Posted to dev@roller.apache.org by Elias Torres <el...@torrez.us> on 2006/08/27 21:24:50 UTC

Roller and SSO via Acegi Security

Hi folks,

I'm revisiting the need for LDAP support in Roller and after some
investigation on Acegi Security it seems like I could work something in
Roller that would benefit not just IBM but other Roller installations
such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the
wiki and it seems like it covers the most common cases of authentication in
Roller. I've started reading Acegi Security documentation and was able
to successfully configure Roller 3.0 against our Enterprise Directory,
however, there are some remaining issues that I want to share with you
for suggestions on how I should proceed.

I've configured security.xml to use LDAPAuthProvider. This provider
fetches user information and authorities (roles) information. The issue
is that our roles "editor" and "admin" are not stored in our secondary
LDAP directory (for Groups only). The LDAPProvider does (thankfully)
split the provider functions of checking user credentials and fetching
role information. Therefore I can write my own AuthoritiesPopulator that
accesses the rest of the information from the RollerDB. Now, writing the
AuthoritiesPopulator is not exactly trivial, mostly because of the simple
design of the provider code in Acegi Security. I would have to copy most
of the code from the DAO provider to make use of the same declarative
features in the security.xml file, but it's not a big deal.

My suggestion then is for me to write some sort of
[Roller]CompositeProvider that allows basically a pick-your-own combo of
features for providing user information. Something like pick either or
both LDAP and DAO for either or both credentials and roles. It would
duplicate some code from two Acegi Security classes because the code is
not properly abstracted, but it will not require changes to Acegi
Security and it would always be an optional provider for Roller
installations, the default could be what we have in security.xml today.

Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our
IBM internal environment, we have enabled registration, but we don't
store password information in Roller. In essence what I suggested to
Dave is to password-protect the registration page and when loaded
auto-populate the username, name and email address fields (actually make
them read-only) and let any authenticated user register in Roller.
However, there's a NullPointerException in
RollerSession.getRollerSession() because there's an authenticated user
but there's no user in the RollerDB. I was hoping I could inject some code
there that would use the generic UserDetailsService in Acegi Security
(based on a configurable option) to either auto-insert a record and
tweak the registration update to deal with an existing user and just
update, or to populate the session with a transient user-object that
could be used in the registration page.

I hope you can make sense of the long-winded message and let me know if
I can proceed to add this code (together with whatever
tweaks/suggestions you may have) to the 3.0 branch.

-Elias

[1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
[2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
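
Added example (an editor's illustration, not code from this thread, from Elias's patch or from Roller): an authorities populator in the shape described above, where the LDAP bind only proves the password and the Roller database supplies the "editor"/"admin" roles. It is written against the Acegi Security 1.0 interfaces as I understand them (org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator receiving an LdapUserDetails) and assumes Roller's userrole table has username and rolename columns; the class name, its package and the rolePrefix setting are this example's own.

```java
package org.apache.roller.example.security; // hypothetical package for this example

import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.sql.DataSource;

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapDataAccessException;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.springframework.jdbc.core.JdbcTemplate;

/**
 * Authorities populator for the split model discussed in the thread:
 * the LDAP authenticator (e.g. BindAuthenticator) proves who the user is,
 * this class decides what she may do by reading Roller's own role table.
 *
 * Assumption for this example: Roller keeps roles in a "userrole" table
 * with "username" and "rolename" columns.
 */
public class RollerDbAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private static final String ROLES_SQL =
            "select rolename from userrole where username = ?";

    private final JdbcTemplate jdbc;
    // Prepended to each DB role name. Roller's security.xml used bare
    // "editor"/"admin" as authorities, so the default is the empty string.
    private String rolePrefix = "";

    public RollerDbAuthoritiesPopulator(DataSource rollerDataSource) {
        this.jdbc = new JdbcTemplate(rollerDataSource);
    }

    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = (rolePrefix == null) ? "" : rolePrefix;
    }

    /**
     * Called by LdapAuthenticationProvider after the bind succeeded.
     * A directory user who has not registered in Roller yet gets an empty
     * array: authenticated, but holding no Roller role at all.
     */
    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user)
            throws LdapDataAccessException {
        String username = user.getUsername();
        if (username == null || username.trim().length() == 0) {
            return new GrantedAuthority[0];
        }
        // Parameterised query: the username comes from the directory, but it
        // is still untrusted input as far as the SQL layer is concerned.
        // A failing database raises Spring's unchecked DataAccessException,
        // which fails the login closed instead of silently yielding no roles.
        List rows = jdbc.queryForList(ROLES_SQL, new Object[] { username });
        return toAuthorities(rows, rolePrefix);
    }

    /** Maps single-column rows to distinct GrantedAuthority objects. */
    static GrantedAuthority[] toAuthorities(List rows, String prefix) {
        Set names = new LinkedHashSet();
        for (Iterator it = rows.iterator(); it.hasNext();) {
            Map row = (Map) it.next();
            // The query selects one column; reading it by position avoids
            // depending on the driver's upper/lower-case column naming.
            Object role = row.isEmpty() ? null : row.values().iterator().next();
            if (role == null) {
                continue;
            }
            String name = role.toString().trim();
            if (name.length() > 0) {
                names.add(prefix + name);
            }
        }
        GrantedAuthority[] result = new GrantedAuthority[names.size()];
        int i = 0;
        for (Iterator it = names.iterator(); it.hasNext(); i++) {
            result[i] = new GrantedAuthorityImpl((String) it.next());
        }
        return result;
    }
}
```

Wiring in security.xml (described in prose since the bean names are the deployment's own): the populator becomes the second constructor argument of org.acegisecurity.providers.ldap.LdapAuthenticationProvider, after the BindAuthenticator, and takes Roller's DataSource. Two cautions for the registration URL: a first-time SSO user has no roles, so the rule for it must be "any authenticated principal" (Acegi's AuthenticatedVoter with IS_AUTHENTICATED_FULLY) rather than a role name; and because Acegi matches the servlet path together with the query string, a rule on user.do?method=register alone does not cover method=registerUser or a reordered query string, so protect both method values or the whole user.do path.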

Re: Roller and SSO via Acegi Security

Posted by Elias Torres <el...@torrez.us>.

Dave Johnson wrote:
> 
> The only piece that's missing is docs. With this new code, what needs
> to change in the existing LDAP FAQ?
> 
> - Dave
> 
> 
> 

I have a sample security.xml with how it would work when using LDAP and
the RollerAuthoritiesPopulator. I can explain the LDAP configuration
from Acegi, plus the adding of user.do?method=register as an
authenticated URL and finally the roller.properties settings that would
enable SSO.

-Elias

Re: Roller and SSO via Acegi Security

Posted by Elias Torres <el...@torrez.us>.
Matt +1
Dave +1

I was wondering if anybody else had any objections with this feature
before I start working on the branch.

-Elias

Dave Johnson wrote:
> +1 for getting this into 3.0
> 
> Elias sent me a patch containing the small amount of code necessary to
> optionally add support for SSO via LDAP -- a much requested feature. I
> think it's safe to add this to the Roller 3.0 code base because
> 
> - It's optional and affects the new user creation process
> - It's a small change to UserFormEx and two new classes
> 
> There is a small change in UserFormEx that is only invoked if SSO is
> enabled. If SSO is enabled and SSO data is present, then UserFormEx
> self-populates based on that SSO data.
> 
> There are also two new classes that depend on Acegi.
> 
> 1. CustomUserRegistry
> - Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
> - Populates UserData object with data from LDAP
> 
> 2. RollerAuthoritiesPopulator
> 
> The only piece that's missing is docs. With this new code, what needs
> to change in the existing LDAP FAQ?
> 
> - Dave
> 
> 
> 
> On 8/27/06, Matt Raible <mr...@gmail.com> wrote:
>> +1 for anything that makes integrating with LDAP easier for companies.
>>
>> Matt
>>
> 

Re: Roller and SSO via Acegi Security

Posted by Elias Torres <el...@torrez.us>.
Basically, what we have done in IBM's intranet is that as soon as a new
user logs in, we register her (create UserData/WebsiteData) automatically.
We have completely removed the register page and users are forced to
authenticate to comment, so when they log in, they are registered.
Additionally, throughout all of our blogs we have login links that help
break down the barriers of entry for new employees to start blogging.

-Elias

paksegu wrote:
> I would like to know more about this auto-provisioning feature and how to implement it in my personal project. Thanks 
> 
> 
> Elias Torres <el...@torrez.us> wrote: Right. I have not coded NTLM support, but like you said it can be done
> and easily integrated into the Acegi Security framework. The main thing
> my patch does is that if you configure your security.xml to request
> authentication for user.do?method=registerUser, then if a user hits the
> registration page it will load the user information (from NTLM+LDAP)
> from the Acegi SecurityContextHolder and pre-populate the form,
> disabling of course the username field (since you already have one) and
> hiding the password fields as well.
> 
> Now, if you are interested in auto-provisioning, I can enable a hook
> that will automatically register a user and deploy a blog (with their
> username as their handle) as soon as they authenticate. What do you think?
> 
> -Elias
> 
> Eric.Bardoux@sanofipasteur.com wrote:
>> Hi,
>>
>> Today, for Roller, I'm only using LDAP authentication.
>> But a lot of our applications here use NTLM authentication through a filter (Tomcat) that calls a web service connected to our LDAP.
>> I hope that with your new classes, I will be able to modify my filter a bit so that it would only tell Roller "yes, the user is known, let him go".
>>
>> Eric 
>>
>> -----Original Message-----
>> From: Elias Torres [mailto:eliast@gmail.com] On behalf of Elias Torres
>> Sent: Tuesday, 29 August 2006 14:55
>> To: roller-dev@incubator.apache.org
>> Subject: Re: Roller and SSO via Acegi Security
>>
>> Eric,
>>
>> I was wondering what is your SSO setup? do you use LDAP? Do you use Cookies? I would like to hear more about it to see how general we can make this initial support.
>>
>> -Elias
>>
>> Eric.Bardoux@sanofipasteur.com wrote:
>>> +1
>>> Release 3.0 :):)
>>>
> 
> 
> 
> Ransford Segu-Baffoe
> 
> paksegu@yahoo.com
> paksegu@noqturnalmediasystems.com
> 
> http://www.noqturnalmediasystems.com/
> http://www.noqturnalmediasystems.com/Serenade/
> https://serenade.dev.java.net/
>  		

Re: Roller and SSO via Acegi Security

Posted by paksegu <pa...@yahoo.com>.
I would like to know more about this auto-provisioning feature and how to implement it in my personal project. Thanks 


Elias Torres <el...@torrez.us> wrote: Right. I have not coded NTLM support, but like you said it can be done
and easily integrated into the Acegi Security framework. The main thing
my patch does is that if you configure your security.xml to request
authentication for user.do?method=registerUser, then if a user hits the
registration page it will load the user information (from NTLM+LDAP)
from the Acegi SecurityContextHolder and pre-populate the form,
disabling of course the username field (since you already have one) and
hiding the password fields as well.

Now, if you are interested in auto-provisioning, I can enable a hook
that will automatically register a user and deploy a blog (with their
username as their handle) as soon as they authenticate. What do you think?

-Elias



Ransford Segu-Baffoe

paksegu@yahoo.com
paksegu@noqturnalmediasystems.com

http://www.noqturnalmediasystems.com/
http://www.noqturnalmediasystems.com/Serenade/
https://serenade.dev.java.net/
 		

Re: Roller and SSO via Acegi Security

Posted by Elias Torres <el...@torrez.us>.
Right. I have not coded NTLM support, but like you said it can be done
and easily integrated into the Acegi Security framework. The main thing
my patch does is that if you configure your security.xml to request
authentication for user.do?method=registerUser, then if a user hits the
registration page it will load the user information (from NTLM+LDAP)
from the Acegi SecurityContextHolder and pre-populate the form,
disabling of course the username field (since you already have one) and
hiding the password fields as well.

Now, if you are interested in auto-provisioning, I can enable a hook
that will automatically register a user and deploy a blog (with their
username as their handle) as soon as they authenticate. What do you think?

-Elias

Eric.Bardoux@sanofipasteur.com wrote:
> Hi,
> 
> Today, for Roller, I'm only using LDAP authentication.
> But a lot of our applications here use NTLM authentication through a filter (Tomcat) that calls a web service connected to our LDAP.
> I hope that with your new classes, I will be able to modify my filter a bit so that it would only tell Roller "yes, the user is known, let him go".
> 
> Eric 
> 
> -----Original Message-----
> From: Elias Torres [mailto:eliast@gmail.com] On behalf of Elias Torres
> Sent: Tuesday, 29 August 2006 14:55
> To: roller-dev@incubator.apache.org
> Subject: Re: Roller and SSO via Acegi Security
> 
> Eric,
> 
> I was wondering what is your SSO setup? do you use LDAP? Do you use Cookies? I would like to hear more about it to see how general we can make this initial support.
> 
> -Elias
> 
> Eric.Bardoux@sanofipasteur.com wrote:
>> +1
>> Release 3.0 :):)
>>
>> -----Message d'origine-----
>> De : Dave Johnson [mailto:snoopdave@gmail.com] Envoyé : mardi 29 août 
>> 2006 02:03 À : roller-dev@incubator.apache.org Objet : Re: Roller and 
>> SSO via Acegi Security
>>
>> +1 for getting this into 3.0
>>
>> Elias sent me a patch containing the small amount of code necessary to 
>> optionally add support for SSO via LDAP -- a much request feature. I 
>> think it's safe to add this to the Roller 3.0 code base because
>>
>> - It's optional and effects the new user creation process
>> - It's a small change to UserFormEx and two new classes
>>
>> There is a small change in UserFormEx that is only invoked if SSO is enabled. If SSO is enabled and SSO data is present, then UserFormEx self-populates based on that SSO data.
>>
>> There are also two new classes that depend on Acegi.
>>
>> 1. CustomUserRegistry
>> - Extends Ageci JdbcDaoImpl and implements LdapAuthoritiesPopulator
>> - Populates UserData object with data from LDAP
>>
>> 2. RollerAuthoritiesPopulator
>>
>> The only piece that's missing is docs. With this new code, what needs to change in the existing LDAP FAQ?
>>
>> - Dave
>>
>>
>>
>> On 8/27/06, Matt Raible <mr...@gmail.com> wrote:
>>> +1 for anything that makes integrating with LDAP easier for companies.
>>>
>>> Matt
>>>
>>> On 8/27/06, Elias Torres <el...@torrez.us> wrote:
>>>> Hi folks,
>>>>
>>>> I'm revisiting the need for LDAP support in Roller and after some 
>>>> investigation on Acegi Security it seems like I could work something 
>>>> in Roller that would benefit not just IBM but other Roller 
>>>> installations such as Yale and N.C. State. Dave pointed me to 
>>>> RollerAndSSO [1] in the wiki and it seems like covers the most 
>>>> common cases of authentication in Roller. I've started reading Acegi 
>>>> Security documentation and was able to succesfully configure Roller 
>>>> 3.0 against our Enterprise Directory, however, there are some 
>>>> remaining issues that I want to share with you for suggestions on how I should proceed.
>>>>
>>>> I've configured security.xml to use LDAPAuthProvider. This provider 
>>>> fetches user information and authorities (roles) information. The 
>>>> issue is that our roles "editor" and "admin" are not stored in our 
>>>> secondary LDAP directory (for Groups only). The LDAPProvider does
>>>> (thankfully) split the provider functions of checking user 
>>>> credentials and fetching role information. Therefore I can write my 
>>>> own AuthoritiesPopulator that access the rest of the information 
>>>> from the RollerDB. Now, writing the AuthoritiesPopulator is not 
>>>> exactly trivial mostly because of simple design of the provider code 
>>>> in Acegi Security. I would have to copy most of the code from the 
>>>> DAO provider to make use of the same declarative features in the security.xml file, but it's not a big deal.
>>>>
>>>> My suggestion then is for me to write some sort of 
>>>> [Roller]CompositeProvider that allows basically a pick-your-own 
>>>> combo of features for providing user information. Something like 
>>>> pick either or both LDAP and DAO for either or both credentials and 
>>>> roles. It would duplicate some code from two Acegi Security classes 
>>>> because the code is not properly abstracted, but it will not require 
>>>> changes to Acegi Security and it would always be an optional 
>>>> provider for Roller installations, the default could be what we have in security.xml today.
>>>>
>>>> Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In 
>>>> our IBM internal environment, we have enabled registration, but we 
>>>> don't store password information in Roller. In essence what I 
>>>> suggested to Dave is to password-protect the registration page and 
>>>> when loaded auto-populate the username, name and email address 
>>>> fields (actually make them read-only) and let any authenticated user register in Roller.
>>>> However, there's a NullPointerException in
>>>> RollerSession.getRollerSession() because there's an authenticated 
>>>> user but there's no user in the RollerDB. I was hoping I can inject 
>>>> some code there that would use the generic UserDetailsService in Acegi Security to
>>>>    (based on a configurable option) to either auto-insert a record 
>>>> and tweak the registration update to deal with an existing user and 
>>>> just update, or to populate the session with a transient user-object 
>>>> that could be used in the registration page.
>>>>
>>>> I hope you can make sense of the long winded message and let me know 
>>>> if I can proceed to add this code (together with whatever 
>>>> tweaks/suggestions you may have) to the 3.0 branch.
>>>>
>>>> -Elias
>>>>
>>>> [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
>>>> [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>>>>
>> ----------------------------------------------------------------------
>> --------------------- "Cette communication (y compris les pieces 
>> jointes) est reservee a l'usage exclusif du destinataire (des destinataires) et peut contenir des informations privilegiees, confidentielles, exemptees de divulgation selon la loi ou protegees par les droits d'auteur. Si vous n'etes pas un destinataire, toute utilisation, divulgation, distribution, reproduction, examen ou copie (totale ou partielle) est non-autorisee et peut etre illegale. Tout message electronique est susceptible d'alteration et son integrite ne peut etre assuree. Sanofi Pasteur decline toute responsabilite au titre de ce message s'il a ete modifie ou falsifie. Si vous n'etes pas destinataire de ce message, merci de le detruire immediatement et d'avertir l'expediteur de l'erreur de distribution et de la destruction du message. Merci.
>> This transmission (including any attachments) is intended solely for the use of the addressee(s) and may contain confidential information including trade secrets which are privileged, confidential, exempt from disclosure under applicable law and/or subject to copyright. If you are not an intended recipient, any use, disclosure, distribution, reproduction, review or copying (either whole or partial) is unauthorized and may be unlawful. E-mails are susceptible to alteration and their integrity cannot be guaranteed.Sanofi Pasteur shall not be liable for this e-mail if modified or falsified. If you are not the intended recipient of this e-mail, please delete it immediately from your system and notify the sender of the wrong delivery and the mail deletion. Thank you."
>> **********************************************************************
>>
>>
> -------------------------------------------------------------------------------------------
> "Cette communication (y compris les pieces jointes) est reservee a l'usage exclusif du destinataire (des destinataires) et peut contenir des informations privilegiees, confidentielles, exemptees de divulgation selon la loi ou protegees par les droits d'auteur. Si vous n'etes pas un destinataire, toute utilisation, divulgation, distribution, reproduction, examen ou copie (totale ou partielle) est non-autorisee et peut etre illegale. Tout message electronique est susceptible d'alteration et son integrite ne peut etre assuree. Sanofi Pasteur decline toute responsabilite au titre de ce message s'il a ete modifie ou falsifie. Si vous n'etes pas destinataire de ce message, merci de le detruire immediatement et d'avertir l'expediteur de l'erreur de distribution et de la destruction du message. Merci.
> This transmission (including any attachments) is intended solely for the use of the addressee(s) and may contain confidential information including trade secrets which are privileged, confidential, exempt from disclosure under applicable law and/or subject to copyright. If you are not an intended recipient, any use, disclosure, distribution, reproduction, review or copying (either whole or partial) is unauthorized and may be unlawful. E-mails are susceptible to alteration and their integrity cannot be guaranteed.Sanofi Pasteur shall not be liable for this e-mail if modified or falsified. If you are not the intended recipient of this e-mail, please delete it immediately from your system and notify the sender of the wrong delivery and the mail deletion. Thank you."
> **********************************************************************
> 
> 
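The split Elias describes (credentials checked against LDAP, the "editor"/"admin" roles read from the Roller DB) and the pre-population of the registration form from the SecurityContextHolder, written out as an added illustration in the shape Dave outlines later in the thread. This is not the patch itself nor Roller's own classes; it assumes Acegi Security 1.0.x APIs, and the package name, the SsoProfile holder, the LDAP attribute names cn and mail, and the Roller queries mentioned in the comments are assumptions.

```java
package org.example.rollersso; // hypothetical package, not part of Roller

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;

import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.acegisecurity.userdetails.jdbc.JdbcDaoImpl;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;

/**
 * Illustrative populator (not Roller's code). Acegi's LdapAuthenticationProvider
 * verifies the bind against the directory, then asks this class for authorities.
 * Extending JdbcDaoImpl means usersByUsernameQuery / authoritiesByUsernameQuery
 * can be set declaratively in security.xml just like the plain DAO provider, e.g.
 * (assumed Roller 3.0 schema) "select username, passphrase, isenabled from
 * rolleruser where username = ?" and "select username, rolename from userrole
 * where username = ?".
 */
public class RollerDbAuthoritiesPopulator extends JdbcDaoImpl
        implements LdapAuthoritiesPopulator {

    private static final GrantedAuthority[] NONE = new GrantedAuthority[0];

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
        try {
            // JdbcDaoImpl runs the configured authoritiesByUsernameQuery.
            UserDetails dbUser = loadUserByUsername(ldapUser.getUsername());
            return dbUser.getAuthorities();
        } catch (UsernameNotFoundException notRegisteredYet) {
            // Authenticated in LDAP but no row in the Roller DB (or no roles):
            // grant nothing instead of failing, so the request can still reach
            // the registration page. This is the "authenticated user with no
            // RollerDB user" case behind the NullPointerException in
            // RollerSession.getRollerSession().
            return NONE;
        }
    }

    /** Values the registration form is seeded with when SSO is enabled (assumed holder). */
    public static final class SsoProfile {
        public final String userName;
        public final String fullName;
        public final String email;

        SsoProfile(String userName, String fullName, String email) {
            this.userName = userName;
            this.fullName = fullName;
            this.email = email;
        }
    }

    /**
     * Reads the LDAP principal that the Acegi filter chain stored in the
     * SecurityContextHolder. Returns null when nobody is authenticated or the
     * principal did not come from the LDAP provider.
     */
    public static SsoProfile currentSsoProfile() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getPrincipal() instanceof LdapUserDetails)) {
            return null;
        }
        LdapUserDetails user = (LdapUserDetails) auth.getPrincipal();
        Attributes attrs = user.getAttributes();
        // "cn" and "mail" are assumed attribute names; adjust to the directory schema.
        return new SsoProfile(user.getUsername(),
                firstValue(attrs, "cn"),
                firstValue(attrs, "mail"));
    }

    private static String firstValue(Attributes attrs, String id) {
        if (attrs == null) {
            return null;
        }
        Attribute a = attrs.get(id);
        try {
            return (a == null || a.size() == 0) ? null : String.valueOf(a.get());
        } catch (NamingException e) {
            return null;
        }
    }

    /**
     * Server-side counterpart of the disabled username field: disabling the
     * field is only a UI convenience, so the handle actually stored must come
     * from the authenticated principal, never from the posted form value.
     */
    public static String registeredHandle(String postedUserName) {
        SsoProfile sso = currentSsoProfile();
        if (sso == null) {
            return postedUserName; // SSO not in play: ordinary registration
        }
        if (postedUserName != null && !postedUserName.equals(sso.userName)) {
            throw new IllegalStateException(
                    "submitted username does not match the authenticated user");
        }
        return sso.userName;
    }
}
```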

RE: Roller and SSO via Acegi Security

Posted by Er...@sanofipasteur.com.
Hi,

Today, for Roller, I'm only using LDAP authentication.
But a lot of our applications here use NTLM authentication through a (Tomcat) filter that calls a web service connected to our LDAP.
I hope that with your new classes I will be able to modify my filter a bit so that it would only tell Roller "yes, the user is known, let him go".

Eric 

-------------------------------------------------------------------------------------------
"This transmission (including any attachments) is intended solely for the use of the addressee(s) and may contain confidential information including trade secrets which are privileged, confidential, exempt from disclosure under applicable law and/or subject to copyright. If you are not an intended recipient, any use, disclosure, distribution, reproduction, review or copying (either whole or partial) is unauthorized and may be unlawful. E-mails are susceptible to alteration and their integrity cannot be guaranteed. Sanofi Pasteur shall not be liable for this e-mail if modified or falsified. If you are not the intended recipient of this e-mail, please delete it immediately from your system and notify the sender of the wrong delivery and the mail deletion. Thank you."
**********************************************************************


Re: Roller and SSO via Acegi Security

Posted by Elias Torres <el...@torrez.us>.
Eric,

I was wondering what your SSO setup is. Do you use LDAP? Do you use
cookies? I would like to hear more about it to see how general we can
make this initial support.

-Elias


RE: Roller and SSO via Acegi Security

Posted by Er...@sanofipasteur.com.
+1
Release 3.0 :):)



Re: Roller and SSO via Acegi Security

Posted by Dave Johnson <sn...@gmail.com>.
+1 for getting this into 3.0

Elias sent me a patch containing the small amount of code necessary to
optionally add support for SSO via LDAP -- a much requested feature. I
think it's safe to add this to the Roller 3.0 code base because

- It's optional and affects the new user creation process
- It's a small change to UserFormEx and two new classes

There is a small change in UserFormEx that is only invoked if SSO is
enabled. If SSO is enabled and SSO data is present, then UserFormEx
self-populates based on that SSO data.

There are also two new classes that depend on Acegi.

1. CustomUserRegistry
- Extends Acegi JdbcDaoImpl and implements LdapAuthoritiesPopulator
- Populates UserData object with data from LDAP

2. RollerAuthoritiesPopulator

The only piece that's missing is docs. With this new code, what needs
to change in the existing LDAP FAQ?

- Dave



On 8/27/06, Matt Raible <mr...@gmail.com> wrote:
> +1 for anything that makes integrating with LDAP easier for companies.
>
> Matt
>
> On 8/27/06, Elias Torres <el...@torrez.us> wrote:
> > Hi folks,
> >
> > I'm revisiting the need for LDAP support in Roller and after some
> > investigation on Acegi Security it seems like I could work something in
> > Roller that would benefit not just IBM but other Roller installations
> > such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the
> > wiki and it seems like it covers the most common cases of authentication in
> > Roller. I've started reading Acegi Security documentation and was able
> > to successfully configure Roller 3.0 against our Enterprise Directory,
> > however, there are some remaining issues that I want to share with you
> > for suggestions on how I should proceed.
> >
> > I've configured security.xml to use LDAPAuthProvider. This provider
> > fetches user information and authorities (roles) information. The issue
> > is that our roles "editor" and "admin" are not stored in our secondary
> > LDAP directory (for Groups only). The LDAPProvider does (thankfully)
> > split the provider functions of checking user credentials and fetching
> > role information. Therefore I can write my own AuthoritiesPopulator that
> > accesses the rest of the information from the RollerDB. Now, writing the
> > AuthoritiesPopulator is not exactly trivial mostly because of the simple
> > design of the provider code in Acegi Security. I would have to copy most
> > of the code from the DAO provider to make use of the same declarative
> > features in the security.xml file, but it's not a big deal.
> >
> > My suggestion then is for me to write some sort of
> > [Roller]CompositeProvider that allows basically a pick-your-own combo of
> > features for providing user information. Something like pick either or
> > both LDAP and DAO for either or both credentials and roles. It would
> > duplicate some code from two Acegi Security classes because the code is
> > not properly abstracted, but it will not require changes to Acegi
> > Security and it would always be an optional provider for Roller
> > installations, the default could be what we have in security.xml today.
> >
> > Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our
> > IBM internal environment, we have enabled registration, but we don't
> > store password information in Roller. In essence what I suggested to
> > Dave is to password-protect the registration page and when loaded
> > auto-populate the username, name and email address fields (actually make
> > them read-only) and let any authenticated user register in Roller.
> > However, there's a NullPointerException in
> > RollerSession.getRollerSession() because there's an authenticated user
> > but there's no user in the RollerDB. I was hoping I can inject some code
> > there that would use the generic UserDetailsService in Acegi Security
> > (based on a configurable option) to either auto-insert a record and
> > tweak the registration update to deal with an existing user and just
> > update, or to populate the session with a transient user-object that
> > could be used in the registration page.
> >
> > I hope you can make sense of the long-winded message and let me know if
> > I can proceed to add this code (together with whatever
> > tweaks/suggestions you may have) to the 3.0 branch.
> >
> > -Elias
> >
> > [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
> > [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
> >
>
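As an added illustration of the split Dave and Elias describe above (LDAP checks the credentials, the Roller database supplies the "editor"/"admin" roles), here is an Acegi LdapAuthoritiesPopulator backed by a JDBC query. This is example code written for this page, not the patch Elias sent and not a Roller or Acegi class; it assumes Acegi 1.0.x package names and interface signatures, Spring's JdbcDaoSupport, and a Roller userrole table with username and rolename columns. The package name, the table layout and the lower-case username convention are assumptions.

```java
// Added example, not Roller or Acegi project code. Assumes Acegi 1.0.x and
// Spring 1.2.x APIs; the package, table layout and username normalization
// are assumptions about the Roller schema.
package org.apache.roller.ui.core.security; // hypothetical package

import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapDataAccessException;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.support.JdbcDaoSupport;

/**
 * Credentials are verified by Acegi's LDAP authenticator; this populator only
 * answers "which Roller roles does this username hold?" from the Roller DB.
 */
public class DbRoleAuthoritiesPopulator extends JdbcDaoSupport
        implements LdapAuthoritiesPopulator {

    // Roles are keyed by the LDAP-authenticated username only. The LDAP entry's
    // own attributes are never consulted for authorization, so a change made
    // in the directory cannot by itself confer Roller "admin".
    private static final String ROLES_BY_USERNAME =
        "SELECT rolename FROM userrole WHERE username = ?"; // assumed schema

    private String rolePrefix = "ROLE_";

    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails user)
            throws LdapDataAccessException {
        // Normalize the same way Roller stores usernames (assumed: lower case),
        // otherwise a mixed-case LDAP uid silently matches no roles.
        final String username = user.getUsername().toLowerCase();

        List roles = getJdbcTemplate().query(ROLES_BY_USERNAME,
            new Object[] { username },
            new RowMapper() {
                public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                    // "editor" -> ROLE_EDITOR, "admin" -> ROLE_ADMIN
                    return new GrantedAuthorityImpl(
                        rolePrefix + rs.getString(1).toUpperCase());
                }
            });

        // Fail closed: a directory user with no Roller roles authenticates but
        // receives no authorities. Registration (handled separately) is what
        // creates the local record and its roles; nothing is granted by default.
        return (GrantedAuthority[]) roles.toArray(new GrantedAuthority[roles.size()]);
    }

    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }
}
```

Wired into security.xml, this would be declared as a bean with Roller's dataSource and handed to Acegi's LdapAuthenticationProvider in place of the default populator (the constructor order, authenticator then populator, is an assumption about Acegi 1.0.x). The line a reviewer should check is the fail-closed return: an authenticated user with no userrole rows gets an empty authority array rather than a default "editor" or "admin" grant.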

Re: Roller and SSO via Acegi Security

Posted by Matt Raible <mr...@gmail.com>.
+1 for anything that makes integrating with LDAP easier for companies.

Matt

On 8/27/06, Elias Torres <el...@torrez.us> wrote:
> Hi folks,
>
> I'm revisiting the need for LDAP support in Roller and after some
> investigation on Acegi Security it seems like I could work something in
> Roller that would benefit not just IBM but other Roller installations
> such as Yale and N.C. State. Dave pointed me to RollerAndSSO [1] in the
> wiki and it seems like it covers the most common cases of authentication in
> Roller. I've started reading Acegi Security documentation and was able
> to successfully configure Roller 3.0 against our Enterprise Directory,
> however, there are some remaining issues that I want to share with you
> for suggestions on how I should proceed.
>
> I've configured security.xml to use LDAPAuthProvider. This provider
> fetches user information and authorities (roles) information. The issue
> is that our roles "editor" and "admin" are not stored in our secondary
> LDAP directory (for Groups only). The LDAPProvider does (thankfully)
> split the provider functions of checking user credentials and fetching
> role information. Therefore I can write my own AuthoritiesPopulator that
> accesses the rest of the information from the RollerDB. Now, writing the
> AuthoritiesPopulator is not exactly trivial mostly because of the simple
> design of the provider code in Acegi Security. I would have to copy most
> of the code from the DAO provider to make use of the same declarative
> features in the security.xml file, but it's not a big deal.
>
> My suggestion then is for me to write some sort of
> [Roller]CompositeProvider that allows basically a pick-your-own combo of
> features for providing user information. Something like pick either or
> both LDAP and DAO for either or both credentials and roles. It would
> duplicate some code from two Acegi Security classes because the code is
> not properly abstracted, but it will not require changes to Acegi
> Security and it would always be an optional provider for Roller
> installations, the default could be what we have in security.xml today.
>
> Now, the bigger issue is the one mentioned in LDAP_SSP_FAQ [2]. In our
> IBM internal environment, we have enabled registration, but we don't
> store password information in Roller. In essence what I suggested to
> Dave is to password-protect the registration page and when loaded
> auto-populate the username, name and email address fields (actually make
> them read-only) and let any authenticated user register in Roller.
> However, there's a NullPointerException in
> RollerSession.getRollerSession() because there's an authenticated user
> but there's no user in the RollerDB. I was hoping I can inject some code
> there that would use the generic UserDetailsService in Acegi Security
> (based on a configurable option) to either auto-insert a record and
> tweak the registration update to deal with an existing user and just
> update, or to populate the session with a transient user-object that
> could be used in the registration page.
>
> I hope you can make sense of the long-winded message and let me know if
> I can proceed to add this code (together with whatever
> tweaks/suggestions you may have) to the 3.0 branch.
>
> -Elias
>
> [1] http://rollerweblogger.org/wiki/Wiki.jsp?page=RollerAndSSO
> [2] http://rollerweblogger.org/wiki/Wiki.jsp?page=LDAP_SSP_FAQ
>
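The registration problem in Elias's quoted message (an SSO-authenticated principal with no row in the Roller database, and the resulting NullPointerException in RollerSession.getRollerSession()) can be handled by resolving the user from the Acegi security context with an explicit policy for the "authenticated but unknown locally" case. This is an added example for this page, not Roller's own code and not Elias's patch; it assumes Acegi 1.0.x's LdapUserDetails, Roller 3.0's RollerFactory, UserManager and UserData API, that the directory exposes display name and e-mail as the cn and mail attributes, and a hypothetical package name.

```java
// Added example, not Roller project code. Assumes Acegi 1.0.x and the
// Roller 3.0 UserManager/UserData API; package name and the LDAP attribute
// names ("cn", "mail") are assumptions.
package org.apache.roller.ui.core.security; // hypothetical package

import java.util.Date;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.apache.roller.RollerException;
import org.apache.roller.model.RollerFactory;
import org.apache.roller.model.UserManager;
import org.apache.roller.pojos.UserData;

/** Resolves the Roller user for the current SSO principal without NPEs. */
public class SsoUserResolver {

    // The configurable option from the thread: auto-insert a record, or hand
    // the registration page a transient (unsaved) user to display read-only.
    private final boolean autoProvision;

    public SsoUserResolver(boolean autoProvision) {
        this.autoProvision = autoProvision;
    }

    /**
     * Returns the Roller user for the authenticated principal, or null when
     * nobody is authenticated through LDAP (the existing Roller path applies).
     */
    public UserData resolveCurrentUser() throws RollerException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || !(auth.getPrincipal() instanceof LdapUserDetails)) {
            return null;
        }
        LdapUserDetails principal = (LdapUserDetails) auth.getPrincipal();

        // Identity comes from the authenticated principal, never from request
        // parameters, so a submitted form cannot claim someone else's username.
        String username = principal.getUsername().toLowerCase();

        UserManager umgr = RollerFactory.getRoller().getUserManager();
        UserData user = umgr.getUserByUserName(username);
        if (user != null) {
            return user; // normal case: already registered
        }

        UserData fromSso = populateFromLdap(username, principal.getAttributes());
        if (autoProvision) {
            umgr.addUser(fromSso);          // persisted within the request's transaction
            return fromSso;
        }
        return fromSso; // transient: shown read-only on the registration page, not saved
    }

    /** Builds a UserData from directory attributes; no password is ever stored. */
    static UserData populateFromLdap(String username, Attributes attrs) {
        UserData u = new UserData();
        u.setUserName(username);
        u.setFullName(attr(attrs, "cn", username));
        u.setEmailAddress(attr(attrs, "mail", ""));
        u.setEnabled(Boolean.TRUE);
        u.setDateCreated(new Date());
        return u;
    }

    private static String attr(Attributes attrs, String name, String dflt) {
        try {
            if (attrs == null || attrs.get(name) == null) {
                return dflt;
            }
            Object v = attrs.get(name).get();
            return v == null ? dflt : v.toString();
        } catch (NamingException e) {
            return dflt; // missing or unreadable attribute: fall back, do not fail
        }
    }
}
```

The registration action would then take username, name and e-mail from the object this resolver returns rather than from the submitted form, which is what makes the "read-only" fields Elias mentions enforceable server-side and not just in the HTML. With autoProvision off, the transient user exists only in the session until the person completes registration; with it on, the local record is created at first login, and the role lookup still returns nothing until an administrator assigns roles.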