You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Schenk, Andre" <An...@FIZ-Karlsruhe.DE> on 2009/12/08 18:30:37 UTC
RE: OpenID support in JSPWiki?
Hi developers,
just a short message from me, that supplying the WikiEngine to a custom login module now works with JSPWiki 2.8.3. Many thanks for that!!!
Best regards,
André
--------------------------
André Schenk
ePublishing & eScience
Development & Applied Research
Phone +49 7247 808-215
Fax +49 7247 808-133
Andre.Schenk@fiz-karlsruhe.de
FIZ Karlsruhe
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen, Germany
www.fiz-karlsruhe.de
---------------------------------------
> -----Original Message-----
> From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
> Sent: Thursday, March 26, 2009 4:39 AM
> To: jspwiki-dev@incubator.apache.org; Schenk, Andre
> Subject: Re: OpenID support in JSPWiki?
>
> Hi Tilman --
>
> Your analysis is correct. You would need to get obtain the HttpRequest
> from WikiCallbackHandler, which at the moment it does not know how to
> supply. We have had some other questions about this recently, notably
> Andre Schenk's desire to be able to obtain a reference to the
> WikiEngine from inside his custom LoginModule.
>
> In both cases, the common thread is that we need to supply additional
> callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2,
> by simply adding in support for the HttpRequestCallback. That should
> meet your needs, no?
>
> It should also meet Andre's, indirectly, in the sense that if you have
> an HttpRequest you can fairly easily retrieve the WikiEngine also (by
> passing getSession().getServletContext() to WikiEngine.getInstance()).
>
> Andrew
>
> On Wed, Mar 25, 2009 at 7:27 AM, Tilman Bender
> <tb...@stud.hs-heilbronn.de> wrote:
> > Hi Andrew,
> >
> > Thanks for your help!
> >
> > Let's see if I got it right:
> >
> > - My OpenidAssertionLoginModule need the data from the HttpPRequest
> > - The way to obtain this data is via HttpReuqestCallback
> >
> > From what I can see so far, the HttpReuqest in HttpRequestCallBack is
> only
> > set in WebContainerCallbackHandler, which is used by:
> >
> > -WebContainerLoginModule
> > -CookieAssertionLoginModule
> > - AnonymousLoginModule
> >
> > So as I get it, I would have to either use this CallBackHandler,
> instead of
> > WikiCallBackHandler
> > or to find a way to set the HttpRequest in HttpRequestCallBack from
> within
> > WikiCallBackHandler.
> >
> > Question is: How can I access the request from within,
> WikiCallBackHandler?
> >
> > I agree on the attribute exchange on login, allthough I would see
> that as a
> > further improvement to the basic OpenID
> > functionality.
> >
> > For the UI side, I attached some mocks. This is what my UI currenlty
> looks
> > like, but it is far from complete. Comments
> > welcome :-)
> >
> >
> >
> >
> >
> >
> >
> >
> > kind regards
> >
> > Tilman Bender
> > Student des Software Engineering
> > Hochschule Heilbronn
> > tbender@stud.hs-heilbronn.de
> >
> >
> >
> > Am 20.03.2009 um 14:43 schrieb Andrew Jaquith:
> >
> >> Tilman--
> >>
> >> Thanks for your e-mail, and for your good work.
> >>
> >> Your thought-process on this seems sound. Agreed, the first phase of
> login
> >> (OP discovery + redirect) should be handled by a custom JSP. The
> second
> >> phase (validation) should be handled by JAAS.
> >>
> >> To do this, you will need to get the HttpRequest object. JSPWiki
> does have
> >> an HttpRequestCallback that can supply this, at least in the custom
> >> authentication case. You will need to check to see if
> WikiCallbackHandler
> >> passes that callback. If not, it is trivial to patch the code to do
> this.
> >>
> >> So, I think this is basically in line with what you proposed.
> >>
> >> Some other thoughts:
> >>
> >> At login time, it would be highly desirable to use SREG or OpenID
> >> attribute exchange to pull the user's name and e-mail address and
> use the
> >> returned values to update their profile, which would ensure that
> their
> >> information is always current. The login ID used to look up the
> profile
> >> should be the user's OpenID URL... I think.
> >>
> >> On the UI side, we will need a special OpenID login page (JSP). The
> >> regular login page could include this if desired.
