Posted to dev@sling.apache.org by Vidar Ramdal <vi...@idium.no> on 2008/02/21 13:25:13 UTC
LDAP user authentication
Does anyone have a working example of configuring Sling to use an
external LDAP server for authentication?
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: LDAP user authentication
Posted by Felix Meschberger <fm...@gmail.com>.
Hi all,
On Thursday, 21.02.2008, at 16:50 +0100, David Nuescheler wrote:
> I would argue that a proper architecture would be to use the
> repository authentication to go directly to LDAP. Since this would
> allow you to use the repository users for access control.
>
> This is exactly how we integrated it in our commercial content
> repository [1] (which is based on Jackrabbit) and I would argue that
> this is the only proper way of dealing with authentication in Sling since this
> would allow the repository to reflect particularly read privileges properly
> for example in search results.
>
> In my mind one of the main purposes of using a content repository
> is to be able to ignore access control altogether on the application
> layer.
And this is how we do it in Sling: We authenticate against the
repository and leave it to the repository how users are configured or
authentication is done down there.
Having said that, I suggest you look around in the Jackrabbit Mail
Archives. One solution might be to make use of Jackrabbit's internal
JAAS LoginModule support. See [1] or [2] for more on this.
Regards
Felix
[1] http://markmail.org/message/ovdsh2tuiq7tq4vw
[2]
http://jackrabbit.apache.org/frequently-asked-questions.html#FrequentlyAskedQuestions-HowdoIuseLDAP%2CKerberos%2CorsomeotherauthenticationmechanismwithJackrabbit%3F
>
> regards,
> david
>
>
>
> [1] http://www.day.com/crx (testdrive here: http://jcr.day.com )
>
>
> On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> >
> > On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
> >
> > >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> > >>> Does anyone have a working example of configuring Sling to use an
> > >>> external LDAP server for authentication?
> > > On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> > >> I'd assume this is sort of orthogonal to Sling at the moment?
> > >>
> > >> One option would be to employ something like Spring Security or
> > >> SecurityFilter with an appropriate LDAP realm impl. This would make
> > >> sure all requests would return something sane in the
> > >> getUserPrincipal() and isUserInRole() calls. You could then code
> > >> accordingly in your Sling components.
> > >
> > > I see. But using a servlet filter would not enforce security on the
> > > JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> > > and then handle authorization issues when Sling connects to
> > > Jackrabbit.
> >
> >
> >
> > If Jackrabbit actually supported any authorisation... (I assume you
> > know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
> > You can store ACLs as node children though (we currently do this,
> > but we don't enforce security through the AccessManager mechanism
> > provided by JCR itself but at a higher level).
> >
> > My general experience is that many applications might need the concept
> > of ownership (e.g. your blog posts are only editable by you), but that
> > read permissions are mostly set at world-readable. The concept of
> > ownership would be integral to your domain model, and should probably
> > be enforced as part of any DAO layer. If you need anything more
> > advanced than that, all access to the JCR nodes should go through a
> > proper DAO layer, also for reading, which would sort of make it wise
> > to use something other than Sling.
> >
> >
> > --
> >
> > Torgeir Veimo
> > torgeir@netenviron.com
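The JAAS route Felix points to (links [1] and [2]) comes down to writing a LoginModule that the repository calls with the credentials Sling passed in. The following is an added example for this thread, not code from Felix, Jackrabbit or Sling: a LoginModule that authenticates by binding to an LDAP server as the user. It assumes that the repository's CallbackHandler can answer a NameCallback and a PasswordCallback, that the module is wired in through the JAAS configuration entry whose name is given by the `appName` attribute of `<Security>` in repository.xml, and that the option names `ldap.url` and `ldap.userDn` are this example's own. The class `LdapBindLoginModule` and the nested `UserPrincipal` are likewise this example's names.

```java
import java.security.Principal;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example (not Jackrabbit/Sling code): JAAS LoginModule that authenticates
// by binding to LDAP with the user's own DN and password (simple bind).
// Module options (this example's own names, not a standard): "ldap.url", e.g.
// ldaps://ldap.example.org/, and "ldap.userDn", e.g.
// uid={0},ou=people,dc=example,dc=org ({0} is replaced by the RDN-escaped name).
public class LdapBindLoginModule implements LoginModule {
    /** Minimal Principal added to the Subject on a successful login. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    private Subject subject;
    private CallbackHandler handler;
    private String ldapUrl, userDnPattern, userName;
    private boolean succeeded;
    private UserPrincipal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ldapUrl = (String) options.get("ldap.url");
        this.userDnPattern = (String) options.get("ldap.userDn");
    }

    public boolean login() throws LoginException {
        if (handler == null || ldapUrl == null || userDnPattern == null) {
            throw new LoginException("CallbackHandler, ldap.url and ldap.userDn are required");
        }
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (Exception e) {  // IOException or UnsupportedCallbackException
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = pwCb.getPassword();  // returns a copy
        pwCb.clearPassword();
        // Reject empty passwords here: LDAP servers treat a simple bind with an
        // empty password as an anonymous bind and report success, so passing
        // it through would log anyone in under any known user name.
        if (name == null || name.isEmpty() || password == null || password.length == 0) {
            throw new FailedLoginException("user name and password are required");
        }
        // Escape the user name before placing it in the DN so that characters
        // such as ',' '=' '+' cannot alter the DN structure.
        String dn = userDnPattern.replace("{0}", Rdn.escapeValue(name));
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        java.util.Arrays.fill(password, '\0');
        InitialLdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);  // the constructor performs the bind
            userName = name;
            succeeded = true;
            return true;
        } catch (javax.naming.AuthenticationException e) {
            throw new FailedLoginException("LDAP bind failed for " + dn);
        } catch (NamingException e) {
            throw new LoginException("LDAP error: " + e.getMessage());
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignore) { } }
        }
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(principal = new UserPrincipal(userName));
        return true;
    }
    public boolean abort() { succeeded = false; userName = null; return true; }
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        succeeded = false; userName = null; principal = null;
        return true;
    }
}
```

Two points worth keeping when adapting this: use an `ldaps://` URL (or StartTLS) so the user's password is not sent in the clear to the directory, and keep the empty-password check even if the directory is believed to refuse anonymous binds, since that refusal is a server setting the application cannot see. The principal the module adds is what the repository's AccessManager sees afterwards, which is the point David makes about doing authentication at the repository rather than in a servlet filter.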
Re: LDAP user authentication
Posted by David Nuescheler <da...@day.com>.
I would argue that a proper architecture would be to use the
repository authentication to go directly to LDAP. Since this would
allow you to use the repository users for access control.
This is exactly how we integrated it in our commercial content
repository [1] (which is based on Jackrabbit) and I would argue that
this is the only proper way of dealing with authentication in Sling since this
would allow the repository to reflect particularly read privileges properly
for example in search results.
In my mind one of the main purposes of using a content repository
is to be able to ignore access control altogether on the application
layer.
regards,
david
[1] http://www.day.com/crx (testdrive here: http://jcr.day.com )
On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
>
> On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
>
> >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> >>> Does anyone have a working example of configuring Sling to use an
> >>> external LDAP server for authentication?
> > On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> >> I'd assume this is sort of orthogonal to Sling at the moment?
> >>
> >> One option would be to employ something like Spring Security or
> >> SecurityFilter with an appropriate LDAP realm impl. This would make
> >> sure all requests would return something sane in the
> >> getUserPrincipal() and isUserInRole() calls. You could then code
> >> accordingly in your Sling components.
> >
> > I see. But using a servlet filter would not enforce security on the
> > JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> > and then handle authorization issues when Sling connects to
> > Jackrabbit.
>
>
>
> If Jackrabbit actually supported any authorisation... (I assume you
> know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
> You can store ACLs as node children though (we currently do this,
> but we don't enforce security through the AccessManager mechanism
> provided by JCR itself but at a higher level).
>
> My general experience is that many applications might need the concept
> of ownership (e.g. your blog posts are only editable by you), but that
> read permissions are mostly set at world-readable. The concept of
> ownership would be integral to your domain model, and should probably
> be enforced as part of any DAO layer. If you need anything more
> advanced than that, all access to the JCR nodes should go through a
> proper DAO layer, also for reading, which would sort of make it wise
> to use something other than Sling.
>
>
> --
>
> Torgeir Veimo
> torgeir@netenviron.com
Re: LDAP user authentication
Posted by Torgeir Veimo <to...@netenviron.com>.
On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
>> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
>>> Does anyone have a working example of configuring Sling to use an
>>> external LDAP server for authentication?
> On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
>> I'd assume this is sort of orthogonal to Sling at the moment?
>>
>> One option would be to employ something like Spring Security or
>> SecurityFilter with an appropriate LDAP realm impl. This would make
>> sure all requests would return something sane in the
>> getUserPrincipal() and isUserInRole() calls. You could then code
>> accordingly in your Sling components.
>
> I see. But using a servlet filter would not enforce security on the
> JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
> and then handle authorization issues when Sling connects to
> Jackrabbit.
If Jackrabbit actually supported any authorisation... (I assume you
know it's planned for JCR 2.0, see also https://issues.apache.org/jira/browse/JCR-1171).
You can store ACLs as node children though (we currently do this,
but we don't enforce security through the AccessManager mechanism
provided by JCR itself but at a higher level).
My general experience is that many applications might need the concept
of ownership (e.g. your blog posts are only editable by you), but that
read permissions are mostly set at world-readable. The concept of
ownership would be integral to your domain model, and should probably
be enforced as part of any DAO layer. If you need anything more
advanced than that, all access to the JCR nodes should go through a
proper DAO layer, also for reading, which would sort of make it wise
to use something other than Sling.
--
Torgeir Veimo
torgeir@netenviron.com
Re: LDAP user authentication
Posted by Vidar Ramdal <vi...@idium.no>.
> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> > Does anyone have a working example of configuring Sling to use an
> > external LDAP server for authentication?
On 2/21/08, Torgeir Veimo <to...@netenviron.com> wrote:
> I'd assume this is sort of orthogonal to Sling at the moment?
>
> One option would be to employ something like Spring Security or
> SecurityFilter with an appropriate LDAP realm impl. This would make
> sure all requests would return something sane in the
> getUserPrincipal() and isUserInRole() calls. You could then code
> accordingly in your Sling components.
I see. But using a servlet filter would not enforce security on the
JCR itself. Perhaps it would be easier to set up Jackrabbit with LDAP,
and then handle authorization issues when Sling connects to
Jackrabbit.
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: LDAP user authentication
Posted by Torgeir Veimo <to...@netenviron.com>.
On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
> Does anyone have a working example of configuring Sling to use an
> external LDAP server for authentication?
I'd assume this is sort of orthogonal to Sling at the moment?
One option would be to employ something like Spring Security or
SecurityFilter with an appropriate LDAP realm impl. This would make
sure all requests would return something sane in the
getUserPrincipal() and isUserInRole() calls. You could then code
accordingly in your Sling components.
--
Torgeir Veimo
torgeir@netenviron.com