Hi Dan
Thank you for the feedback! I will look into your comments, and might follow up 
with you later.
- Cris

> On Feb 25, 2020, at 9:52 PM, Daniel Klco <daniel.k...@gmail.com> wrote:
> 
> Hey Chris,
> 
> This looks like a really good start! A couple of thoughts:
> 
>   - It looks like a lot of exceptions are re-thrown as Runtime exceptions,
>   which IMO tends to obscure expected exception handling. It looks like this
>   is WIP, but I wanted to call it out.
>   - You may want to look at the Dynamic Class Loader Manager:
> https://sling.apache.org/apidocs/sling8/org/apache/sling/commons/classloader/DynamicClassLoaderManager.html
>   - One thing to think about is how to store group membership. Due to a
>   certain project that some of the Jackrabbit folks are aware of, I've found
>   out quite painfully that the default Jackrabbit group membership has a hard
>   limit to the number of user -> group associations before performance gets
>   geometrically worse. You'll want to make sure your implementation supports
>   dynamic group membership if your user count is going to get into the
>   hundreds of thousands:
> https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html
> 
> Hope this helps and thanks for taking this on!
> 
> On Tue, Feb 25, 2020 at 5:14 AM Robert Munteanu <romb...@apache.org> wrote:
> 
>> Hi Cris,
>> 
>> I am away until 9/3, I'll only be able to look into this then. Thanks!
>> Robert
>> 
>> ________________________________
>> From: Cris Rockwell <cmroc...@umich.edu>
>> Sent: Monday, 24 February 2020 19:07
>> To: users@sling.apache.org
>> Subject: Re: OIDC or SAML2 for Sling
>> 
>> Hi Robert
>> 
>> I sent an email to d...@sling.apache.org on 2/20/2020, but I can’t find my
>> message in the Dev Sling Mail Archive
>> <http://apache-sling.73963.n3.nabble.com/template/NamlServlet.jtp?macro=search_page&node=73966&query=SAML2&days=0>.
>> Maybe this email group only allows messages from certain approved people.
>> Whatever the reason, I’m responding to you again over Sling Users.
>> 
>> I continue my work to donate 'SAML2 Authentication Handler for Apache
>> Sling' to the Apache Sling Whiteboard. The project is located at:
>> 
>> https://github.com/cmrockwell/sling-whiteboard-saml/tree/sling-saml2-service-provider/saml-handler
>> 
>> 
>> 1. The implementation of the sample project
>> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
>> from the eBook A Guide to OpenSAML V3 <https://payhip.com/b/41Tw> is added
>> and functional as an AuthenticationHandler within Apache Sling; I will open
>> a PR. I can recommend this book to anyone looking for a useful and concise
>> primer for the OpenSAML V3 Java library.
>> 2. Next I will try to make use of the Default Sync Handler
>> <https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html>
>> to manage group membership and user attributes.
>> 3. Also on the todo list: the HTTP POST binding vs SOAP Binding. The
>> implementation in step 1 uses SOAP bindings.
>> 
>> It would be an honor if any of you experienced Sling developers and security
>> professionals would review and contribute your thoughts.
>> 
>> Best regards
>> Cris Rockwell
>> Applications Architect Sr
>> College of Literature, Science, and the Arts | University of Michigan
>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
>> Arbor, MI 48109
>> Desk: 734.763.6818 | Email: cmroc...@umich.edu
>> 
>> 
>> 
>>> On Feb 17, 2020, at 5:32 AM, Robert Munteanu <romb...@apache.org>
>> wrote:
>>> 
>>> Hi Cris,
>>> 
>>> (Feel free to send back to dev@sling as well, replying privately as you
>>> wrote privately).
>>> 
>>> The POM looks good to me. I would suggest moving to the latest parent
>>> bundle ( sling-bundle-parent 37 I think ) as it gives you Java 11
>>> support and better tooling.
>>> 
>>> Also, we should not introduce new Maven repositories as part of our
>>> bundles, since that does not work for every setup. For instance,
>>> building behind a 'catch-all' Maven mirror that does not have the
>>> custom repository set up will fail. I see that the artifacts you
>>> referenced are already on Maven Central, so it's probably just a
>>> leftover.
>>> 
>>> As to your choice of library, I think that is fine. I am not very much
>>> aware of the current landscape anyway, but as long as the license is
>>> fine, it does what we need and has a reasonable community behind it,
>>> all is well.
>>> 
>>> What I think would also be helpful is a high-level diagram/explanation
>>> of the goals of the bundle, e.g.
>>> 
>>> - will allow Sling applications to authenticate users against Oauth2
>>> servers such as ....
>>> - will allow sync of user attributes from OIDC providers such as ...
>>> 
>>> (I may have gotten these totally wrong due to my lack of knowledge :-) )
>>> 
>>> Thanks!
>>> 
>>> Robert
>>> 
>>> 
>>> On Fri, 2020-02-14 at 16:33 -0500, Cris Rockwell wrote:
>>>> Hi Robert
>>>> 
>>>> I’ve just started the project. Perhaps you can advise about the
>>>> project setup.