> >>
> >> Andrew
> >>
> >> On Mar 18, 2009, at 7:02, Tilman Bender <tbender@stud.hs-
> heilbronn.de>
> >> wrote:
> >>
> >>> Hey guys,
> >>>
> >>> I am currently plaing with the 2.8.1 code and openid4java.
> >>>
> >>> But I am having a hard time trying to fiugre out where exactly to
> hook in
> >>> the OpenID stuff.
> >>> The problem is (as also described in #JSPWIKI-94), that:
> >>>
> >>> 1. To me it seems you cannot do the whole thing in JAAS:
> >>> OpenID as I understand it has two phases :
> >>>
> >>> Phase I:
> >>> - The user just submitted his openid identifier to our
> login/registration
> >>> from.
> >>> - We do discovery on the identifier to find the Endpoint of his
> OpenID
> >>> Provider (and check if the provider is in our whitelist)
> >>> - We redirect the user to his OpenID provider
> >>>
> >>> So in this phase it makes no sense to me to use a JAAS-Module since
> we
> >>> wouldn't be able to complete the login mehtod
> >>> as we do not know enough about the user yet (we do not know if his
> >>> identity is asserted by the OpenID Provider).
> >>> So I currently do this via JSP and Scriptlets (no custom tag yet).
> >>>
> >>> Phase II:
> >>> - The user is redirected back to us by his OpenID Provider
> >>> - We connect to the OpenID Provider to verify the assertion that
> was
> >>> passed along the request (be it a positive or negative assertion)
> >>> - Now we know enough about the user to log them in.
> >>>
> >>> I currently try to use UserManager.setUserProfile in this
> situation. Now
> >>> here comes my Problem:
> >>>
> >>> I would like to do all the assertion verifiaction in a JAAS-Module,
> but
> >>> for that I need all the request
> >>> data, which I do not have in the setUserProfile-Method.
> >>>
> >>> So currently I am stuck. Before I start to wildly mess the API: Am
> I
> >>> taking the right direction?
> >>>
> >>>
> >>> Tilman Bender
> >>> Student des Software Engineering
> >>> Hochschule Heilbronn
> >>> tbender@stud.hs-heilbronn.de
> >>>
> >>>
> >>>
> >>> Am 03.12.2008 um 21:50 schrieb Janne Jalkanen:
> >>>
> >>>> Hi!
> >>>>
> >>>> Thanks for the effort - sounds like a worthy project!
> >>>>
> >>>> I think you will save yourself a lot of grief if you work on the
> 2.8.1
> >>>> branch, since the trunk is now the subject of a lot of changes -
> but note
> >>>> that we *will* be making some rather major changes for 3.0, so you
> may face
> >>>> a small porting effort towards the end. We certainly wouldn't
> like to land
> >>>> a major feature in 2.8 branch anymore, since it's rather stable.
> >>>>
> >>>> I think the first thing you could do is to outline your plan as to
> how
> >>>> exactly are you planning to hook into our structures - a good
> place to start
> >>>> is probably the Security documentation at
> >>>> http://doc.jspwiki.org/2.8/wiki/Security, and then asking a lot of
> questions
> >>>> on this mailing list.
> >>>>
> >>>> Also, since we are talking about a fairly large project here, you
> might
> >>>> want to sign a contributor license agreement (CLA), and depending
> on the
> >>>> German copyright legislation, get also Heilbronn to sign a
> corporate CLA.
> >>>> That, or Heilbronn (or you) need to, at the end of the project,
> give a
> >>>> software grant (SGA) to Apache Software Foundation. But these are
> not
> >>>> biggies and can be tackled if/when we start merging ;-)
> >>>>
> >>>> /Janne
> >>>>
> >>>> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
> >>>>
> >>>>> Hi JSPWiki Devs,
> >>>>>
> >>>>> I am a student at Heilbronn University in Germany (Some of you
> might
> >>>>> know Christoph Sauer, who worked there.)
> >>>>> As pre-thesis for my diploma I want to enhance JSPWiki with
> OpenID.
> >>>>>
> >>>>> I am still pretty new to JSPWIki, OpenID and JAAS.
> >>>>> I have worked my way through the official OpenID 2.0
> Authentication
> >>>>> standard
> >>>>> and will do as well for Attributes Exchange.
