to the local instance,
and then deployed to the other instances in the cluster.
When a war file is deleted from the watchDir the war is undeployed locally
and cluster wide
-->
<!--
<Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
managerClassName="org.apache.catalina.cluster.session.DeltaManager"
expireSessionsOnShutdown="false"
useDirtyFlag="true">
<Membership
className="org.apache.catalina.cluster.mcast.McastService"
mcastAddr="228.0.0.4"
mcastPort="45564"
mcastFrequency="500"
mcastDropTime="3000"/>
<Receiver
className="org.apache.catalina.cluster.tcp.ReplicationListener"
tcpListenAddress="auto"
tcpListenPort="4001"
tcpSelectorTimeout="100"
tcpThreadCount="6"/>
<Sender
className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
replicationMode="pooled"/>
<Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;"/>
<Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
tempDir="/tmp/war-temp/"
deployDir="/tmp/war-deploy/"
watchDir="/tmp/war-listen/"
watchEnabled="false"/>
</Cluster>
-->
<!-- Normally, users must authenticate themselves to each web app
individually. Uncomment the following entry if you would like
a user to be authenticated the first time they encounter a
resource protected by a security constraint, and then have that
user identity maintained across *all* web applications contained
in this virtual host. -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn"
debug="0"/>
-->
<!-- Access log processes all requests for this virtual host. By
default, log files are created in the "logs" directory relative to
$CATALINA_HOME. If you wish, you can specify a different
directory with the "directory" attribute. Specify either a relative
(to $CATALINA_HOME) or absolute path to the desired directory.
-->
<!--
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="common" resolveHosts="false"/>
-->
<!-- Logger shared by all Contexts related to this virtual host. By
default (when using FileLogger), log files are created in the "logs"
directory relative to $CATALINA_HOME. If you wish, you can specify
a different directory with the "directory" attribute. Specify either a
relative (to $CATALINA_HOME) or absolute path to the desired
directory.-->
<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs" prefix="localhost_log." suffix=".txt"
timestamp="true"/>
</Host>
</Engine>
</Service>
</Server>
<?xml version="1.0"?>
<slide>
<namespace name="slide">
<definition><!--
<store name="tx">
<parameter name="tlock-timeout">120</parameter>
<nodestore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
<parameter name="rootpath">store/metadata</parameter>
<parameter name="workpath">work/metadata</parameter>
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</nodestore>
<sequencestore classname="org.apache.slide.store.txfile.FileSequenceStore">
<parameter name="rootpath">store/sequence</parameter>
</sequencestore>
<securitystore>
<reference store="nodestore"/>
</securitystore>
<lockstore>
<reference store="nodestore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore classname="org.apache.slide.store.txfile.TxFileContentStore">
<parameter name="rootpath">store/content</parameter>
<parameter name="workpath">work/content</parameter>
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</contentstore>
</store>
<scope match="/" store="tx"/>-->
<store name="tx">
<parameter name="tlock-timeout">120</parameter>
<nodestore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
<parameter name="rootpath">store/metadata</parameter>
<parameter name="workpath">work/metadata</parameter>
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</nodestore>
<sequencestore classname="org.apache.slide.store.txfile.FileSequenceStore">
<parameter name="rootpath">store/sequence</parameter>
</sequencestore>
<securitystore>
<reference store="nodestore"/>
</securitystore>
<lockstore>
<reference store="nodestore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore classname="org.apache.slide.store.txfile.TxFileContentStore">
<parameter name="rootpath">store/content</parameter>
<parameter name="workpath">work/content</parameter>
<parameter name="defer-saving">true</parameter>
<parameter name="timeout">120</parameter>
</contentstore>
<!-- uncomment if you want to use the sample Indexer -->
<!-- be sure to have Lucene in your classpath -->
<!--
<contentindexer classname="org.apache.slide.index.SampleTxtContainsIndexer">
<parameter name="indexpath">./index</parameter>
</contentindexer>
-->
</store>
<store name="users">
<nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
<parameter name="jndi.container">ou=people,dc=dominio,dc=pt</parameter>
<parameter name="jndi.attributes.rdn">uid</parameter>
<parameter name="jndi.search.filter">(objectClass=inetOrgPerson)</parameter>
<parameter name="jndi.search.scope">SUBTREE_SCOPE</parameter> <!-- estava onelevel -->
<parameter name="jndi.search.attributes">postalCode,initials,givenName,uid,mail,fullName,telephoneNumber,title,facsimileTelephoneNumber,groupMembership,l,sn,cn</parameter>
<parameter name="java.naming.provider.url">ldap://localhost:389</parameter>
<parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
<parameter name="java.naming.security.principal">cn=Manager,dc=dominio,dc=pt</parameter>