>>>> 
>>>> The pom.xml
>>>> 
>>>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/pom.xml
>>>> 
>>>> One test
>>>> 
>>>> https://github.com/cmrockwell/sling-whiteboard/blob/sling-saml2-service-provider/saml-handler/src/test/java/org/apache/sling/auth/saml2/JCETest.java
>>>> 
>>>> Regards
>>>> Cris Rockwell
>>>> Application Architect Senior
>>>> College of Literature, Science, and the Arts | University of
>>>> Michigan
>>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>>>> Arbor MI 48109
>>>> p: 734.763.6818
>>>> 
>>>>> On Feb 13, 2020, at 1:16 PM, Cris Rockwell <cmroc...@umich.edu>
>>>>> wrote:
>>>>> 
>>>>> Thanks for the feedback, Robert. I could not agree more with your
>>>>> suggestions.
>>>>> 
>>>>> In terms of selecting a vetted library to do the bulk of the work:
>>>>> 
>>>>> The University of Michigan is a member of Internet2 and the
>>>>> Shibboleth Consortium. These organizations maintain OpenSaml,
>>>>> which is Apache licensed. I am very comfortable with the library’s
>>>>> license, origin and maintenance.
>>>>> 
>>>>> https://www.internet2.edu/communities-groups/members/higher-education/all/all/all
>>>>> https://www.shibboleth.net/consortium/
>>>>> OpenSaml is a very widely used Java library even outside of higher
>>>>> education. A quick search shows many Apache projects including it
>>>>> as a dependency, such as Apache Web Services Security for Java,
>>>>> Apache ServiceMix, Apache TomEE, and others.
>>>>> 
>>>>> https://issues.apache.org/jira/browse/CXF-5015?jql=text%20~%20%22opensaml%22
>>>>> 
>>>>> MVN shows at least 164 usages of V2
>>>>> (https://mvnrepository.com/artifact/org.opensaml/opensaml/usages).
>>>>> Version 3 of the library is modular, and each of the modules (Core,
>>>>> SAML Provider API, etc.) is listed separately
>>>>> (https://mvnrepository.com/artifact/org.opensaml).
>>>>> 
>>>>> In terms of selecting a vetted library, I think OpenSaml V3 meets
>>>>> the criteria. But how else would you vet the library?
>>>>> 
>>>>> As you probably know, OpenSAML is a low level library useful for
>>>>> building SAML solutions and not a complete product by itself. For
>>>>> example, Shibboleth is an open source product implemented in part
>>>>> using OpenSAML. This is good from an open development perspective,
>>>>> because features can be developed using a piecemeal process. The
>>>>> Sling maintainers should not need to take a leap of faith about
>>>>> anything related to the framework's security.
>>>>> 
>>>>> 
>>>>> Regarding Whiteboard development, I am reviewing the examples about
>>>>> how this works: https://github.com/apache/sling-whiteboard/pull/14
>>>>> I forked Sling Whiteboard and will create a branch for developing
>>>>> the feature.
>>>>> 
>>>>> I have to give more thought about how to make the module easy to
>>>>> test and incorporate in the Sling starter.
>>>>> 
>>>>> Regards
>>>>> Cris Rockwell
>>>>> Application Architect Senior
>>>>> College of Literature, Science, and the Arts | University of
>>>>> Michigan
>>>>> LSA Technology Services | 6503 Haven Hall, 505 S. State Street, Ann
>>>>> Arbor MI 48109
>>>>> p: 734.763.6818
>>>>> 
>>>>>> On Feb 13, 2020, at 10:13 AM, Robert Munteanu <romb...@apache.org> wrote:
>>>>>> 
>>>>>> Hi Cris,
>>>>>> 
>>>>>> I would be very happy to see OIDC/SAML2 support in Sling. As
>>>>>> mentioned, there were a couple of initiatives, but none of them
>>>>>> completed.
>>>>>> 
>>>>>> If anyone decides to give the implementation a shot, it would be
>>>>>> important to:
>>>>>> 
>>>>>> - use vetted libraries that do the bulk of the work. I think this
>>>>>> was a problem with some of the earlier approaches
>>>>>> - develop as much in the open as possible. The Sling whiteboard
>>>>>> is a good option; also a personal repo is ok if the intention is to
>>>>>> contribute to Sling
>>>>>> - make the module easy to test and incorporate in the Sling
>>>>>> starter
>>>>>> 
>>>>>> I am available to review and incorporate this contribution, and
>>>>>> definitely there are others around.
>>>>>> 
>>>>>> Thanks,
>>>>>> Robert
>>>>>> 
>>>>>> On Wed, 2020-02-12 at 16:27 -0500, Cris Rockwell wrote:
>>>>>>> Hi Robert
>>>>>>> 
>>>>>>> I would like to follow up with you about adding SAML2 SP (Service
>>>>>>> Provider) support to Apache Sling.