> >>>>>
> >>>>> I would like to base my work on the 2.8.1 tag and
> >>>>> see to get it integrate into the trunk later. Is that the correct
> way
> >>>>> to do it?
> >>>>>
> >>>>> As I see Andrew already spent quite some time on OpenID and did
> some
> >>>>> preparations.
> >>>>> Since I plan to get my diploma somday soon (say in 2009 ;-)), I
> have a
> >>>>> high personal interest
> >>>>> in getting OpenID into JSPWiki.
> >>>>>
> >>>>> Summary:
> >>>>>
> >>>>> * I have time
> >>>>> * I have motivation
> >>>>> * I need some help to get started ;-)
> >>>>>
> >>>>> Any suggestions where to begin? I guess registration/profile
> creation
> >>>>> would be first.
> >>>>>
> >>>>> kind regards
> >>>>>
> >>>>>
> >>>>> Tilman Bender
> >>>>> Student des Software Engineering
> >>>>> Hochschule Heilbronn
> >>>>> tbender@stud.hs-heilbronn.de
> >>>>>
> >>>>>
> >>>>
> >>>
> >
> >
> >
-------------------------------------------------------
Fachinformationszentrum Karlsruhe, Gesellschaft für wissenschaftlich-technische Information mbH.
Sitz der Gesellschaft: Eggenstein-Leopoldshafen, Amtsgericht Mannheim HRB 101892.
Geschäftsführerin: Sabine Brünger-Weilandt.
Vorsitzender des Aufsichtsrats: MinR Hermann Riehl.
Re: OpenID support in JSPWiki?
Posted by Andrew Jaquith <an...@gmail.com>.
Great news. Glad it works for you.
On Dec 8, 2009, at 9:30, "Schenk, Andre" <Andre.Schenk@FIZ-
Karlsruhe.DE> wrote:
Hi developers,
>
> just a short message from me, that supplying the WikiEngine to a
> custom login module now works with JSPWiki 2.8.3. Many thanks for
> that!!!
>
> Best regards,
>
> André
> --------------------------
> André Schenk
> ePublishing & eScience
> Development & Applied Research
> Phone +49 7247 808-215
> Fax +49 7247 808-133
> Andre.Schenk@fiz-karlsruhe.de
>
>
> FIZ Karlsruhe
> Hermann-von-Helmholtz-Platz 1
> 76344 Eggenstein-Leopoldshafen, Germany
>
> www.fiz-karlsruhe.de
> ---------------------------------------
>
>
>> -----Original Message-----
>> From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
>> Sent: Thursday, March 26, 2009 4:39 AM
>> To: jspwiki-dev@incubator.apache.org; Schenk, Andre
>> Subject: Re: OpenID support in JSPWiki?
>>
>> Hi Tilman --
>>
>> Your analysis is correct. You would need to get obtain the
>> HttpRequest
>> from WikiCallbackHandler, which at the moment it does not know how to
>> supply. We have had some other questions about this recently, notably
>> Andre Schenk's desire to be able to obtain a reference to the
>> WikiEngine from inside his custom LoginModule.
>>
>> In both cases, the common thread is that we need to supply additional
>> callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2,
>> by simply adding in support for the HttpRequestCallback. That should
>> meet your needs, no?
>>
>> It should also meet Andre's, indirectly, in the sense that if you
>> have
>> an HttpRequest you can fairly easily retrieve the WikiEngine also (by
>> passing getSession().getServletContext() to WikiEngine.getInstance
>> ()).
>>
>> Andrew
>>
>> On Wed, Mar 25, 2009 at 7:27 AM, Tilman Bender
>> <tb...@stud.hs-heilbronn.de> wrote:
>>> Hi Andrew,
>>>
>>> Thanks for your help!
>>>
>>> Let's see if I got it right:
>>>
>>> - My OpenidAssertionLoginModule need the data from the HttpPRequest
>>> - The way to obtain this data is via HttpReuqestCallback
>>>
>>> From what I can see so far, the HttpReuqest in HttpRequestCallBack
>>> is
>> only
>>> set in WebContainerCallbackHandler, which is used by:
>>>
>>> -WebContainerLoginModule
>>> -CookieAssertionLoginModule
>>> - AnonymousLoginModule
>>>
>>> So as I get it, I would have to either use this CallBackHandler,
>> instead of
>>> WikiCallBackHandler
>>> or to find a way to set the HttpRequest in HttpRequestCallBack from
>> within
>>> WikiCallBackHandler.
