I've stepped closer - the '403 not authorized' for http://localhost:8080/slide/files with the default ACL was a misconfiguration of the JAAS module (and, for reference, could also be a web.xml <security-constraint> problem in identifying roles that your JAAS subject contains). This part is now working fine.

I would like some direction regarding how to establish an ACL using roles from the JAAS module (web.xml is easy, it's the domain.xml ACL that I need help with). Note that <auto-create-*> continues the behavior of not creating /slide/user/* or /slide/role/* metadata records.

-D

> -----Original Message-----
> From: Darren Hartford [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 02, 2006 8:41 AM
> To: [email protected]
> Subject: Slide and external JAAS modules
>
> Hey all,
> I'm still evaluating Slide based on some requirements. One of the requirements is to use an external system for authentication/authorization (authorization as in getting roles), but still maintain the fine-grain ACL security built into Slide. Forgive the length, but I don't want to miss anything that might be relevant to the questions below.
> ==================
> Can anyone share any stories, or preferably, examples of successful implementation of Slide using external JAAS modules?
>
> http://www.mail-archive.com/[email protected]/msg08654.html
> http://www.mail-archive.com/[email protected]/msg11675.html
> http://www.mail-archive.com/[email protected]/msg11589.html
> http://www.mail-archive.com/[email protected]/msg08546.html
> http://www.mail-archive.com/[email protected]/msg11499.html
> http://www.mail-archive.com/[email protected]/msg08310.html
> http://www.mail-archive.com/[email protected]/msg07984.html
> http://www.mail-archive.com/[email protected]/msg07964.html
>
> Ones that clearly re-state a similar challenge:
> http://www.mail-archive.com/[email protected]/msg08450.html
> http://www.mail-archive.com/[email protected]/msg07964.html
>
> So far, this is a skeleton that closely resembles http://jakarta.apache.org/slide/howto-jaas.html but puts some missing or assumed pieces together:
> =================================
> * Compile a JAAS-enabled version of Slide ('ant webapp-jaas-dist').
>
> * Copy the dist/webapp/slide.war (which should have the slide-jaas JAR included) to the Tomcat container. Tomcat 5.5 has unresolved JAAS issues according to the mailing list, so sticking with 5.0.28.
>
> * Create or copy an existing jaas.conf file - must use the realm name 'slide_login':
>
>     slide_login {
>         com.somecompany.security.auth.module.MyCustomLoginModule required
>             option1=false
>             option2=true;
>     };
>
> * ?? Where to put the libraries for custom LoginModules? According to http://jakarta.apache.org/slide/howto-jaas.html it doesn't seem to matter, but a recommended location would be preferred. I've been using the $TOMCAT_HOME/common/lib directory.
>
> * Modify the Tomcat server.xml per http://jakarta.apache.org/slide/howto-jaas.html EXACTLY, but watch for location (engine versus host, etc):
>
>     <Realm className="org.apache.catalina.realm.JAASRealm"
>            appName="slide_login"
>            userClassNames="org.apache.slide.jaas.spi.SlidePrincipal"
>            roleClassNames="org.apache.slide.jaas.spi.SlideRole"
>            debug="99"
>            useContextClassLoader="false"
>     />
>
> * Modify the startup.bat/startup.sh scripts to add a commandline option to point to the config:
>
>     -Djava.security.auth.login.config=path-to-jaas.config
>
> * Modify the slide.war web.xml <security-constraints> with the appropriate roles coming from your custom JAAS login module.
>
> * Modify your domain.xml with <auto-*> tags:
>
>     <namespace>
>         <definition>
>             ...
>         </definition>
>         <configuration>
>             ...
>             <auto-create-users>true</auto-create-users>
>             <auto-create-users-role>true</auto-create-users-role>
>         </configuration>
>
> * ?? How do you modify per-store ACLs in domain.xml with the new roles from the JAAS login modules? Or, with the auto-create, do the roles get re-populated into the /roles/ path and simply follow the existing examples?
> =====================
>
> The questions.
>
> ? - I can authenticate, but I get 403 not authorized when trying to view any items, even though my LoginModule roles match the roles defined in web.xml <security-constraints>. I've tested this with the usernames/passwords from my LoginModule, and incorrect passwords fail while correct passwords get 403. What am I missing? I'm not sure how to configure the ACLs...
>
> ? - The <auto-create-users> does NOT create any users in the /slide/users path (nor in the store/content/metadata/users folder).
>
> ? - The <auto-create-users-role> 'documentation' gave varying examples, one was 'true', another was 'slideroles.basic.UserRoleImpl', and supposedly it is not required as there is a default if <auto-create-users> is enabled but <auto-create-users-roles> is not defined. Tried all of these options, none of which seemed to do anything (no new /slide/roles or store/content/metadata/roles folder... and since there are no new user files no changes there). I would *prefer* Slide simply used the roles passed from the LoginModule (and allow me to change with web.xml link-refs) versus explicitly creating a single, defined role for every new user.
>
> Environment - Win2000 and WinXP test, basic Fedora4 tests, Tomcat 5.0.28 with Sun JDK5, SVN-snapshot of 2/27/2006, built with 'ant webapp-jaas-dist' modified only as above (everything else is as-is).
>
> Again, sorry for the length but wanted to make sure I'm not missing anything. This is a very important feature for enterprise usage.
>
> Thanks,
> -D
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
