Posted to jetspeed-user@portals.apache.org by Michael Gustav Simon <mg...@gmail.com> on 2006/02/02 10:40:08 UTC

login process

I don't understand the login process in detail!
Why does the internal redirect from "/login/proxy"
(org.apache.jetspeed.login.LoginProxyServlet) to "/login/redirector"
(org.apache.jetspeed.login.LoginRedirectorServlet) start the jetspeed-pipeline
named "LoginPipeline"?
If I call the redirector directly, the pipeline "LoginPipeline" will not
start.
How does it work?
I need a hint! :-)

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
OK, I see that login.jsp will post j_username and j_password to the action
j_security_check.
How does the container handle the action j_security_check?

2006/2/3, Michael Gustav Simon <mg...@gmail.com>:
>
> I believe I understand the explained login process, but I want to
> understand the process in more detail.
> The principals are stored in the table security_principal, the table
> security_credential contains the associated passwords.
> Which class or process checks the hidden fields against the database and
> sets the principal?
>

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
I believe I understand the explained login process, but I want to
understand the process in more detail.
The principals are stored in the table security_principal, the table
security_credential contains the associated passwords.
Which class or process checks the hidden fields against the database and
sets the principal?

2006/2/3, Aaron Evans <aa...@yahoo.ca>:
>
> David Sean Taylor <david <at> bluesunrise.com> writes:
>
> > Think we covered this before on this list on a thread called "Login
> > page" on Jan 11, 2006
> >
> > Here is part of the discussion:
> >
> > Hi Aaron,
> >
> > Great description of our Active Authentication process.
> >
> > I also have a sequence diagram of this process on paper here....
> >
> > It would be great to have this process documented in the xdocs
> > Would you like to volunteer to write a Active Authentication page for
> > our documentation?
> >
> > I scanned in the diagram here, you may find it informative:
> >
> > http://www.bluesunrise.com/jetspeed-2/AA.jpg
> >
>
> And I did agree to document it, I just have been crazy busy getting the first
> release of our portal out the door.  I hope to work on this this weekend.
>
> The servlets mentioned in Jacek's post were not discussed however, so I'll take
> a look at those when I write this up...
>
> aaron
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
>

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
I have another problem with my authentication integration.
In my solution the authenticated user will be delivered by the webserver.
The security works without any problem on the pages folder structure,
but I have a problem at the portlet level.
In my portlet the method isUserInRole will not work!
I tested it with the Role Security Test portlet and my own portlet.
If I use the jetspeed form login I will get the following output.
isUserInRole:
 Role Ref Name   Role Name   PortletRequest   ServletRequest
 Administrator   admin       true             true
 Manager         manager     true             true
 User            user        true             true
With my authentication integration I will get the following output with the same
user! :-(
isUserInRole:
 Role Ref Name   Role Name   PortletRequest   ServletRequest
 Administrator   admin       false            false
 Manager         manager     false            false
 User            user        false            false
The same result occurs in my own portlet.
Does anyone have a hint for me to resolve this problem?
Or do I have to use another implementation to determine the roles?

--
mgsimon

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
I have my solution.
Here it is for interested users:
I use mod_jk to connect my tomcat to my apache webserver.
The authentication of a user will be done by the webserver plugin.
The user is set as the remote user.
The servlet gets the remote user (request.getRequest().getRemoteUser();) if
the tomcat configuration trusts mod_jk (tomcatAuthentication="false").

server.xml
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
               tomcatAuthentication="false"/>

To ensure that users who do not yet exist in the jetspeed user repository get
access, I use my own valve (invoked before the securityValve) to create the
remote user with the usermanager.

mgsimon
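
An added example, not from this thread or from the Jetspeed project, of the kind of valve described in the post above: a Jetspeed pipeline valve, wired in pipelines.xml before securityValve, that creates a portal account for the remote user mod_jk delivered. It assumes the Jetspeed 2.0 API as I remember it (Valve/ValveContext/RequestContext, UserManager.userExists() and addUser(), RoleManager.addRoleToUser(), the managers injected as Spring constructor arguments), and the default role name "user" is a placeholder. One thing to keep in mind with tomcatAuthentication="false": the remote user is taken verbatim from whatever reaches the AJP connector, so that port should only be reachable from the trusted Apache front end (for example by setting address="127.0.0.1" on the Connector); the valve below also only accepts names that look like account names and never fails the request itself, leaving the access decision to the securityValve behind it.

```java
// Added example, not from this thread or from the Jetspeed project.
// Jetspeed pipeline valve that provisions an account for a user the Apache
// front end already authenticated and Tomcat exposes as the remote user
// (tomcatAuthentication="false" on the AJP connector).
// Assumed Jetspeed 2.0 API: Valve/ValveContext/RequestContext,
// UserManager.userExists()/addUser(), RoleManager.addRoleToUser().
package example.auth;

import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.regex.Pattern;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jetspeed.pipeline.PipelineException;
import org.apache.jetspeed.pipeline.valve.Valve;
import org.apache.jetspeed.pipeline.valve.ValveContext;
import org.apache.jetspeed.request.RequestContext;
import org.apache.jetspeed.security.RoleManager;
import org.apache.jetspeed.security.SecurityException;
import org.apache.jetspeed.security.UserManager;

public class RemoteUserProvisioningValve implements Valve {

    private static final Log log = LogFactory.getLog(RemoteUserProvisioningValve.class);

    // Only names that look like account names are provisioned; anything else
    // arriving as the remote user is ignored rather than turned into an account.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    // Placeholder: the role new accounts receive so isUserInRole() can succeed.
    private static final String DEFAULT_ROLE = "user";

    private static final SecureRandom RANDOM = new SecureRandom();

    private final UserManager users;
    private final RoleManager roles;

    // Both managers are assumed to be injected by Spring from pipelines.xml.
    public RemoteUserProvisioningValve(UserManager users, RoleManager roles) {
        this.users = users;
        this.roles = roles;
    }

    public void initialize() throws PipelineException {
        // nothing to set up
    }

    public void invoke(RequestContext request, ValveContext context)
            throws PipelineException {
        // With tomcatAuthentication="false" this is whatever the AJP peer
        // reported, so it is exactly as trustworthy as that connection.
        String remoteUser = request.getRequest().getRemoteUser();
        if (remoteUser != null && SAFE_NAME.matcher(remoteUser).matches()) {
            provision(remoteUser);
        }
        // Never short-circuit: securityValve downstream decides what an
        // unprovisioned or anonymous user may see.
        context.invokeNext(request);
    }

    // Creates the account with an unguessable password (the Apache plugin
    // does the real password check) and gives it the default role.
    void provision(String username) {
        try {
            if (users.userExists(username)) {
                return;
            }
            users.addUser(username, randomPassword());
            roles.addRoleToUser(username, DEFAULT_ROLE);
            log.info("provisioned portal account for remote user " + username);
        } catch (SecurityException e) {
            log.error("could not provision remote user " + username, e);
        }
    }

    // 128 random bits as hex; stored so the account has a credential,
    // never shown to anyone.
    static String randomPassword() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return new BigInteger(1, bytes).toString(16);
    }
}
```

The bean definition would sit next to the other valves in pipelines.xml with constructor-arg refs to the user and role manager beans (in Jetspeed 2.0 I believe they are registered under their interface names, but check your security-managers.xml), and the valve is listed in the pipeline's valve list ahead of securityValve.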

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
Jetspeed will use JAAS to authenticate a user.
My problem is that I will get the remote user in the HTTP header from an
apache plugin.
The user is authenticated already.
Now I want to set or create the user depending on the remote user.
Where is the best integration point?
SecurityValve?
A new CallbackHandler to set the user, and my own LoginModule will set and
create the user?
I see there is an unused PassiveCallbackHandler in the package
org.apache.jetspeed.security.impl, but how do I get the remote user?
I have no scope to an HttpServletRequest, but in the article "All that JAAS":
By creating a CallbackHandler with an HttpServletRequest argument, you can
authenticate using additional information from the request, including the
client's IP address.
How can I implement a CallbackHandler with an HttpServletRequest argument
in the jetspeed environment?

Many thanks to every hint! :-)
Michael
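
An added example, not from this thread or from the Jetspeed project, of the CallbackHandler-with-HttpServletRequest pattern the post refers to, together with a small LoginModule that accepts the container-supplied remote user as its only evidence. The principal class and the module are illustrative and are not Jetspeed's own UserPrincipal or login module. The design point worth seeing in code: the module's trust rests entirely on where the name came from, so it refuses any handler other than the request-backed one (a generic name/password handler could answer NameCallback with any string), and the handler refuses PasswordCallback instead of handing back an empty password.

```java
// Added example, not from this thread or from the Jetspeed project.
// A JAAS CallbackHandler that carries the HttpServletRequest, so a
// LoginModule can authenticate from what the container already knows
// (here: the remote user set by the Apache plugin), plus an illustrative
// LoginModule that accepts exactly that evidence and nothing else.
package example.auth;

import java.io.IOException;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

public class RemoteUserCallbackHandler implements CallbackHandler {

    private final HttpServletRequest request;

    public RemoteUserCallbackHandler(HttpServletRequest request) {
        this.request = request;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                // Whatever the container (via mod_jk) reports; null when
                // nothing upstream authenticated this request.
                ((NameCallback) callbacks[i]).setName(request.getRemoteUser());
            } else {
                // No password is available here. Refusing makes a
                // password-based module fail loudly rather than accept "".
                throw new UnsupportedCallbackException(callbacks[i],
                        "only NameCallback is supported");
            }
        }
    }

    /** Illustrative principal; Jetspeed has its own UserPrincipal type. */
    public static final class RemoteUserPrincipal implements Principal {
        private final String name;
        public RemoteUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof RemoteUserPrincipal
                    && name.equals(((RemoteUserPrincipal) o).name);
        }
        public int hashCode() { return name.hashCode(); }
    }

    /** LoginModule whose only evidence is the container-supplied remote user. */
    public static class RemoteUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private RemoteUserPrincipal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map sharedState, Map options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            // Only the request-backed handler is acceptable: any other
            // handler could answer NameCallback with an arbitrary string.
            if (!(handler instanceof RemoteUserCallbackHandler)) {
                throw new LoginException("RemoteUserCallbackHandler required");
            }
            NameCallback nc = new NameCallback("remote user: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException e) {
                throw new LoginException(e.getMessage());
            } catch (UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            if (nc.getName() == null || nc.getName().length() == 0) {
                throw new FailedLoginException("request carries no remote user");
            }
            principal = new RemoteUserPrincipal(nc.getName());
            return true;
        }

        public boolean commit() {
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }

        public boolean abort() { principal = null; return true; }

        public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null;
            return true;
        }
    }
}
```

It is driven from code that has the request in scope, which a pipeline valve does through RequestContext.getRequest(): new LoginContext("Jetspeed", new RemoteUserCallbackHandler(request)).login(), where the "Jetspeed" entry in the JAAS login configuration (the file named by java.security.auth.login.config, or whatever the container installs) lists RemoteUserLoginModule as required.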

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
I have one gap in understanding the login process in detail.
How does the VM or container get the java.security.auth.login.config to
use another authentication module to validate with another
authentication handler?

Re: login process

Posted by David Sean Taylor <da...@bluesunrise.com>.
Aaron Evans wrote:
> 
> And I did agree to document it, I just have been crazy busy getting the first 
> release of our portal out the door.  I hope to work on this this weekend.

Hey no problem I can *completely* relate to that scenario times 2
Sounds like there are a few portals going out the door this week :)
Get to it when we get to it. My open source dev was on hold all last month


Re: login process

Posted by Aaron Evans <aa...@yahoo.ca>.
David Sean Taylor <david <at> bluesunrise.com> writes:

> Think we covered this before on this list on a thread called "Login 
> page" on Jan 11, 2006
> 
> Here is part of the discussion:
> 
> Hi Aaron,
> 
> Great description of our Active Authentication process.
> 
> I also have a sequence diagram of this process on paper here....
> 
> It would be great to have this process documented in the xdocs
> Would you like to volunteer to write a Active Authentication page for 
> our documentation?
> 
> I scanned in the diagram here, you may find it informative:
> 
> http://www.bluesunrise.com/jetspeed-2/AA.jpg
> 

And I did agree to document it, I just have been crazy busy getting the first 
release of our portal out the door.  I hope to work on this this weekend.

The servlets mentioned in Jacek's post were not discussed however, so I'll take
a look at those when I write this up...

aaron


Re: login process

Posted by David Sean Taylor <da...@bluesunrise.com>.
Michael Gustav Simon wrote:
>>The user logging-in process is as follows (redirections):
>>correct logon:
>>LoginProxyServlet -> LoginServlet -> LoginRedirectorServlet
>>error logon:
>>LoginProxyServlet -> LoginServlet -> LoginErrorServlet
>>logout:
>>LogoutServlet
>>
>>When you call "/login/proxy" it should be fine.
> 
> 
> I know, it was a test to determine how the system calls the login-pipeline.
> I don't understand how the pipeline is instantiated after the LoginProxyServlet.
> 
Think we covered this before on this list on a thread called "Login 
page" on Jan 11, 2006

Here is part of the discussion:

Hi Aaron,

Great description of our Active Authentication process.

I also have a sequence diagram of this process on paper here....

It would be great to have this process documented in the xdocs
Would you like to volunteer to write a Active Authentication page for 
our documentation?

I scanned in the diagram here, you may find it informative:

http://www.bluesunrise.com/jetspeed-2/AA.jpg


Aaron Evans wrote:

 > yao cuihong <yaocuihong <at> gmail.com> writes:
 >
 >
 >> 2. Jetspeed 2 security services rely entirely on JAAS
 >>    Does the LoginPortlet in j2-admin portlet application use JAAS?
 >>    What is the mechanism of LoginPortlet? I read the source of
 >> LoginPortlet, but don't understand.
 >>    How does the LoginPortlet authenticate the user?
 >>
 >
 >
 > I posted this on another thread, but just so others following this thread will
 > see the answer:
 >
 > Jetspeed uses a JAAS realm for authentication.  It is configured in jetspeed's
 > context xml (although it can be moved up to the container level).
 >
 > J2EE containers that use realm authentication require that the
 > request parameters j_username and j_password be posted to
 > /j_security_check for authentication.
 > If you look at jetspeed's web.xml, you will see a standard web application
 > security constraint and login config:
 >
 > <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
 >   <security-constraint>
 >     <web-resource-collection>
 >       <web-resource-name>Login</web-resource-name>
 >       <url-pattern>/login/redirector</url-pattern>
 >     </web-resource-collection>
 >     <auth-constraint>
 >       <role-name>*</role-name>
 >     </auth-constraint>
 >   </security-constraint>
 >
 >
 >   <!-- Login configuration uses form-based authentication -->
 >   <login-config>
 >     <auth-method>FORM</auth-method>
 >     <realm-name>Jetspeed</realm-name>
 >     <form-login-config>
 >       <form-login-page>/login/login</form-login-page>
 >       <form-error-page>/login/error</form-error-page>
 >     </form-login-config>
 >   </login-config>
 > I believe that what happens is that the login portlet posts to the
 > /login/redirector protected resource. Because the user is not authenticated,
 > they get redirected to /login/login.
 > I believe that the /login/login URI is a blank page that contains a
 > hidden form that takes the user name and password parameter values
 > submitted from the login portlet and puts them in hidden fields with the
 > names j_username and j_password.  It also has some kind of onload JS or
 > meta refresh which then causes the hidden form to post to /j_security_check.
 >
 > If authentication is not successful, the user will be sent to /login/error.
 > If it is successful, the user will be sent to /login/redirector and they will
 > now be allowed access to it because they have been authenticated. This URI
 > no doubt redirects to the portal root (applying profiling rules).
 >

Re: login process

Posted by Michael Gustav Simon <mg...@gmail.com>.
> The user logging-in process is as follows (redirections):
> correct logon:
> LoginProxyServlet -> LoginServlet -> LoginRedirectorServlet
> error logon:
> LoginProxyServlet -> LoginServlet -> LoginErrorServlet
> logout:
> LogoutServlet
>
> When you call "/login/proxy" it should be fine.

I know, it was a test to determine how the system calls the login-pipeline.
I don't understand how the pipeline is instantiated after the LoginProxyServlet.

Re: login process

Posted by Jacek Wiślicki <ja...@gmail.com>.
Michael Gustav Simon's message of 2006-02-02 10:40 read:

> I don't understand the login process in detail!
> Why does the internal redirect from "/login/proxy"
> (org.apache.jetspeed.login.LoginProxyServlet) to "/login/redirector"
> (org.apache.jetspeed.login.LoginRedirectorServlet) start the jetspeed-pipeline
> named "LoginPipeline"?
> If I call the redirector directly, the pipeline "LoginPipeline" will not
> start.
> How does it work?
> I need a hint! :-)
The user logging-in process is as follows (redirections):
correct logon:
LoginProxyServlet -> LoginServlet -> LoginRedirectorServlet
error logon:
LoginProxyServlet -> LoginServlet -> LoginErrorServlet
logout:
LogoutServlet

When you call "/login/proxy" it should be fine.


-- 
regards,
     Jacek Wislicki

jacek.wislicki@gmail.com
tel.: +48 502 408 444
gg: 2540358
skype: jacek_wislicki