>>>
>>> Question is: How can I access the request from within,
>> WikiCallBackHandler?
>>>
>>> I agree on the attribute exchange on login, allthough I would see
>> that as a
>>> further improvement to the basic OpenID
>>> functionality.
>>>
>>> For the UI side, I attached some mocks. This is what my UI currenlty
>> looks
>>> like, but it is far from complete. Comments
>>> welcome :-)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> kind regards
>>>
>>> Tilman Bender
>>> Student des Software Engineering
>>> Hochschule Heilbronn
>>> tbender@stud.hs-heilbronn.de
>>>
>>>
>>>
>>> Am 20.03.2009 um 14:43 schrieb Andrew Jaquith:
>>>
>>>> Tilman--
>>>>
>>>> Thanks for your e-mail, and for your good work.
>>>>
>>>> Your thought-process on this seems sound. Agreed, the first phase
>>>> of
>> login
>>>> (OP discovery + redirect) should be handled by a custom JSP. The
>> second
>>>> phase (validation) should be handled by JAAS.
>>>>
>>>> To do this, you will need to get the HttpRequest object. JSPWiki
>> does have
>>>> an HttpRequestCallback that can supply this, at least in the custom
>>>> authentication case. You will need to check to see if
>> WikiCallbackHandler
>>>> passes that callback. If not, it is trivial to patch the code to do
>> this.
>>>>
>>>> So, I think this is basically in line with what you proposed.
>>>>
>>>> Some other thoughts:
>>>>
>>>> At login time, it would be highly desirable to use SREG or OpenID
>>>> attribute exchange to pull the user's name and e-mail address and
>> use the
>>>> returned values to update their profile, which would ensure that
>> their
>>>> information is always current. The login ID used to look up the
>> profile
>>>> should be the user's OpenID URL... I think.
>>>>
>>>> On the UI side, we will need a special OpenID login page (JSP). The
>>>> regular login page could include this if desired.
>>>>
>>>> Andrew
>>>>
>>>> On Mar 18, 2009, at 7:02, Tilman Bender <tbender@stud.hs-
>> heilbronn.de>
>>>> wrote:
>>>>
>>>>> Hey guys,
>>>>>
>>>>> I am currently plaing with the 2.8.1 code and openid4java.
>>>>>
>>>>> But I am having a hard time trying to fiugre out where exactly to
>> hook in
>>>>> the OpenID stuff.
>>>>> The problem is (as also described in #JSPWIKI-94), that:
>>>>>
>>>>> 1. To me it seems you cannot do the whole thing in JAAS:
>>>>> OpenID as I understand it has two phases :
>>>>>
>>>>> Phase I:
>>>>> - The user just submitted his openid identifier to our
>> login/registration
>>>>> from.
>>>>> - We do discovery on the identifier to find the Endpoint of his
>> OpenID
>>>>> Provider (and check if the provider is in our whitelist)
>>>>> - We redirect the user to his OpenID provider
>>>>>
>>>>> So in this phase it makes no sense to me to use a JAAS-Module
>>>>> since
>> we
>>>>> wouldn't be able to complete the login mehtod
>>>>> as we do not know enough about the user yet (we do not know if his
>>>>> identity is asserted by the OpenID Provider).
>>>>> So I currently do this via JSP and Scriptlets (no custom tag
>>>>> yet).
>>>>>
>>>>> Phase II:
>>>>> - The user is redirected back to us by his OpenID Provider
>>>>> - We connect to the OpenID Provider to verify the assertion that
>> was
>>>>> passed along the request (be it a positive or negative assertion)
>>>>> - Now we know enough about the user to log them in.
>>>>>
>>>>> I currently try to use UserManager.setUserProfile in this
>> situation. Now
>>>>> here comes my Problem:
>>>>>
>>>>> I would like to do all the assertion verifiaction in a JAAS-
>>>>> Module,
>> but
>>>>> for that I need all the request
>>>>> data, which I do not have in the setUserProfile-Method.
