Posted to users@tapestry.apache.org by Nicolas Barrera <nb...@gmail.com> on 2011/07/22 16:11:06 UTC

tapestry-security and sso

Hi,

just wondered... (nothing concrete)

about a tapestry app implementing single sign-on...

does tapestry-security integrate with a CAS server? (I'm thinking about
that because I've never used shiro although I could start using it, no
problem. But I come from acegi where it integrated with CAS for
single-sign-on)

perhaps single sign on would be better implemented any other way rather than
a cas server...,

I've heard about tynamo federated-accounts using OAuth but I really don't
know if that would fill the gaps of a requirement that I got which is, to
build a couple of (tapestry) web apps and that they should
perform as in single sign on scenario..., like once logged on an app I could
access the other without logging in again.

I would appreciate any advice or insight you may have on this...

cheers and thanks


Nicolás.-

Re: tapestry-security and sso

Posted by Nicolas Barrera <nb...@gmail.com>.
Hi,

Thanks Kalle for your response...

On Fri, Jul 22, 2011 at 12:39 PM, Kalle Korhonen <kalle.o.korhonen@gmail.com> wrote:

> Well, there are plenty of single-sign-on solutions but if you have a
> CAS server that's what you need to use.
>

In fact, we ain't got nothing implemented yet and I could choose among
different solutions, and I mentioned
CAS because it was the only thing I knew from years ago when I had a look
at this subject...

perhaps somebody rises up here telling me "don't use cas because X, try this
newer, more practical solution"...
I would be glad to investigate any recommendations anyone could give
:)

well thanks again for your answer about shiro's status,

cheers!

Nicolás.-



Re: tapestry-security and sso

Posted by Kalle Korhonen <ka...@gmail.com>.
On Fri, Jul 22, 2011 at 7:11 AM, Nicolas Barrera <nb...@gmail.com> wrote:
> about a tapestry app implementing single sign-on...
> does tapestry-security integrate with a CAS server? (I'm thinking about
> that because I've never used shiro although I could start using it, no
> problem. But I come from acegi where it integrated with CAS for
> single-sign-on)

There's a not-yet-integrated CAS patch in shiro trunk.
Tapestry-security would gain CAS integration once Shiro 1.2 is
released and integrated into tapestry-security (I don't expect much
work there).

> perhaps single sign on would be better implemented any other way rather than
> a cas server...,

Well, there are plenty of single-sign-on solutions but if you have a
CAS server that's what you need to use.

> I've heard about tynamo federated-accounts using OAuth but I really don't
> know if that would fill the gaps of a requirement that I got which is, to
> build a couple of (tapestry) web apps and that they should
> perform as in single sign on scenario..., like once logged on an app I could
> access the other without logging in again.

OAuth, OpenID might work but then you'd need to roll a different
authentication server. Amber server
(http://incubator.apache.org/amber/) is a possibility for an OAuth
server.

Kalle

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: tapestry-security and sso

Posted by Nicolas Barrera <nb...@gmail.com>.
Vangel,

thank you so much for your clean explanation and the online example you
offer...

I 'll take all this into account,

cheers!

Nicolás.-


On Thu, Aug 11, 2011 at 10:27 PM, Vangel V. Ajanovski <aj...@ii.edu.mk> wrote:

>
> Of course comments are welcome by anyone, especially regarding how to
> better the solution security-wise.

Re: tapestry-security and sso

Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
Sorry for the late answer - we use CAS at our institution and I found it is
very easy to front Tapestry with CAS even from scratch.

Some 2-3 years ago I found a tutorial on the web on how to do that with the
help of Spring Security (previously named Acegi), but later I learned a
bit how to do it from scratch because I don't want Spring wasting more
resources.

Basically there exists a ready to use CAS SSO filter that you include in 
the project and configure (let's say via dependency in pom.xml and 
config in web.xml) so that it will be called before a set of pages that 
you need to protect.

So, how does it work?

The filter will check for tickets and if you are logged in it will pass
you to the page, otherwise it will redirect to the CAS login address.

In your application you just check the REMOTE_USER variable which will 
be set to the username of the logged in user. This is set by the CAS 
filter and will only be set if someone is logged in. Very simple.

Check here for examples from our students information system 
(enrollment, grades, courses):
http://develop.ii.edu.mk/projects/isii/browser/trunk

Especially check for CAS references in:
pom.xml
web.xml
mk.edu.ii.isii.upisi.model.UserInfo

UserInfo is a session state object that we keep around in the session
that holds who is logged in and what role, etc.

Of course since CAS is only for authentication (login logout), we 
implemented some access control by checking the logged in user in the 
database and using annotations (ex. @AdministratorPage) placed on page 
classes for various roles. The access controller only allows access if 
the page is accessed by a username that has the appropriate role. For 
this check:

mk.edu.ii.isii.upisi.model.UserInfo
mk.edu.ii.isii.upisi.services.AccessController
mk.edu.ii.isii.upisi.annotations...

Of course comments are welcome by anyone, especially regarding how to 
better the solution security-wise.
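
The access check described in the message above, as an added example that is not part of the original post or the ISII code: the class names, role table and `mayAccess` helper are hypothetical, and `remoteUser` stands for the value the post calls REMOTE_USER (assumed here to be read with `HttpServletRequest.getRemoteUser()` behind the CAS filter). It denies by default, so a missing username or a CAS-authenticated user unknown to the application never reaches a page.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import java.util.Set;

public class AccessControlExample {
    // Hypothetical marker, modelled on the @AdministratorPage annotation named in the post.
    @Retention(RetentionPolicy.RUNTIME)   // must be RUNTIME or reflection cannot see it
    @Target(ElementType.TYPE)
    @interface AdministratorPage {}

    // Constructed page classes standing in for Tapestry pages.
    @AdministratorPage static class GradesAdmin {}
    static class CourseList {}

    // Constructed role table; the post describes looking the user up in a database.
    static final Map<String, Set<String>> ROLES = Map.of(
            "alice", Set.of("ADMINISTRATOR"),
            "bob", Set.of("STUDENT"));

    // remoteUser: username set by the CAS filter, null when nobody is logged in.
    static boolean mayAccess(String remoteUser, Class<?> page) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return false;   // CAS did not authenticate anyone: deny every page
        }
        Set<String> roles = ROLES.get(remoteUser);
        if (roles == null) {
            return false;   // authenticated by CAS but not a user of this application
        }
        if (page.isAnnotationPresent(AdministratorPage.class)) {
            return roles.contains("ADMINISTRATOR");   // CAS authenticates, the app authorizes
        }
        return true;        // known user, page needs no special role
    }

    public static void main(String[] args) {
        System.out.println("alice -> GradesAdmin: " + mayAccess("alice", GradesAdmin.class));
        System.out.println("bob   -> GradesAdmin: " + mayAccess("bob", GradesAdmin.class));
        System.out.println("bob   -> CourseList:  " + mayAccess("bob", CourseList.class));
        System.out.println("null  -> CourseList:  " + mayAccess(null, CourseList.class));
        System.out.println("carol -> CourseList:  " + mayAccess("carol", CourseList.class));
    }
}
```

The username should come from the container-level value the filter sets, not from a request header or parameter the client can supply.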


Re: tapestry-security and sso

Posted by Nicolas Barrera <nb...@gmail.com>.
Thanks Clément,

will take it into account when implementing sso (although that would be in
some time from here)

cheers all and thanks again!

Nicolás.-



Re: tapestry-security and sso

Posted by Clément OUDOT <cl...@gmail.com>.
2011/7/22 Nicolas Barrera <nb...@gmail.com>:
> Hi,
>
> just wondered... (nothing concrete)
>
> about a tapestry app implementing single sign-on...
>
> does tapestry-security integrate with a CAS server? (I'm thinking about
> that because I've never used shiro although I could start using it, no
> problem. But I come from acegi where it integrated with CAS for
> single-sign-on)
>
> perhaps single sign on would be better implemented any other way rather than
> a cas server...,
>
> I've heard about tynamo federated-accounts using OAuth but I really don't
> know if that would fill the gaps of a requirement that I got which is, to
> build a couple of (tapestry) web apps and that they should
> perform as in single sign on scenario..., like once logged on an app I could
> access the other without logging in again.
>
> I would appreciate any advice or insight you may have on this...
>
> cheers and thanks
>

Hello Nicolas,

we use LemonLDAP::NG (http://lemonldap-ng.org) as WebSSO solution (to
be fully transparent, I am developer of this solution).

You can see how to use it in T5 with the LinShare project:
http://www.linpki.org/projects/linshare/wiki/HttpHeaderSSOEN

Hope it helps,

Clément.
