On Wed, Feb 9, 2011 at 4:54 PM, Alessandro Novarini <[email protected]> wrote: > Hello list, > > As promised, here a quick update and a not-so-quick question. > > I think we're almost done with the modeshape-server bundle, we fought a lot > with the class loading but now it looks good. > > But... > > We started this work assuming that replacing the jackrabbit-server bundle was > enough to have a sling working, as Carl also confirmed right below. > Probably we still miss something, but we are now struggling with > authentication and authorization; in particular two issues: > > ModeShape relies on JAAS to check for valid credentials, and at the moment > it's complaining that no configuration is found. > We tried to add a jaas config file, made Sling point to that file, but we > don't know if there are LoginModules already available or if we need to add > one to the classpath (we asked to ModeShape forum and they suggested to look > at JBoss Picketbox [1]). > > So at the moment we replaced the mechanism of authentication with a custom > one, and ModeShape is quite happy with that, even though we would like to > align the functionality with what Sling is using and is expecting by > jackrabbit. > We came across a strange side-effect there, because now from the web console > we cannot do anything without having Sling asking for a login. > Useless to say that whatever we enter, the login fails :( > > Going a step further... we're examining the class > org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider, > the one that tries to login to the repository passing a SimpleCredentials > (triggering the JAAS mechanism skipping our custom one) - method > authenticate(String, String). > > What scared us was the code just after the repository.login(creds): it seems > a bit implementation-dependent, since all the code is into an if (session > instanceof JackrabbitSession), otherwise the method will return null (no > success). > > Do you confirm what we are thinking, that even fixing our current issue, > we're going to have a "broken" web console?
AFAIK, the Web Console Security Provider bundle is completely optional. You can simply leave it out, and the web console will fall back to the standard authentication method (a configured single username/password pair, by default admin/admin). -- Vidar S. Ramdal <[email protected]> - http://www.idium.no Sommerrogata 13-15, N-0255 Oslo, Norway + 47 22 00 84 00 Quando omni flunkus moritatus!
