On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:

On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
Does anyone have a working example of configuring Sling to use an
external LDAP server for authentication?
On 2/21/08, Torgeir Veimo <[EMAIL PROTECTED]> wrote:
I'd assume this is sort of orthogonal to Sling at the moment?

One option would be to employ something like Spring security or
SecurityFilter with an appropriate LDAP realm impl. This would make
sure all requests would return something sane in the
getUserPrincipal() and isUserInRole() calls. You could then code
accordingly in your Sling components.

I see. But using a servlet filter would not enforce security on the
JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
and then handle authorization issues when Sling connects to
Jackrabbit.


If Jackrabbit actually supported any authorisation.. (I assume you know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171). You can store ACLs as node children though (we currently do this, but we don't enforce security through the AccessManager mechanism provided by JCR itself but at a higher level).

My general experience is that many applications might need the concept of ownership (e.g. your blog posts are only editable by you), but that read permissions are mostly set at world-readable. The concept of ownership would be integral to your domain model, and should probably be enforced as part of any DAO layer. If you need anything more advanced than that, all access to the JCR nodes should go through a proper DAO layer, also for reading, which would sort of make it wise to use something else than Sling.

--
Torgeir Veimo
[EMAIL PROTECTED]
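
The ownership model described in the message above (world-readable reads, edits restricted to the owner, enforced in a DAO layer rather than in the repository), sketched as an added example that is not code from the thread or from Sling/Jackrabbit. `BlogPostDao`, `Post` and the in-memory map standing in for JCR nodes are hypothetical; in a servlet the caller would come from `request.getUserPrincipal()`.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Added illustration: ownership is checked in the DAO, not by the repository.
// The map below is a stand-in for the JCR workspace (assumption, not Jackrabbit API).
public class BlogPostDao {
    // Owner is stored next to the content, as a node property would be.
    record Post(String owner, String body) {}

    private final Map<String, Post> store = new HashMap<>();

    // Reads are world-readable: no principal is required.
    public String read(String path) {
        Post p = store.get(path);
        if (p == null) throw new IllegalArgumentException("no such post: " + path);
        return p.body();
    }

    // Creating a post records the authenticated caller as its owner.
    public void create(Principal caller, String path, String body) {
        requireAuthenticated(caller);
        if (store.putIfAbsent(path, new Post(caller.getName(), body)) != null)
            throw new IllegalStateException("already exists: " + path);
    }

    // Only the recorded owner may edit; the owner field itself is never rewritten.
    public void update(Principal caller, String path, String body) {
        requireAuthenticated(caller);
        Post p = store.get(path);
        if (p == null) throw new IllegalArgumentException("no such post: " + path);
        if (!p.owner().equals(caller.getName()))
            throw new SecurityException(caller.getName() + " does not own " + path);
        store.put(path, new Post(p.owner(), body));
    }

    private static void requireAuthenticated(Principal caller) {
        if (caller == null) throw new SecurityException("anonymous write refused");
    }

    public static void main(String[] args) {
        BlogPostDao dao = new BlogPostDao();
        Principal alice = () -> "alice", bob = () -> "bob"; // constructed sample users
        dao.create(alice, "/blog/alice/first", "draft");
        dao.update(alice, "/blog/alice/first", "published");
        try {
            dao.update(bob, "/blog/alice/first", "edited by bob");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println(dao.read("/blog/alice/first"));
    }
}
```

The check only holds if every write path goes through the DAO; any component that opens its own session on the repository bypasses it.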



