Posted to commits@archiva.apache.org by ol...@apache.org on 2012/04/06 09:21:09 UTC

svn commit: r1310197 [1/2] - in /archiva/redback/redback-site/trunk: ./ src/ src/site/ src/site/apt/ src/site/apt/development/ src/site/apt/integration/ src/site/apt/rbac/ src/site/resources/

Author: olamy
Date: Fri Apr  6 07:21:08 2012
New Revision: 1310197

URL: http://svn.apache.org/viewvc?rev=1310197&view=rev
Log:
import redback site


Added:
    archiva/redback/redback-site/trunk/.gitignore
    archiva/redback/redback-site/trunk/pom.xml   (with props)
    archiva/redback/redback-site/trunk/src/
    archiva/redback/redback-site/trunk/src/site/
    archiva/redback/redback-site/trunk/src/site/apt/
    archiva/redback/redback-site/trunk/src/site/apt/authentication.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/authorization.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/configuration.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/development/
    archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/index.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/
    archiva/redback/redback-site/trunk/src/site/apt/integration.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/key-store.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/rbac/
    archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/rbac/role-management.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/apt/user-management.apt   (with props)
    archiva/redback/redback-site/trunk/src/site/resources/
    archiva/redback/redback-site/trunk/src/site/resources/access_control-xacml-2.0-rbac-profile1-spec-os.pdf   (with props)
    archiva/redback/redback-site/trunk/src/site/site.xml   (with props)
    archiva/redback/redback-site/trunk/src/site/web-responsibilities.txt   (with props)

Added: archiva/redback/redback-site/trunk/.gitignore
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/.gitignore?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/.gitignore (added)
+++ archiva/redback/redback-site/trunk/.gitignore Fri Apr  6 07:21:08 2012
@@ -0,0 +1,3 @@
+*.iml
+target
+.DS_Store

Added: archiva/redback/redback-site/trunk/pom.xml
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/pom.xml?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/pom.xml (added)
+++ archiva/redback/redback-site/trunk/pom.xml Fri Apr  6 07:21:08 2012
@@ -0,0 +1,71 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.codehaus.redback</groupId>
+    <artifactId>redback</artifactId>
+    <version>1.5-SNAPSHOT</version>
+  </parent>
+  <artifactId>redback-site</artifactId>
+  <name>Redback :: Site</name>
+  <packaging>pom</packaging>
+  <properties>
+    <redbackVersion>${project.version}</redbackVersion>
+    <siteDeploymentUrl>dav:https://dav.codehaus.org/redback/</siteDeploymentUrl>
+  </properties>
+  <build>
+    <plugins>
+      <plugin>
+       <groupId>org.apache.maven.plugins</groupId>
+       <artifactId>maven-site-plugin</artifactId>
+       <configuration>
+         <port>9000</port>
+         <tempWebappDirectory>${basedir}/target/site/tempdir</tempWebappDirectory>
+       </configuration>
+       <!-- as already loaded by an extension: java.lang.ClassNotFoundException: org.slf4j.impl.StaticLoggerBinder -->
+        <!--
+        <dependencies>
+          <dependency>
+            <groupId>org.apache.maven.wagon</groupId>
+             <artifactId>wagon-webdav-jackrabbit</artifactId>
+             <version>2.0</version>
+          </dependency>
+        </dependencies>
+        -->
+      </plugin>
+    </plugins>
+  </build>
+  <reporting>
+    <excludeDefaults>true</excludeDefaults>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-project-info-reports-plugin</artifactId>
+        <version>2.4</version>
+        <reportSets>
+          <reportSet>
+            <reports>
+              <report>cim</report>
+              <report>issue-tracking</report>
+              <report>mailing-list</report>
+              <report>license</report>
+              <report>project-team</report>
+              <report>scm</report>
+            </reports>
+          </reportSet>
+        </reportSets>
+      </plugin>
+    </plugins>
+  </reporting>
+  <scm>
+    <connection>scm:svn:http://svn.codehaus.org/redback/redback-site/trunk</connection>
+    <developerConnection>scm:svn:https://svn.codehaus.org/redback/redback-site/trunk</developerConnection>
+    <url>http://fisheye.codehaus.org/browse/redback/redback-site/trunk</url>
+  </scm>
+  <distributionManagement>
+   <site>
+      <id>codehaus.org</id>
+      <name>Redback Website</name>
+      <url>${siteDeploymentUrl}</url>
+    </site>
+  </distributionManagement>
+</project>
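Review bot: The `maven-site-plugin` declaration in the build section carries no `<version>`, so the version actually used for site generation and deployment is whatever the parent POM or the Maven default resolves at build time, which makes the site build non-reproducible and silently picks up a different plugin on each Maven release; pin it with a `<version>` element (value to be chosen by the project, e.g. `<version>PLACEHOLDER_SITE_PLUGIN_VERSION</version>`) next to the `<artifactId>`. Separately, the `<scm>` block uses a cleartext `http://` URL for `<connection>` while `<developerConnection>` already uses `https://` on the same host; the read-only checkout path therefore has no transport integrity, and `<connection>scm:svn:https://svn.codehaus.org/redback/redback-site/trunk</connection>` would align it with the developer URL. The commented-out `wagon-webdav-jackrabbit` dependency block is left in the file with only a stack-trace fragment explaining why; a short comment such as `<!-- wagon-webdav provided by a build extension; declaring it here duplicates the slf4j binding -->` would tell the next maintainer whether it is safe to delete.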

Propchange: archiva/redback/redback-site/trunk/pom.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/pom.xml
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/authentication.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/authentication.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/authentication.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/authentication.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,25 @@
+ -----
+ Authentication       
+ -----
+ 2 June 2007
+ -----
+
+Redback Authentication
+
+  Redback currently supports the following authentication mechanisms:
+  
+  * username/password for redback-users 
+
+  * keystore based for redback-keys
+  
+  * read only LDAP
+  
+  []
+
+  Support is being actively worked on or considered for:
+ 
+  * ACEGI (effectively using their setup for authentication purposes)
+
+  * LDAP
+
+  []
\ No newline at end of file

Propchange: archiva/redback/redback-site/trunk/src/site/apt/authentication.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/authentication.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/authorization.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/authorization.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/authorization.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/authorization.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,9 @@
+ -----
+ Authorization       
+ -----
+ 2 June 2007
+ -----
+
+Redback Authorization
+
+  Redback comes with an implementation of role based access control.  Please see the section below on rbac to learn more about that system.
\ No newline at end of file

Propchange: archiva/redback/redback-site/trunk/src/site/apt/authorization.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/authorization.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/configuration.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/configuration.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/configuration.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/configuration.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,213 @@
+ -----
+ Configuration     
+ -----
+ 19 January 2008
+ -----
+
+Redback Configuration
+
+  <<NOTE>>: This has changed dramatically and may not be correct.
+
+  Configuration in Redback is governed by a plexus configuration setup making
+use of properties files.  Below is a listing of all of the available configuration options along with default values and notes on what they are where applicable.
+  
+* Configuration File Locations
+
+  Configuration file location can depend on the application that is embedding Redback.  Since Redback is currently built up off of Plexus, it would be ideal to check out the application.xml of the relevant application and look for an entry similar to the following.
+
+--------------------------------------------
+
+   <component>
+      <role>org.codehaus.plexus.redback.configuration.UserConfiguration</role>
+      <implementation>org.codehaus.plexus.redback.configuration.UserConfiguration</implementation>
+      <configuration>
+        <configs>
+          <config>${user.home}/.m2/security.properties</config>
+          <config>${user.home}/.m2/security-example.properties</config>
+        </configs>
+      </configuration>
+    </component>
+
+--------------------------------------------
+
+* Configuration Options
+
+** Application Configuration
+
+  * application.timestamp=EEE d MMM yyyy HH:mm:ss Z
+
+  * application.url=http://myurl.mycompany.com
+  
+    * Set the application base URL. The default is to derive it from the HTTP request
+
+** JDBC Setup
+
+  By default Redback uses Apache Derby for persistence of user and role
+information.  This can be configured with the following options.
+
+  * jdbc.driver.name=org.apache.derby.jdbc.EmbeddedDriver
+
+  * jdbc.url=jdbc:derby:${plexus.home}/database;create=true
+
+  * jdbc.username=sa
+
+  * jdbc.password=
+
+  []
+
+  By default Redback uses Apache Derby for persistence of user and role information.  This can be configured with the following options.
+
+  <<Note:>> If you are using MySQL as your database, the database will not be populated if the encoding is initially set to UTF-8. As a workaround, set the database to UTF-8 encoding after it has been populated. See {{{http://jira.codehaus.org/browse/REDBACK-267} REDBACK-267}} for more details.
+
+
+
+** Email Settings
+
+  * email.jndiSessionName=java:comp/env/mail/Session
+  
+  * email.smtp.host=localhost
+
+  * email.smtp.port=25
+
+  * email.smtp.ssl.enabled=false
+
+  * email.smtp.tls.enabled=false
+ 
+  * email.smtp.username=
+
+  * email.smtp.password=
+
+  * email.from.address=${user.name}@localhost
+  
+    * All emails sent by the system will be from the following address
+
+  * email.from.name=Unconfigured Username
+
+  * email.validation.required=true
+
+    * If all email addresses (from new user registration) require an account validation email. 
+
+  * email.validation.timeout=2880
+
+    * Timeout (in minutes) for the key generated for an email validation to remain valid.
+
+    * 2880 minutes = 48 hours
+
+  * email.validation.subject=Welcome
+
+  * email.feedback.path=/feedback.action
+
+    * Get the Feedback to use for any outgoing emails.
+
+    * Feedback path starts with a "/" it is appended to the end of the value provided in application.url.  This value can be in the format/syntax of "/feedback.action" or even "mailto:feedback@application.com"
+ 
+
+
+** Auto Login Settings
+
+  * security.rememberme.enabled=true
+
+  * security.rememberme.timeout=525600
+
+    * Timeout in minutes ( 525600 minutes = 1 year )
+
+  * security.signon.timeout=30
+
+    * Single Sign On
+    
+    * Timeout is in minutes
+
+** Default Username Values
+
+  * redback.default.admin=admin
+
+    * name for the admin user, by default this is 'admin' and can not easily be changed after the fact at this point.  However any number of people may be assigned full administrator roles.
+
+  * redback.default.guest=guest
+
+    * name of the guest user
+
+
+
+** Security Policies
+
+  * security.policy.password.encoder=
+
+  * security.policy.password.previous.count=6
+
+  * security.policy.password.expiration.enabled=true
+
+  * security.policy.password.expiration.days=90
+
+  * security.policy.password.expiration.notify.days=10
+
+  * security.policy.allowed.login.attempt=10
+
+  * security.policy.strict.enforcement.enabled=true
+  
+    * turn off the perclick enforcement of various security policies, slightly more heavyweight since it will ensure that the User object on each click is up to date
+
+  * security.policy.strict.force.password.change.enabled=true
+
+    * forces the user to change their password immediately should their account be flagged for a password change.
+
+  * security.policy.unlockable.accounts
+
+    * can be specified multiple times to ensure that password policies never lock the specified account(s) (eg. security.policy.unlockable.accounts=guest )
+
+** Password Rules
+
+  * security.policy.password.rule.alphanumeric.enabled=false
+
+  * security.policy.password.rule.alphacount.enabled=true
+
+  * security.policy.password.rule.alphacount.minimum=1
+
+  * security.policy.password.rule.characterlength.enabled=true
+
+  * security.policy.password.rule.characterlength.minimum=1
+
+  * security.policy.password.rule.characterlength.maximum=24
+
+  * security.policy.password.rule.musthave.enabled=true
+
+  * security.policy.password.rule.numericalcount.enabled=true
+
+  * security.policy.password.rule.numericalcount.minimum=1
+
+  * security.policy.password.rule.reuse.enabled=true
+
+  * security.policy.password.rule.nowhitespace.enabled=true
+
+** LDAP settings
+
+  Ldap can be used as a readonly user manager, however the role assignment is still managed entirely within the given database store.  This should be fixed in the future sometime but likely not before ldap is switched over as the default user and role store entirely.
+
+  * ldap.user.store.enabled=false
+
+  * ldap.bind.authenticator.enabled=false
+
+*** ldap options for configuration via properties file
+
+  * ldap.config.hostname=
+
+  * ldap.config.port=
+
+  * ldap.config.base.dn=
+
+  * ldap.config.context.factory=
+
+  * ldap.config.bind.dn=
+
+  * ldap.config.password=
+ 
+  * ldap.config.authentication.method=
+
+** User Manager Implementation to use
+
+  * user.manager.impl=cached
+  
+    * valid values for realistic usage are 'cached' and then further configuring the cached instance to use another underlying user manager like ldap or the jdo one which is used by default.  Placing 'ldap' here will check with the ldap system for a fair amount of checks and would likely be a performance issue
+
+
+  

Propchange: archiva/redback/redback-site/trunk/src/site/apt/configuration.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/configuration.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,68 @@
+ -----
+ Development
+ -----
+ 30 September 2008
+ -----
+
+Extending Redback Authentication
+
+  In order to accomodate the many authentication security services used in various applications, it is possible to to implement pluggable authentication providers in the Redback security system.
+
+* Requirements
+
+  * <<<redback-authentication-api>>> must be implemented
+
+    * create an authentication implementation project under <<<redback-authentication-providers>>>
+
+    * <<<org.codehaus.plexus.redback.authentication.Authenticator>>> must be implemented
+
+  * <<<redback-users-api>>> must be implemented
+
+    * create a user provider implementation project under <<<redback-users-providers>>>
+
+    * <<<org.codehaus.plexus.redback.users.User>>> must be implemented
+
+    * <<<org.codehaus.plexus.redback.users.UserManager>>> must be implemented
+
+  * utility and wrapper classes can be implemented under <<<redback-common>>>
+
+    * e.g. <<<$redback/redback-common/redback-common-ldap>>> contains the utility class <<<org.codehaus.plexus.redback.common.ldap.LdapUtils>>>, and the wrapper class <<<org.codehaus.plexus.redback.common.ldap.LdapUser>>>
+
+    * other essential classes may be placed here as well, such as the <<<org.codehaus.plexus.redback.common.ldap.connection.LdapConnectionFactory>>>
+
+
+* Examples
+
+** Implementing OpenId ({{{http://wiki.openid.net/}OpenId Homepage}})
+
+  While OpenId may be directly integrated to the authentication point of the web application, another option is to implement the redback api.
+
+  Here is something to get started:
+
+  * create the provider project <<<redback-authentication-openid>>>
+
+    * create the authenticator class, something like <<<OpenIdAuthenticator>>> that implements <<<org.codehaus.plexus.redback.authentication.Authenticator>>>
+
+  * create the provider project <<<redback-users-openid>>>
+
+    * implement <<<org.codehaus.plexus.redback.users.User>>>, something like <<<OpenIdUser>>>
+
+      * OpenId supports only the principal/username and password fields, so use dummy/default values for the unsupported fields (email, fullname) in this case.
+
+    * implement <<<org.codehaus.plexus.redback.users.UserManager>>>, something like <<<OpenIdUserManager>>>
+
+      * OpenId is a read-only authentication service, <<<createUser()>>>, <<<updateUser()>>>, <<<deleteUser()>>> may not be used
+
+    * various utility classes may be implemented in <<<redback-common-openid>>>
+
+      * <<<OpenIdConfiguration>>> may be used to encapsulate the following configuration properties (properties that may be specified in the <<<security.properties>>> file):
+
+        * <<<openid.config.provider.url>>>, where this is a url to one openid provider (support to many providers may come later, specified or via discovery, depending on the organization's security policy)
+
+      * <<<OpenIdUtils>>> class, may be implemented to normalize the User-Supplied Identifier to an Identifier that the OpenId Provider understands, e.g. redback username ('<<<johndoe>>>') to OpenId url-like identifier ('<<<http://johndoe.openidprovider.com>>>')
+
+      * <<<OpenIdAuthenticationException>>> that implements <<<org.codehaus.plexus.redback.authentication.AuthenticationException>>>
+
+      * <<<OpenIdProviderFactory>>> that takes the configuration from <<<OpenIdConfiguration>>>
+
+      * <<<OpenIdProvider>>> is where the <<<OpenIdUserManager>>> can verify a user

Propchange: archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/development/extending-authn.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/index.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/index.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/index.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/index.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,13 @@
+ -----
+ Introduction       
+ -----
+ 1 June 2007
+ -----
+
+Introduction
+
+  Redback started as an attempt to clean away some of the more annoying security related components of web applications and centralize them into a simple to use framework.  Some of the basic beliefs we started with where that authentication, authorization and user management were all basically seperate concerns, sure there are points where they rub up against each other but those are pretty clear points and not worth mashing up whole discrete concepts together.  
+  
+  Redback supports a number of authentication mechanisms, and a couple of authorization schemes including an implementation of role based access control.  Redback has been built on top of the plexus container so it is simple to have the core security system object into your code for making authentication, authorization or user management tasks through its api.  We also provide a war overlay based on xwork which provides all of the user management, authentication and remember me and single sign on functionalities.  An easy to use taglib allows you to include authorization conditional functionalities to your jsps.
+  
+  Redback is currently being used for providing a consistent security related user experience to Apache Continuum and Archiva.
\ No newline at end of file

Propchange: archiva/redback/redback-site/trunk/src/site/apt/index.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/index.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,9 @@
+ -----
+ Plexus Security Integration Points
+ -----
+ 26 October 2006
+ -----
+
+Plexus Security Integration 
+
+ 

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,11 @@
+ ----- 
+ Integration Points 
+ ----- 
+ 26 October 2006 
+ -----
+
+Redback Integration
+
+ Currently there is only one integration available for use with redback.  We provide a webapp overlay that will seamlessly integrate with a webwork application to provide virtually all of your security needs.  It comes configured with default system administrator roles and a host of other features.  For a complete listing of what comes with the webwork integration just look for that guide.
+
+

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/general.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,192 @@
+ ----- 
+ Ldap Integration 
+ ----- 
+ 29 May 2008
+ -----
+
+Redback Ldap Integration
+
+ <<NOTE>>: This has changed dramatically and may not be correct.
+
+ With the alpha-3 release of redback limited support for ldap has been added as an authentication source.  Limited support for ldap means:
+ 
+ * Read-Only User Management
+ 
+ * xml and properties based configuration
+ 
+ * tested against open ldap on linux and apacheds 1.5.0
+
+
+* Setting up Ldap
+
+  Configuration for ldap is actually a relatively simple procedure, a few components definitions need to be declared in an appropriate application.xml and then some configuration options must be set in the security.properties file.
+
+
+** The application.xml Additions
+
+ These components should be defined in the applicable application.xml
+ 
+*** ldap connection factory 
+ 
++--------------------------------------+
+
+  <component>
+      <role>org.codehaus.plexus.redback.common.ldap.connection.LdapConnectionFactory</role>
+      <role-hint>configurable</role-hint>
+      <implementation>org.codehaus.plexus.redback.common.ldap.connection.ConfigurableLdapConnectionFactory</implementation>
+      <description></description>
+      <configuration>
+        <hostname></hostname>
+        <port></port>
+        <baseDn></baseDn>
+        <contextFactory>com.sun.jndi.ldap.LdapCtxFactory</contextFactory>
+        <password></password>
+        <bindDn></bindDn>
+      </configuration>
+    </component>
+    
++--------------------------------------+
+
+ * hostname - The hostname of the ldap server
+ 
+ * port - The port of the ldap server
+ 
+ * baseDn - The baseDn of the ldap system
+ 
+ * contextFactory - context factory for ldap connections
+ 
+ * password - password for the bindDn for the root ldap connection
+ 
+ * bindDn - the core user used for authentication the ldap server, must be able to perform the necessary searches, etc.
+
+[]
+
+*** user mapper
+
++--------------------------------------+
+        
+    <component>
+      <role>org.codehaus.plexus.redback.common.ldap.UserMapper</role>
+      <role-hint>ldap</role-hint>
+      <implementation>org.codehaus.plexus.redback.common.ldap.LdapUserMapper </implementation>
+      <description></description>
+      <configuration>
+        <email-attribute>email</email-attribute>
+        <full-name-attribute>givenName</full-name-attribute>
+        <password-attribute>userPassword</password-attribute>
+        <user-id-attribute>cn</user-id-attribute>
+        <user-base-dn></user-base-dn>
+        <user-object-class>inetOrgPerson</user-object-class>
+        <user-filter>(|(attributeName=value1)(attributeName=value2))</user-filter>
+      </configuration>
+    </component>
+    
++--------------------------------------+
+  
+ * email-attribute - The name of the attribute on a user that contains the email address
+ 
+ * full-name-attribute - The name of the attribute on a user that contains the users fullName
+ 
+ * password-attribute - The name of the attribute containing the users password, used for the authentiction using the user manager and not the ldap bind authenticator
+ 
+ * user-id-attribute - The name of the attribute containing the users userId, most commonly cn or sn.
+ 
+ * user-base-dn - The base dn that will be subtree searched for users.
+ 
+ * user-object-class - the objectClass used in the ldap server for indentifying users, most commonly inetOrgPerson.
+
+ * user-filter - the user filter is used to reduce the number of results during a LDAP request. It is optional.
+  
+[]  
+  
+*** security policy (for the password encoder)  
+  
++--------------------------------------+
+  
+    <component>
+      <role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
+      <role-hint>default</role-hint>
+      <implementation>org.codehaus.plexus.redback.policy.DefaultUserSecurityPolicy</implementation>
+      <description>User Security Policy.</description>
+      <requirements>
+        <requirement>          <role>org.codehaus.plexus.redback.configuration.UserConfiguration</role>
+          <field-name>config</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.redback.policy.PasswordEncoder</role>
+          <role-hint>sha1</role-hint>
+          <field-name>passwordEncoder</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.redback.policy.UserValidationSettings</role>
+          <field-name>userValidationSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.redback.policy.CookieSettings</role>
+          <role-hint>rememberMe</role-hint>
+          <field-name>rememberMeCookieSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.redback.policy.CookieSettings</role>
+          <role-hint>signon</role-hint>
+          <field-name>signonCookieSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.redback.policy.PasswordRule</role>
+          <field-name>rules</field-name>
+        </requirement>
+      </requirements>
+    </component>
+
++--------------------------------------+
+
+
+
+* security.properties
+
+ These properties should be set as shown:
+
++--------------------------------------+
+
+user.manager.impl=ldap
+ldap.bind.authenticator.enabled=true
+redback.default.admin=admin
+redback.default.guest=guest
+security.policy.password.expiration.enabled=false
+
++--------------------------------------+
+
+ The user.manager.impl is the role hint that is used to determine which user manaher to use while running.  The default is 'cached' and if this is desired to be used with ldap then you must include the component declartion below in the caching section for the cached UserManager that sets the underlying userImpl to ldap.  
+
+ The ldap.bind.authenitcator.enabled boolean value will toggle the use of authenticator that will authenticate using the bind operation.  There are two different mechanisms used to authenticate with ldap, either the bind authenticator which is a standard way to authentication, and then the user manager password validation approach.  If this is desired then you must ensure that the security policy is configured to use the correct password encoding.  Normally the bind authenticator is simply enabled since this bypasses concerns of password encoding.
+
+ It is also now possible to redefine the basic admin user and guest user names.  Since its unlikely that ldap oriented authentication systems will have a specific admin or guest user these can be redefined simply in the security.properties.  Care must be taken that they exist in the ldap system since they are looked up.  Guest users can be simple utilitie or application users.
+
+ The final setting of security.policy.password.expiration.enabled is a boolean that should be set to false for ldap based authentication.  This is because redback will want to attempt to manage and enforce password expiration and that is no longer under the direction of redback but is an artifact of the ldap system in place.  Setting this to false prevents issues from cropping up related to redback trying to obtain this type of information.
+
+
+* Caching
+
+ If caching is desired the you should also include the following declarition and set the appropriate configuration from ldap to cached
+
++--------------------------------------+
+    <component>
+      <role>org.codehaus.plexus.redback.users.UserManager</role>
+      <role-hint>cached</role-hint>
+      <implementation> org.codehaus.plexus.redback.users.cached.CachedUserManager</implementation>
+      <description>CachedUserManager</description>
+      <requirements>
+        <requirement>
+          <role> org.codehaus.plexus.redback.users.UserManager</role>
+          <role-hint>ldap</role-hint>
+          <field-name>userImpl</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.cache.Cache</role>
+          <role-hint>users</role-hint>
+          <field-name>usersCache</field-name>
+        </requirement>
+      </requirements>
+    </component>
+
++--------------------------------------+

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/ldap.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,115 @@
+ -----
+ Webwork Integration
+ -----
+ 26 October 2006
+ -----
+
+Plugin Configuration
+
+ <<NOTE>>: This has changed dramatically and may not be correct.
+
+ Then you will also want to setup the following plugins in the <build> section of the webapp's pom as well.
+ Briefly, the maven-clean-plugin needs to be configured a little bit to point to the different locations of
+ files to be cleaned.  The maven-war-plugin is being used to pull in the plexus-security war overlay and
+ unpackage it into place so the relavent jsp's and actions are available.  Lastly is the jetty-maven-plugin
+ which has some configuration to get datasources setup (the jetty-env.xml) and the port it will run on, etc.
+
++--------------------------------------+
+       <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-clean-plugin</artifactId>
+        <version>2.1.1</version>
+        <!-- This configuration is added to cleanup from war:inplace -->
+        <configuration>
+          <filesets>
+            <fileset>
+              <directory>${basedir}/</directory>
+              <includes>
+                <include>derby.log</include>
+              </includes>
+            </fileset>
+            <fileset>
+              <directory>${basedir}/src/main/webapp</directory>
+              <includes>
+                <!-- TODO: META-INF shouldn't be required, seems to be an issue with the current war plugin -->
+                <include>META-INF</include>
+                <include>WEB-INF/classes</include>      <!-- Classes and Resources from other wars -->
+                <include>WEB-INF/lib</include>          <!-- Dependencies from other wars -->
+                <include>WEB-INF/database</include>     <!-- Database location configured in application.xml -->
+                <include>WEB-INF/logs</include>         <!-- Log file location specified in application.xml -->
+                <include>pss</include>                  <!-- plexus-security css and javascript -->
+                <include>WEB-INF/jsp/pss</include>      <!-- plexus-security jsps -->
+                <include>WEB-INF/template/pss</include> <!-- plexus-security xwork templates -->
+              </includes>
+            </fileset>
+          </filesets>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-war-plugin</artifactId>
+        <version>2.0.1</version>
+        <configuration>
+          <!-- Some versions of maven-war-plugin (snapshots) have this incorrectly defaulted to true.
+               Specifically setting this to false to avoid accidental jar file creation. -->
+          <archiveClasses>false</archiveClasses>
+          <dependentWarExcludes>META-INF/**,WEB-INF/web.xml,WEB-INF/classes/xwork.xml</dependentWarExcludes>
+        </configuration>
+        <!-- TODO: would be good to make the jetty plugin aware of these and remove the below -->
+                <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <!-- Needed to get the plexus-security war overlay to do its thing before jetty:run -->
+              <goal>inplace</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.mortbay.jetty</groupId>
+        <artifactId>maven-jetty-plugin</artifactId>
+        <version>6.0.1</version>
+        <configuration>
+          <scanIntervalSeconds>10</scanIntervalSeconds>
+          <contextPath>/</contextPath>
+          <jettyEnvXml>${basedir}/src/jetty-env.xml</jettyEnvXml>
+          <connectors>
+            <connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
+              <port>9090</port>
+              <maxIdleTime>60000</maxIdleTime>
+            </connector>
+          </connectors>
+        </configuration>
+      </plugin>
++--------------------------------------+
+
+ If you are planning on writing your own webwork actions, then your'll need to generally make this available
+ so that your actions are rendered into components correctly if you are not generating your components.xml by hand.
+ This will setup your actions as per-look instantiations, so that every page served results in a new action
+ being generated.  This is currently the standard way to using xwork with plexus.
+
++--------------------------------------+
+
+      <plugin>
+        <groupId>org.codehaus.plexus</groupId>
+        <artifactId>plexus-maven-plugin</artifactId>
+        <configuration>
+          <roleDefaults>
+            <roleDefault>
+              <role>com.opensymphony.xwork.Action</role>
+              <instantiation-strategy>per-lookup</instantiation-strategy>
+            </roleDefault>
+          </roleDefaults>
+        </configuration>
+        <executions>
+          <execution>
+            <id>generate</id>
+            <goals>
+              <goal>descriptor</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
++--------------------------------------+

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/plugins.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm Fri Apr  6 07:21:08 2012
@@ -0,0 +1,154 @@
+ ------
+ Redback Rest Support
+ ------
+ Olivier Lamy
+ ------
+ 2011-08-11
+ ------
+
+ ~~ Licensed to the Apache Software Foundation (ASF) under one
+ ~~ or more contributor license agreements.  See the NOTICE file
+ ~~ distributed with this work for additional information
+ ~~ regarding copyright ownership.  The ASF licenses this file
+ ~~ to you under the Apache License, Version 2.0 (the
+ ~~ "License"); you may not use this file except in compliance
+ ~~ with the License.  You may obtain a copy of the License at
+ ~~
+ ~~   http://www.apache.org/licenses/LICENSE-2.0
+ ~~
+ ~~ Unless required by applicable law or agreed to in writing,
+ ~~ software distributed under the License is distributed on an
+ ~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~~ KIND, either express or implied.  See the License for the
+ ~~ specific language governing permissions and limitations
+ ~~ under the License.
+
+ ~~ NOTE: For help with the syntax of this file, see:
+ ~~ http://maven.apache.org/doxia/references/apt-format.html
+
+Redback Rest Support
+
+  Prior to 1.3 version some redback services are available trough rest request.
+
+  We use jaxrs annotations and authz/karma are verified through cxf interceptors.
+
+* Maven Module
+
+  You must add the following maven dependency
+
++--------------------------------------+
+
+    <dependency>
+      <groupId>org.codehaus.redback</groupId>
+      <artifactId>redback-rest-services</artifactId>
+      <version>${redbackVersion}</version>
+    </dependency>
+
++--------------------------------------+
+
+
+* CXF setup
+
+  The spring file is in the redback-rest-services module.
+  You must add META-INF/spring-context.xml in your spring configuration.
+
+  And add cxf servlet in your web.xml :
+
++--------------------------------------+
+
+    <servlet>
+      <servlet-name>CXFServlet</servlet-name>
+      <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
+      <load-on-startup>1</load-on-startup>
+    </servlet>
+
+    <servlet-mapping>
+      <servlet-name>CXFServlet</servlet-name>
+      <url-pattern>/services/*</url-pattern>
+    </servlet-mapping>
+
++--------------------------------------+
+
+* CXF interceptors
+
+  Rest services are declared as it in the cxf configuration :
+
++--------------------------------------+
+
+  <jaxrs:server id="redbackServices" address="/redbackServices">
+    <jaxrs:providers>
+      <ref bean="authenticationInterceptor#rest"/>
+      <ref bean="permissionInterceptor#rest"/>
+    </jaxrs:providers>
+	  <jaxrs:serviceBeans>
+      <ref bean="userService#rest"/>
+      ... more coming ...
+    </jaxrs:serviceBeans>
+   </jaxrs:server>
+
++--------------------------------------+
+
+** AuthenticationInterceptor
+
+  This interceptor is basic on HTTP BASIC authz with using HttpBasicAuthentication spring component.
+
+** PermissionInterceptor
+
+  This inceptor will use a new created annotation named @RedbackAuthorization which supports attributes : permissions, resource and noRestriction.
+
+   You can use it :
+
++--------------------------------------+
+
+   @RedbackAuthorization( permissions = "user-management-user-create" )
+   public Boolean deleteUser( @PathParam( "userName" ) String username )
++--------------------------------------+
+
+   The interceptor will basically check if the user has one of the required permissions.
+
+   <<Note all exposed services must be marked with this annotation. If not forbidden http response will be returned.>>
+
+   If the service doesn't need special permissions you must do :
+
++--------------------------------------+
+
+   @RedbackAuthorization(noRestriction = true)
+   public Boolean ping()
+
++--------------------------------------+
+
+* Client Usage
+
+  Dependencies to add in order to use those REST Services
+
++-------------------------
+
+    <dependency>
+      <groupId>org.codehaus.redback</groupId>
+      <artifactId>redback-rest-api</artifactId>
+      <version>${redbackVersion}</version>
+    </dependency>
+
+    if you use CXF:
+
+    <dependency>
+      <groupId>org.apache.cxf</groupId>
+      <artifactId>cxf-bundle-jaxrs</artifactId>
+      <version>2.4.2</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-server</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
++-------------------------
+
+  Sample on how to use
+
+%{snippet|id=create-user|url=http://svn.codehaus.org/redback/redback/trunk/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/codehaus/redback/rest/services/LoginServiceTest.java}
+
+
+
+

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/rest.apt.vm
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,353 @@
+ ----- 
+ Struts2 Integration
+ -----
+ Olivier Lamy
+ ----- 
+ 2011-09-09
+ -----
+
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements.  See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership.  The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License.  You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied.  See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+
+~~ NOTE: For help with the syntax of this file, see:
+~~ http://maven.apache.org/guides/mini/guide-apt-format.html
+
+
+Redback Struts2 Integration
+
+  <<NOTE>>: This has changed dramatically and may not be correct.
+
+ The Struts2 integration comes as a war overlay that will integration
+ smoothly with your web application through some minor configuration in the
+ xwork.xml file and the weaving of the relavent components in the
+ application.xml or other component declaration file.
+
+
+* Getting Started
+
+ To get started using the war overlay, you'll need to add some dependencies into your project's pom.  The examples
+ below were pulled from plexus-security-example-webapp.  Choosing the right set of dependencies will be one
+ of the harder tasks involved here so this should be broken up by dependency followed by its associated
+ component configuration.  Many of these are brought in transitively by the integration dependency, but we'll list
+ thos and their associated configuration as well.
+
+* Admin User Auto Creation
+
+ Prior to 1.3 release, you can use a file to auto create the admin user.
+ Start your jvm with the following System Property :  -Dredback.admin.creation.file=path to a file with the following properties.
+
++----------------------------
+    redback.admin.fullname=
+    redback.admin.email=
+    redback.admin.password=
++----------------------------
+
+* Plugin Configuration
+
+  Configuring a couple of maven plugins with the information here can significantly make working with the war overlay easier.  (insert link to plugins.html here)
+
+* Important Files
+
+ * http://fisheye.codehaus.org/browse/plexus/plexus-security/trunk/ui/web/content/src/main/resources/xwork-security.xml?r=HEAD
+
+ * http://fisheye.codehaus.org/browse/plexus/plexus-security/trunk/examples/webapp/src/main/resources/META-INF/plexus/application.xml?r=HEAD
+ 
+ * http://fisheye.codehaus.org/browse/plexus/plexus-security/trunk/examples/webapp/pom.xml 
+
+* Plexus Security System
+
++--------------------------------------+
+    
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-system</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
+
+
+        <component>
+          <role>org.codehaus.plexus.security.system.SecuritySystem</role>
+          <implementation>org.codehaus.plexus.security.system.DefaultSecuritySystem</implementation>
+          <role-hint>default</role-hint>
+          <requirements>
+            <requirement>
+              <role>org.codehaus.plexus.security.authentication.AuthenticationManager</role>
+              <role-hint>default</role-hint>
+              <field-name>authnManager</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.authorization.Authorizer</role>
+              <role-hint>rbac</role-hint>
+              <field-name>authorizer</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.user.UserManager</role>
+              <role-hint>jdo</role-hint>
+              <field-name>userManager</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.keys.KeyManager</role>
+              <role-hint>jdo</role-hint>
+              <field-name>keyManager</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.policy.UserSecurityPolicy</role>
+              <role-hint>default</role-hint>
+              <field-name>policy</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.system.ApplicationDetails</role>
+              <field-name>applicationDetails</field-name>
+            </requirement>
+            <requirement>
+              <role>org.codehaus.plexus.security.system.EmailSettings</role>
+              <field-name>emailSettings</field-name>
+            </requirement>
+          </requirements>
+        </component>
+        
++--------------------------------------+
+
+* Plexus Security UI Web
+
+ This is the actual war that will be overlaid into your webapp.
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-ui-web</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+      <type>war</type>
+    </dependency>
++--------------------------------------+
+
+* Plexus Security Authentication : User Manager
+
+ This dependency brings in the user manager authenticator, so Username/Password authentication served from the
+ internal user management jdo store.
+
++--------------------------------------+
+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-authentication-provider-user-manager</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
+
++--------------------------------------+
+
+* Plexus Security Authentication : Keystore
+
+ This dependency brings in the support for the Single Sign On and Remember Me type authentications.
+
++--------------------------------------+
+     <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-authentication-provider-keystore</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
++--------------------------------------+
+
+* Plexus Security User Management : JDO Store
+
+ The jdo provider for the user management components.
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-user-management-provider-jdo</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
++--------------------------------------+
+
+* Plexus Security Authorization : RBAC JDO Store
+
+ The store for all RBAC related object relationships.
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-authorization-rbac-store-jdo</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
++--------------------------------------+
+
+* Plexus Security Keys : JDO Store
+
+ The JDO store that the keys for SSO and Remember Me functionalities are stored.
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-keys-jdo</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
++--------------------------------------+
+
+* Plexus Security Authorization : RBAC Authorizer
+
+ The RBAC authorization and permission evaluator components. 
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-authorization-rbac-authorizer</artifactId>
+      <version>1.0-alpha-6-SNAPSHOT</version>
+    </dependency>
++--------------------------------------+
+
+
+* Plexus Security Policy
+
+ This is definitely the most extensive component in terms of configuration as it allows for a large degree
+ of the flexibility of plexus-security.  You can configure the password rules to be used, the options for Single
+ Sign On and Remember Me functionalities, emailing account verification keys and welcome emails to new accounts.
+
++--------------------------------------+
+    <dependency>
+      <groupId>org.codehaus.plexus.security</groupId>
+      <artifactId>plexus-security-policy</artifactId>
+    </dependency>
+
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+      <role-hint>character-length</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.rules.CharacterLengthPasswordRule</implementation>
+      <description>Basic Password Rule, Checks for non-empty passwords that have between {@link #setMinimumCharacters(int)} and {@link #setMaximumCharacters(int)} characters in length.</description>
+      <configuration>
+        <enabled>true</enabled>
+        <minimum-characters>1</minimum-characters>
+        <maximum-characters>8</maximum-characters>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+      <role-hint>reuse</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.rules.ReusePasswordRule</implementation>
+      <description>Password Rule, Checks supplied password found at {@link User#getPassword()} against the {@link User#getPreviousEncodedPasswords()} to ensure that a password is not reused.</description>
+      <configuration>
+        <enabled>true</enabled>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+      <role-hint>numerical-count</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.rules.NumericalPasswordRule</implementation>
+      <description>Basic Password Rule, Checks for non-empty passwords that have at least {@link #setMinimumCount(int)} of numerical characters contained within.</description>
+      <configuration>
+        <enabled>true</enabled>
+        <minimum-count>1</minimum-count>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+      <role-hint>must-have</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.rules.MustHavePasswordRule</implementation>
+      <description>Basic Password Rule, Checks for non-empty Passwords in non guest users.</description>
+      <configuration>
+        <enabled>true</enabled>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+      <role-hint>alpha-count</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.rules.AlphaPasswordRule</implementation>
+      <description>Basic Password Rule, Checks for non-empty passwords that have at least {@link #setMinimumCount(int)} of alpha characters contained within.</description>
+      <configuration>
+        <enabled>true</enabled>
+        <minimum-count>1</minimum-count>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.UserSecurityPolicy</role>
+      <role-hint>default</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.DefaultUserSecurityPolicy</implementation>
+      <description>User Security Policy.</description>
+      <requirements>
+        <requirement>
+          <role>org.codehaus.plexus.security.policy.PasswordEncoder</role>
+          <role-hint>sha256</role-hint>
+          <field-name>passwordEncoder</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.security.policy.UserValidationSettings</role>
+          <field-name>userValidationSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.security.policy.CookieSettings</role>
+          <role-hint>rememberMe</role-hint>
+          <field-name>rememberMeSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.security.policy.CookieSettings</role>
+          <role-hint>signon</role-hint>
+          <field-name>signonCookieSettings</field-name>
+        </requirement>
+        <requirement>
+          <role>org.codehaus.plexus.security.policy.PasswordRule</role>
+          <field-name>rules</field-name>
+        </requirement>
+      </requirements>
+      <configuration>
+        <previous-passwords-count>6</previous-passwords-count>
+        <login-attempt-count>3</login-attempt-count>
+        <password-expiration-days>90</password-expiration-days>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.UserValidationSettings</role>
+      <implementation>org.codehaus.plexus.security.policy.DefaultUserValidationSettings</implementation>
+      <description>DefaultUserValidationSettings</description>
+      <configuration>
+        <email-validation-required>true</email-validation-required>
+        <!-- This is a timeout for the validation url (in minutes) - 2880 = 48 hours -->
+        <email-validation-timeout>2880</email-validation-timeout>
+        <email-login-path>/security/login!login.action</email-login-path>
+        <email-subject>Unconfigured Subject Line</email-subject>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.CookieSettings</role>
+      <role-hint>rememberMe</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.RememberMeCookieSettings</implementation>
+      <description>DefaultRememberMeSettings</description>
+      <configuration>
+        <enabled>true</enabled>
+        <cookie-timeout>525600</cookie-timeout>
+      </configuration>
+    </component>
+
+    <component>
+      <role>org.codehaus.plexus.security.policy.CookieSettings</role>
+      <role-hint>signon</role-hint>
+      <implementation>org.codehaus.plexus.security.policy.SignonCookieSettings</implementation>
+      <description>DefaultSingleSignOnSettings</description>
+      <configuration>
+        <enabled>true</enabled>
+        <cookie-timeout>30</cookie-timeout>
+      </configuration>
+    </component>
++--------------------------------------+
+

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/integration/struts2.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/key-store.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/key-store.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/key-store.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/key-store.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,11 @@
+ -----
+ Keystore       
+ -----
+ 2 June 2007
+ -----
+
+Redback Keystores
+
+  Redback comes with a keystore implementation for authenticating based on unique keys.  This implemention is currently used for authenticating single on for multiple applications sharing a security setup as well as remember me functionalities for website type login scenarios.
+  
+  The redback keystore is currently implemented using jpox and has support for multiple databases.
\ No newline at end of file

Propchange: archiva/redback/redback-site/trunk/src/site/apt/key-store.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/key-store.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,325 @@
+ -----
+ An Introduction to Role Based Access
+ -----
+ 28 June 2006
+ -----
+
+An Introduction to Role Based Access
+
+ This introduction provides background information on Role-Based
+ Access Control (RBAC), a technical means for controlling access
+ to computer resources.  While still largely in the demonstration
+ and prototype stages of development, RBAC appears to be a
+ promising method for controlling what information computer users
+ can utilize, the programs that they can run, and the
+ modifications that they can make.  Only a few off-the-shelf
+ systems that implement RBAC are commercially available; however,
+ organizations may want to start investigating RBAC for future
+ application in their multi-user systems.  RBAC is appropriate for
+ consideration in systems that process unclassified but sensitive
+ information, as well as those that process classified
+ information.
+
+What is Role-Based Access Control
+
+ Access is the ability to do something with a computer resource
+ (e.g., use, change, or view).  Access control is the means by
+ which the ability is explicitly enabled or restricted in some way
+ (usually through physical and system-based controls).  Computer-
+ based access controls can prescribe not only who or what process
+ may have access to a specific system resource, but also the type
+ of access that is permitted.  These controls may be implemented
+ in the computer system or in external devices.
+
+ With role-based access control, access decisions are based on the
+ roles that individual users have as part of an organization.
+ Users take on assigned roles (such as doctor, nurse, teller,
+ manager).  The process of defining roles should be based on a
+ thorough analysis of how an organization operates and should
+ include input from a wide spectrum of users in an organization.
+
+ Access rights are grouped by role name, and the use of resources
+ is restricted to individuals authorized to assume the associated
+ role.  For example, within a hospital system the role of doctor
+ can include operations to perform diagnosis, prescribe
+ medication, and order laboratory tests; and the role of
+ researcher can be limited to gathering anonymous clinical
+ information for studies.
+
+ The use of roles to control access can be an effective means for
+ developing and enforcing enterprise-specific security policies,
+ and for streamlining the security management process.
+
+Users and Roles
+
+ Under the RBAC framework, users are granted membership into roles
+ based on their competencies and responsibilities in the
+ organization.  The operations that a user is permitted to perform
+ are based on the user's role.  User membership into roles can be
+ revoked easily and new memberships established as job assignments
+ dictate.  Role associations can be established when new
+ operations are instituted, and old operations can be deleted as
+ organizational functions change and evolve.  This simplifies the
+ administration and management of privileges; roles can be updated
+ without updating the privileges for every user on an individual
+ basis.
+
+ When a user is associated with a role:
+
+ the user can be given no more privilege than is necessary to
+ perform the job.  This concept of least privilege requires
+ identifying the user's job functions, determining the
+ minimum set of privileges required to perform that function,
+ and restricting the user to a domain with those privileges
+ and nothing more.  In less precisely controlled systems,
+ this is often difficult or costly to achieve.  Someone
+ assigned to a job category may be allowed more privileges
+ than needed because is difficult to tailor access based on
+ various attributes or constraints.  Since many of the
+ responsibilities overlap between job categories, maximum
+ privilege for each job category could cause unlawful access.
+   
+Roles and Role Hierarchies
+
+ Under RBAC, roles can have overlapping responsibilities and
+ privileges; that is, users belonging to different roles may need
+ to perform common operations.  Some general operations may be
+ performed by all employees.  In this situation, it would be
+ inefficient and administratively cumbersome to specify repeatedly
+ these general operations for each role that gets created.  Role
+ hierarchies can be established to provide for the natural
+ structure of an enterprise.  A role hierarchy defines roles that
+ have unique attributes and that may contain other roles; that is,
+ one role may implicitly include the operations that are
+ associated with another role.
+
+ In the healthcare situation, a role Specialist could contain the
+ roles of Doctor and Intern.  This means that members of the role
+ Specialist are implicitly associated with the operations
+ associated with the roles Doctor and Intern without the
+ administrator having to explicitly list the Doctor and Intern
+ operations.  Moreover, the roles Cardiologist and Rheumatologist
+ could each contain the Specialist role.
+
+ Role hierarchies are a natural way of organizing roles to reflect
+ authority, responsibility, and competency:
+
+ the role in which the user is gaining membership is not
+ mutually exclusive with another role for which the user
+ already possesses membership.  These operations and roles
+ can be subject to organizational policies or constraints.
+ When operations overlap, hierarchies of roles can be
+ established.  Instead of instituting costly auditing to
+ monitor access, organizations can put constraints on access
+ through RBAC.  For example, it may seem sufficient to allow
+ physicians to have access to all patient data records if
+ their access is monitored carefully.  With RBAC, constraints
+ can be placed on physician access so that only those records
+ that are associated with a particular physician can be
+ accessed.
+
+Roles and Operations
+
+ Organizations can establish the rules for the association of
+ operations with roles.  For example, a healthcare provider may
+ decide that the role of clinician must be constrained to post
+ only the results of certain tests but not to distribute them
+ where routing and human errors could violate a patient's right to
+ privacy.  Operations can also be specified in a manner that can
+ be used in the demonstration and enforcement of laws or
+ regulations.  For example, a pharmacist can be provided with
+ operations to dispense, but not to prescribe, medication.
+
+ An operation represents a unit of control that can be referenced
+ by an individual role, subject to regulatory constraints within
+ the RBAC framework.  An operation can be used to capture complex
+ security-relevant details or constraints that cannot be
+ determined by a simple mode of access.
+
+ For example, there are differences between the access needs of a
+ teller and an accounting supervisor in a bank.  An enterprise
+ defines a teller role as being able to perform a savings deposit
+ operation.  This requires read and write access to specific
+ fields within a savings file.  An enterprise may also define an
+ accounting supervisor role that is allowed to perform correction
+ operations.  These operations require read and write access to
+ the same fields of a savings file as the teller.  However, the
+ accounting supervisor may not be allowed to initiate deposits or
+ withdrawals but only perform corrections after the fact.
+ Likewise, the teller is not allowed to perform any corrections
+ once the transaction has been completed.  The difference between
+ these two  roles is the operations that are executed by the
+ different roles and the values that are written to the
+ transaction log file.
+
+ The RBAC framework provides administrators with the capability to
+ regulate who can perform what actions, when, from where, in what
+ order, and in some cases under what relational circumstances:
+
+ only those operations that need to be performed by members
+ of a role are granted to the role.  Granting of user
+ membership to roles can be limited.  Some roles can only be
+ occupied by a certain number of employees at any given
+ period of time.  The role of manager, for example, can be
+ granted to only one employee at a time.  Although an
+ employee other than the manager may act in that role, only
+ one person may assume the responsibilities of a manager at
+ any given time.  A user can become a new member of a role as
+ long as the number of members allowed for the role is not
+ exceeded.
+
+Advantages of RBAC
+
+ A properly-administered RBAC system enables users to carry out a
+ broad range of authorized operations, and provides great
+ flexibility and breadth of application.  System administrators
+ can control access at a level of abstraction that is natural to
+ the way that enterprises typically conduct business.  This is
+ achieved by statically and dynamically regulating users' actions
+ through the establishment and definition of roles, role
+ hierarchies, relationships, and constraints.  Thus, once an RBAC
+ framework is established for an organization, the principal
+ administrative actions are the granting and revoking of users
+ into and out of roles.  This is in contrast to the more
+ conventional and less intuitive process of attempting to
+ administer lower-level access control mechanisms directly (e.g.,
+ access control lists [ACLs], capabilities, or type enforcement
+ entities) on an object-by-object basis.
+
+ Further, it is possible to associate the concept of an RBAC
+ operation with the concept of "method" in Object Technology.
+ This association leads to approaches where Object Technology can
+ be used in applications and operating systems to implement an
+ RBAC operation.
+
+ For distributed systems, RBAC administrator responsibilities can
+ be divided among central and local protection domains; that is,
+ central protection policies can be defined at an enterprise level
+ while leaving protection issues that are of local concern at the
+ organizational unit level.  For example, within a distributed
+ healthcare system, operations that are associated with healthcare
+ providers may be centrally specified and pertain to all hospitals
+ and clinics, but the granting and revoking of memberships into
+ specific roles may be specified by administrators at local sites.
+
+Status of Current RBAC Activities
+
+ Several organizations are experimenting with the inclusion of
+ provisions for RBAC in open consensus specifications.  RBAC is an
+ integral part of the security models for Secure European System
+ for Applications in a Multi-vendor Environment (SESAME)
+ distributed system and the database language SQL3.  In addition,
+ the Object Management Group's (OMG) Common Object Request Broker
+ Architecture (CORBA) Security specification uses RBAC as an
+ example of an access control mechanism which can be used with the
+ distributed Object Technology defined by the OMG.  (See reference
+ below.)
+
+ CSL has been developing and defining RBAC and its applicability
+ cooperatively with industry, government, and academic partners.
+ In conjunction with Dr. Ravi Sandhu of George Mason University
+ and Seta Corporation, CSL is defining RBAC and its feasibility.
+ We are working with Dr. Virgil Gligor and his associates at the
+ University of Maryland and with the National Security Agency
+ (NSA) to develop a formal reference model for RBAC to provide a
+ safe, effective, and consistent mechanism for access control.
+ This effort is also implementing RBAC on NSA's Synergy Platform,
+ a secure platform based on the Mach Operating System.  CSL is
+ also developing a demonstration of RBAC use in healthcare.  The
+ access policy used in this demonstration is based on a draft
+ consensus policy for patient record access developed in the
+ United Kingdom.  In conjunction with the Internal Revenue Service
+ (IRS), CSL is defining roles and operations suitable for the IRS
+ environment.  In conjunction with the Veterans Administration
+ (VA), CSL is studying the applicability of RBAC to VA systems.
+
+ Based on current research and experience, RBAC appears to fit
+ well into the widely varying security policies of industry and
+ government organizations.
+
+ For additional information on Role-Based Access Control see:
+
+     http://waltz.ncsl.nist.gov/rbac/
+
+ or contact David Ferraiolo, dferraiolo@nist.gov, (301) 975-3046.
+
+References
+
+ Department of Defense, "Trusted Computer Security Evaluation
+ Criteria," DoD 5200.28-STD, 1985.
+
+ David F. Ferraiolo and D. Richard Kuhn, "Role-Based Access
+ Controls," Proceedings of the 15th NIST-NSA National Computer
+ Security Conference, Baltimore, Maryland, October 13-16, 1992.
+
+ David F. Ferraiolo, Dennis M. Gilbert, and Nickilyn Lynch, "An
+ Examination of Federal and Commercial Access Control Policy
+ Needs," Proceedings of the 16th NIST-NSA National Computer
+ Security Conference, Baltimore, Maryland, September 20-23, 1993.
+
+ ISO/IEC 9075, (Working Draft) Database Language SQL - Part 2:
+ Foundation, Document ISO/IEC JTC1/SC21 N9463, March 1995.
+
+ A. Griew and R. Currell, "A Strategy for Security of the
+ Electronic Patient Record," Institute for Health Informatics,
+ Aberystwyth, Draft Version 2.1, March 8, 1995.
+
+ David F. Ferraiolo, Janet A. Cugini, and D. Richard Kuhn,
+ "Role-Based Access Control (RBAC):  Features and Motivations,"
+ 11th Annual Computer Security Applications Proceedings, 1995.
+
+ John Barkley, "Application Engineering in Health Care,"
+ Proceedings of the 2nd Annual CHIN Summit, 1995.
+
+ CORBA Security Draft, Object Management Group (OMG) Document
+ Number 95-9-1, September 1995.
+
+ John Barkley, "Implementing Role-Based Access Control using
+ Object Technology," First ACM Workshop on Role-Based Access
+ Control, Gaithersburg, Maryland, November 30-December 1, 1995.
+
+ T. Parker and D. Pinkas, "SESAME Technology Version 3: Overview,"
+
+ http://www.esat.kuleuven.ac.be/cosic/sesame/doc-txt/overview.txt
+
+
+ Background material in a text box in the paper document:
+
+ Access control technology has evolved from research and
+ development efforts supported by the Department of Defense (DoD).
+ This research has resulted in two fundamental types of access
+ control:  Discretionary Access Control (DAC) and Mandatory Access
+ Control (MAC).  While initial research and applications addressed
+ preventing the unauthorized access to classified information,
+ recent applications have applied these policies to commercial
+ processing environments.
+
+ DAC permits the granting and revoking of access control
+ privileges to be left to the discretion of the individual users.
+ A DAC mechanism allows users to grant or revoke access to any of
+ the objects under their control.  As such, users are said to be
+ the owners of the objects under their control.  However, for many
+ organizations, the end users do not own the information for which
+ they are allowed access.  For these organizations, the
+ corporation or agency is the actual owner of system objects as
+ well as the programs that process them.  Access priorities are
+ controlled by the organization and are often based on employee
+ functions rather than data ownership.
+
+ MAC, as defined in the DoD's Trusted Computer Security Evaluation
+ Criteria (TCSEC), is "A means of restricting access to objects
+ based on the sensitivity (as represented by a label) of the
+ information contained in the objects and the formal authorization
+ (i.e. clearance) of subjects to access information of such
+ sensitivity."
+
+ These policies for access control are not particularly well
+ suited to the requirements of government and industry
+ organizations that process unclassified but sensitive
+ information.  In these environments, security objectives often
+ support higher-level organizational policies which are derived
+ from existing laws, ethics, regulations, or generally accepted
+ practices.  Such environments usually require the ability to
+ control actions of individuals beyond just an individual's
+ ability to access information according to how that information
+ is labeled based on its sensitivity.

Propchange: archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/rbac/introduction.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt
URL: http://svn.apache.org/viewvc/archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt?rev=1310197&view=auto
==============================================================================
--- archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt (added)
+++ archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt Fri Apr  6 07:21:08 2012
@@ -0,0 +1,9 @@
+ -----
+ Resource Links
+ -----
+ 19 Sept 2006
+ -----
+
+On Profiles
+
+ http://www.sun.com/bigadmin/content/submitted/custom_roles_rbac.html

Propchange: archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: archiva/redback/redback-site/trunk/src/site/apt/rbac/resource-links.apt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision