Posted to user@turbine.apache.org by Daniel Patterson <da...@adaptiveinternational.com> on 2002/12/17 14:04:57 UTC
Tiered authentication
Hi all,
I'm quite new to Turbine, so forgive me if I miss something obvious,
but I'm getting a bit lost trying to decouple some of the user
authentication features of Turbine.
I would like to use a Turbine application in an environment where I
have two kinds of users:
1) Users listed in a corporate directory (LDAP)
2) Users who sign up on the website independently.
I don't really want to provide two entry points, and I'd like to
integrate the application with the cookie-based single-sign-on system
already in place for users in the LDAP directory.
Basically, I'm trying to achieve the following:
1) User hits the application URL
2) If user has appropriate cookie, discover username and move on to
default application page. The information may not necessarily
be a cookie, but may be an X509 certificate, a header added by
a frontend proxy, etc.
3) If user does not have "special" authentication information,
display application login screen.
4) On user login attempt, first attempt to validate against LDAP.
   If that works, issue single-sign-on cookie (in addition to
   session cookie), and continue.
5) If LDAP validation fails, check against internal user database.
If that works, login as normal and don't set any extra cookies.
6) Otherwise, login fails.
Now, there are a few questions that I don't know where to find the
answers to that I'm hoping someone else may have already seen:
1) Can I enumerate over both sets of users from within Turbine
   (assuming I had an API for each) so that authorisation features
   (role assignments, etc.) could be managed from within the
   application? I.e., a search for user by name finds users in
   both LDAP *and* the TURBINE_USER table?
2) Does Turbine behave nicely if roles are assigned to non-existent
   users (i.e. ones that are in LDAP and have no entry in
   TURBINE_USER)?
I suspect I may need to "automagically" populate rows in the
TURBINE_USER table, but this could be a pain during name changes,
email changes, etc. I would like to source data directly, but I can't
tell if it's possible or not.
Does anyone have any ideas?
daniel
--
Daniel Patterson <da...@adaptiveinternational.com>
Adaptive International
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
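The flow in steps 2 to 6 of the post above, as an added example that is not part of the original thread and not Turbine code. The directory and the TURBINE_USER table are replaced by constructed in-memory stand-ins, and the proxy header name, cookie name and token layout are assumptions. The point it adds to the sketch in the post is that the "special" authentication information must be something the client cannot forge: the SSO cookie carries an HMAC and an expiry, and the proxy header is only honoured when the request is known to have come through the proxy.

```python
"""Tiered login: proxy assertion or signed SSO cookie, then LDAP, then local table.
Added example, not from the original thread or from Turbine. LDAP and
TURBINE_USER are in-memory stand-ins; header/cookie names and token layout are
assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

SSO_KEY = os.urandom(32)        # assumed: secret shared by every app honouring the SSO cookie
SSO_COOKIE = "corp_sso"         # assumed cookie name
PROXY_HEADER = "X-Remote-User"  # assumed header a front-end proxy sets after its own auth
SSO_TTL = 8 * 3600              # seconds an SSO token stays valid

# Constructed stand-in for the corporate directory (username -> password).
LDAP_USERS = {"alice": "corp-secret"}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the TURBINE_USER table (username -> (salt, hash)).
_bob_salt = os.urandom(16)
LOCAL_USERS = {"bob": (_bob_salt, _hash_pw("web-secret", _bob_salt))}


@dataclass
class LoginResult:
    user: Optional[str]
    source: str                        # sso, proxy, ldap, local, login_required, failed
    sso_cookie: Optional[str] = None   # token to set when LDAP succeeded (step 4)


def issue_sso_token(user: str, now: Optional[float] = None) -> str:
    """Layout user:expiry:hmac. The MAC is what stops a client minting its own cookie."""
    exp = int((now if now is not None else time.time()) + SSO_TTL)
    payload = f"{user}:{exp}"
    mac = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_sso_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the MAC checks and the token is unexpired, else None."""
    try:
        user, exp, mac = token.rsplit(":", 2)
        exp_i = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SSO_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(mac, expected):
        return None
    if (now if now is not None else time.time()) >= exp_i:
        return None
    return user


def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind. An empty password is rejected up front:
    against a real directory it would succeed as an anonymous bind (RFC 4513)."""
    if not password:
        return False
    return LDAP_USERS.get(user) == password


def local_check(user: str, password: str) -> bool:
    entry = LOCAL_USERS.get(user)
    if entry is None:
        _hash_pw(password, b"\0" * 16)  # same cost for unknown user as for wrong password
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_pw(password, salt), stored)


def authenticate(headers: dict, cookies: dict, form: dict,
                 trusted_proxy: bool = False, now: Optional[float] = None) -> LoginResult:
    """Steps 2 to 6 of the flow. trusted_proxy must be derived from the connection
    (e.g. peer address), never from the request itself."""
    # Step 2a: identity asserted by the front-end proxy.
    if trusted_proxy and headers.get(PROXY_HEADER):
        return LoginResult(headers[PROXY_HEADER], "proxy")
    # Step 2b: signed SSO cookie.
    if SSO_COOKIE in cookies:
        user = verify_sso_token(cookies[SSO_COOKIE], now)
        if user:
            return LoginResult(user, "sso")
    # Step 3: no special information and no credentials posted -> login screen.
    username, password = form.get("username", ""), form.get("password", "")
    if not username:
        return LoginResult(None, "login_required")
    # Step 4: corporate users get the SSO cookie on top of the session cookie.
    if ldap_bind(username, password):
        return LoginResult(username, "ldap", sso_cookie=issue_sso_token(username, now))
    # Step 5: locally registered users, no extra cookie.
    if local_check(username, password):
        return LoginResult(username, "local")
    # Step 6: login fails.
    return LoginResult(None, "failed")
```

Two things to decide before copying this into a real deployment: the proxy must strip any client-supplied copy of the header before adding its own, and the fall-through from LDAP to the local table means a username present in both stores can be logged in with whichever password is weaker, so if the two populations are not guaranteed disjoint, pick which store is authoritative for a name rather than trying both.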
Re: Tiered authentication
Posted by Eric Emminger <er...@ericemminger.com>.
Daniel
> 1) Users listed in a corporate directory (LDAP)
> 2) Users who sign up on the website independently.
Could you put the public users in LDAP so that you have only one data
source?
Eric
--
Eric Emminger
eric@ericemminger.com