>>>>>
>>>>> So currently I am stuck. Before I start to wildly mess the API: Am
>> I
>>>>> taking the right direction?
>>>>>
>>>>>
>>>>> Tilman Bender
>>>>> Student des Software Engineering
>>>>> Hochschule Heilbronn
>>>>> tbender@stud.hs-heilbronn.de
>>>>>
>>>>>
>>>>>
>>>>> Am 03.12.2008 um 21:50 schrieb Janne Jalkanen:
>>>>>
>>>>>> Hi!
>>>>>>
>>>>>> Thanks for the effort - sounds like a worthy project!
>>>>>>
>>>>>> I think you will save yourself a lot of grief if you work on the
>> 2.8.1
>>>>>> branch, since the trunk is now the subject of a lot of changes -
>> but note
>>>>>> that we *will* be making some rather major changes for 3.0, so
>>>>>> you
>> may face
>>>>>> a small porting effort towards the end. We certainly wouldn't
>> like to land
>>>>>> a major feature in 2.8 branch anymore, since it's rather stable.
>>>>>>
>>>>>> I think the first thing you could do is to outline your plan as
>>>>>> to
>> how
>>>>>> exactly are you planning to hook into our structures - a good
>> place to start
>>>>>> is probably the Security documentation at
>>>>>> http://doc.jspwiki.org/2.8/wiki/Security, and then asking a lot
>>>>>> of
>> questions
>>>>>> on this mailing list.
>>>>>>
>>>>>> Also, since we are talking about a fairly large project here, you
>> might
>>>>>> want to sign a contributor license agreement (CLA), and depending
>> on the
>>>>>> German copyright legislation, get also Heilbronn to sign a
>> corporate CLA.
>>>>>> That, or Heilbronn (or you) need to, at the end of the project,
>> give a
>>>>>> software grant (SGA) to Apache Software Foundation. But these
>>>>>> are
>> not
>>>>>> biggies and can be tackled if/when we start merging ;-)
>>>>>>
>>>>>> /Janne
>>>>>>
>>>>>> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
>>>>>>
>>>>>>> Hi JSPWiki Devs,
>>>>>>>
>>>>>>> I am a student at Heilbronn University in Germany (Some of you
>> might
>>>>>>> know Christoph Sauer, who worked there.)
>>>>>>> As pre-thesis for my diploma I want to enhance JSPWiki with
>> OpenID.
>>>>>>>
>>>>>>> I am still pretty new to JSPWIki, OpenID and JAAS.
>>>>>>> I have worked my way through the official OpenID 2.0
>> Authentication
>>>>>>> standard
>>>>>>> and will do as well for Attributes Exchange.
>>>>>>>
>>>>>>> I would like to base my work on the 2.8.1 tag and
>>>>>>> see to get it integrate into the trunk later. Is that the
>>>>>>> correct
>> way
>>>>>>> to do it?
>>>>>>>
>>>>>>> As I see Andrew already spent quite some time on OpenID and did
>> some
>>>>>>> preparations.
>>>>>>> Since I plan to get my diploma somday soon (say in 2009 ;-)), I
>> have a
>>>>>>> high personal interest
>>>>>>> in getting OpenID into JSPWiki.
>>>>>>>
>>>>>>> Summary:
>>>>>>>
>>>>>>> * I have time
>>>>>>> * I have motivation
>>>>>>> * I need some help to get started ;-)
>>>>>>>
>>>>>>> Any suggestions where to begin? I guess registration/profile
>> creation
>>>>>>> would be first.
>>>>>>>
>>>>>>> kind regards
>>>>>>>
>>>>>>>
>>>>>>> Tilman Bender
>>>>>>> Student des Software Engineering
>>>>>>> Hochschule Heilbronn
>>>>>>> tbender@stud.hs-heilbronn.de
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>
>>>
>>>
>
>
> -------------------------------------------------------
>
> Fachinformationszentrum Karlsruhe, Gesellschaft für wissenschaftlich
> -technische Information mbH.
> Sitz der Gesellschaft: Eggenstein-Leopoldshafen, Amtsgericht
> Mannheim HRB 101892.
> Geschäftsführerin: Sabine Brünger-Weilandt.
> Vorsitzender des Aufsichtsrats: MinR Hermann Riehl.
>
>