Hi there, I have been reading about Jackrabbit and its authentication and authorization capabilities. For the sake of clarity I will directly split and *limit my questions to the authentication part*.

Since Jackrabbit uses JAAS and I had no idea how JAAS works, I read (and understood, I think) and successfully executed the sample in http://download.oracle.com/javase/1.5.0/docs/guide/security/jaas/tutorials/index.html. Then I tried to extrapolate what I learned to Jackrabbit and established the following similarities (<=> means "corresponds to"):

- The sample code in the JAAS tutorial is executed through the following command (the relevant fields are marked with asterisks):

  java -classpath SampleAzn.jar:SampleAction.jar:SampleLM.jar *-Djava.security.manager* *-Djava.security.policy==/path/to/sampleazn.policy* *-Djava.security.auth.login.config==/path/to/sample_jaas.config* sample.SampleAcn

- SimpleSecurityManager (specified in repository.xml) <=> the SecurityManager specified by *-Djava.security.manager*. Not relevant so far for authentication, is it?

- security.xml <=> *-Djava.security.policy==/path/to/sampleazn.policy*. The policy is specified in the security.xml file. By the way, I did not find any link to the security.xml syntax, nor are samples provided with the Jackrabbit distributions. Any useful link?

- SimpleLoginModule (specified in repository.xml, and which *always returns true*, regardless of what parameters it gets) <=> *-Djava.security.auth.login.config==/path/to/sample_jaas.config* pointing to SampleLoginModule (a custom class provided in the JAAS tutorial which performs a very simple authentication: it checks whether the given username and password correspond to fixed strings).

- AccessManager (specified in repository.xml): not relevant so far for authentication, is it?

So, having downloaded the Jackrabbit sources and checked what happens using the Eclipse debugger, I would say that I must implement my own "SimpleLoginModule" with my own logic to determine whether authentication succeeds or not (looking up the username and password in a database, for example), and then specify it in the repository.xml file for Jackrabbit to use it. Would my guess be correct?

Would the procedure I described be the most convenient way to catch every authentication attempt (when getting the repository via WebDAV, RMI or JNDI, or accessing the contents through HTTP), or should I go deeper? Any hint about the correctness and convenience of my approach will be welcome, of course! Thanks in advance for your attention!
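One way to do what the post describes, as an added example (this is not code from the post or from Jackrabbit itself): a JAAS LoginModule that replaces SimpleLoginModule, which accepts any credentials, with one that actually verifies a user name and password before adding a UserPrincipal to the Subject. It assumes that Jackrabbit delivers the SimpleCredentials passed to Repository.login() through the standard NameCallback and PasswordCallback (this is what its CallbackHandlerImpl does in Jackrabbit 2.x; older releases use a Jackrabbit-specific CredentialsCallback), uses a constructed in-memory user table in place of the database lookup the post mentions, and the class name example.DbLoginModule is hypothetical.

```java
// Added example, not Jackrabbit's own code. Assumes the standard JAAS callbacks
// are served by Jackrabbit's callback handler; the user table is constructed
// sample data standing in for a database query. Wire it up in repository.xml
// (hypothetical class name):  <LoginModule class="example.DbLoginModule"/>
package example;

import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.jackrabbit.core.security.UserPrincipal;

public class DbLoginModule implements LoginModule {

    /** Salted SHA-256 password record, i.e. what a database row would hold. */
    private static final class Record {
        final byte[] salt, hash;
        Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Constructed sample table; a real module would SELECT the row by user name.
    private static final Map<String, Record> USERS = new HashMap<String, Record>();
    static {
        addUser("alice", "correct horse battery staple".toCharArray());
        addUser("bob", "hunter2".toCharArray());
    }

    private Subject subject;
    private CallbackHandler handler;
    private String userId;           // set in login(), consumed in commit()
    private UserPrincipal principal; // set in commit(), removed in logout()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user");
        PasswordCallback pwCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (Exception e) {
            throw new LoginException("credentials unavailable: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = pwCb.getPassword(); // getPassword() returns a copy
        pwCb.clearPassword();
        try {
            // Unlike SimpleLoginModule, an anonymous or empty login is rejected.
            if (name == null || password == null || !verify(name, password)) {
                throw new FailedLoginException("bad user name or password");
            }
        } finally {
            if (password != null) Arrays.fill(password, '\0');
        }
        userId = name;
        return true;
    }

    public boolean commit() {
        if (userId == null) return false;
        // Jackrabbit's access manager inspects the Subject's principals; a plain
        // UserPrincipal marks a regular (non-system, non-anonymous) user.
        principal = new UserPrincipal(userId);
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() { userId = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        userId = null;
        return true;
    }

    /** Constant-time check of the salted hash against the stored record. */
    static boolean verify(String name, char[] password) {
        Record r = USERS.get(name);
        // Hash even for unknown names so timing does not reveal which users exist.
        byte[] salt = r != null ? r.salt : new byte[16];
        byte[] candidate = hash(salt, password);
        return r != null && MessageDigest.isEqual(candidate, r.hash);
    }

    private static void addUser(String name, char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(name, new Record(salt, hash(salt, password)));
    }

    private static byte[] hash(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            // Encode via CharBuffer so no immutable String copy of the password is made.
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(password)));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The module is registered by replacing the SimpleLoginModule line inside the `<Security>` element of repository.xml with the `<LoginModule class="..."/>` line shown in the comment. Every transport (WebDAV, RMI, JNDI, the HTTP servlets) ends up calling Repository.login(), and that is the call that drives the JAAS login, so the module sees every authentication attempt; the AccessManager only matters afterwards, when the authenticated Subject's principals are checked against what it may read or write.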