<parameter name="java.naming.security.authentication">simple</parameter>
<parameter name="java.naming.security.credentials">segredo</parameter>
<parameter name="cache.refresh.checkrate">15</parameter>
<parameter name="cache.refresh.rate">800</parameter>
<parameter name="cache.refresh.threshold">15000</parameter>
</nodestore>
<!-- Use a Tx Store to store security and lock information -->
<securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
<parameter name="rootpath">users/store/metadata</parameter>
<parameter name="workpath">users/work/metadata</parameter>
</securitystore>
<lockstore>
<reference store="securitystore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore>
<reference store="nodestore"/>
</contentstore>
</store>
<!-- Use a JNDIPrincipalStore for roles -->
<store name="roles">
<nodestore classname="org.apache.slide.store.txjndi.JNDIPrincipalStore">
<parameter name="jndi.container">ou=groups,dc=dominio,dc=pt</parameter>
<parameter name="jndi.attributes.rdn">cn</parameter>
<parameter name="jndi.attributes.groupmemberset">uniqueMember</parameter>
<parameter name="jndi.search.filter">(objectClass=groupOfUniqueNames)</parameter>
<parameter name="jndi.search.scope">SUBTREE_SCOPE</parameter>
<parameter name="jndi.search.attributes">cn</parameter>
<parameter name="java.naming.provider.url">ldap://localhost:389</parameter>
<parameter name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</parameter>
<parameter name="java.naming.security.principal">cn=Manager,dc=dominio,dc=pt</parameter>
<parameter name="java.naming.security.authentication">simple</parameter>
<parameter name="java.naming.security.credentials">segredo</parameter>
<parameter name="cache.refresh.checkrate">15</parameter>
<parameter name="cache.refresh.rate">800</parameter>
<parameter name="cache.refresh.threshold">15000</parameter>
</nodestore>
<!-- Use a Tx Store to store security and lock information -->
<securitystore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
<parameter name="rootpath">roles/store/metadata</parameter>
<parameter name="workpath">roles/work/metadata</parameter>
</securitystore>
<lockstore>
<reference store="securitystore"/>
</lockstore>
<revisiondescriptorsstore>
<reference store="nodestore"/>
</revisiondescriptorsstore>
<revisiondescriptorstore>
<reference store="nodestore"/>
</revisiondescriptorstore>
<contentstore>
<reference store="nodestore"/>
</contentstore>
</store>
<scope match="/" store="tx"/>
<scope match="/users" store="users"/>
<scope match="/roles" store="roles"/>
</definition>
<configuration>
<!-- Actions mapping -->
<read-object>/actions/read</read-object>
<create-object>/actions/write</create-object>
<remove-object>/actions/write</remove-object>
<grant-permission>/actions/write-acl</grant-permission>
<revoke-permission>/actions/write-acl</revoke-permission>
<read-permissions>/actions/read-acl</read-permissions>
<read-own-permissions>/actions/read-current-user-privilege-set</read-own-permissions>
<lock-object>/actions/write</lock-object>
<kill-lock>/actions/unlock</kill-lock>
<read-locks>/actions/read</read-locks>
<read-revision-metadata>/actions/read</read-revision-metadata>
<create-revision-metadata>/actions/write-properties</create-revision-metadata>
<modify-revision-metadata>/actions/write-properties</modify-revision-metadata>
<remove-revision-metadata>/actions/write-properties</remove-revision-metadata>
<read-revision-content>/actions/read</read-revision-content>
<create-revision-content>/actions/write-content</create-revision-content>
<modify-revision-content>/actions/write-content</modify-revision-content>
<remove-revision-content>/actions/write-content</remove-revision-content>
<bind-member>/actions/bind</bind-member>
<unbind-member>/actions/unbind</unbind-member>
<!-- Paths configuration -->
<userspath>/users</userspath>
<rolespath>/roles</rolespath>
<actionspath>/actions</actionspath>
<filespath>/files</filespath>
<parameter name="dav">true</parameter>
<parameter name="standalone">true</parameter>
<parameter name="acl_inheritance_type">path</parameter>
<!-- Nested roles: 0 means no nesting (default), 1 means one sublevel, etc. -->
<parameter name="nested_roles_maxdepth">0</parameter>
<!-- Can be "off", "write" and "full" -->
<parameter name="sequential-mode">full</parameter>
<!-- "false" lets all read-only methods be executed outside of transactions -->
<parameter name="all-methods-in-transactions">true</parameter>
<!-- Setting this to true will force Slide to internally convert the username a user
enters at login to lowercase. This is useful for users who can't be bothered
with turning off their capslock key before logging in. -->
<parameter name="force-lowercase-login">false</parameter>
</configuration>
<data>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
<!-- Subject can be:
any user "all"
authenticated user "authenticated"
unauthenticated user "unauthenticated"
self "self"
owner of resource "owner"
a user "/users/john"
a role "/roles/admin"
-->
<permission action="all" subject="/roles/root" inheritable="true"/>
<permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/read" subject="all" inheritable="true"/>
<!-- /users -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
<permission action="all" subject="self" inheritable="true"/>
