Posted to dev@sling.apache.org by Vidar Ramdal <vi...@idium.no> on 2008/02/21 13:25:13 UTC

LDAP user authentication

Does anyone have a working example of configuring Sling to use an
external LDAP server for authentication?

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway

Re: LDAP user authentication

Posted by Felix Meschberger <fm...@gmail.com>.
Hi all,

On Thursday, 21.02.2008, 16:50 +0100, David Nuescheler wrote:
> I would argue that a proper architecture would be to use the
> repository authentication to go directly to ldap. Since this would
> allow you to use the repository users for access control.
> 
> This is exactly how we integrated it in our commercial content
> repository [1] (which is based on jackrabbit) and I would argue that
> this is the only proper way of dealing with authentication in sling since this
> would allow the repository to reflect particularly read privileges properly
> for example in search results.
> 
> In my mind one of the main purposes of using a content repository
> is to be able to ignore access control altogether on the application
> layer.

And this is how we do it in Sling: We authenticate against the
repository and leave it to the repository how users are configured or
authentication is done down there.

Having said that, I suggest you look around in the Jackrabbit Mail
Archives. One solution might be to make use of Jackrabbit's internal
JAAS LoginModule support. See [1] or [2] for more on this.

Regards
Felix

[1] http://markmail.org/message/ovdsh2tuiq7tq4vw
[2] http://jackrabbit.apache.org/frequently-asked-questions.html#FrequentlyAskedQuestions-HowdoIuseLDAP%2CKerberos%2CorsomeotherauthenticationmechanismwithJackrabbit%3F

> 
> regards,
> david
> 
> 
> 
> [1] http://www.day.com/crx (testdrive here: http://jcr.day.com )
> 
> 
> On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> >
> >  On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
> >
> >  >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> >  >>> Does anyone have a working example of configuring Sling to use an
> >  >>> external LDAP server for authentication?
> >  > On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> >  >> I'd assume this is sort of orthogonal to Sling at the moment?
> >  >>
> >  >> One option would be to employ something like Spring security or
> >  >> SecurityFilter with an appropriate LDAP realm impl. This would make
> >  >> sure all requests would return something sane in the
> >  >> getUserPrincipal() and isUserInRole() calls. You could then code
> >  >> accordingly in your Sling components.
> >  >
> >  > I see. But using a servlet filter would not enforce security on the
> >  > JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> >  > and then handle authorization issues when Sling connects to
> >  > Jackrabbit.
> >
> >
> >
> >  If Jackrabbit actually supported any authorisation... (I assume you
> >  know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
> >  You can store ACLs as node children though (we currently do this,
> >  but we don't enforce security through the AccessManager mechanism
> >  provided by JCR itself but at a higher level).
> >
> >  My general experience is that many applications might need the concept
> >  of ownership (e.g. your blog posts are only editable by you), but that
> >  read permissions are mostly set to world-readable. The concept of
> >  ownership would be integral to your domain model, and should probably
> >  be enforced as part of any DAO layer. If you need anything more
> >  advanced than that, all access to the JCR nodes should go through a
> >  proper DAO layer, also for reading, which would sort of make it wise
> >  to use something other than Sling.
> >
> >
> >  --
> >
> > Torgeir Veimo
> >  torgeir@netenviron.com
> >
> >
> >
> >
> >
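Felix's pointer to Jackrabbit's JAAS LoginModule support, as an added example that is not part of this thread or of Jackrabbit's own distribution: a JAAS login configuration that authenticates repository logins against LDAP with the JDK's com.sun.security.auth.module.LdapLoginModule (part of the JDK since Java 6). It assumes the default appName "Jackrabbit" in the <Security> element of repository.xml with no <LoginModule> child configured, and the host, base DN and attribute names are placeholders.

```conf
/* Added example: JAAS login configuration for Jackrabbit, loaded with
   -Djava.security.auth.login.config=/path/to/jaas.conf (path is a placeholder).
   The application name must match the appName attribute of the <Security>
   element in repository.xml ("Jackrabbit" by default). When that element has
   no <LoginModule> child, Jackrabbit falls back to the JAAS configuration for
   that name, so this block is what a Repository.login() call ends up in. */
Jackrabbit {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        /* Directory and search base (placeholders). The module connects over
           SSL by default, so the user's bind password never crosses the wire
           in clear text; it is stated explicitly here rather than relied on. */
        userProvider="ldap://ldap.example.invalid/ou=people,dc=example,dc=invalid"
        useSSL=true
        /* Locate the entry for the login name; {USERNAME} is substituted by
           the module. Pinning the object class keeps service or group entries
           from matching a crafted login name. */
        userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
        /* Leave debug off outside of troubleshooting: it logs bind details. */
        debug=false;
};
```

This covers authentication only: the located entry is bound with the supplied password and a failed bind fails the login, but what the resulting Subject may do in the repository is decided by the AccessManager configured in the same <Security> element, which is exactly the gap Torgeir describes for Jackrabbit at the time.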


Re: LDAP user authentication

Posted by David Nuescheler <da...@day.com>.
I would argue that a proper architecture would be to use the
repository authentication to go directly to ldap. Since this would
allow you to use the repository users for access control.

This is exactly how we integrated it in our commercial content
repository [1] (which is based on jackrabbit) and I would argue that
this is the only proper way of dealing with authentication in sling since this
would allow the repository to reflect particularly read privileges properly
for example in search results.

In my mind one of the main purposes of using a content repository
is to be able to ignore access control altogether on the application
layer.

regards,
david



[1] http://www.day.com/crx (testdrive here: http://jcr.day.com )


On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
>
>  On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
>
>  >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
>  >>> Does anyone have a working example of configuring Sling to use an
>  >>> external LDAP server for authentication?
>  > On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
>  >> I'd assume this is sort of orthogonal to Sling at the moment?
>  >>
>  >> One option would be to employ something like Spring security or
>  >> SecurityFilter with an appropriate LDAP realm impl. This would make
>  >> sure all requests would return something sane in the
>  >> getUserPrincipal() and isUserInRole() calls. You could then code
>  >> accordingly in your Sling components.
>  >
>  > I see. But using a servlet filter would not enforce security on the
>  > JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
>  > and then handle authorization issues when Sling connects to
>  > Jackrabbit.
>
>
>
>  If Jackrabbit actually supported any authorisation... (I assume you
>  know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
>  You can store ACLs as node children though (we currently do this,
>  but we don't enforce security through the AccessManager mechanism
>  provided by JCR itself but at a higher level).
>
>  My general experience is that many applications might need the concept
>  of ownership (e.g. your blog posts are only editable by you), but that
>  read permissions are mostly set to world-readable. The concept of
>  ownership would be integral to your domain model, and should probably
>  be enforced as part of any DAO layer. If you need anything more
>  advanced than that, all access to the JCR nodes should go through a
>  proper DAO layer, also for reading, which would sort of make it wise
>  to use something other than Sling.
>
>
>  --
>
> Torgeir Veimo
>  torgeir@netenviron.com
>
>
>
>
>

Re: LDAP user authentication

Posted by Torgeir Veimo <to...@netenviron.com>.
On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:

>> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
>>> Does anyone have a working example of configuring Sling to use an
>>> external LDAP server for authentication?
> On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
>> I'd assume this is sort of orthogonal to Sling at the moment?
>>
>> One option would be to employ something like Spring security or
>> SecurityFilter with an appropriate LDAP realm impl. This would make
>> sure all requests would return something sane in the
>> getUserPrincipal() and isUserInRole() calls. You could then code
>> accordingly in your Sling components.
>
> I see. But using a servlet filter would not enforce security on the
> JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> and then handle authorization issues when Sling connects to
> Jackrabbit.


If Jackrabbit actually supported any authorisation... (I assume you
know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
You can store ACLs as node children though (we currently do this,
but we don't enforce security through the AccessManager mechanism
provided by JCR itself but at a higher level).

My general experience is that many applications might need the concept
of ownership (e.g. your blog posts are only editable by you), but that
read permissions are mostly set to world-readable. The concept of
ownership would be integral to your domain model, and should probably
be enforced as part of any DAO layer. If you need anything more
advanced than that, all access to the JCR nodes should go through a
proper DAO layer, also for reading, which would sort of make it wise
to use something other than Sling.

-- 
Torgeir Veimo
torgeir@netenviron.com





Re: LDAP user authentication

Posted by Vidar Ramdal <vi...@idium.no>.
>  On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
>  > Does anyone have a working example of configuring Sling to use an
>  > external LDAP server for authentication?
On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> I'd assume this is sort of orthogonal to Sling at the moment?
>
>  One option would be to employ something like Spring security or
>  SecurityFilter with an appropriate LDAP realm impl. This would make
>  sure all requests would return something sane in the
>  getUserPrincipal() and isUserInRole() calls. You could then code
>  accordingly in your Sling components.

I see. But using a servlet filter would not enforce security on the
JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
and then handle authorization issues when Sling connects to
Jackrabbit.

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway

Re: LDAP user authentication

Posted by Torgeir Veimo <to...@netenviron.com>.
On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:

> Does anyone have a working example of configuring Sling to use an
> external LDAP server for authentication?


I'd assume this is sort of orthogonal to Sling at the moment?

One option would be to employ something like Spring security or
SecurityFilter with an appropriate LDAP realm impl. This would make
sure all requests would return something sane in the
getUserPrincipal() and isUserInRole() calls. You could then code
accordingly in your Sling components.

-- 
Torgeir Veimo
torgeir@netenviron.com