Hi all,

On Thursday, 21.02.2008, at 16:50 +0100, David Nuescheler wrote:
> I would argue that a proper architecture would be to use the
> repository authentication to go directly to ldap. Since this would
> allow you to use the repository users for access control.
>
> This is exactly how we integrated it in our commercial content
> repository [1] (which is based on jackrabbit) and I would argue that
> this is the only proper way of dealing with authentication in sling since this
> would allow the repository to reflect particularly read privileges properly
> for example in search results.
>
> In my mind one of the main purposes of using a content repository
> is to be able to ignore access control altogether on the application
> layer.

And this is how we do it in Sling: we authenticate against the repository and leave it to the repository how users are configured or how authentication is done down there.

Having said that, I suggest you look around in the Jackrabbit mail archives. One solution might be to make use of Jackrabbit's internal JAAS LoginModule support. See [1] or [2] for more on this.

Regards
Felix

[1] http://markmail.org/message/ovdsh2tuiq7tq4vw
[2] http://jackrabbit.apache.org/frequently-asked-questions.html#FrequentlyAskedQuestions-HowdoIuseLDAP%2CKerberos%2CorsomeotherauthenticationmechanismwithJackrabbit%3F

> regards,
> david
>
> [1] http://www.day.com/crx (testdrive here: http://jcr.day.com )
>
> On 2/21/08, Torgeir Veimo <[EMAIL PROTECTED]> wrote:
> >
> > On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
> >
> > >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> > >>> Does anyone have a working example of configuring Sling to use an
> > >>> external LDAP server for authentication?
> >
> > > On 2/21/08, Torgeir Veimo <[EMAIL PROTECTED]> wrote:
> > >> I'd assume this is sort of orthogonal to Sling at the moment?
> > >>
> > >> One option would be to employ something like Spring Security or
> > >> SecurityFilter with an appropriate LDAP realm impl. This would make
> > >> sure all requests would return something sane in the
> > >> getUserPrincipal() and isUserInRole() calls. You could then code
> > >> accordingly in your Sling components.
> > >
> > > I see. But using a servlet filter would not enforce security on the
> > > JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> > > and then handle authorization issues when Sling connects to
> > > Jackrabbit.
> >
> > If Jackrabbit actually supported any authorisation.. (I assume you
> > know it's planned for JCR 2.0, see also
> > https://issues.apache.org/jira/browse/JCR-1171)
> >
> > You can store ACLs as node children though (we currently do this,
> > but we don't enforce security through the AccessManager mechanism
> > provided by JCR itself but at a higher level).
> >
> > My general experience is that many applications might need the concept
> > of ownership (eg your blog posts are only editable by you), but that
> > read permissions are mostly set to world-readable. The concept of
> > ownership would be integral to your domain model, and should probably
> > be enforced as part of any DAO layer. If you need anything more
> > advanced than that, all access to the JCR nodes should go through a
> > proper DAO layer, also for reading, which would sort of make it wise
> > to use something else than Sling.
> >
> > --
> > Torgeir Veimo
> > [EMAIL PROTECTED]
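As an added illustration of the JAAS LoginModule route Felix points to, here is a hypothetical LoginModule that validates a repository login by performing an LDAP simple bind with the supplied user id and password. This is example code written for this page; it is neither Sling's nor Jackrabbit's own code, and the FAQ [2] does not ship it. It assumes two module options, `ldapUrl` and `userDnPattern` (names chosen here), and that the repository's CallbackHandler answers the standard `NameCallback`/`PasswordCallback` for `SimpleCredentials` logins (an assumption about the Jackrabbit wiring; check the version you run). It also shows the two checks a practitioner would want before trusting an LDAP bind for authentication: rejecting empty passwords, because a simple bind with a DN and an empty password is an *unauthenticated* bind that most directories report as success, and escaping the user id before splicing it into the bind DN.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS LoginModule: authenticates a repository login via an LDAP simple bind. */
public class LdapBindLoginModule implements LoginModule {

    /** Minimal Principal added to the Subject on success. Jackrabbit's default
     *  SimpleAccessManager treats any principal that is neither anonymous nor system
     *  as a regular user, so this example does not need a Jackrabbit-specific class. */
    public static final class LdapUserPrincipal implements Principal {
        private final String name;
        public LdapUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof LdapUserPrincipal && name.equals(((LdapUserPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String ldapUrl;        // option "ldapUrl" (assumed name), e.g. ldaps://ldap.example.org:636
    private String userDnPattern;  // option "userDnPattern" (assumed name), e.g. uid={0},ou=people,dc=example,dc=org
    private Principal principal;   // set by login(), attached to the Subject by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ldapUrl = (String) options.get("ldapUrl");
        this.userDnPattern = (String) options.get("userDnPattern");
    }

    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user id");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        String userId = nameCb.getName();
        char[] password = pwCb.getPassword();
        pwCb.clearPassword();
        // Reject empty credentials before talking to LDAP: a simple bind with a DN and an
        // empty password is an unauthenticated bind (RFC 4513 5.1.2) and usually "succeeds".
        if (userId == null || userId.isEmpty() || password == null || password.length == 0) {
            throw new FailedLoginException("missing user id or password");
        }
        // Escape the user id so "alice,ou=admins" cannot rewrite the bind DN.
        String dn = userDnPattern.replace("{0}", escapeRdnValue(userId));
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            DirContext ctx = new InitialDirContext(env);  // the constructor performs the bind
            ctx.close();
        } catch (NamingException e) {
            throw new FailedLoginException("LDAP bind failed for " + dn);
        } finally {
            Arrays.fill(password, '\0');
        }
        principal = new LdapUserPrincipal(userId);
        return true;
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }

    /** Escape a user-supplied attribute value for use inside a DN (RFC 4514). */
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == v.length() - 1));
            if (special) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
}
```

To wire it in, the FAQ [2] describes replacing the `<LoginModule class="...">` element in the `<Security>` section of repository.xml; the assumption here is that its `<param name="ldapUrl" .../>` children arrive as the `options` map passed to `initialize()`. Use an `ldaps://` URL or the password crosses the wire in clear. Note what this does and does not give you, which is the point Torgeir makes above: it authenticates the user against LDAP, but authorization is still whatever the configured AccessManager does, and the default one grants every authenticated user full access.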