<permission action="all" subject="/roles/projector" inheritable="true"/>
<permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
<!-- /users/root represents the administrator -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/root">
<revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password">root</property>
</revision>
</objectnode>
<!-- /users/john and /users/john2 represent authenticated users -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/bruno">
<revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password">bruno</property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/agda">
<revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password">agda</property>
</revision>
</objectnode>
<!-- /users/guest represents an authenticated or unauthenticated guest user -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/guest">
<revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password">guest</property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/projector">
<revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password">projector</property>
</revision>
</objectnode>
</objectnode>
<!-- /roles -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
<permission action="all" subject="self" inheritable="true"/>
<permission action="all" subject="/roles/projector" inheritable="true"/>
<permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
<revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/root</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/user">
<revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/john</D:href><D:href xmlns:D='DAV:'>/users/john2</D:href><D:href xmlns:D='DAV:'>/users/root</D:href><D:href xmlns:D='DAV:'>/users/projector</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/guest">
<revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/guest</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/projector">
<revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/root</D:href><D:href xmlns:D='DAV:'>/users/projector</D:href>]]></property>
</revision>
</objectnode>
</objectnode>
<!-- action -->
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions">
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/read-acl</D:href> <D:href xmlns:D='DAV:'>/actions/read-current-user-privilege-set</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-acl">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-current-user-privilege-set">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-acl</D:href> <D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-acl">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-properties">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-content">
<revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/bind</D:href> <D:href xmlns:D='DAV:'>/actions/unbind</D:href>]]></property>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/bind">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/unbind">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/unlock">
<revision>
<property name="privilege-member-set"/>
</revision>
</objectnode>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<permission action="/actions/write" subject="/roles/user" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/projector">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<permission action="/actions/write" subject="/roles/projector" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/projector/work">
</objectnode>
</objectnode>
<!-- DeltaV: default history and workspace paths -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/history">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<permission action="/actions/write" subject="/roles/user" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workspace">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<permission action="/actions/write" subject="/roles/user" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
</objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workingresource">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<permission action="/actions/write" subject="/roles/user" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
</objectnode>
</objectnode>
</data>
</namespace>
<!--
DeltaV global parameters
========================
* historypath (mandatory=no, default="/history"):
Specifies a Slide path which determines the location where this DeltaV
server stores history data.
* workspacepath (mandatory=no, default="/workspace"):
Specifies a Slide path which determines the location where this DeltaV
server allows workspaces to reside.
* workingresourcepath (mandatory=no, default="/workingresource"):
Specifies a Slide path which determines the location where this DeltaV
server stores working resources.
* auto-version (mandatory=no, default="checkout-checkin"):
Controls the DeltaV auto-version behaviour.
* auto-version-control (mandatory=no, default="false"):
Indicates if a resource just created by a PUT should be set under
version-control.
* versioncontrol-exclude (mandatory=no, default=""):
Specifies a Slide path which determines resources which are excluded from version-control.
The default value "" makes no path being excluded.