>>>>>>> 
>>>>>>> Our team reviewed security requirements with the leading identity
>>>>>>> provider (IDP) administrator at the University. His suggestion was
>>>>>>> to use SAML2 (or OIDC) and skip the LDAP authentication idea. We
>>>>>>> have been using SAML2 for many years with other applications. It
>>>>>>> seems SAML2 for open and closed source Java Enterprise applications
>>>>>>> is very common, so I feel good about requesting SAML2 SP support
>>>>>>> for Apache Sling.
>>>>>>> 
>>>>>>> To start, I am studying the eBook OpenSAML V3 mentioned on the
>>>>>>> Shibboleth website
>>>>>>> <https://wiki.shibboleth.net/confluence/display/OS30/Home>. The
>>>>>>> eBook discusses a sample project
>>>>>>> <https://bitbucket.org/srasmusson/webprofile-ref-project-v3/src/master/>
>>>>>>> and covers various aspects of using the OpenSaml3 Java library.
>>>>>>> 
>>>>>>> * Authentication request using HTTP Redirect Binding
>>>>>>> * Assertion transported using HTTP Artifact Binding
>>>>>>> * SAML Artifact transported using HTTP Redirect Binding
>>>>>>> 
>>>>>>> If you or others have thoughts or recommendations for me about how
>>>>>>> to make this happen, please let me know.
>>>>>>> 
>>>>>>> Thanks
>>>>>>> Cris Rockwell, App Sys Analyst/Programmer Sr
>>>>>>> College of Literature, Science, and the Arts | University of
>>>>>>> Michigan
>>>>>>> LSA Technology Services | 6503 Haven Hall | 505 S. State Street
>>>>>>> | Ann Arbor, MI 48109
>>>>>>> Desk: 734.763.6818 | Email: cmroc...@umich.edu
>>>>>>> 
>>>>>>>> On Dec 19, 2019, at 12:00 PM, Robert Munteanu <romb...@apache.org>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Hi Cris,
>>>>>>>> 
>>>>>>>> Hopefully the LDAP authentication will fulfill your requirements.
>>>>>>>> Once you're done, it would be interesting to discuss (privately,
>>>>>>>> if you prefer) what gaps you identified in the authentication
>>>>>>>> support we offer.
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Robert
>>>>>>>> 
>>>>>>>> On Thu, 2019-12-12 at 09:45 -0500, Cris Rockwell wrote:
>>>>>>>>> Hi Robert
>>>>>>>>> 
>>>>>>>>> Thank you for your offer to guide an OIDC and/or SAML2 Sling
>>>>>>>>> Authentication Handler implementation. Long term, I could also
>>>>>>>>> see contributing to a peer reviewed initiative to securely add
>>>>>>>>> the features to Sling applications. After some thought, I might
>>>>>>>>> follow up with you about this out of band.
>>>>>>>>> 
>>>>>>>>> In the short run, perhaps Oak’s LDAP authentication will support
>>>>>>>>> the features we need.
>>>>>>>>> 
>>>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
>>>>>>>>> https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
>>>>>>>>> 
>>>>>>>>> Thanks all.
>>>>>>>>> Cris R
>>>>>>>>> 
>>>>>>>>>> On Dec 11, 2019, at 11:58 AM, Robert Munteanu <romb...@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>> On Wed, 2019-12-11 at 11:38 -0500, Cris Rockwell wrote:
>>>>>>>>>>> "What exactly would you need to manage JCR-based controls? I
>>>>>>>>>>> would imagine that mapping users to JCR groups based on
>>>>>>>>>>> whatever data your identity solution provides and then
>>>>>>>>>>> creating access based on ACLs only would satisfy your
>>>>>>>>>>> request."
>>>>>>>>>>> 
>>>>>>>>>>> We need to manage a few things at the identity provider:
>>>>>>>>>>> 1. User attributes: username, name, email, phone, maybe a few
>>>>>>>>>>> other pieces of data about the user.
>>>>>>>>>>> 2. Group membership
>>>>>>>>>>> 
>>>>>>>>>>> When the user signs in, with SAML2 there is encrypted metadata
>>>>>>>>>>> which contains that information. Upon sign in, Sling users
>>>>>>>>>>> should be created, their user attributes updated and the user
>>>>>>>>>>> should be added to or removed from Sling group membership. Once
>>>>>>>>>>> the user has signed in, then access is granted as usual using
>>>>>>>>>>> JCR-based ACLs applied for the groups.
>>>>>>>>>> 
>>>>>>>>>> Right, I see that there is no support for that in the keycloak
>>>>>>>>>> handler, as it was presented [1].
>>>>>>>>>> 
>>>>>>>>>> I don't think there is any out-of-the-box support for what
>>>>>>>>>> you're looking for.
>>>>>>>>>> 
>>>>>>>>>> I would be happy to guide anyone willing to implement such
>>>>>>>>>> functionality though.
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> Robert
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> [1]:
>>>>>>>>>> https://github.com/netdava/adapt-to-2018-keycloak-sling-presentation/tree/master/adapt-to-2018-sling-keycloak/org-apache-sling-auth-keycloak
