Posted to jetspeed-user@portals.apache.org by "Boyce, Keith Garry" <Ke...@bcbsma.com> on 2005/06/08 16:27:25 UTC

Jetspeed2 Security Valve

I want to implement portal security in a way that's portable across
portal containers and in a way that the security stuff is not included
in portlet code. I basically want the portlets to access javabeans
stored in session or request context.

I heard the first place to start was SecurityValve but have been unable
to find any examples of custom security valves or how within the portlet
the security information is used.

I am also particularly interested in if Acegi Security for spring
http://acegisecurity.sourceforge.net/ could have some use here, with a
custom adaptor for jetspeed2.

Please send me your thoughts and examples..

My particular problem domain is that currently there are a number of
user attributes that I am receiving from Sun Access Manager and LDAP
through SSOTokenManager.

i.e:

import com.iplanet.sso.SSOTokenManager;
import com.iplanet.sso.SSOToken;

....

SSOTokenManager mgr = SSOTokenManager.getInstance();
SSOToken token = mgr.createSSOToken(request);
String theAttribute = token.getProperty("THE ATTRIBUTE");

I want to convert app to jetspeed in a way that is portable and
separates out security concerns while still giving access to these
attributes to filter data from backend stores etc.... SSOTokenManager
and SSOToken are specific to iplanet and I don't want that in my code.

This message is a PRIVATE communication.
If you are not the intended recipient, please do not read, copy,
or use it, and do not disclose it to others. Please notify the
sender of the delivery error by replying to this message, and then
delete it from your system. Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: Jetspeed2 Security Valve

Posted by Randy Watler <wa...@wispertel.net>.
Start here:

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/200504.mbox/%3c008401c546a3$f75abe20$8f00a8c0@Patan%3e

This thread spans months, so be prepared to follow it in April on...

Randy

Boyce, Keith Garry wrote:

>I want to implement portal security in a way that's portable across
>portal containers and in a way that the security stuff is not included
>in portlet code. I basically want the portlets to access javabeans
>stored in session or request context.
>
>I heard the first place to start was SecurityValve but have been unable
>to find any examples of custom security valves or how within the portlet
>the security information is used.
>
>I am also particularly interested in if Acegi Security for spring
>http://acegisecurity.sourceforge.net/ could have some use here, with a
>custom adaptor for jetspeed2.
>
>Please send me your thoughts and examples..
>
>My particular problem domain is that currently there are a number of
>user attributes that I am receiving from Sun Access Manager and LDAP
>through SSOTokenManager.
>
>i.e:
>
>import com.iplanet.sso.SSOTokenManager;
>import com.iplanet.sso.SSOToken;
>
>....
>
>SSOTokenManager mgr = SSOTokenManager.getInstance();
>SSOToken token = mgr.createSSOToken(request);
>String theAttribute = token.getProperty("THE ATTRIBUTE");
>
>I want to convert app to jetspeed in a way that is portable and
>separates out security concerns while still giving access to these
>attributes to filter data from backend stores etc.... SSOTokenManager
>and SSOToken are specific to iplanet and I don't want that in my code.


Re: Jetspeed2 Security Valve

Posted by David Sean Taylor <da...@bluesunrise.com>.
Boyce, Keith Garry wrote:
> I want to implement portal security in a way that's portable across
> portal containers and in a way that the security stuff is not included
> in portlet code. I basically want the portlets to access javabeans
> stored in session or request context.
> 
> I heard the first place to start was SecurityValve but have been unable
> to find any examples of custom security valves or how within the portlet
> the security information is used.
>
Docs are incomplete, but here's a start:

http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html

and

in the source repository, look under design-docs/src/security

There is a security service provider architecture documented there which 
you should first become familiar with. As an alternative to replacing 
the valve, you can take the approach of integrating your security system 
with jetspeed security providers.

> I am also particularly interested in if Acegi Security for spring
> http://acegisecurity.sourceforge.net/ could have some use here, with a
> custom adaptor for jetspeed2.
> 
> Please send me your thoughts and examples..
> 
I'm interested in supporting Acegi in Jetspeed.
Read up on the jetspeed security architecture, and I'll get familiar 
with Acegi, then we can continue this discussion....

> My particular problem domain is that currently there are a number of
> user attributes that I am receiving from Sun Access Manager and LDAP
> through SSOTokenManager.
> 
> 
> i.e:
> 
> 
> import com.iplanet.sso.SSOTokenManager;
> import com.iplanet.sso.SSOToken;
> 
> ....
> 
> SSOTokenManager mgr = SSOTokenManager.getInstance();
> SSOToken token = mgr.createSSOToken(request);
> String theAttribute = token.getProperty("THE ATTRIBUTE");
> 
> I want to convert app to jetspeed in a way that is portable and
> separates out security concerns while still giving access to these
> attributes to filter data from backend stores etc.... SSOTokenManager
> and SSOToken are specific to iplanet and I don't want that in my code.
> 
First have a look at the User Attributes in the Portlet API (PLT.17 User 
Information).

You can retrieve user attributes in a standard way:

    Map attributes = (Map)
            portletRequest.getAttribute(PortletRequest.USER_INFO);

Then look into replacing the UserInfoManager in the jetspeed-spring.xml 
with your own implementation:

   <!-- User Info -->
   <bean id="org.apache.jetspeed.userinfo.UserInfoManager"
         class="org.apache.jetspeed.userinfo.impl.UserInfoManagerImpl">




-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194
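
The portlet side of the approach described in the reply above, as an added example that is not part of the original thread or of Jetspeed: the portlet reads a container-supplied attribute through PortletRequest.USER_INFO only, so no com.iplanet.sso classes appear in portlet code. The class name and the choice of user.department as a stand-in for "THE ATTRIBUTE" are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

// Added example, not code from the thread. Only javax.portlet types appear here.
public class DepartmentRecordsPortlet extends GenericPortlet {
    // Assumption: stands in for "THE ATTRIBUTE". Declare it in portlet.xml:
    // <user-attribute><name>user.department</name></user-attribute>
    static final String DEPARTMENT = "user.department";

    // Returns the trimmed attribute value, or null when it is absent or unusable.
    static String userAttribute(PortletRequest request, String name) {
        // PLT.17: USER_INFO is null when the request is unauthenticated.
        Map userInfo = (Map) request.getAttribute(PortletRequest.USER_INFO);
        Object value = (userInfo == null) ? null : userInfo.get(name);
        if (!(value instanceof String)) {
            return null;
        }
        String text = ((String) value).trim();
        return text.length() == 0 ? null : text;
    }

    // Minimal HTML escaping for text written into the markup fragment.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '&' || c == '<' || c == '>' || c == '"' || c == '\'') {
                out.append("&#").append((int) c).append(';');
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String department = userAttribute(request, DEPARTMENT);
        // Fail closed: with no attribute there is no filter, so show nothing.
        out.println(department == null ? "<p>No records available.</p>"
            : "<p>Records for department " + escapeHtml(department) + "</p>");
    }
}
```

When the value is used to filter a backend store, pass it as a bound query parameter and take it only from USER_INFO, never from a request parameter the browser controls.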