* checkout-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-out behaviour when a version is already
checked-out or has a successor.
* checkin-fork (mandatory=no, default="forbidden"):
Controls the DeltaV check-out behaviour when a version has already a
successor.
* standardLivePropertiesClass (mandatory=no,
default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"):
Determines the "agent" knowing about what the standard live properties are.
It should be a loadable class containing the following static methods:
- boolean isLiveProperty(String propName)
- boolean isProtectedProperty(String propName)
- boolean isComputedProperty(String propName)
- Set getAllLiveProperties()
- Set getAllProtectedProperties()
- Set getAllComputedProperties()
* uriRedirectorClass (mandatory=no,
default="org.apache.slide.webdav.util.DeltavUriRedirector"):
Determines the URI redirector class. The DeltaV URI redirector is in
charge of the following redirections:
- version URI to history URI, e.g. /history/2/1.4 to /history/2
- latest revision number for history resource to 0.0
- latest revision number for version resource to last URI token,
e.g. /history/2/1.4 to 1.4
It should be a loadable class containing the following static methods:
- String redirectUri(String uri)
- NodeRevisionNumber redirectLatestRevisionNumber(String uri)
-->
<parameter name="historypath">/history</parameter>
<parameter name="workspacepath">/workspace</parameter>
<parameter name="workingresourcepath">/workingresource</parameter>
<parameter name="auto-version">checkout-checkin</parameter>
<parameter name="auto-version-control">false</parameter>
<parameter name="versioncontrol-exclude"/>
<parameter name="checkout-fork">forbidden</parameter>
<parameter name="checkin-fork">forbidden</parameter>
<!-- Extractor configuration -->
<extractors>
<extractor classname="org.apache.slide.extractor.SimpleXmlExtractor" uri="/files/articles/test.xml">
<configuration>
<instruction property="title" xpath="/article/title/text()" />
<instruction property="summary" xpath="/article/summary/text()" />
</configuration>
</extractor>
<extractor classname="org.apache.slide.extractor.OfficeExtractor" uri="/files/docs/">
<configuration>
<instruction property="author" id="SummaryInformation-0-4" />
<instruction property="application" id="SummaryInformation-0-18" />
</configuration>
</extractor>
</extractors>
<!-- Event configuration -->
<events>
<event classname="org.apache.slide.webdav.event.WebdavEvent" enable="true" />
<event classname="org.apache.slide.event.ContentEvent" enable="true" />
<event classname="org.apache.slide.event.ContentEvent" method="retrieve" enable="false" />
<event classname="org.apache.slide.event.EventCollection" enable="true" />
<event classname="org.apache.slide.event.TransactionEvent" enable="true" />
<event classname="org.apache.slide.event.MacroEvent" enable="true"/>
<!--listener classname="org.apache.slide.util.event.EventLogger" /-->
<listener classname="org.apache.slide.event.VetoableEventCollector" />
<listener classname="org.apache.slide.event.TransientEventCollector" />
<listener classname="org.apache.slide.webdav.event.NotificationTrigger">
<configuration>
<notification include-events="false" />
<persist-subscriptions filename="subscriptions.xml" />
</configuration>
</listener>
<listener classname="org.apache.slide.extractor.PropertyExtractorTrigger" />
<listener classname="org.apache.slide.search.IndexTrigger">
<configuration>
<indexer classname="org.apache.slide.search.LoggingIndexer" synchronous="false" uri="/files/articles" />
</configuration>
</listener>
<!-- Uncomment for cluster support. Be sure to local-host and repository-host -->
<!--
<listener classname="org.apache.slide.cluster.ClusterCacheRefresher">
<configuration>
<node local-host="local.host.domain"
local-port="4444"
repository-host="remote.host.domain"
repository-port="8080"
repository-protocol="http"
username="root"
password="root"
base-uri="/files/"
/>
</configuration>
</listener>
-->
<listener classname="org.apache.slide.macro.MacroPropertyUpdater">
<!-- Listener that updates some properties if resources are
copied or moved. This requires MacroEvents enabled (at
least methods copy and move) -->
<configuration>
<update-displayname>true</update-displayname>
<update-owner-on-move>false</update-owner-on-move>
<update-owner-on-copy>true</update-owner-on-copy>
</configuration>
</listener>
</events>
</slide>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
