Posted to jetspeed-user@portals.apache.org by yao cuihong <ya...@gmail.com> on 2006/01/10 08:11:25 UTC

Login page

Hi all.

Does Jetspeed 2.0 implement a login page? If not, what should I do to
implement a login page?

Thanks

Re: Login page

Posted by David Sean Taylor <da...@bluesunrise.com>.
Aaron Evans wrote:
> David Sean Taylor <david <at> bluesunrise.com> writes:
> 
> Hi David,
> Sure, I'll give it a shot.
> 
> So, I guess I should write it in "xdoc" format and put it in JIRA as described
> here?
> 
yes

> http://portals.apache.org/development/documentation.html
> 


-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: Login page

Posted by Aaron Evans <aa...@yahoo.ca>.
David Sean Taylor <david <at> bluesunrise.com> writes:

> 
> Hi Aaron,
> 
> Great description of our Active Authentication process.
> 
> I also have a sequence diagram of this process on paper here....
> 
> It would be great to have this process documented in the xdocs
> Would you like to volunteer to write an Active Authentication page for 
> our documentation?
> 
> I scanned in the diagram here, you may find it informative:
> 
> http://www.bluesunrise.com/jetspeed-2/AA.jpg
> 

Hi David,
Sure, I'll give it a shot.

So, I guess I should write it in "xdoc" format and put it in JIRA as described
here?

http://portals.apache.org/development/documentation.html






Re: Login page

Posted by David Sean Taylor <da...@bluesunrise.com>.
Hi Aaron,

Great description of our Active Authentication process.

I also have a sequence diagram of this process on paper here....

It would be great to have this process documented in the xdocs
Would you like to volunteer to write an Active Authentication page for 
our documentation?

I scanned in the diagram here, you may find it informative:

http://www.bluesunrise.com/jetspeed-2/AA.jpg


Aaron Evans wrote:
> yao cuihong <yaocuihong <at> gmail.com> writes:
> 
> 
>>2. Jetspeed 2 security services rely entirely on JAAS
>>    Does the LoginPortlet in j2-admin portlet application use JAAS?
>>    What is the mechanism of LoginPortlet? I read the source of
>>LoginPortlet, but I don't understand.
>>    How does the LoginPortlet authenticate the user?
>>
> 
> 
> I posted this on another thread, but just so others following this thread will
> see the answer:
> 
> Jetspeed uses a JAAS realm for authentication.  It is configured in jetspeed's
> context xml (although it can be moved up to the container level).
> 
> J2EE containers that use realm authentication require that the request 
> parameters j_username and j_password be posted to /j_security_check for 
> authentication. 
> 
> If you look at jetspeed's web.xml, you will see a standard web application
> security constraint and login config:
> 
> <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Login</web-resource-name>
>       <url-pattern>/login/redirector</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
> 
>   <!-- Login configuration uses form-based authentication -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Jetspeed</realm-name>
>     <form-login-config>
>       <form-login-page>/login/login</form-login-page>
>       <form-error-page>/login/error</form-error-page>
>     </form-login-config>
>   </login-config> 
> 
> I believe that what happens is that the login portlet posts to the
> /login/redirector protected resource. Because the user is not authenticated,
> they get redirected to /login/login.  
> 
> I believe that the /login/login URI is a blank page that contains a hidden 
> form that takes the user name and password parameter values submitted from 
> the login portlet and puts them in hidden fields with the names j_username 
> and j_password.  It also has some kind of onload JS or meta refresh which 
> then causes the hidden form to post to /j_security_check.
> 
> If authentication is not successful, the user will be sent to /login/error.
> If it is successful, the user will be sent to /login/redirector and they will
> now be allowed access to it because they have been authenticated.  This URI
> no doubt redirects to the portal root (applying profiling rules).
> 
> 
> 
> 
> 
> 





Re: Login page

Posted by Aaron Evans <aa...@yahoo.ca>.
yao cuihong <yaocuihong <at> gmail.com> writes:

> 
> 2. Jetspeed 2 security services rely entirely on JAAS
>     Does the LoginPortlet in j2-admin portlet application use JAAS?
>     What is the mechanism of LoginPortlet? I read the source of
> LoginPortlet, but I don't understand.
>     How does the LoginPortlet authenticate the user?
> 

I posted this on another thread, but just so others following this thread will
see the answer:

Jetspeed uses a JAAS realm for authentication.  It is configured in jetspeed's
context xml (although it can be moved up to the container level).

J2EE containers that use realm authentication require that the request 
parameters j_username and j_password be posted to /j_security_check for 
authentication. 

If you look at jetspeed's web.xml, you will see a standard web application
security constraint and login config:

<!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>


  <!-- Login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Jetspeed</realm-name>
    <form-login-config>
      <form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page>
    </form-login-config>
  </login-config> 

I believe that what happens is that the login portlet posts to the
/login/redirector protected resource. Because the user is not authenticated,
they get redirected to /login/login.  

I believe that the /login/login URI is a blank page that contains a hidden 
form that takes the user name and password parameter values submitted from 
the login portlet and puts them in hidden fields with the names j_username 
and j_password.  It also has some kind of onload JS or meta refresh which 
then causes the hidden form to post to /j_security_check.

If authentication is not successful, the user will be sent to /login/error.
If it is successful, the user will be sent to /login/redirector and they will
now be allowed access to it because they have been authenticated.  This URI
no doubt redirects to the portal root (applying profiling rules).



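The round trip Aaron describes, replayed as an added example (this is not Jetspeed's or the container's code): it parses the security-constraint and login-config quoted above and models how a servlet container answers each hop. The REALM dict and the FormAuthContainer class are constructed stand-ins for the JAAS LoginModule and the real container.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the web.xml fragment quoted in the post, compacted so it parses stand-alone.
WEB_XML = """<web-app>
  <security-constraint><web-resource-collection>
    <web-resource-name>Login</web-resource-name><url-pattern>/login/redirector</url-pattern>
  </web-resource-collection><auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>Jetspeed</realm-name>
    <form-login-config><form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page></form-login-config>
  </login-config></web-app>"""

REALM = {"admin": "s3cret"}  # constructed stand-in for the JAAS realm / LoginModule decision


class FormAuthContainer:
    def __init__(self, web_xml):
        root = ET.fromstring(web_xml)
        self.protected = {p.text for p in root.iter("url-pattern")}
        self.login_page = root.findtext("login-config/form-login-config/form-login-page")
        self.error_page = root.findtext("login-config/form-login-config/form-error-page")
        self.authenticated = False
        self.saved_request = None  # URI that triggered the login challenge

    def request(self, path, params=None):
        """Answer one request as (status, location), the way the container would."""
        params = params or {}
        if path == "/j_security_check":
            user, pw = params.get("j_username"), params.get("j_password")
            # Membership check plus constant-time compare; REALM.get(user) == pw alone accepts None == None.
            if user in REALM and pw is not None and hmac.compare_digest(REALM[user], pw):
                self.authenticated = True
                target, self.saved_request = self.saved_request or "/", None
                return 302, target         # success: back to the URI that was asked for
            return 302, self.error_page    # failure: form-error-page
        if path in self.protected and not self.authenticated:
            self.saved_request = path
            return 302, self.login_page    # challenge: form-login-page
        return 200, path


def login_flow(username, password):
    """Replay the hops from the post: portlet -> /login/redirector -> hidden form -> /j_security_check."""
    c = FormAuthContainer(WEB_XML)
    hops = [c.request("/login/redirector")]
    hops.append(c.request("/j_security_check", {"j_username": username, "j_password": password}))
    hops.append(c.request(hops[-1][1]))  # follow the final redirect
    return hops
```

Note that the real /login/login page re-embeds the submitted password in hidden fields, so it should be served only over TLS and with caching disabled.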


Re: Login page

Posted by yao cuihong <ya...@gmail.com>.
Randy,
Thanks

I read the documentation in
http://portals.apache.org/jetspeed-2/guides/guide-profiler.html and
http://portals.apache.org/jetspeed-2/guides/guide-security.html. I have the
following questions:

1. Jetspeed 2 provides a custom policy implementation that allows the portal to
secure resources as follows:
grant principal o.a.j.security.UserPrincipal "theUserPrincipal" {
  permission o.a.j.security.PagePermission "mypage", "view";
  permission o.a.j.security.PortletPermission "myportlet",
"view,edit,minimize,maximize";
  permission o.a.j.security.TabPermission "mytab", "view";
};

grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
  permission o.a.j.security.PagePermission "mypage", "view";
  permission o.a.j.security.PortletPermission "myportlet",
"view,edit,minimize,maximize";
  permission o.a.j.security.TabPermission "mytab", "view";
};

grant principal o.a.j.security.GroupPrincipal "theGroupPrincipal" {
  permission o.a.j.security.PagePermission "mypage", "view";
  permission o.a.j.security.PortletPermission "myportlet",
"view,edit,minimize,maximize";
  permission o.a.j.security.TabPermission "mytab", "view";
};

Where does the policy file locate?
What is "theUserPrincipal", "mypage", and "mytab"? What do they represent?
Are they constant?

2. Jetspeed 2 security services rely entirely on JAAS
    Does the LoginPortlet in j2-admin portlet application use JAAS?
    What is the mechanism of LoginPortlet? I read the source of
LoginPortlet, but I don't understand.
    How does the LoginPortlet authenticate the user?

Re: Login page

Posted by Randy Watler <wa...@wispertel.net>.
Yao,

Please refer to the recent "Security of Jetspeed 2.0" thread and earlier
ones on this list. Pay particular attention to the profiler and "guest"
user.

HTH,

Randy

On Tue, 2006-01-10 at 16:11 +0900, yao cuihong wrote:
> Hi all.
> 
> Does Jetspeed 2.0 implement a login page? If not, what should I do to
> implement a login page?
> 
> Thanks

