Posted to users@cocoon.apache.org by Lars Huttar <la...@sil.org> on 2012/07/23 18:37:50 UTC

authentication framework problem

Hi all,

I'm trying to get authentication working in Cocoon 2.1.11. Everything
that I've been able to examine is working correctly, but instead of
letting certain people in, it just keeps everybody out (and shows the
redirect-to page).

Here's my handler configuration:

         <authentication-manager>
            <handlers>
               <handler name="ethnopubhandler">
                  <redirect-to uri="cocoon://mount/ethnologue-17-pub/forbidden.html"/>
                  <!-- <redirect-to uri="cocoon:/../../../../forbidden.html"/> works,
                       but depends on how deep current URL is. -->
                  <authentication uri="cocoon:raw://mount/ethnologue-17-pub/authorize"/>
               </handler>
            </handlers>
         </authentication-manager>

This is in a subsitemap that's in the subfolder mount/ethnologue-17-pub/
under the main Cocoon sitemap.

The authorize pipeline, in the same sitemap, is defined as:

         <map:match pattern="authorize">
            <map:generate src="process/access-list.xml" />
            <map:transform src="process/authorize.xsl" type="xslt-saxon">
               <map:parameter name="username" value="{request-header:osso_user_dn}" />
            </map:transform>
            <map:serialize type="xml-utf8" />
         </map:match>

This part works fine: if I go to "/authorize" in a browser, I get this
XML response:

<?xml version="1.0" encoding="UTF-8"?><authentication><ID>lars_huttar</ID><role>...</role></authentication>

According to this page:
http://cocoon.apache.org/2.1/developing/webapps/authentication/authenticating_user.html
the XML response just has to include the <authentication> and <ID>
elements to indicate successful authentication. Which it does.

But if I go to a URL that's protected by that authentication handler,
such as

         <map:match pattern="dataset/*/*/*/source">
            <map:act type="auth-protect">
               <map:parameter name="handler" value="ethnopubhandler"/>
               <map:generate src="datasets/query/{1}.xml"/>
               <map:serialize type="xml"/>
            </map:act>
         </map:match>

I get the "forbidden.html" page.

How can I trace what's going wrong?

Thanks,
Lars



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Re: authentication framework problem

Posted by Lars Huttar <la...@sil.org>.
On 7/24/2012 10:05 AM, Lars Huttar wrote:
> On 7/24/2012 9:58 AM, Lars Huttar wrote:
>> I wonder if "auth" is the same as "CAuth", which I think refers to
>> org.apache.cocoon.auth package. [0]
>> But I haven't yet found documentation on how to use this package in
>> Cocoon 2.1.11; only JavaDoc pages.
> The package seems to exist in Cocoon 2.1.11 [0]. I wonder if I can use
> the "Cocoon Authentication" documentation from Cocoon 2.2 [1], aside
> from the bean stuff?


I've tried this, following the instructions at [1]. The result I'm
getting is that the resource is not protected; everybody is let in,
regardless.

Here is my configuration.

In cocoon.xconf:

<component class="org.apache.cocoon.auth.impl.PipelineSecurityHandler"
           role="org.apache.cocoon.auth.SecurityHandler/ethnopubHandler">
  <authentication-resource>cocoon:raw://mount/ethnologue-17-pub/authorize</authentication-resource>
</component>
<component class="org.apache.cocoon.auth.StandardApplication"
           role="org.apache.cocoon.auth.Application/ethnopub">
  <security-handler>org.apache.cocoon.auth.SecurityHandler/ethnopubHandler</security-handler>
</component>

Some of the above is guesswork, attempting to convert from bean format
to the older Cocoon 2.1.11 format. Can anybody validate it?

In the top-level sitemap.xmap, under <map:components>/<map:actions>:

     <!-- for CAuth: (see http://cocoon.apache.org/2.2/blocks/auth/1.0/1315_1_1.html) -->
     <map:action name="cauth-is-logged-in"
        src="org.apache.cocoon.auth.acting.LoggedInAction"/>
     <map:action name="cauth-login"
        src="org.apache.cocoon.auth.acting.LoginAction"/>
     <map:action name="cauth-logout"
        src="org.apache.cocoon.auth.acting.LogoutAction"/>

(I copied this from the "portal" block's sitemap.)

In the mounted sub-sitemap:

         <map:match pattern="dataset/*/*/*/source">
            <map:act type="cauth-is-logged-in">
               <map:parameter name="application" value="ethnopubapp"/>
               <map:generate src="datasets/query/{1}.xml"/>
               <map:serialize type="xml"/>
            </map:act>
         </map:match>



When I put Cocoon in full DEBUG logging mode, this is the only log
output I get relevant to the authentication of the resource:

DEBUG (2012-07-24) 13:32.52:579 [sitemap]
(/mount/ethnologue-17-pub/dataset/country-header/-/-/source)
catalina-exec-2/LoggedInAction: BEGIN act
resolver=org.apache.cocoon.environment.http.HttpEnvironment@834e7,
objectModel={response=org.apache.cocoon.environment.http.HttpResponse@c92ed6,
source-resolver=org.apache.cocoon.environment.http.HttpEnvironment@834e7, request=org.apache.cocoon.environment.http.HttpRequest@21f46a,
context=org.apache.cocoon.environment.http.HttpContext@13598c3,
httpresponse=org.apache.catalina.connector.ResponseFacade@1c06a6d,
org.apache.cocoon.components.CocoonComponentManager=org.apache.cocoon.components.EnvironmentDescription@18b3fee,
httpservletcontext=org.apache.catalina.core.ApplicationContextFacade@1125f92,
httprequest=org.apache.catalina.connector.RequestFacade@14096e6},
source=null, par=Parameters[r/w]:{application=ethnopubapp}
DEBUG (2012-07-24) 13:32.52:579 [sitemap]
(/mount/ethnologue-17-pub/dataset/country-header/-/-/source)
catalina-exec-2/LoggedInAction: END act map={}

Nothing in the log indicates that the authentication resource URI
("cocoon:raw://mount/ethnologue-17-pub/authorize") is even being called.


Help, anyone?

BTW I'm cross-posting this to the dev list, because nobody seems to be
responding on the user list. For previous posts in this thread, see
http://cocoon.markmail.org/thread/fgidpmwxrajormjn

Thanks,
Lars

[1] http://cocoon.apache.org/2.2/blocks/auth/1.0/1315_1_1.html
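
A consistency check over the configuration quoted in the message above, as an added example that is not part of the original post or of Cocoon itself. It assumes, which the thread does not confirm, that the sitemap's `application` parameter is resolved against the suffix of a component role `org.apache.cocoon.auth.Application/<name>`; the inline inputs are constructed from the quoted configuration, trimmed and wrapped in root elements.

```python
import xml.etree.ElementTree as ET

MAP_NS = "{http://apache.org/cocoon/sitemap/1.0}"
# Assumption: CAuth looks an application up by this role prefix plus its name.
APP_PREFIX = "org.apache.cocoon.auth.Application/"
HANDLER_PREFIX = "org.apache.cocoon.auth.SecurityHandler/"

# Constructed inputs: the configuration quoted in the message, trimmed.
XCONF = """<cocoon>
 <component class="org.apache.cocoon.auth.impl.PipelineSecurityHandler"
            role="org.apache.cocoon.auth.SecurityHandler/ethnopubHandler">
  <authentication-resource>cocoon:raw://mount/ethnologue-17-pub/authorize</authentication-resource>
 </component>
 <component class="org.apache.cocoon.auth.StandardApplication"
            role="org.apache.cocoon.auth.Application/ethnopub">
  <security-handler>org.apache.cocoon.auth.SecurityHandler/ethnopubHandler</security-handler>
 </component>
</cocoon>"""
SITEMAP = """<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
 <map:match pattern="dataset/*/*/*/source">
  <map:act type="cauth-is-logged-in">
   <map:parameter name="application" value="ethnopubapp"/>
  </map:act>
 </map:match>
</map:sitemap>"""


def declared(xconf_text):
    """Return ({application name: its security-handler role}, {declared handler roles})."""
    apps, handlers = {}, set()
    for comp in ET.fromstring(xconf_text).iter("component"):
        role = comp.get("role", "")
        if role.startswith(APP_PREFIX):
            apps[role[len(APP_PREFIX):]] = (comp.findtext("security-handler") or "").strip()
        elif role.startswith(HANDLER_PREFIX):
            handlers.add(role)
    return apps, handlers


def check(xconf_text, sitemap_text, act_types=("cauth-is-logged-in", "cauth-login")):
    """Return naming mismatches between the sitemap's CAuth actions and cocoon.xconf."""
    apps, handlers = declared(xconf_text)
    problems = [f"application '{a}' names undeclared handler '{h}'"
                for a, h in apps.items() if h not in handlers]
    for act in ET.fromstring(sitemap_text).iter(MAP_NS + "act"):
        params = act.findall(MAP_NS + "parameter") if act.get("type") in act_types else []
        for p in params:
            if p.get("name") == "application" and p.get("value") not in apps:
                problems.append(f"sitemap application '{p.get('value')}' has no "
                                f"{APP_PREFIX}<name> component; declared: {sorted(apps)}")
    return problems


if __name__ == "__main__":
    print("\n".join(check(XCONF, SITEMAP)) or "names are consistent")
```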




Re: authentication framework problem

Posted by Lars Huttar <la...@sil.org>.
On 7/24/2012 9:58 AM, Lars Huttar wrote:
> I wonder if "auth" is the same as "CAuth", which I think refers to
> org.apache.cocoon.auth package. [0]
> But I haven't yet found documentation on how to use this package in
> Cocoon 2.1.11; only JavaDoc pages.

The package seems to exist in Cocoon 2.1.11 [0]. I wonder if I can use
the "Cocoon Authentication" documentation from Cocoon 2.2 [1], aside
from the bean stuff?

I'd prefer to use a non-deprecated package, but I'm willing to use
whatever will do the job with the least complexity.

Lars

[0]
http://cocoon.apache.org/2.1/apidocs/org/apache/cocoon/auth/ApplicationManager.html
[1] http://cocoon.apache.org/2.2/blocks/auth/1.0/1315_1_1.html



Re: authentication framework problem

Posted by Lars Huttar <la...@sil.org>.
On 7/23/2012 5:27 PM, Lars Huttar wrote:
>
>
>
> Another angle: in the deprecation.log, I get
>
>   WARN  (2012-07-23) 16:22.48:459 [deprecation]
> (/mount/ethnologue-17-pub/dataset/country-header/-/-/source)
> catalina-exec-5/Deprecation.LoggerWrapper: The authentication-fw block
> is deprecated. Please use the auth block instead.
>
> Ah, I say, there is something new to replace the authentication
> framework I'm using!
>
> But in the samples/blocks folder, there is "authentication-fw" but no
> "auth" block. Where do I find "auth"?
>

I wonder if "auth" is the same as "CAuth", which I think refers to
org.apache.cocoon.auth package. [0]
But I haven't yet found documentation on how to use this package in
Cocoon 2.1.11; only JavaDoc pages.

Of the deprecated API items on [1] that have to do with authentication,
the only one that lists a replacement is

org.apache.cocoon.portal.profile.impl.AuthenticationProfileManager
<http://cocoon.apache.org/2.1/apidocs/org/apache/cocoon/portal/profile/impl/AuthenticationProfileManager.html>

          Use the GroupBasedProfileManager
<http://cocoon.apache.org/2.1/apidocs/org/apache/cocoon/portal/profile/impl/GroupBasedProfileManager.html>


But the doc for GroupBasedProfileManager [2] says "THIS IS A WORK IN
PROGRESS - IT'S NOT FINISHED/WORKING YET".

Is CAuth the latest way to go, in 2.1.11? Is it tied to portals? (I have
no particular interest in using portal, but can if necessary in order to
get authentication in a way that works.)
I see this in cocoon.xconf:

<portal name="portal">
  <profile-manager>org.apache.cocoon.portal.profile.ProfileManager/CAuth</profile-manager>

Does this mean I need to use ProfileManager, or is that just one way to
use CAuth?
When I look up authentication in Cocoon portals [3], it tells me how to
use authentication framework, which I now know is deprecated.

I feel like I've been following hints of various authentication
mechanisms through a "maze of twisty packages, all alike", and not
finding a description of one that actually works in Cocoon 2.1.11.

Help!

(I've also seen hints of Cocoon 2.1.12-dev, but AFAIK that never made it
to release. I don't foresee migrating all our apps to Cocoon 2.2 just to
add authentication to a couple of resources. Instead I would probably
use a selector or something.)

Lars

[0]
http://cocoon.apache.org/2.1/apidocs/org/apache/cocoon/auth/package-summary.html
[1] http://cocoon.apache.org/2.1/apidocs/deprecated-list.html
[2]
http://cocoon.apache.org/2.1/apidocs/org/apache/cocoon/portal/profile/impl/GroupBasedProfileManager.html
[3] http://cocoon.apache.org/2.1/developing/portal/authentication.html




Re: authentication framework problem

Posted by Lars Huttar <la...@sil.org>.
On 7/23/2012 12:37 PM, Lars Huttar wrote:
> Hi all,
>
> I'm trying to get authentication working in Cocoon 2.1.11. Everything
> that I've been able to examine is working correctly, but instead of
> letting certain people in, it just keeps everybody out (and shows the
> redirect-to page).
>
> Here's my handler configuration:
>
>          <authentication-manager>
>             <handlers>
>                <handler name="ethnopubhandler">
>                   <redirect-to
> uri="cocoon://mount/ethnologue-17-pub/forbidden.html"/>
>                   <!-- <redirect-to
> uri="cocoon:/../../../../forbidden.html"/> works, but depends on how
> deep current URL is. -->
>                   <authentication
> uri="cocoon:raw://mount/ethnologue-17-pub/authorize"/>
>                </handler>
>             </handlers>
>          </authentication-manager>
>
> This is in a subsitemap that's in the subfolder mount/ethnologue-17-pub/
> under the main Cocoon sitemap.
>
> The authorize pipeline, in the same sitemap, is defined as:
>
>          <map:match pattern="authorize">
>             <map:generate src="process/access-list.xml" />
>             <map:transform src="process/authorize.xsl" type="xslt-saxon">
>                <map:parameter name="username"
> value="{request-header:osso_user_dn}" />
>             </map:transform>
>             <map:serialize type="xml-utf8" />
>          </map:match>
>
> This part works fine: if I go to "/authorize" in a browser, I get this
> XML response:
>
> <?xml version="1.0" encoding="UTF-8"?><authentication><ID>lars_huttar</ID><role>...</role></authentication>
>
> According to this page:
> http://cocoon.apache.org/2.1/developing/webapps/authentication/authenticating_user.html
> the XML response just has to include the <authentication> and <ID>
> elements to indicate successful authentication. Which it does.
>
> But if I go to a URL that's protected by that authentication handler,
> such as
>
>          <map:match pattern="dataset/*/*/*/source">
>             <map:act type="auth-protect">
>                <map:parameter name="handler" value="ethnopubhandler"
> />              
>                <map:generate src="datasets/query/{1}.xml"/>
>             <map:serialize type="xml"/>
>             </map:act>
>          </map:match>
>
> I get the "forbidden.html" page.
>
> How can I trace what's going wrong?
>
> Thanks,
> Lars
>
>


P.S.

The code in authentication/components/PipelineAuthenticator.java has
debug logging output like

        if (this.getLogger().isDebugEnabled()) {
            this.getLogger().debug("END isValidAuthenticationFragment valid=" + isValid);
        }

and I have this in my WEB-INF\logkit.xconf:

     <category log-level="DEBUG" name="core.authentication-manager">
        <log-target id-ref="main" />
     </category>

So I would have expected debug logging to be enabled.
But I don't see the above debug log message or anything like it in the
WEB-INF\logs\*.log files.

I also tried turning on global debug logging:

    <category log-level="DEBUG" name="">
      <log-target id-ref="main"/>
    </category>

Of course I got loads of output. But nothing like "END
isValidAuthenticationFragment valid=". What am I doing wrong?



Another angle: in the deprecation.log, I get

  WARN  (2012-07-23) 16:22.48:459 [deprecation]
(/mount/ethnologue-17-pub/dataset/country-header/-/-/source)
catalina-exec-5/Deprecation.LoggerWrapper: The authentication-fw block
is deprecated. Please use the auth block instead.

Ah, I say, there is something new to replace the authentication
framework I'm using!

But in the samples/blocks folder, there is "authentication-fw" but no
"auth" block. Where do I find "auth"?


Thanks for any help.

Lars

