Actually, the getting started with Domain.xml page is very good:
http://wiki.apache.org/jakarta-slide/Getting_Started_Domain%2eXML
It gives a specific example of how "user2" can be linked with the "editor" role
and can therefore inherit permissions. So, my question is either:
1. How can I avoid having to define this sort of node:
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/editor">
        <revision>
            <property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/primary/users/user2</D:href>]]></property>
        </revision>
    </objectnode>
</objectnode>
I want a user's role to be assigned by JAAS, not by the configuration in
Domain.xml.
Or
2. Is there a setting that I can use to bodge a mapping to "user" for every new
user that logs in using JAAS? The documentation mentions it, but I can't get it
to work. Where's the definitive documentation for this?
Thanks again,
Dave
-----Original Message-----
From: Boden, David
Sent: Thursday, October 12, 2006 11:27 AM
To: 'Slide Users Mailing List'
Subject: RE: Install question
Hi,
I'd like to have the following setup:
1. I use JAAS to authenticate a user and assign them a role (guest, user,
admin).
2. Have general access permissions granted by Slide based on the Domain.xml and
the role that the user has.
3. Implement a ContentInterceptor to specifically decide whether a user is
authorised to access a particular role (i.e. custom authorization).
Is this possible? I've tried setting Slide up so that it will automatically
create users, but it keeps telling me that there's no information found for
/users/dboden when I successfully authenticate using "dboden" as a username.
Is there a definitive guide to setting up authentication in this way? Do you
know of any company / individuals that could offer paid commercial support for
Slide so that I could get this job done?
Thanks,
Dave
Here's my implementation of the ContentInterceptor which aims to authorise a
user:
package com.lehman.fiet.ark.server;

import java.security.Principal;

import org.apache.slide.common.NamespaceAccessToken;
import org.apache.slide.common.ServiceAccessException;
import org.apache.slide.common.SlideToken;
import org.apache.slide.content.AbstractContentInterceptor;
import org.apache.slide.content.NodeRevisionContent;
import org.apache.slide.content.NodeRevisionDescriptor;
import org.apache.slide.content.NodeRevisionDescriptors;
import org.apache.slide.content.NodeRevisionNumber;
import org.apache.slide.lock.ObjectLockedException;
import org.apache.slide.security.AccessDeniedException;
import org.apache.slide.structure.LinkedObjectNotFoundException;
import org.apache.slide.structure.ObjectNotFoundException;
import org.apache.slide.util.logger.Logger;

import com.lehman.architech.elmo.ElmoClient;

/**
 * This class is configured as a content interceptor in the domain configuration
 * file. It looks up the group corresponding to the directory of the file that
 * is being retrieved, stored or removed. It looks up the current user and decides
 * whether the user has permissions to access the content.
 *
 * @author dboden
 */
public class AuthorizationContentInterceptor extends AbstractContentInterceptor {

    /**
     * This is the ELMO context used to permission ark.
     */
    private static final String ELMO_ARK = "ark";

    /**
     * This is the artifacts root under the ark permissioning structure.
     */
    private static final String ARK_ARTIFACTS = "artifacts";

    // The permission types configured in ELMO which correspond to the
    // actions that users will request.
    static enum ArkPermission {
        RETRIEVE("retrieve"),
        STORE("store"),
        REMOVE("remove");

        private final String elmoString;

        ArkPermission(String elmoString) {
            this.elmoString = elmoString;
        }

        public String getElmoString() {
            return elmoString;
        }
    }

    static {
        // Production by default - comment these lines out for normal use:
        // System.setProperty("Elmo.Server", "elmostage.lehman.com:1812"); // Stage
        System.setProperty("Elmo.Server", "elmoqa.lehman.com:1812"); // QA
    }

    // Client for the external ELMO permission service; one instance per interceptor.
    ElmoClient elmo;

    public AuthorizationContentInterceptor() {
        elmo = new ElmoClient(ELMO_ARK);
    }

    @Override
    public void postRetrieveContent(SlideToken token, NodeRevisionDescriptors revisionDescriptors,
            NodeRevisionDescriptor revisionDescriptor, NodeRevisionContent revisionContent)
            throws AccessDeniedException, ObjectNotFoundException, LinkedObjectNotFoundException,
            ObjectLockedException, ServiceAccessException {
        NamespaceAccessToken namespace = getNamespace();
        Logger logger = namespace.getLogger();
        logger.log("postRetrieveContent", Logger.DEBUG);
        Principal principal = token.getCredentialsToken().getPrincipal();
        String resource = revisionDescriptors.getUri();
        checkPrincipalHasPermissionsSlideWrapper(logger, principal, ArkPermission.RETRIEVE, resource);
    }

    /**
     * This method doesn't get fired!
     */
    @Override
    public void preRetrieveContent(SlideToken token, NodeRevisionDescriptors revisionDescriptors,
            NodeRevisionNumber revisionNumber, NodeRevisionDescriptor revisionDescriptor)
            throws AccessDeniedException, ObjectNotFoundException, LinkedObjectNotFoundException,
            ObjectLockedException, ServiceAccessException {
        NamespaceAccessToken namespace = getNamespace();
        Logger logger = namespace.getLogger();
        logger.log("preRetrieveContent", Logger.DEBUG);
        Principal principal = token.getCredentialsToken().getPrincipal();
        String resource = revisionDescriptors.getUri();
        checkPrincipalHasPermissionsSlideWrapper(logger, principal, ArkPermission.RETRIEVE, resource);
    }

    @Override
    public void preStoreContent(SlideToken token, NodeRevisionDescriptors revisionDescriptors,
            NodeRevisionDescriptor revisionDescriptor, NodeRevisionContent revisionContent)
            throws AccessDeniedException, ObjectNotFoundException, LinkedObjectNotFoundException,
            ObjectLockedException, ServiceAccessException {
        NamespaceAccessToken namespace = getNamespace();
        Logger logger = namespace.getLogger();
        logger.log("preStoreContent", Logger.DEBUG);
        Principal principal = token.getCredentialsToken().getPrincipal();
        String resource = revisionDescriptors.getUri();
        checkPrincipalHasPermissionsSlideWrapper(logger, principal, ArkPermission.STORE, resource);
    }

    @Override
    public void preRemoveContent(SlideToken token, NodeRevisionDescriptors revisionDescriptors,
            NodeRevisionDescriptor revisionDescriptor)
            throws AccessDeniedException, ObjectNotFoundException, LinkedObjectNotFoundException,
            ObjectLockedException, ServiceAccessException {
        NamespaceAccessToken namespace = getNamespace();
        Logger logger = namespace.getLogger();
        logger.log("preRemoveContent", Logger.DEBUG);
        Principal principal = token.getCredentialsToken().getPrincipal();
        String resource = revisionDescriptors.getUri();
        checkPrincipalHasPermissionsSlideWrapper(logger, principal, ArkPermission.REMOVE, resource);
    }

    /**
     * Calls checkPrincipalHasPermissions and converts the SecurityException
     * into a meaningful Slide AccessDeniedException that can be returned
     * to the webdav client.
     *
     * @param logger
     * @param principal
     * @param permission
     * @param resource
     * @throws AccessDeniedException
     */
    void checkPrincipalHasPermissionsSlideWrapper(Logger logger, Principal principal,
            ArkPermission permission, String resource) throws AccessDeniedException {
        // No authenticated principal: deny rather than fall through to the lookup.
        if (principal == null || principal.getName() == null) {
            logger.log("All users should be authenticated before accessing this content. "
                    + "Please ensure that authentication is specified in web.xml", Logger.ERROR);
            throw new AccessDeniedException(resource, null, permission.getElmoString());
        }
        try {
            checkPrincipalHasPermissions(logger, principal, permission, resource);
        } catch (SecurityException ex) {
            throw new AccessDeniedException(resource, principal.getName(), permission.getElmoString());
        }
    }

    /**
     * Throws a SecurityException and logs an error message at the appropriate
     * level if the user does not have permissions to access the resource or
     * if there is a problem with ELMO.
     *
     * @param logger
     * @param principal
     * @param permission
     * @param resource
     * @throws SecurityException
     */
    void checkPrincipalHasPermissions(Logger logger, Principal principal,
            ArkPermission permission, String resource) throws SecurityException {
        // Map the Slide URI onto the ELMO resource path under the artifacts root.
        // The trimmed value is used throughout so the check and the concatenation agree.
        String trimmed = resource.trim();
        String elmoResource;
        if (trimmed.equals("/")) {
            elmoResource = ARK_ARTIFACTS;
        } else if (trimmed.startsWith("/")) {
            elmoResource = ARK_ARTIFACTS + trimmed;
        } else {
            elmoResource = ARK_ARTIFACTS + "/" + trimmed;
        }
        int result;
        try {
            result = elmo.checkAccess(elmoResource, permission.getElmoString(), principal.getName());
        } catch (Exception ex) {
            String errorMessage = "ELMO has thrown an Exception";
            logger.log(errorMessage, ex, getClass().getName(), Logger.CRITICAL);
            throw new SecurityException(errorMessage, ex);
        }
        // Only an explicit GRANT lets the request through; every other code denies.
        String errorMessage;
        switch (result) {
            case ElmoClient.GRANT:
                logger.log("Access granted", Logger.DEBUG);
                return;
            case ElmoClient.DENY:
                errorMessage = "Access denied for user " + principal.getName() + " resource " + resource;
                logger.log(errorMessage, Logger.INFO);
                throw new SecurityException(errorMessage);
            case ElmoClient.UNKNOWN:
                errorMessage = "ELMO does not know about this resource: " + resource;
                logger.log(errorMessage, Logger.WARNING);
                throw new SecurityException(errorMessage);
            case ElmoClient.EXCEPTION:
                errorMessage = "ELMO has reported an Exception";
                logger.log(errorMessage, Logger.CRITICAL);
                throw new SecurityException(errorMessage);
            default:
                errorMessage = "Unknown return code provided by ELMO: " + result;
                logger.log(errorMessage, Logger.CRITICAL);
                throw new SecurityException(errorMessage);
        }
    }
}
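The interceptor above delegates the actual decision to an external service and denies on every outcome except an explicit grant. The following is an added, stand-alone example (not from the thread, not Slide's or ELMO's code) that isolates that fail-closed decision logic so it can be exercised without Slide or ELMO: the `Decision` enum, the `AccessChecker` interface, the `FailClosedAuthorizer` class and its `toResourcePath` / `isAllowed` methods are all hypothetical names, the policy table in `main` is constructed sample data, and the collapsing of empty or `.` segments and the rejection of `..` segments is additional canonicalisation that the original interceptor does not perform.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Outcome of a permission lookup (hypothetical; stands in for ElmoClient's int codes). */
enum Decision { GRANT, DENY, UNKNOWN, EXCEPTION }

/** Minimal stand-in for the external permission service (assumption; not the ELMO API). */
interface AccessChecker {
    Decision checkAccess(String resource, String permission, String user);
}

public final class FailClosedAuthorizer {
    private static final String ARK_ARTIFACTS = "artifacts";
    private final AccessChecker checker;

    public FailClosedAuthorizer(AccessChecker checker) {
        this.checker = checker;
    }

    /**
     * Maps a Slide URI onto the permission-service resource path under the artifacts
     * root, as the interceptor does, and additionally canonicalises it so that two
     * spellings of one path ("/a/b", "//a//b", "a/./b") cannot get different answers.
     * A ".." segment is rejected outright instead of being resolved.
     */
    static String toResourcePath(String uri) {
        String trimmed = uri == null ? "" : uri.trim();
        StringBuilder sb = new StringBuilder(ARK_ARTIFACTS);
        for (String seg : trimmed.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue; // collapse "//" and "/./"
            }
            if (seg.equals("..")) {
                throw new IllegalArgumentException("parent segment in " + uri);
            }
            sb.append('/').append(seg);
        }
        return sb.toString(); // "/" maps to "artifacts", like the original
    }

    /**
     * Returns true only on an explicit GRANT. A missing principal, an unusable path,
     * an exception inside the checker, DENY, UNKNOWN and EXCEPTION all deny.
     */
    public boolean isAllowed(String user, String permission, String uri) {
        if (user == null || user.isEmpty()) {
            return false; // unauthenticated request
        }
        String path;
        try {
            path = toResourcePath(uri);
        } catch (IllegalArgumentException e) {
            return false;
        }
        Decision d;
        try {
            d = checker.checkAccess(path, permission, user);
        } catch (RuntimeException e) {
            return false; // service failure is not a grant
        }
        return d == Decision.GRANT;
    }

    public static void main(String[] args) {
        // Constructed policy table: resource path -> users allowed to "retrieve" it.
        Map<String, List<String>> policy = new HashMap<>();
        policy.put("artifacts/reports/q3.pdf", Arrays.asList("dboden"));
        AccessChecker checker = (res, perm, user) -> {
            if (!perm.equals("retrieve")) {
                return Decision.UNKNOWN; // no policy configured for other actions
            }
            List<String> allowed = policy.get(res);
            if (allowed == null) {
                return Decision.UNKNOWN;
            }
            return allowed.contains(user) ? Decision.GRANT : Decision.DENY;
        };
        FailClosedAuthorizer auth = new FailClosedAuthorizer(checker);
        String[][] cases = {
            {"dboden", "retrieve", "/reports/q3.pdf"},      // listed user, configured resource
            {"dboden", "retrieve", "//reports/./q3.pdf"},   // same resource, different spelling
            {"user2", "retrieve", "/reports/q3.pdf"},       // user not in the policy
            {"dboden", "store", "/reports/q3.pdf"},         // action with no policy
            {"dboden", "retrieve", "/reports/../q3.pdf"},   // rejected parent segment
            {null, "retrieve", "/reports/q3.pdf"},          // no authenticated principal
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " " + c[1] + " " + c[2] + " -> " + auth.isAllowed(c[0], c[1], c[2]));
        }
    }
}
```

The point of the stub is that the only path to `true` runs through an explicit `GRANT`; the `UNKNOWN` and `EXCEPTION` codes, a checker that throws, and a principal that was never authenticated all land on the same denial, which is the behaviour the interceptor's `switch` encodes and the property worth keeping when the lookup is moved to a different backend.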
-----Original Message-----
From: Zeitler, Bernd [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 12, 2006 7:44 AM
To: Slide Users Mailing List
Subject: RE: Install question
Hi,
You probably missed the installation samples in the wiki. Phil Burnside did a
good job writing down all basic steps about deployment and configuration:
http://wiki.apache.org/jakarta-slide/InstallationWithSamples.
Quote:
"You need to uncomment the security-constraint section to enable the
authentication to SLIDE. If you don't do this, you will not authenticate to the
servlet and will be treated as a 'guest', greatly reducing user privileges."
I recommend the JAAS way ;-)
Greetings,
Bernd
-----------------------------------------------------------
Human beings, who are almost unique in having the ability to learn from the
experience of others, are also remarkable for their apparent disinclination to
do so.
Douglas Adams
-----Original Message-----
From: Patrick Duda [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 11 October 2006 19:19
To: [email protected]
Subject: Install question
Hi,
I am trying to get slide up and running.
I already had tomcat 5.5.17 installed and running on my server. So, I
downloaded the slide binaries and moved the slide.war and slide-doc.war into
the webapps directory. I then restarted tomcat.
When I used my browser to access slide, I got a list of directories.
However, when I tried using DAVExplorer things didn't go as stated. I was
following "Creating Users" tutorial and used DAVExplorer to access slide. I
was able to connect but I was never asked for a user name or password. Also,
when it brought up the information, there was no "users"
directory.
I am assuming I missed something in the configuration but at this point I don't
know what it could be.
Has anyone got any advice?
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
------------------------------------------------------------------------------
This message is intended only for the personal and confidential use of the
designated recipient(s) named above. If you are not the intended recipient of
this message you are hereby notified that any review, dissemination,
distribution or copying of this message is strictly prohibited. This
communication is for information purposes only and should not be regarded as an
offer to sell or as a solicitation of an offer to buy any financial product, an
official confirmation of any transaction, or as an official statement of Lehman
Brothers. Email transmission cannot be guaranteed to be secure or error-free.
Therefore, we do not represent that this information is complete or accurate
and it should not be relied upon as such. All information is subject to change
without notice.