Hey all,

I'm still evaluating Slide based on some requirements. One of the requirements is to use an external system for authentication/authorization (authorization as in getting roles), but still maintain the fine-grained ACL security built into Slide. Forgive the length, but I don't want to miss anything that might be relevant to the questions below.

==================

Can anyone share any stories, or preferably, examples of successful implementation of Slide using external JAAS modules?

http://www.mail-archive.com/[email protected]/msg08654.html
http://www.mail-archive.com/[email protected]/msg11675.html
http://www.mail-archive.com/[email protected]/msg11589.html
http://www.mail-archive.com/[email protected]/msg08546.html
http://www.mail-archive.com/[email protected]/msg11499.html
http://www.mail-archive.com/[email protected]/msg08310.html
http://www.mail-archive.com/[email protected]/msg07984.html
http://www.mail-archive.com/[email protected]/msg07964.html

Ones that clearly re-state a similar challenge:

http://www.mail-archive.com/[email protected]/msg08450.html
http://www.mail-archive.com/[email protected]/msg07964.html

So far, this is a skeleton that closely resembles http://jakarta.apache.org/slide/howto-jaas.html but puts some missing or assumed pieces together:

=================================

* Compile a JAAS-enabled version of Slide ('ant webapp-jaas-dist').

* Copy the dist/webapp/slide.war (which should have the slide-jaas JAR included) to the Tomcat container. Tomcat 5.5 has unresolved JAAS issues according to the mailing list, so I'm sticking with 5.0.28.

* Create or copy an existing jaas.conf file - it must use the realm name 'slide_login':

    slide_login {
        com.somecompany.security.auth.module.MyCustomLoginModule required
            option1=false
            option2=true;
    };

* ?? Where to put the libraries for custom LoginModules? According to http://jakarta.apache.org/slide/howto-jaas.html it doesn't seem to matter, but a recommended location would be preferred. I've been using the $TOMCAT_HOME/common/lib directory.

* Modify the Tomcat server.xml per http://jakarta.apache.org/slide/howto-jaas.html EXACTLY, but watch the location (engine versus host, etc.):

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="slide_login"
           userClassNames="org.apache.slide.jaas.spi.SlidePrincipal"
           roleClassNames="org.apache.slide.jaas.spi.SlideRole"
           debug="99"
           useContextClassLoader="false" />

* Modify the startup.bat/startup.sh scripts to add a command-line option pointing to the config:

    -Djava.security.auth.login.config=path-to-jaas.config

* Modify the slide.war web.xml <security-constraints> with the appropriate roles coming from your custom JAAS login module.

* Modify your domain.xml with <auto-*> tags:

    <namespace>
        <definition>
            ...
        </definition>
        <configuration>
            ...
            <auto-create-users>true</auto-create-users>
            <auto-create-users-role>true</auto-create-users-role>
        </configuration>
    </namespace>

* ?? How do you modify per-store ACLs in domain.xml with the new roles from the JAAS login modules? Or, with the auto-create, do the roles get re-populated into the /roles/ path and simply follow the existing examples?

=====================

The questions.

? - I can authenticate, but I get 403 not authorized when trying to view any items, even though my LoginModule roles match the roles defined in web.xml <security-constraints>. I've tested this with the usernames/passwords from my LoginModule, and incorrect passwords fail while correct passwords get 403. What am I missing? I'm not sure how to configure the ACLs...

? - The <auto-create-users> does NOT create any users in the /slide/users path (nor in the store/content/metadata/users folder).

? - The <auto-create-users-role> 'documentation' gave varying examples: one was 'true', another was 'slideroles.basic.UserRoleImpl', and supposedly it is not required, as there is a default if <auto-create-users> is enabled but <auto-create-users-roles> is not defined. Tried all of these options, none of which seemed to do anything (no new /slide/roles or store/content/metadata/roles folder... and since there are no new users files, no changes there). I would *prefer* Slide simply used the roles passed from the LoginModule (and allow me to change them with web.xml link-refs) versus explicitly creating a single, defined role for every new user.

Environment - Win2000 and WinXP test, basic Fedora4 tests, Tomcat 5.0.28 with Sun JDK5, SVN snapshot of 2/27/2006, built with 'ant webapp-jaas-dist', modified only as above (everything else is as-is).

Again, sorry for the length, but I wanted to make sure I'm not missing anything. This is a very important feature for enterprise usage.

Thanks,
-D
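An added example, not from the post or the Slide project, of what the custom LoginModule named in the jaas.conf above must do for the JAASRealm configuration to yield roles: Tomcat's JAASRealm recognizes the authenticated user and the roles only through principals whose classes are listed in userClassNames and roleClassNames, so commit() has to add org.apache.slide.jaas.spi.SlidePrincipal and SlideRole instances to the Subject (a module that adds role principals of any other class authenticates fine but yields no roles, and every constrained request is then denied). It assumes both Slide classes take the name as their single constructor argument, and ExternalDirectory is a hypothetical stand-in for the external authentication system.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.slide.jaas.spi.SlidePrincipal;
import org.apache.slide.jaas.spi.SlideRole;

/** Hypothetical LoginModule referenced by the 'slide_login' entry in jaas.conf. */
public class MyCustomLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private String[] roles;      // role names returned by the external system
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect credentials and verify them against the external system. */
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {   // IOException or UnsupportedCallbackException
            throw new LoginException(e.getMessage());
        }
        // ExternalDirectory is a hypothetical stand-in for the external auth system;
        // it returns the user's role names, or null when the credentials are wrong.
        roles = ExternalDirectory.authenticate(nc.getName(), pc.getPassword());
        pc.clearPassword();
        if (roles == null) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return succeeded = true;
    }

    /** Phase 2: add principals of exactly the classes named in the Realm's
     *  userClassNames/roleClassNames; JAASRealm ignores principals of other classes. */
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SlidePrincipal(user));
        for (String role : roles) subject.getPrincipals().add(new SlideRole(role));
        return true;
    }

    public boolean abort() { succeeded = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

The role names the module hands to SlideRole are the ones web.xml's security constraints are checked against, so a mismatch between the two is visible in the JAASRealm debug output enabled by debug="99" above.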
