Posted to jetspeed-dev@portals.apache.org by vk...@apache.org on 2008/10/28 11:11:23 UTC
svn commit: r708504 [1/3] - in /portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security: ./ images/ images/ldap/
Author: vkumar
Date: Tue Oct 28 03:11:22 2008
New Revision: 708504
URL: http://svn.apache.org/viewvc?rev=708504&view=rev
Log:
Moving components jetspeed-security xdoc document to new location
Added:
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/hierarchy.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/high-level-services.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/add-user.jpg (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/arch-overview.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/atn-arch-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/atn-provider-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/atn-spi-arch-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/atz-provider-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/components.jpg (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/credential-handler-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/default-login-module-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/group-security-handler-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/j2-admin-user-mgt.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap-client-connection.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupFilterBase.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupMembershipAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupMembershipAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupMembershipForRoleAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupMembershipForRoleAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/GroupObjectClasses.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/IdAttributes.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/ObjectFilterBase.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleFilterBase.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleGroupMembershipForRoleAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleGroupMembershipForRoleAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleMembershipAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleMembershipAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/RoleObjectClasses.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserFilterBase.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserGroupMembershipAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserGroupMembershipAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserIdAttribute.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserObjectClasses.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserRoleMembershipAttributes1.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/UserRoleMembershipAttributes2.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/rootPassword.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/ldap/userUidAttribute.png (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/password-expiration.jpg (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/permission-mgr-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/permissions-principals-om-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/permissions-principals-schema.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/principals-credentials-schema.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/rdbms-policy-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/rdbms-policy-overview-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/role-security-handler-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/security-locator.jpg (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/security-mapping-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/security-provider-c.gif (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/images/user-detail-prefs.jpg (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/index.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/ldap.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/login-module.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/permission.xml (with props)
portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/tasks.xml (with props)
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Architecture Overview</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Architecture Overview">
+ <p>
+ Jetspeed 2 security leverages J2EE authentication and authorization standards for both authentication
+ and authorization through the implementation of a default <code>LoginModule</code> and a default authorization
+ <code>Policy</code>.
+ </p>
+ <p>
+ Authentication establishes the identity of the user and populates the <code>Subject</code> with all
+ the user principals. In a portal context, the populated <code>Subject</code> is added to the session
+ in the <code>org.apache.jetspeed.security.SecurityValve</code> implementation. The <code>Subject</code>
+ principals are then used to authorize the user's access to a given resource. It leverages JAAS authorization
+ by checking the user's permission with the
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html">AccessController</a>. More details
+ on authorization are provided in the <a href="atz-jaas.html">JAAS authorization section</a> of this documentation.
+ </p>
+ <p>
+ The following diagram describes the high level security architecture:
+ </p>
+ <p align="center">
+ <img src="images/arch-overview.gif" border="0" />
+ </p>
+ <p>
+ Configuration files for each component areas are specified. For more information, go to the documentation
+ section on <a href="config.html">configuration</a>.
+ </p>
+ <p>
+ Jetspeed security architecture is fully JAAS compliant. Developers can replace Jetspeed security
+ architecture with their own <code>LoginModule</code> and <code>Policy</code> implementation. Jetspeed
+ implementation provides management programming and user interfaces as well as an SPI model to facilitate
+ its extension.
+ </p>
+ </section>
+ </body>
+</document>
\ No newline at end of file
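Review bot: the sentence "Configuration files for each component areas are specified" is ungrammatical and tells the reader nothing about which files exist; suggest "Each component area has its own configuration file; see the configuration section." Since this page states that the populated Subject is stored in the HTTP session by org.apache.jetspeed.security.SecurityValve, the reader will also want to know whether the session is renewed at login and when the Subject is removed again (logout, timeout); a sentence on that would make the trust boundary explicit. Smaller points: the AccessController link targets the J2SE 1.4.2 Javadoc, which is end-of-life, so point it at a current JDK API URL; and the file is added without a trailing newline (the "\ No newline at end of file" marker), which svn:eol-style = native will not repair, so add one before committing.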
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/arch.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,93 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Authentication SPI</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Authentication SPI Overview">
+ <p>
+ The authentication SPI provides the implementation for managing user principals and their credentials and provides the underlying
+ <code>UserManager</code>
+ coarsed service implementation.
+ </p>
+ <p>
+ The authentication SPI also provides a mechanism for managing users across multiple datastore. The class diagram below describes how the
+ authentication SPI relates to the
+ <code>UserManager</code>
+ .
+ </p>
+ <p>
+ <img src="images/atn-spi-arch-c.gif" border="0" />
+ </p>
+ </section>
+ <section name="Authentication SPI Components">
+ <p>The authentication SPI implements the following components:</p>
+ <table>
+ <tr>
+ <th>Component</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>
+ <code>AuthenticationProviderProxy</code>
+ </td>
+ <td>
+ A proxy to the various
+ <code>AuthenticationProvider</code>
+ implementations. The
+ <code>AuthenticationProviderProxy</code>
+ is responsible of invoking the correct
+ <code>AuthenticationProvider</code>
+ to authenticate or manage a specific user against a specific data store.
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <code>AuthenticationProvider</code>
+ </td>
+ <td>
+ Exposes a specific authentication and user management services implementation. Jetspeed 2
+ provides 2 implementations: RDBMS and LDAP. Multiple authentication providers
+ can be provided through configuration. For more information,
+ see the <a href="config.html#security-providers_xml">security providers</a> configuration.
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <code>CredentialHandler</code>
+ </td>
+ <td>
+ See <a href="config.html#security-spi-atn_xml">security-spi-atn.xml</a> configuration.
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <code>UserSecurityHandler</code>
+ </td>
+ <td>
+ See <a href="config.html#security-spi-atn_xml">security-spi-atn.xml</a> configuration.
+ </td>
+ </tr>
+ </table>
+ </section>
+ </body>
+</document>
\ No newline at end of file
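Review bot: the CredentialHandler and UserSecurityHandler rows of the component table carry no description, only a link to security-spi-atn.xml, so the table never says what these two SPI components are responsible for; give each row a one-sentence description in the style of the AuthenticationProviderProxy and AuthenticationProvider rows above (from the names one would expect credential storage/verification and user principal lookup, but the page should state it). Wording: "coarsed service" should be "coarse-grained service" (in the overview paragraph), "multiple datastore" should be "multiple data stores", "responsible of invoking" should be "responsible for invoking", and the "." on its own line after the second <code>UserManager</code> will render as a space before the full stop. Same missing trailing newline as arch.xml.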
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn-spi.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,78 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Login Module</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Authentication Architecture Overview">
+ <p>
+ For authentication, Jetspeed 2 leverages Java
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/spi/LoginModule.html">LoginModule</a>
+ architecture. It provides a <a href="login-module.html">DefaultLoginModule</a> implementation and a
+ flexible architecture to be able to authenticate user against multiple user repositories and provide user
+ management capabilities across those repository. A <code>UserManager</code> provides a set of coarsed
+ services for authenticating and managing users. The class diagram below illustrates how the
+ <code>UserManager</code> provides authentication to the <code>DefaultLoginModule</code> and leverages
+ the <a href="atn-spi.html">Authentication SPI</a> to interact with various implementation and user stores.
+ </p>
+ <p>
+ <img src="images/atn-arch-c.gif" border="0" />
+ </p>
+ <p>
+ The various components described above fulfill the following functions:
+ <table>
+ <tr>
+ <th>Component</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td><code>DefaultLoginModule</code></td>
+ <td>Jetspeed 2 default <a href="login-module.html">LoginModule</a> implementation which
+ leverages the <code>authenticate()</code> method of the <code>UserManager</code> to provide
+ authentication against the various <code>AuthenticationProvider</code> implementation currently
+ configured.</td>
+ </tr>
+ <tr>
+ <td><code>UserManager</code></td>
+ <td>Coarsed service providing authentication and user management. The <code>UserManager</code>code>
+ leverages the various <code>AuthenticationProvider</code> implementations exposed to it through
+ the <code>AuthenticationProviderProxy</code> through the <code>SecurityProvider</code>.
+ </td>
+ </tr>
+ <tr>
+ <td><code>SecurityProvider</code></td>
+ <td>Provides access to the security providers exposing SPI implementation to the coarsed security
+ services.
+ </td>
+ </tr>
+ <tr>
+ <td><code>AuthenticationProviderProxy</code></td>
+ <td>A proxy to the various <code>AuthenticationProvider</code> implementations. The <code>AuthenticationProviderProxy</code>
+ is responsible of invoking the correct <code>AuthenticationProvider</code> to authenticate or manage
+ a specific user against a specific data store.</td>
+ </tr>
+ </table>
+ </p>
+ </section>
+
+ </body>
+</document>
\ No newline at end of file
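Review bot: there is a stray "code>" left after </code> in the UserManager row ("<code>UserManager</code>code>"), which will render as literal text; remove it. The <properties> title says "Login Module" but this page is the authentication architecture overview (the login-module page is linked separately from it), so change the title to match the section name. The <table> is nested inside a <p>, which is not valid XHTML and may render oddly after the xdoc transform; close the paragraph before the table. Wording: "coarsed" should be "coarse-grained", "authenticate user against" should be "authenticate users against", "across those repository" should be "across those repositories", and "various implementation" should be "various implementations". Same missing trailing newline as the other files.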
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atn.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,177 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Login Module</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Overview of JAAS Authorization">
+ <p>
+ A good overview of JAAS authorization is provided on
+ <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc2.html">Sun's web site</a>
+ . At a high level, JAAS authorization leverages:
+ <ul>
+ <li>
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Permission.html">Permission</a>
+ that associates actions to resources.
+ </li>
+ <li>
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html">Principal</a>
+ that represents an entity in the system. In Jetspeed 2, 3 principals are used to represent users, roles and groups.
+ </li>
+ <li>
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Policy.html">Policy</a>
+ that associates principals to permissions.
+ </li>
+ </ul>
+ </p>
+ <p>
+ Jetspeed 2 provides a custom policy implemention that allow the portal to secure resources as follow:
+ <source>
+ <![CDATA[
+grant principal o.a.j.security.UserPrincipal "theUserPrincipal" {
+ permission o.a.j.security.PagePermission "mypage", "view";
+ permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+ permission o.a.j.security.TabPermission "mytab", "view";
+};
+
+grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
+ permission o.a.j.security.PagePermission "mypage", "view";
+ permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+ permission o.a.j.security.TabPermission "mytab", "view";
+};
+
+grant principal o.a.j.security.GroupPrincipal "theGroupPrincipal" {
+ permission o.a.j.security.PagePermission "mypage", "view";
+ permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+ permission o.a.j.security.TabPermission "mytab", "view";
+};]]>
+ </source>
+ </p>
+ <p>
+ The custom security policy provides a
+ <code>java.security.Policy</code>
+ implementation that stores the association between principals and permissions in a relational database as opposed to leveraging the default JDK
+ policy. In the case of Sun's JDK, the default policy is
+ <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html#DefaultImpl">sun.security.provider.PolicyFile</a>
+ a file based policy.
+ </p>
+ <p>
+ In the code sample above, the
+ <code>UserPrincipal</code>
+ identify with the
+ <code>Principal.getName()</code>
+ "theUserPrincipal" has permission to "view" the page called "mypage", to "view,edit,minimize,maximize"
+ the portlet portlet called "myportlet"
+ </p>
+ <p>
+ The
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html">AccessController</a>
+ validates a
+ <code>Subject</code>
+ permissions. For instance, a page permission check would perform the following check:
+ <source>
+ <![CDATA[
+PagePermission permission = new PagePermission(path, actions);
+AccessController.checkPermission(permission);
+ ]]>
+ </source>
+ </p>
+ </section>
+ <section name="Jetspeed JAAS Policy">
+ <p>
+ The
+ <code>RdbmsPolicy</code>
+ implements
+ <code>java.security.Policy</code>
+ . It leverages the
+ <code>PermissionManager</code>
+ to get the permissions associated with a given
+ <code>Subject</code>
+ principals.
+ <source>
+ <![CDATA[
+pms.getPermissions(user.getPrincipals());
+ ]]>
+ </source>
+ The class diagram below illustrate the association between the
+ <code>RdbmsPolicy</code>
+ and the
+ <code>PermissionManager</code>
+ .
+ </p>
+ <p>
+ A good article on custom policies implementation is available on
+ <a href="http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442">IBM web site</a>
+ .
+ </p>
+ <p>
+ <img src="images/rdbms-policy-c.gif" border="0" />
+ </p>
+ <p>
+ To get more detail about the implementation of the
+ <code>PermissionManager</code>
+ , see
+ <a href="permission.html">PermissionManager Overview</a>
+ .
+ </p>
+ <p>
+ <u>Note:</u>
+ The current
+ <code>RdbmsPolicy</code>
+ manages the policies to apply. It applies
+ <code>RdbmsPolicy</code>
+ in conjunction with the default policy configured in the runtime environment. Jetspeed 2 should explore providing
+ <a href="http://java.sun.com/j2ee/javaacc/index.html">JACC</a>
+ adapters for its custom policy for specific application servers.
+ </p>
+ </section>
+ <section name="Authorization Provider and Policy Configuration">
+ <p>
+ The
+ <code>AuthorizationProvider</code>
+ configures the authorization policies to be used by Jetspeed 2 and keeps the list of such policies in the
+ <code>SecurityPolicies</code>
+ singleton. The
+ <code>RdbmsPolicy</code>
+ when getting the permissions for access control will execute its policy as well as all the policies configured in
+ <code>SecurityPolicies</code>
+ . If the
+ <code>AuthorizationProvider</code>
+ was constructed with
+ <code>useDefaultPolicy</code>
+ set to true, the default JDK or application server policy will be applied when getting the permissions.
+ </p>
+ <p>
+ <u>Note:</u>
+ The
+ <code>RbmsPolicy</code>
+ permission check is concerned about the principals associated to the
+ <code>Subject</code>, therefore where performing an access control check,
+ the check should be performed with the following call:
+ <code>doAsPrivileged(theSubject, anAction, null)</code>. By passing a null
+ <code>AccessContolContext</code>, the caller is essentially saying:
+ "I don't care who called me, the only important thing is whether I have permission when associated with the
+ given subject".
+ </p>
+ </section>
+ </body>
+</document>
\ No newline at end of file
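Review bot: the closing note about doAsPrivileged(theSubject, anAction, null) is the security-critical part of this page and needs one more sentence: passing a null AccessControlContext drops the calling stack's protection domains from the check, so the outcome depends only on the Subject's principals, which in turn means the code that issues the check must itself not be reachable from untrusted callers; it would also help to write the full call, Subject.doAsPrivileged(...), so the reader knows which class it belongs to. Typos to fix in this hunk: "RbmsPolicy" should be "RdbmsPolicy", "AccessContolContext" should be "AccessControlContext", "implemention that allow the portal to secure resources as follow" should be "implementation that allows the portal to secure resources as follows", "the portlet portlet called" should be "the portlet called", and that sentence stops after "myportlet" without mentioning the TabPermission grant or a full stop. The title "Login Module" is wrong for this page (it is the JAAS authorization page), and the <ul> and <source> elements are nested inside <p>, which is invalid XHTML.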
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-jaas.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,88 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Authorization/Security Mapping SPI</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Authorization/Security Mapping SPI Overview">
+ <p>
+ The authorization SPI provides the implementation to support Jetspeed 2 users, roles and groups associations and the roles/groups hierarchy
+ policy. It provides the underlying mechanism to support the implementation of the
+ <code>RoleManager</code>
+ and
+ <code>GroupManager</code>
+ .
+ </p>
+ <p>
+ As described in the
+ <a href="index.html">security overview</a>
+ , Jetspeed support hierarchical role based access control with configurable hierarchy policies.
+ </p>
+ <p>First, let's have a look at a class diagram of the authorization SPI:</p>
+ <p>
+ <img src="images/security-mapping-c.gif" border="0" />
+ <br />
+ <br />
+ <img src="images/role-security-handler-c.gif" border="0" />
+ <br />
+ <br />
+ <img src="images/group-security-handler-c.gif" border="0" />
+ <br />
+ <br />
+ </p>
+ </section>
+ <section name="Authorization SPI Components">
+ <p>The authorization SPI implements the following components:</p>
+ <table>
+ <tr>
+ <th>Component</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.SecurityMappingHandler</td>
+ <td>
+ See <a href="config.html#security-spi-atz_xml">security-spi-atz.xml</a> configuration.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.HierarchyResolver</td>
+ <td>
+ See <a href="hierarchy.html">hierarchy management</a>.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.RoleSecurityHandler</td>
+ <td>
+ See <a href="config.html#security-spi-atz_xml">security-spi-atz.xml</a> configuration.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.GroupSecurityHandler</td>
+ <td>
+ See <a href="config.html#security-spi-atz_xml">security-spi-atz.xml</a> configuration.
+ </td>
+ </tr>
+
+ </table>
+ </section>
+ </body>
+</document>
\ No newline at end of file
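Review bot: three of the four rows in the component table (SecurityMappingHandler, RoleSecurityHandler, GroupSecurityHandler) have no description, only a link to the configuration page, so the table does not document what each handler does; add a sentence per row as the atn-spi page does for its first two components. The component names are given here as bare fully qualified class names while the other SPI page wraps the simple names in <code>; pick one convention for both pages. "Jetspeed support hierarchical role based access control" should read "Jetspeed supports hierarchical role-based access control", and there is a stray blank line inside the <table> before </table>. Same missing trailing newline.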
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz-spi.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Login Module</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Authorization Overview">
+ <p>
+ For auhorization, Jetspeed 2 implements its own
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Policy.html">java.security.Policy</a> using
+ a relation database store to manage associations between principals and permissions.
+ </p>
+ <p align="center">
+ <img src="images/rdbms-policy-overview-c.gif" border="0" />
+ </p>
+ <p>
+ The <code>PermissionManager</code> provides access to the permissions associated to given principals.
+ </p>
+ <p>
+ <ul>
+ <li>The <a href="atz-jaas.html">JAAS Authorization</a> provides an overview of the authorization aspect of JAAS.</li>
+ <li>The <a href="permission.html">PermissionManager Overview</a> documents the <code>PermissionManager</code> implementation.</li>
+ </ul>
+ </p>
+ </section>
+
+ </body>
+</document>
\ No newline at end of file
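Review bot: the <title> at the top of atz.xml reads "Jetspeed 2 Security - Login Module" while the only section in the file is "Authorization Overview"; this looks copied from the authentication document and should say something like "Jetspeed 2 Security - Authorization". Further fixes in this hunk: "For auhorization" should be "For authorization" and "a relation database store" should be "a relational database store"; the <ul> is nested directly inside a <p>, which is not valid XHTML and renders inconsistently (close the <p> before the list, as the security-providers.xml subsection of config.xml already does); the link to permission.html targets a file that is not among those added in this part of the move, so confirm it is carried over in parts 2/3 or 3/3; and the file lacks a trailing newline. Because the whole authorization model rests on a custom java.security.Policy, one sentence saying whether the RdbmsPolicy replaces or chains with the JVM's default policy (which the useDefaultPolicy flag documented in config.xml controls) would make the trust boundary clear to readers of this overview.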
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/atz.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,366 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security Services Configuration</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ <person name="Ate Douma" email="ate@douma.nu" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Default configuration">
+ <p>
+ Jetspeed 2 default security services configuration leverages a relational database as its default persitent datastore for security information.
+ Jetspeed 2 security service provider interface provides a mechanism to replace the default datastore configured.
+ </p>
+ <p>
+ 3 files are involved when configuring Jetspeed 2 security SPI. All the SPI configuration files are located under
+ <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i>
+ .
+ </p>
+ <subsection name="security-atn.xml">
+ <p>
+ This configuration file provides the login module configuration. Not everyone needs this, as some application may decide to use another
+ login module other than the one provided.
+ </p>
+ </subsection>
+ <subsection name="security-atz.xml">
+ <p>
+ This configuration file configures the authorization policy, in J2's case
+ <a href="atz-jaas.html">RdbmsPolicy</a>
+ .
+ </p>
+ </subsection>
+ <subsection name="security-managers.xml">
+ <p>This configuration file configures all the managers for security purpose.</p>
+ </subsection>
+ <subsection name="security-providers.xml">
+ <p>This configuration file configures the various providers and weaves the SPI together.</p>
+ <ul>
+ <li>
+ <code>AuthenticationProviderProxy</code>
+ : Configures the list of
+ <code>AuthenticationProvider</code>
+ and the default authenticator.
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProviderProxy"
+ class="org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl">
+ <constructor-arg >
+ <list>
+ <ref bean="org.apache.jetspeed.security.AuthenticationProvider"/>
+ </list>
+ </constructor-arg>
+ <constructor-arg><value>DefaultAuthenticator</value></constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ <li>
+ <code>AuthenticationProvider</code>
+ : Configures the authentication providers for the current portal implementation. The example below configures the default authenticator
+ that uses the RDBMS to manage/store user information.
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProvider"
+ class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl">
+ <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
+ <constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
+ <constructor-arg index="2"><value>login.conf</value></constructor-arg>
+ <constructor-arg index="3">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
+ </constructor-arg>
+ <constructor-arg index="4">
+ <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ <li>
+ <code>AuthorizationProvider</code>
+ : Configures the policies and instantiates the
+ <code>SecurityPolicies</code>
+ that are used for enforcing permissions. By default, Jetspeed 2 does not load any other
+ security policies that may have been configured. In order to use default policies, set
+ <code>useDefaultPolicy</code> to <code>true</code>
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthorizationProvider"
+ class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/>
+ </constructor-arg>
+ <!-- Does not use the default policy as a default behavior -->
+ <constructor-arg index="1"><value>false</value></constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ </ul>
+ </subsection>
+ <subsection name="security-spi.xml">
+ <p>This configuration file contains configuration that are common to the authentication and authorization SPIs.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.SecurityAccess</td>
+ <td>
+ Used internally by the default OJB based SPI. Provide access to common action/methods for the various SPI implementations. The
+ <i>SecurityAccess</i>
+ bean is used by both the Authentication and Authorization SPIs.
+ </td>
+ </tr>
+ </table>
+ </subsection>
+ <subsection name="security-spi-atn.xml">
+ <p>This configuration file contains all the configurations for configuring the authentication SPI.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.CredentialHandler</td>
+ <td>
+ The
+ <i>CredentialHandler</i>
+ encapsulates the operations involving manipulation of credentials. The default implementation provides support for password
+ protection as defined by the
+ <i>PasswordCredentialProvider</i>
+ ; as well as lifecycle management of credentials through
+ <i>InternalPasswordCredentialInterceptor</i>
+ which can be configured to manages parameters such as maximum number of authentication
+ failures, maximum life span of a credential in days and how much history to retain for a
+ given credential.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.UserSecurityHandler</td>
+ <td>
+ The
+ <i>UserSecurityHandler</i>
+ encapuslated all the operations around the user principals.
+ </td>
+ </tr>
+ </table>
+ <p>
+ The following simple <code>CredentialHandler</code> configuration is currently provided
+ by default with Jetspeed:</p>
+ <source><![CDATA[
+<!-- require a non-empty password -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
+ class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/>
+
+<!-- MessageDigest encode passwords using SHA-1 -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
+ class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
+ <constructor-arg index="0"><value>SHA-1</value></constructor-arg>
+</bean>
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+ class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+ <constructor-arg index="0">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent store is required to be changed -->
+ <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+ <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use -->
+ <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+ </list>
+ </constructor-arg>
+</bean>
+
+<bean id="org.apache.jetspeed.security.spi.PasswordCredentialProvider"
+ class="org.apache.jetspeed.security.spi.impl.DefaultPasswordCredentialProvider">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/>
+ </constructor-arg>
+ <constructor-arg index="1">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/>
+ </constructor-arg>
+</bean>
+
+<bean id="org.apache.jetspeed.security.spi.CredentialHandler"
+ class="org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+ </constructor-arg>
+ <constructor-arg index="1">
+ <ref bean="org.apache.jetspeed.security.spi.PasswordCredentialProvider"/>
+ </constructor-arg>
+ <constructor-arg index="2">
+ <ref bean="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"/>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ The above configuration requires not much more than that a password should not be
+ empty and MessageDigest encode it using SHA-1.</p>
+ <p>
+ Before the 2.0-M4 release, Jetspeed came configured with a much stricter configuration, but for
+ first time users of the Portal this was a bit overwelming and also quite difficult to configure
+ differently.</p>
+ <p>
+ With the 2.0-M4 release, the previously provided, and rather complex,
+ <code>InternalPasswordCredentialInterceptor</code> implementations are split up in single atomic
+ interceptors which can much easier be configured indepedently.</p>
+ <p>
+ An overview of the new interceptors and how related request processing pipeline valves can be
+ configured to provide feedback to the user is provided in the <a href="credentials.html">
+ Credentials Management</a> document.</p>
+ <p>
+ Since the "old" (pre 2.0-M4) interceptors are no longer provided with Jetspeed, the example below
+ shows how to "restore" the old setup using the new interceptors:</p>
+ <source><![CDATA[
+<!-- require a password of minimum length 6 and at least two numeric characters -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
+ class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">
+ <constructor-arg index="0"><value>6</value></constructor-arg>
+ <constructor-arg index="1"><value>2</value></constructor-arg>
+</bean>
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+ class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+ <constructor-arg index="0">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent store is required to be changed -->
+ <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+ <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use -->
+ <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+
+ <!-- remember the last 3 passwords used and require a new password to be different from those -->
+ <bean class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+ </bean>
+
+ <!-- Automatically expire a password after 60 days -->
+ <bean class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
+ <constructor-arg index="0"><value>60</value></constructor-arg>
+ </bean>
+
+ <!-- Automatically disable a password after 3 invalid authentication attempts in a row -->
+ <bean class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+ </bean>
+ </list>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ And, make sure something like the following configuration is set for the security related valves in
+ pipelines.xml:</p>
+ <source><![CDATA[
+<bean id="passwordCredentialValve"
+ class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"
+ init-method="initialize">
+ <constructor-arg>
+ <!-- expirationWarningDays -->
+ <list>
+ <value>2</value>
+ <value>3</value>
+ <value>7</value>
+ </list>
+ </constructor-arg>
+</bean>
+
+<bean id="loginValidationValve"
+ class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
+ init-method="initialize">
+ <!-- maxNumberOfAuthenticationFailures
+ This value should be in sync with the value for
+ org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor
+ (if used) to make sense.
+ Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
+ error code when only one last attempt is possible before the credential
+ will be disabled after the next authentication failure.
+ -->
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ Also, make sure the above valves are configured in the <code>jetspeed-pipeline</code> bean.</p>
+ <p>
+ See the <a href="credentials.html#User_interaction">User Interaction</a> section in the
+ Credentials Management document for a description of these valves and their relation to the
+ interceptors configuration.</p>
+ </subsection>
+ <subsection name="security-spi-atz.xml">
+ <p>This configuration file contains all the configurations for configuring the authorization SPI.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.RoleSecurityHandler</td>
+ <td>
+ The
+ <i>RoleSecurityHandler</i>
+ encapsulates all the operations around the role principals.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.GroupSecurityHandler</td>
+ <td>
+ The
+ <i>GroupSecurityHandler</i>
+ encapsulates all the operations around the group principals.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.SecurityMappingHandler</td>
+ <td>
+ The
+ <i>SecurityMappingHandler</i>
+ encapsulates all the operations involving mapping between principals. It contains the logic managing hierarchy resolution for
+ hierarchical principals (roles or groups). The default hierarchy resolution provided is a hierarchy by generalization (see overview
+ for definitions). A
+ <i>contructor-arg</i>
+ can be added to the
+ <i>SecurityMappingHandler</i>
+ to change the hierarchy resolution strategy. Jetspeed 2 also support a hierarchy resolution by aggregation.
+ </td>
+ </tr>
+ </table>
+ <p>
+ A sample
+ <code>SecurityMappingHandler</code>
+ configuration could be:
+ <source><![CDATA[
+<!-- Security SPI: SecurityMappingHandler -->
+<bean id="org.apache.jetspeed.security.spi.SecurityMappingHandler"
+ class="org.apache.jetspeed.security.spi.impl.DefaultSecurityMappingHandler">
+ <constructor-arg >
+ <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+ </constructor-arg>
+ <!-- Default role hierarchy strategy is by generalization.
+ Add contructor-arg to change the strategy. -->
+ <!-- Default group hierarchy strategy is by generalization.
+ Add contructor-arg to change the strategy. -->
+</bean>]]>
+ </source>
+ </p>
+ </subsection>
+ </section>
+ </body>
+</document>
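Review bot: the default CredentialHandler configuration in the security-spi-atn.xml subsection stores passwords as an unsalted, single-pass SHA-1 digest (MessageDigestCredentialPasswordEncoder with constructor-arg "SHA-1"), and the prose that follows ("requires not much more than that a password should not be empty and MessageDigest encode it using SHA-1") presents that as sufficient. The document should warn that a plain unsalted digest of a user password is weak against dictionary and precomputed-table attacks if the SECURITY_CREDENTIAL table leaks, and either name a stronger CredentialPasswordEncoder shipped with Jetspeed, if one exists, or state that a custom implementation of the CredentialPasswordEncoder interface is needed for a salted and iterated scheme. Related caveats worth a sentence each: EncodePasswordOnFirstLoadInterceptor leaves preset cleartext passwords in the store until the user first logs in, so it is a migration aid and the table should be checked afterwards; and MaxPasswordAuthenticationFailuresInterceptor with a value of 3 lets anyone who knows a user name disable that credential with three bad attempts, so the lockout trade-off and the procedure for re-enabling a disabled credential should be documented next to it. Factual fix: "3 files are involved when configuring Jetspeed 2 security SPI" is followed by seven subsections (security-atn.xml through security-spi-atz.xml). The AuthorizationProvider paragraph is contradictory as written ("does not load any other security policies" versus "In order to use default policies, set useDefaultPolicy to true"); say plainly that useDefaultPolicy=false means only the RdbmsPolicy is consulted and true also consults the JVM's default java.security.Policy. Typos: "persitent", "overwelming", "indepedently", "encapuslated", "persisent", "LoginConststants", "which can be configured to manages", "Jetspeed 2 also support", and "contructor-arg" (three times, two of them inside the SecurityMappingHandler sample comments that readers will paste into their own configuration). The final <source> block in security-spi-atz.xml sits inside a <p>, same XHTML problem as in atz.xml. Finally, this file gets only svn:keywords = Id in the Propchange below, not svn:eol-style = native like atz-spi.xml and atz.xml; set it for consistency.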
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/config.xml
------------------------------------------------------------------------------
svn:keywords = Id
Added: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml?rev=708504&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml (added)
+++ portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml Tue Oct 28 03:11:22 2008
@@ -0,0 +1,339 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security - Credentials Management</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ <person name="Ate Douma" email="ate@douma.nu" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Credentials Management Overview">
+ <subsection name="DefaultCredentialHandler Features">
+ <p>
+ With the Jetspeed <a href="apidocs/org/apache/jetspeed/security/spi/impl/DefaultCredentialHandler.html">
+ <code>DefaultCredentialHandler</code></a> special management of password credentials can
+ easily be configured. Through the provided
+ <a href="apidocs/org/apache/jetspeed/security/spi/PasswordCredentialProvider.html">
+ <code>PasswordCredentialProvider</code></a> and
+ <a href="apidocs/org/apache/jetspeed/security/spi/InternalPasswordCredentialInterceptor.html">
+ <code>InternalPasswordCredentialInterceptor</code></a> components custom logic can be plugged in for:</p>
+ <ul>
+ <li>providing a custom
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/security/PasswordCredential.html">
+ <code>PasswordCredential</code></a> implementation</li>
+ <li>password encoding<br/>
+ If an
+ <a href="apidocs/org/apache/jetspeed/security/spi/CredentialPasswordEncoder.html">
+ <code>CredentialPasswordEncoder</code></a> is available from the
+ <code>PasswordCredentialProvider</code> passwords will be encoded with it before they are persisted.
+ The provided
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/MessageDigestCredentialPasswordEncoder.html">
+ <code>MessageDigestCredentialPasswordEncoder</code></a> uses
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/MessageDigest.html">
+ <code>MessageDigest</code></a> hash algorithms for the password encryption, and can for example be
+ configured to use <code>SHA-1</code> and <code>Base64</code>.
+ </li>
+ <li>enforcing password value rules<br/>
+ If an
+ <a href="apidocs/org/apache/jetspeed/security/spi/CredentialPasswordValidator.html">
+ <code>CredentialPasswordValidator</code></a> is available from the
+ <code>PasswordCredentialProvider</code>, passwords will be validated with it before they are persisted.
+ The
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/DefaultCredentialPasswordValidator.html">
+ <code>DefaultCredentialPasswordValidator</code></a> for example enforces non-emtpy password. And
+ with the
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/SimpleCredentialPasswordValidator.html">
+ <code>SimpleCredentialPasswordValidator</code></a> a minimum length and a minum number of numeric
+ characters can be enforced.
+ </li>
+ <li>intercepting
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/security/om/InternalCredential.html">
+ <code>InternalCredential</code></a> lifecycle events<br/>
+ If the <code>DefaultCredentialHandler</code> is provided with an
+ <code>InternalPasswordCredentialInterceptor</code>, it will invoke this interceptor (or an arbirary
+ set if
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/InternalPasswordCredentialInterceptorsProxy.html">
+ <code>InternalPasswordCredentialInterceptorsProxy</code></a> is used) on:
+ <ul>
+ <li>after loading a credential from the persistent store</li>
+ <li>after authenticating a user</li>
+ <li>before a new credential is saved to the persistent store</li>
+ <li>before a new password is save for the credential</li>
+ </ul>
+ Jetspeed already provides a basic set of interceptors, ready to be used:
+ <ul>
+ <li>
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/ValidatePasswordOnLoadInterceptor.html">
+ <code>ValidatePasswordOnLoadInterceptor</code></a><br/>
+ This interceptor can be used to validate (pre)set passwords in the persistent store and force
+ a required change by the user if invalid. It uses the configured <code>CredentialPasswordValidator</code>
+ of the <code>PasswordCredentialProvider</code>, the same as used when a password is changed.
+ </li>
+ <li>
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/EncodePasswordOnFirstLoadInterceptor.html">
+ <code>EncodePasswordOnFirstLoadInterceptor</code></a><br/>
+ This interceptor can be used if passwords needs to be preset in the persistent store or
+ migrated unencoded from a different store. With this interceptor, these cleartext password
+ will automatically be encoded the first time they are loaded from the database, using the
+ <code>CredentialPasswordEncoder</code> from the <code>PasswordCredentialProvider</code>
+ </li>
+ <li>
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/PasswordExpirationInterceptor.html">
+ <code>PasswordExpirationInterceptor</code></a><br/>
+ This interceptor can be used to enforce a maximum lifespan for passwords.
+ It manages the <code>expiration_date</code> and <code>is_expired</code> members of the
+ <code>InternalCredential</code> and sets the expired flag when on authentication of a user
+ its (valid) password is expired. The authentication will then fail.<br/>
+ Note: A Jetspeed pipeline Valve, the <code>PasswordCredentialValveImpl</code> can be
+ used to request or even enforce users to change their password in time to prevent a password
+ expiration (described further below).
+ </li>
+ <li>
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/MaxPasswordAuthenticationFailuresInterceptor.html">
+ <code>MaxPasswordAuthenticationFailuresInterceptor</code></a><br/>
+ This interceptor can be used to prevent password hacking by enforcing a maximum number of
+ invalid password attempts in a row. Once this number of authentication failures is reached,
+ the credential will be disabled. On a successful authentication though, this count
+ will automatically be reset to zero again by the <code>DefaultCredentialHandler</code>.
+ </li>
+ <li>
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/PasswordHistoryInterceptor.html">
+ <code>PasswordHistoryInterceptor</code></a><br/>
+ This interceptor can be used to enforce usage of unique new passwords in respect to a certain
+ number of previous used passwords. When a new password is set, the current password is saved
+ in a FIFO stack of used passwords. When a user itself changes its password, it must be different
+ from all the onces thus saved, otherwise a
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/security/PasswordAlreadyUsedException.html">
+ <code>PasswordAlreadyUsedException</code></a> will be
+ thrown. But setting a new password through the administrative interface still allows any
+ password (when otherwise valid) to be set.
+ </li>
+ </ul>
+ <p>
+ The <code>DefaultCredentialHandler</code> only supports one interceptor to be configured.
+ But, with the
+ <a href="apidocs/org/apache/jetspeed/security/spi/impl/InternalPasswordCredentialInterceptorsProxy.html">
+ <code>InternalPasswordCredentialInterceptorsProxy</code></a>, a list of interceptors can
+ be configured which then will be invoked sequentially.</p>
+ <p>
+ Jetspeed comes out of the box with several of these interceptors configured, and its very easy to
+ change and extend.See the <a href="config.html#security-spi-atn_xml">security-spi-atn.xml</a>
+ section in the <a href="config.html">Security Services Configuration</a> document for a description
+ of the default configuration. Also provided there is an example how to setup the interceptors to
+ restore the "old" (and much more restrict) configuration provided with the 2.0-M3 release and
+ earlier.</p>
+ </li>
+ </ul>
+ </subsection>
+ <subsection name="Credentials Management Implementation">
+ <p>
+ The class diagram below describes the components used for the
+ <code>DefaultCredentialHandler</code>
+ implementation.
+ </p>
+ <p align="center">
+ <img src="images/credential-handler-c.gif" border="0" />
+ </p>
+ <p>
+ The OJB mappings for the default credentials implementation are described in
+ <code>security_repository.xml</code>:
+ <ul>
+ <li><code>InternalCredential</code>: Maps to the SECURITY_CREDENTIAL table.</li>
+ </ul>
+ The following database schema is used to stored credentials and their associations to principals.
+ </p>
+ <p align="center">
+ <img src="images/principals-credentials-schema.gif" border="0" />
+ </p>
+ </subsection>
+ </section>
+ <section name="User interaction">
+ <p>
+ Although the <code>DefaultCredentialHandler</code> provides fine-grained management of credentials, it cannot
+ provide direct feedback to the user like presenting a warning that the current password is soon to be expired.
+ But, special request processing pipeline valves provided with jetspeed allow to do just that.</p>
+ <p>
+ The configuration for these valves can be found and set in the <code>pipelines.xml</code> spring
+ configuration file.</p>
+ <subsection name="LoginValidationValveImpl">
+ <p>
+ The <a href="../jetspeed-portal/apidocs/org/apache/jetspeed/security/impl/LoginValidationValveImpl.html">
+ <code>LoginValidationValveImpl</code></a> provides feedback to the user about the cause of an failed login
+ attempt.</p>
+ <p>
+ It retrieves the <code>UserPrincipal</code> and its current <code>PasswordCredential</code> for the
+ specified user name, and (if found) determines an specific error code based on its state.
+ This error code is communicated back to through the session so an appropriate error message can be
+ presented to the user.</p>
+ <p>
+ The following possible error codes can be returned (all defined in the
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/login/LoginConstants.html">
+ <code>LoginConstants</code></a> interface):</p>
+ <ol>
+ <li>ERROR_UNKNOWN_USER</li>
+ <li>ERROR_INVALID_PASSWORD</li>
+ <li>ERROR_USER_DISABLED</li>
+ <li>ERROR_FINAL_LOGIN_ATTEMPT</li>
+ <li>ERROR_CREDENTIAL_DISABLED</li>
+ <li>ERROR_CREDENTIAL_EXPIRED</li>
+ </ol>
+ <p>
+ Of the above error codes, the <code>ERROR_FINAL_LOGIN_ATTEMPT</code> will only be reported if the valve
+ is configured with the same <code>maxNumberOfAuthenticationFailures</code> value as used for the
+ related <code>MaxPasswordAuthenticationFailuresInterceptor</code> described above:
+ <source><![CDATA[
+ <bean id="loginValidationValve"
+ class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
+ init-method="initialize">
+ <!-- maxNumberOfAuthenticationFailures
+ This value should be in sync with the value for
+ org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor
+ (if used) to make sense.
+ Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
+ error code when only one last attempt is possible before the credential
+ will be disabled after the next authentication failure.
+ -->
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+</bean>]]>
+ </source>
+ </p>
+ </subsection>
+ <subsection name="PasswordCredentialValveImpl">
+ <p>
+ The <a href="../jetspeed-portal/apidocs/org/apache/jetspeed/security/impl/PasswordCredentialValveImpl.html">
+ <code>PasswordCredentialValveImpl</code></a> is meant to be used together with a special Portlet on a
+ special Portal Page (PSML) to automatically request or even require a user to change its password.</p>
+ <p>
+ This valve evaluates <code>PasswordCredential.isUpdateRequired()</code> and optionally the
+ <code>expirationDate</code>, <code>lastAuthenticationDate</code> and <code>previousAuthenticationDate</code>
+ fields to determine if a user is required or just be asked to change its password.</p>
+ <p>
+ This valve can optionally be configured with a list of <code>expirationWarningDays</code> numbers in
+ its constructor:
+ <source><![CDATA[
+<bean id="passwordCredentialValve"
+ class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"
+ init-method="initialize">
+ <constructor-arg>
+ <!-- expirationWarningDays -->
+ <list>
+ <value>2</value>
+ <value>3</value>
+ <value>7</value>
+ </list>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ These numbers each represent a day before the current <code>expirationDate</code> of the password credential
+ when a user should be warned its password is soon to expire and be asked to change it. The
+ <code>lastAuthenticationDate</code> and the <code>previousAuthenticationDate</code> are used to determine
+ when this should happen. It will be done only once for each configured <code>expirationWarningDay</code>.
+ If a user logs on for the first time (after several days) with the above example configuration, 6 days
+ before the password expires, he or she will be warned about it. And again when 3 or 2 days are left.</p>
+ <p>
+ When a user logs on the last day before the password expires <em>or</em> when <code>updateRequired</code>
+ is <code>true</code>, the user will be required to change the password, regardless if expirationWarningDays
+ are configured or not.</p>
+ <p>
+ To be able to automatically provide the user with this information and allow or require the password to
+ be changed directly after login, a special <code>ProfileLocator</code>
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/profiler/ProfileLocator.html#SECURITY_LOCATOR">
+ <code>SECURITY_LOCATOR</code></a> is used. The <code>PageProfilerValve</code> (which should be configed
+ <em>after</em> this valve in the pipeline) will then use this enforced locator to be used to find the
+ related portal page to present to the user.</p>
+ <p>
+ For this to work, a <code>"security"</code> Profiler rule must have been setup like the default one
+ provided by Jetspeed:</p>
+ <p align="center">
+ <img src="images/security-locator.jpg" border="0"/>
+ </p>
+ <p>
+ As can seen from the above image, the default page which will be presented to the user is the
+ <code>/my-account.psml</code> located in the root.</p>
+ <p>
+ This default page contains only one portlet, the <code>ChangePasswordPortlet</code> from the security
+ Portlet Application.</p>
+ <p>
+ The <code>ChangePasswordPortlet</code> works together with the <code>PasswordCredentialValveImpl</code>
+ as it checks for the
+ <a href="../jetspeed-api/apidocs/org/apache/jetspeed/security/PasswordCredential.html#PASSWORD_CREDENTIAL_DAYS_VALID_REQUEST_ATTR_KEY">
+ <code>PASSWORD_CREDENTIAL_DAYS_VALID_REQUEST_ATTR_KEY</code></a> request parameter which will be set by
+ this valve with the number of days the password is still valid. For a required password change this will
+ be set to Integer(0).</p>
+ <p>
+ The default <code>my-account.psml</code> page contains <em>only</em> the <code>ChangePasswordPortlet</code>
+ to make sure a user which is <em>required</em> to change the password cannot interact with the portal any
+ other way then after the password is changed.</p>
+ <p>
+ Although the user might be attempted to select a link to a different page (from a portal menu for exampl),
+ this valve will make sure only the configured "security" locator page is returned if it is required.
+ But, once the password is changed the then targeted page in the url will be navigated to automatically.
+ </p>
+ </subsection>
+ <subsection name="Managing Password Expiration">
+ <p>
+ If the <code>PasswordExpirationInterceptor</code> is used, password expiration for a certain user can be
+ directly managed through the <code>UserDetailPortlet</code> provided with the <code>security</code>
+ portlet application.</p>
+ <p>
+ If enabled, this portlet can display the current expiration date of a password and also allows to change
+ its value:</p>
+ <p align="center">
+ <img src="images/password-expiration.jpg" border="0"/>
+ </p>
+ <p>
+ As you can see, through the radio group, the password expiration date can be changed to:</p>
+ <table>
+ <tr><th>Action</th><th>Expires</th></tr>
+ <tr><td>Expired</td><td>today</td></tr>
+ <tr>
+ <td>Extend</td>
+ <td>today + <code>maxLifeSpanInDays</code> as configured for the PasswordExpirationInterceptor</td>
+ </tr>
+ <tr><td>Extend Unlimited</td><td>January 1, 8099 (the maximum value allowed for java.sql.Date)</td></tr>
+ </table>
+ <p>
+ This feature can be enabled through the edit/preferences page of the <code>UserDetailsPortlet</code>:</p>
+ <p align="center">
+ <img src="images/user-detail-prefs.jpg" border="0"/>
+ </p>
+ <p>
+ Note: when a new password value is specified selected password expiration action <code>Expired</code>
+ will be ignored!</p>
+ </subsection>
+ <subsection name="Setting default 'Change Password required on First Login'">
+ <p>
+ Through the same <code>UserDetailsPortlet</code> preferences as show above, the default
+ <code>updateRequired</code> property of a password credential for a new user can be configured too.</p>
+ <p>
+ And, if you always need the same setting for all users, you can even suppress the selection box normally
+ displayed on the <code>Add User</code> dialog.</p>
+ <p>
+ With the preferences set as in the example shown above, the <code>Add User</code> dialog will look like this:</p>
+ <p align="center">
+ <img src="images/add-user.jpg" border="0"/>
+ </p>
+ <p>
+ A user added with the example preferences set, will have the <code>updateRequired</code> property set to
+ true, the <code>User</code> role assigned and use the <code>role-fallback</code> profiling rule.</p>
+ </subsection>
+ </section>
+ </body>
+</document>
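Review bot: the paragraph on `ChangePasswordPortlet` calls `PASSWORD_CREDENTIAL_DAYS_VALID_REQUEST_ATTR_KEY` a "request parameter which will be set by this valve"; the constant name and the description (set by the valve, not sent by the client) point to a request attribute, so "request attribute" is the accurate term here. The distinction is worth getting right in security docs: an attribute set server-side by `PasswordCredentialValveImpl` is not something a client can supply, whereas "parameter" suggests a value read from the incoming request. Suggested wording: "checks for the `PASSWORD_CREDENTIAL_DAYS_VALID_REQUEST_ATTR_KEY` request attribute, which this valve sets to the number of days the password is still valid (Integer(0) for a required password change)". A few typos in the same region should also be cleaned up before this moves: "configed" (should be "configured"), "As can seen" ("As can be seen"), "any other way then after" ("other than after"), "might be attempted to select" ("might be tempted to select"), "for exampl" ("for example"), "as show above" ("as shown above"), "allows to change its value" ("allows its value to be changed"), and the Note sentence needs a comma: "Note: when a new password value is specified, the selected password expiration action `Expired` will be ignored!".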
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: portals/jetspeed-2/portal/trunk/xdocs/components/jetspeed-security/credentials.xml
------------------------------------------------------------------------------
svn:keywords = Id
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org