Posted to dev@sling.apache.org by yanjie <ya...@gmail.com> on 2009/03/02 04:16:15 UTC

Re: Re: How can I realize authentication in sling?

Hi Felix:
Glad to receive your answer,
I think it's important for a content management system to have authentication control.
If there is no authentication control, user management will be less useful.
I think the users of Sling really hope Sling can add the authentication function early.
waiting ...

thanks.


2009-03-02 



yanjie 



From: Felix Meschberger 
Sent: 2009-02-28  05:03:18 
To: sling-dev 
Cc: 
Subject: Re: How can I realize authentication in sling? 
 
Hi,
yanjie wrote:
> Hi everyone:
> I want to give a user some policy to handle a node (read or write or modify...), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?
Sling employs the authentication and access control functionality of the
underlying JCR repository (Jackrabbit by default).
So you have to create users and groups in Jackrabbit (I have applied the
SLING-875 patches by Eric Norman today to enable user/group management
in Sling).
In addition you have to set access control in the repository. This is
more problematic at the moment because Jackrabbit 1.5 embedded in Sling
only contains partial support for JSR-283 (aka JCR 2.0) access control
support.
Maybe others on the list are more knowledgeable in this respect...
Regards
Felix

Re: How can I realize authentication in sling?

Posted by Eric Norman <er...@gmail.com>.
Hi Felix,
My proposed changes for access control management are attached to
https://issues.apache.org/jira/browse/SLING-879

Let me know if you run into any troubles using it.

On Thu, Mar 5, 2009 at 1:52 PM, Felix Meschberger <fm...@gmail.com> wrote:

> Hi Eric
>
> Eric Norman wrote:
> > Hi yanjie,
> >
> > For my own project, I've implemented some custom sling POST handlers
> > (similar to the usermanager actions I contributed earlier) to
> > add/modify/delete access control entries for users/groups using the early
> > access JSR-283 access control support in jackrabbit 1.5.
> >
> > It seems to work well for my use cases, and I was planning on submitting
> a
> > patch when I get some free time to clean it up a bit.  If that is
> something
> > you would be interested in using, I can try to submit a patch for
> > consideration in the next few days.
>
> Yes, please, thanks ;-)
>
> Regards
> Felix
>
> >
> > -Eric

Re: How can I realize authentication in sling?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Eric

Eric Norman wrote:
> Hi yanjie,
> 
> For my own project, I've implemented some custom sling POST handlers
> (similar to the usermanager actions I contributed earlier) to
> add/modify/delete access control entries for users/groups using the early
> access JSR-283 access control support in jackrabbit 1.5.
> 
> It seems to work well for my use cases, and I was planning on submitting a
> patch when I get some free time to clean it up a bit.  If that is something
> you would be interested in using, I can try to submit a patch for
> consideration in the next few days.

Yes, please, thanks ;-)

Regards
Felix

> 
> -Eric


Re: Re: How can I realize authentication in sling?

Posted by Eric Norman <er...@gmail.com>.
Hi yanjie,

For my own project, I've implemented some custom sling POST handlers
(similar to the usermanager actions I contributed earlier) to
add/modify/delete access control entries for users/groups using the early
access JSR-283 access control support in jackrabbit 1.5.

It seems to work well for my use cases, and I was planning on submitting a
patch when I get some free time to clean it up a bit.  If that is something
you would be interested in using, I can try to submit a patch for
consideration in the next few days.

-Eric


Re: Re: How can I realize authentication in sling?

Posted by Vidar Ramdal <vi...@idium.no>.
On Fri, Mar 13, 2009 at 1:00 AM, Alexander Klimetschek <ak...@day.com> wrote:
> On Thu, Mar 12, 2009 at 2:17 PM, Vidar Ramdal <vi...@idium.no> wrote:
>> One of the main goals of the application we're developing, is that it
>> must be dead simple for our users. Our users are NOT computer-savvy in
>> any way, so they will certainly not be able to grasp the concept of
>> ACLs. Thus, we'd have to abstract the logic in some
>> user-understandable manner anyway, and as I've tried to describe, we
>> think it's easier to describe the rules using Java (or any programming
>> language, really) than with ACLs.
>
> I wasn't saying that the end-users should fiddle around with a
> repository explorer and set the basic ACLs themselves - there still
> must be a GUI for it.

Exactly. But our pedagogic skills are not good enough to make that GUI
understandable for our users.

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
+47 21 531941, ext 2070

Re: How can I realize authentication in sling?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Andreas,

On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann <an...@apache.org> wrote:
> ...I hope I'll find the time to document my findings. Actually there is a lot
> of documentation, but it is distributed in various places – the Sling
> website, mailing list, dev.day.com blog etc. Maybe some consolidation would
> be even more important than adding new docs, but I know this is difficult
> and time-consuming...

Agree with that, some reorganization of what we have would be good!

> ...BTW, the support by the community is excellent – thanks a lot to everybody!...

You're welcome - it's great to see several new Sling users on this
list in the last few months.
-Bertrand

Re: How can I realize authentication in sling?

Posted by Alexander Klimetschek <ak...@day.com>.
On Wed, Mar 11, 2009 at 10:26 AM, Andreas Hartmann <an...@apache.org> wrote:
> thanks for this great summary! Does it make sense to put it on the website
> or on the Wiki?

Yup, why not. Would be nice if you could do it ;-)

One thing, which I forgot: the authentication module interface in
Jackrabbit is the standard JAAS login module, so it should be possible
to simply reuse existing ones that authenticate against LDAP or
custom, existing user databases.

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Re: How can I realize authentication in sling?

Posted by Andreas Hartmann <an...@apache.org>.
Hi Alex,

thanks for this great summary! Does it make sense to put it on the 
website or on the Wiki?

-- Andreas


Alexander Klimetschek wrote:
> On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann <an...@apache.org> wrote:
>> actually I didn't intend to do any beta-testing (yet), but somehow I got the
>> impression that OpenID is the only supported way for authentication ATM. But
>> I just noticed that I can simply disable anonymous access in the
>> configuration console to enable the built-in authentication …
> 
> In general the idea with JCR is that the repository handles
> authentication and authorization, because it makes things simple and
> content-oriented (and no need to put security access checks across the
> application code). That's why Sling uses a single JCR session for each
> request with a certain logged-in user.
> 
> The credentials for this session are fetched using an
> o.a.s.engine.auth.AuthenticationHandler - currently there is a handler
> using HTTP basic auth (bundles/extensions/httpauth) and the OpenID
> handler. You can quite easily write your own, for using a cookie-based
> mechanism or to do SSO stuff. Those credentials provided by the
> handler are then used by Sling for the JCR Repository.login() method
> that will return the session.
> 
> How the authentication is done inside the JCR repository is up to the
> implementation (for JCR 1.0). Previous Jackrabbit versions (up to
> 1.4.x I think) only provided a simple login module out of the box that
> provided anonymous, admin and normal users (whereas only for the
> special admin user a password could be set in the repository.xml
> config, ie. you couldn't really call it security ;-)). The recent
> Jackrabbit releases introduced proper user management, mainly because
> JCR 2.0 will define more in this respect (and Jackrabbit is already
> working towards that new version of the spec). For this, users (incl.
> their passwords and other preferences) are stored inside the
> repository itself, typically in a separate workspace to ensure a
> strict separation of "system" stuff and application content (although
> that is freely configurable I think).
> 
> Now if you are logged in with the session in the request and some
> servlets or scripts are trying to read and write from the repository,
> the authorization comes into play. Things that you cannot read are
> simply not visible through the JCR API (ie. you get a "404" and not a
> "403" when speaking in HTTP status codes ;-)). If write access is
> denied, you get that AccessDeniedException on save().
> 
> The authorization is now also done inside the repository and for
> previous Jackrabbit versions there effectively was no built-in
> authorization. The 1.5 release contains the aforementioned
> implementation based on what the JCR 2.0 spec is saying (so far, it's
> not final yet ;-)). This stores the ACLs in the repository as well,
> right at the nodes to which these belong. There is also an API to
> manually set those ACLs (I think one is free again to store those ACLs
> wherever you want, if you'd like to change the default authorization
> manager in Jackrabbit). The documentation on that is a bit sparse yet,
> reading the code and searching the Jackrabbit mailing list archives is
> the best you can do at the moment :-)
> 
> <spam>
> You might have seen the commercial CRX repository built on top of
> Jackrabbit, which provides a full authentication and authorization
> implementation for some time now and has a GUI to manage the users and
> ACLs (and it bundles Sling).
> </spam>
> 
> Hope that helps as an overview,
> Alex
> 


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
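
The login and authorization flow described in the quoted overview, as an added example that is not code from the thread, Sling or Jackrabbit: credentials (which Sling would get from an AuthenticationHandler) go to Repository.login(), an item the session may not read is simply absent from its view, and a denied write only surfaces as AccessDeniedException at save(). Assumptions: Jackrabbit's TransientRepository with its default configuration, where the "admin"/"admin" account may write anywhere and the anonymous session is read-only; the paths /demo and /demo/note are constructed.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.core.TransientRepository;

/**
 * Where JCR authentication and authorization surface to application code.
 * Added example, not Sling or Jackrabbit code. Assumes a fresh Jackrabbit
 * default configuration (admin/admin may write, anonymous may only read);
 * TransientRepository creates that repository under ./repository.
 */
public class JcrAccessDemo {

    /**
     * Read authorization: an item the session may not read is simply absent
     * from its view. No exception distinguishes "denied" from "missing",
     * which is why a denied read maps to HTTP 404 rather than 403.
     */
    static boolean canRead(Session session, String absPath) throws RepositoryException {
        return session.itemExists(absPath);
    }

    /**
     * Write authorization: addNode() only changes the session's transient
     * state; the repository enforces the ACL when the change is persisted,
     * so AccessDeniedException is raised by save(), not earlier.
     */
    static boolean tryWrite(Session session, String parentPath, String childName)
            throws RepositoryException {
        if (!session.itemExists(parentPath)) {
            return false; // parent invisible to this user: nothing to write under
        }
        Node parent = (Node) session.getItem(parentPath);
        parent.addNode(childName);
        try {
            session.save();
            return true;
        } catch (AccessDeniedException denied) {
            session.refresh(false); // discard the rejected transient change
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Repository repository = new TransientRepository();
        // Sling obtains credentials through an AuthenticationHandler (HTTP basic
        // auth, OpenID, ...) and hands them to Repository.login() just like this.
        Session admin = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        Session anon = repository.login(); // no credentials: the anonymous session
        try {
            boolean created = tryWrite(admin, "/", "demo");        // admin persists /demo
            anon.refresh(false);                                   // make sure anon sees the saved node
            boolean anonSees = canRead(anon, "/demo");             // read is granted to everyone
            boolean anonWrites = tryWrite(anon, "/demo", "note");  // save() is rejected for anonymous
            System.out.println("admin created /demo: " + created);
            System.out.println("anonymous can read /demo: " + anonSees);
            System.out.println("anonymous could write under /demo: " + anonWrites);
        } finally {
            anon.logout();
            admin.logout();
        }
    }
}
```

Run it with jackrabbit-core and the JCR API on the classpath; the anonymous write attempt is what produces the AccessDeniedException the overview mentions, while its read of /demo succeeds.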


Re: How can I realize authentication in sling?

Posted by Rory Douglas <ro...@oracle.com>.
Torgeir Veimo wrote:
> I have to agree, having programmatic security is much more useful 
> in a lot of scenarios.
>
> One example is when the security requirements change. If you have a 
> lot of ACLs in a very large repository, it becomes a nightmare to change.
>
> It would be very handy to be able to express permission in terms of 
> scripts, with an appropriate selector mechanism.
That sounds like an interesting idea.  We could provide an AccessManager 
implementation that uses something like the Sling servlet resolution 
process to locate per-resource-type or per-path "AccessHandler". These 
services would then make the authorization decisions for the types or 
paths they control.  This might make implementing access policies like 
the one Vidar described much simpler (than implementing an AccessManager 
or plugin from scratch), since you enforce the policy at the type level 
rather than at each instance node of that type.

For instance, I may have a need to restrict access to nodes under 
paths "/user/username" to be visible only to the user named "username". 
I can of course create an appropriate ACL every time I create a new node 
under the /user path, but it would be simpler & more reliable to just 
register a path-based AccessHandler that controls /user, and just checks 
that current authenticated user = username taken from the path. 

I realize the downside of this approach is that, unlike the default 
Jackrabbit ACLs, these kinds of policies aren't persisted in the 
repository (they'd essentially be persisted in the Felix framework 
properties if the registration of AccessHandlers was handled like 
servlets), however, that might be acceptable for many applications.

This approach also addresses something I've previously wondered about: 
access to servlets that are registered by path (like 
/system/sling/login).  There doesn't appear to be any way to apply 
access control to these paths currently?

WDYT?

Rory

Re: How can I realize authentication in sling?

Posted by Torgeir Veimo <to...@pobox.com>.
On 12 Mar 2009, at 14:17, Vidar Ramdal wrote:

> On Thu, Mar 12, 2009 at 9:55 AM, Alexander Klimetschek <aklimets@day.com> wrote:
>> On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal <vi...@idium.no> wrote:
>>> For the application I'm developing, I have abandoned the ACL concept
>>> altogether. Instead, I'm implementing my own access management logic
>>> from scratch.
>>>
>>> I find that in many web applications, a typical ACL concept is not the
>>> best solution.
>>
>> Interesting, could you elaborate? Is this similar to the reasons
>> mentioned in a presentation by Zed Shaw (
>> http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?
>
> That was certainly an interesting watch (especially the stripper part).
>
> In my case, it's not that ACLs are too limited. Our access rules are
> much simpler than what can be described with ACLs.
> And exactly because our rules are simpler, it was just easier to
> describe them with a couple of Java classes.

I have to agree, having programmatic security is much more useful
in a lot of scenarios.

One example is when the security requirements change. If you have a
lot of ACLs in a very large repository, it becomes a nightmare to
change.

It would be very handy to be able to express permission in terms of
scripts, with an appropriate selector mechanism.


-- 
Torgeir Veimo
torgeir@pobox.com





Re: Re: How can I realize authentication in sling?

Posted by Alexander Klimetschek <ak...@day.com>.
On Thu, Mar 12, 2009 at 2:17 PM, Vidar Ramdal <vi...@idium.no> wrote:
> One of the main goals of the application we're developing, is that it
> must be dead simple for our users. Our users are NOT computer-savvy in
> any way, so they will certainly not be able to grasp the concept of
> ACLs. Thus, we'd have to abstract the logic in some
> user-understandable manner anyway, and as I've tried to describe, we
> think it's easier to describe the rules using Java (or any programming
> language, really) than with ACLs.

I wasn't saying that the end-users should fiddle around with a
repository explorer and set the basic ACLs themselves - there still
must be a GUI for it. But I can understand the need for programmed
ACLs, it can often be simpler if you don't need fully-fledged
enterprise configuration ... something ;-)

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Re: Re: How can I realize authentication in sling?

Posted by Vidar Ramdal <vi...@idium.no>.
On Thu, Mar 12, 2009 at 9:55 AM, Alexander Klimetschek <ak...@day.com> wrote:
> On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal <vi...@idium.no> wrote:
>> For the application I'm developing, I have abandoned the ACL concept
>> altogether. Instead, I'm implementing my own access management logic
>> from scratch.
>>
>> I find that in many web applications, a typical ACL concept is not the
>> best solution.
>
> Interesting, could you elaborate? Is this similar to the reasons
> mentioned in a presentation by Zed Shaw (
> http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?

That was certainly an interesting watch (especially the stripper part).

In my case, it's not that ACLs are too limited. Our access rules are
much simpler than what can be described with ACLs.
And exactly because our rules are simpler, it was just easier to
describe them with a couple of Java classes.

For instance, we have a feature for moderated comments on a webpage.
The rules for comments are simple: Anyone has permission to read
approved comments, and to post new comments. Comments have to be
approved by a moderator before they are readable to everyone. This
implies that the moderator must have read and delete access to all
comments.

Should we implement this with ACLs, we'd have to make sure to set
the correct ACL on every new comment posted. Although the case of
comments is fairly simple, we could have more complex cases where ACLs
would be more complex, and even prone to errors.
It is definitely possible to define these rules with ACLs, but it makes
more sense to implement it with a custom policy. We know that every
comment field should have the same access logic, so why should we have
to copy ACLs to every instance of it? And the sling:resourceType
property already defines a comment field, so why not just hook up a
policy class to respond to those requests.

> In general, if you consider access control during the modeling of your
> content structure and use inheritance of ACLs, it is actually quite
> simple to do. And can be configured by administrators later without
> changing the code.

One of the main goals of the application we're developing, is that it
must be dead simple for our users. Our users are NOT computer-savvy in
any way, so they will certainly not be able to grasp the concept of
ACLs. Thus, we'd have to abstract the logic in some
user-understandable manner anyway, and as I've tried to describe, we
think it's easier to describe the rules using Java (or any programming
language, really) than with ACLs.

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
+47 21 531941, ext 2070
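
Rory's per-path "AccessHandler" idea and Vidar's moderated-comment rule above, written out as one in-memory policy evaluator. This is an added example, not code from the thread, SLING-879/SLING-880 or Sling itself; the AccessHandler and AccessContext types, the resource type name demo/comment, the group name moderators and all paths are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** What the caller wants to do with the resource. */
enum Action { READ, CREATE, DELETE }

/** The facts a handler decides on (constructed; in Sling they would come from the Resource and the session). */
final class AccessContext {
    final String userId;        // null for anonymous
    final Set<String> groups;
    final String path;          // absolute repository path of the resource
    final String resourceType;  // sling:resourceType, or null if none
    final boolean approved;     // comment-specific flag, false when absent

    AccessContext(String userId, Set<String> groups, String path, String resourceType, boolean approved) {
        this.userId = userId; this.groups = groups; this.path = path;
        this.resourceType = resourceType; this.approved = approved;
    }
}

/** Hypothetical per-path / per-type authorization service, as suggested in the thread. */
interface AccessHandler {
    boolean handles(AccessContext ctx);
    boolean permits(AccessContext ctx, Action action);
}

/** Rory's case: everything under /user/<name> is visible only to <name>. */
final class UserHomeHandler implements AccessHandler {
    public boolean handles(AccessContext ctx) { return ctx.path.startsWith("/user/"); }
    public boolean permits(AccessContext ctx, Action action) {
        String[] segments = ctx.path.split("/"); // "", "user", "<name>", ...
        if (segments.length < 3 || segments[2].isEmpty()) {
            return false; // "/user/" itself or a malformed path: deny
        }
        return segments[2].equals(ctx.userId); // false for anonymous (userId == null)
    }
}

/** Vidar's case: moderated comments, selected by resource type rather than by path. */
final class CommentHandler implements AccessHandler {
    public boolean handles(AccessContext ctx) { return "demo/comment".equals(ctx.resourceType); }
    public boolean permits(AccessContext ctx, Action action) {
        boolean moderator = ctx.groups.contains("moderators");
        switch (action) {
            case CREATE: return true;                      // anyone may post a comment
            case READ:   return ctx.approved || moderator; // unapproved comments: moderators only
            case DELETE: return moderator;
            default:     return false;
        }
    }
}

/** First registered handler that claims the resource decides (register specific handlers first);
 *  resources nobody claims fall back to what the repository's stored ACLs decided. */
final class PolicyResolver {
    private final List<AccessHandler> handlers = new ArrayList<AccessHandler>();
    PolicyResolver register(AccessHandler handler) { handlers.add(handler); return this; }

    boolean permits(AccessContext ctx, Action action, boolean repositoryAclDecision) {
        for (AccessHandler handler : handlers) {
            if (handler.handles(ctx)) {
                return handler.permits(ctx, action);
            }
        }
        return repositoryAclDecision;
    }
}

public class ProgrammaticAccessDemo {
    static void check(String what, boolean actual, boolean expected) {
        if (actual != expected) throw new AssertionError(what + ": got " + actual);
    }

    public static void main(String[] args) {
        PolicyResolver policy = new PolicyResolver().register(new UserHomeHandler()).register(new CommentHandler());
        Set<String> none = Collections.emptySet();
        Set<String> mods = Collections.singleton("moderators");

        AccessContext aliceOwn = new AccessContext("alice", none, "/user/alice/prefs", null, false);
        AccessContext bobOnAlice = new AccessContext("bob", none, "/user/alice/prefs", null, false);
        check("owner reads own home", policy.permits(aliceOwn, Action.READ, false), true);
        check("other user reads it, even if ACLs would allow", policy.permits(bobOnAlice, Action.READ, true), false);

        AccessContext pending = new AccessContext(null, none, "/content/page/comments/c1", "demo/comment", false);
        AccessContext asModerator = new AccessContext("mia", mods, "/content/page/comments/c1", "demo/comment", false);
        check("anonymous posts", policy.permits(pending, Action.CREATE, false), true);
        check("anonymous reads unapproved", policy.permits(pending, Action.READ, true), false);
        check("moderator reads unapproved", policy.permits(asModerator, Action.READ, false), true);
        check("moderator deletes", policy.permits(asModerator, Action.DELETE, false), true);

        AccessContext unclaimed = new AccessContext("bob", none, "/content/page", null, false);
        check("unclaimed path defers to ACLs", policy.permits(unclaimed, Action.READ, true), true);
        System.out.println("all policy checks passed");
    }
}
```

Note the trade-off Rory raises: these rules live in code, not in the repository, so an administrator cannot inspect or change them without a deployment, and any path the handlers do not claim is still governed solely by the stored ACLs.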

Re: Re: How can I realize authentication in sling?

Posted by Alexander Klimetschek <ak...@day.com>.
On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal <vi...@idium.no> wrote:
> For the application I'm developing, I have abandoned the ACL concept
> altogether. Instead, I'm implementing my own access management logic
> from scratch.
>
> I find that in many web applications, a typical ACL concept is not the
> best solution.

Interesting, could you elaborate? Is this similar to the reasons
mentioned in a presentation by Zed Shaw (
http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?

In general, if you consider access control during the modeling of your
content structure and use inheritance of ACLs, it is actually quite
simple to do. And can be configured by administrators later without
changing the code.

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Re: Re: How can I realize authentication in sling?

Posted by Vidar Ramdal <vi...@idium.no>.
On Wed, Mar 11, 2009 at 8:49 PM, Eric Norman <er...@gmail.com> wrote:
> Hi yanjie,
>
> I attached a proposed patch to enable changing the ACL via a web form to
> http://issues.apache.org/jira/browse/SLING-879

Hi yanjie,

For the application I'm developing, I have abandoned the ACL concept
altogether. Instead, I'm implementing my own access management logic
from scratch.

I find that in many web applications, a typical ACL concept is not the
best solution.

I have attached a patch at
https://issues.apache.org/jira/browse/SLING-880 for a pluggable
AccessManager, which will allow you to implement your own access
management policies.



-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
+47 21 531941, ext 2070

Re: Re: How can I realize authentication in sling?

Posted by Eric Norman <er...@gmail.com>.
Hi yanjie,

I attached a proposed patch to enable changing the ACL via a web form to
http://issues.apache.org/jira/browse/SLING-879

I don't have rights to commit the changes to subversion, so it is pending
review by one of the committers before it becomes part of the sling
distribution.

You may apply the patch manually to your environment if you want to try it
out.

Regards,
-eric


Re: Re: How can I realize authentication in sling?

Posted by yanjie <ya...@gmail.com>.
Hi everyone:

Glad to find so many people care about the question, and I want to know:

Does Sling implement the ACL web interface now?

Thanks.


2009-03-11 



yanjie 


Re: How can I realize authentication in sling?

Posted by Andreas Hartmann <an...@apache.org>.
Hi Bertrand,

Bertrand Delacretaz schrieb:
> On Tue, Mar 10, 2009 at 11:59 AM, Andreas Hartmann <an...@apache.org> wrote:
>> ...thanks a lot, I managed to enable OpenID authentication.
>>
>> Now I have to figure out how to set write permissions (I'm getting a
>> javax.jcr.AccessDeniedException when I send a post request). The entry
>> barrier to get started with some simple operations is still quite high …
> 
> This user management/permissions/OpenID stuff is still quite new, you
> might be one of the very first users apart from those who contributed
> that!

actually I didn't intend to do any beta-testing (yet), but somehow I got 
the impression that OpenID is the only supported way for authentication 
ATM. But I just noticed that I can simply disable anonymous access in 
the configuration console to enable the built-in authentication …

But I certainly will try the OpenID authentication as soon as my grasp 
of things improves.

> Contributions such as wiki explanations/examples/articles in
> high-profile magazines are very welcome, of course ;-)

I hope I'll find the time to document my findings. Actually there is a 
lot of documentation, but it is distributed in various places – the 
Sling website, mailing list, dev.day.com blog etc. Maybe some 
consolidation would be even more important than adding new docs, but I 
know this is difficult and time-consuming.

BTW, the support by the community is excellent – thanks a lot to everybody!

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01


Re: How can I realize authentication in sling?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Mar 10, 2009 at 11:59 AM, Andreas Hartmann <an...@apache.org> wrote:
> ...thanks a lot, I managed to enable OpenID authentication.
>
> Now I have to figure out how to set write permissions (I'm getting a
> javax.jcr.AccessDeniedException when I send a post request). The entry
> barrier to get started with some simple operations is still quite high …

This user management/permissions/OpenID stuff is still quite new, you
might be one of the very first users apart from those who contributed
that!

Contributions such as wiki explanations/examples/articles in
high-profile magazines are very welcome, of course ;-)

-Bertrand

Re: How can I realize authentication in sling?

Posted by Andreas Hartmann <an...@apache.org>.
Hi Alexander,

Alexander Klimetschek schrieb:
> On Tue, Mar 10, 2009 at 11:23 AM, Andreas Hartmann <an...@apache.org> wrote:
>>> For authentication, you can configure one of the provided handlers (HTTP
>>> Basic or OpenID) to be active on one or more paths or host/path
>>> combinations.
>> is there any documentation on this? Where can I configure the authentication
>> handler?
> 
> Almost everything (apart from the repository configuration and
> contents) is configured through the OSGi component configuration
> mechanism. It has its GUI in the Felix webconsole at /system/console
> -> "Configuration". You'll see the component names (or class names) in
> the list and if you select one, you'll see its properties. Change them
> + hit save and the change should immediately take place (depending on
> how long it takes to restart the component and its dependencies).

thanks a lot, I managed to enable OpenID authentication.

Now I have to figure out how to set write permissions (I'm getting a 
javax.jcr.AccessDeniedException when I send a post request). The entry 
barrier to get started with some simple operations is still quite high …

Thanks again,

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01


Re: How can I realize authentication in sling?

Posted by Alexander Klimetschek <ak...@day.com>.
On Tue, Mar 10, 2009 at 11:23 AM, Andreas Hartmann <an...@apache.org> wrote:
>> For authentication, you can configure one of the provided handlers (HTTP
>> Basic or OpenID) to be active on one or more paths or host/path
>> combinations.
>
> is there any documentation on this? Where can I configure the authentication
> handler?

Almost everything (apart from the repository configuration and
contents) is configured through the OSGi component configuration
mechanism. It has its GUI in the Felix webconsole at /system/console
-> "Configuration". You'll see the component names (or class names) in
the list and if you select one, you'll see its properties. Change them
+ hit save and the change should immediately take place (depending on
how long it takes to restart the component and its dependencies).

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Re: How can I realize authentication in sling?

Posted by Andreas Hartmann <an...@apache.org>.
Hi Rory,

Rory Douglas schrieb:
> From your first post, it seems you're really more interested in 
> authorization than authentication, but both are handled (to different 
> degrees) in Sling.
> 
> For authentication, you can configure one of the provided handlers (HTTP 
> Basic or OpenID) to be active on one or more paths or host/path 
> combinations.

is there any documentation on this? Where can I configure the 
authentication handler?

[…]

> I believe the details of the above are covered elsewhere in the mailing 
> archives - let me know if this doesn't resolve your questions.

I searched the list, but the replies are generally along the lines of 
"As a workaround you can do XYZ, but I hope someone else has a better 
answer." :)

TIA!

-- Andreas


> 
> Regards,
> Rory
> 
> yanjie wrote:
>> HI felix:
>> Glad to receive your answer , I think it's important for a content 
>> manager system  to have authentication control.
>> If there is no authentication control , user management will be less 
>> useful.
>> I think the users of sling really hope sling can add the 
>> authentication's  function early.
>> waiting ...
>>
>> thanks.
>>
>>
>> 2009-03-02
>>
>>
>> yanjie
>>
>>
>> From: Felix Meschberger Sent: 2009-02-28  05:03:18 To: 
>> sling-dev Cc: Subject: Re: How can I realize authentication in sling?  
>> Hi,
>> yanjie schrieb:
>>  
>>> Hi everyone:
>>> I want to give a user some policy to handle a node(read or write or 
>>> modify..) , and other users don't have the policy . Or a group has 
>>> the policy and the users in the group all have the authentication . 
>>> how can I use sling to realize it?     
>> Sling employs the authentication and access control functionality of the
>> underlying JCR repository (Jackrabbit by default).
>> So you have to create users and groups in Jackrabbit (I have applied the
>> SLING-875 patches by Eric Norman today to enable user/group management
>> in Sling.
>> In addition you have to set access control in the repository. This is
>> more problematic at the moment because Jackrabbit 1.5 embedded in Sling
>> only contains partial support for JSR-283 (aka JCR 2.0) access control
>> support.
>> Maybe others on the list are more knowledgeable in this respect...
>> Regards
>> Felix
>>   
> 


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01


Re: How can I realize authentication in sling?

Posted by Rory Douglas <ro...@oracle.com>.
Hi Yanjie

From your first post, it seems you're really more interested in 
authorization than authentication, but both are handled (to different 
degrees) in Sling.

For authentication, you can configure one of the provided handlers (HTTP 
Basic or OpenID) to be active on one or more paths or host/path 
combinations.  This takes care of extracting the credentials of the 
remote user from the request & providing them to Sling.

For user management, you can use the new SlingPostOperations to create & 
update users (or groups) associated with the above credentials.  These 
are the Jackrabbit/repository -level identities that are needed in order 
to use the authorization features.

For authorization, you can use the AccessControlUtil class to 
add/remove/update ACLs on repository nodes, referring to the above 
users/groups.

This last part is from memory and may be incorrect :-): by default a 
fresh Jackrabbit 1.5 repository has 2 users (admin and anonymous), and 3 
groups (administrators, UserAdmin, and GroupAdmin).  There are no ACLs 
initially, though the admin user always has full permissions anyway.  
After you set an initial ACL, I think you will see a root-level ACL will 
be added explicitly giving the admin user full permissions (though *not* 
the administrators group!!!).

I believe the details of the above are covered elsewhere in the mailing 
archives - let me know if this doesn't resolve your questions.

Regards,
Rory

yanjie wrote:
> HI felix:
> Glad to receive your answer , 
> I think it's important for a content manager system  to have authentication control.
> If there is no authentication control , user management will be less useful.
> I think the users of sling really hope sling can add the authentication's  function early.
> waiting ...
>
> thanks.
>
>
> 2009-03-02 
>
>
>
> yanjie 
>
>
>
> From: Felix Meschberger 
> Sent: 2009-02-28  05:03:18 
> To: sling-dev 
> Cc: 
> Subject: Re: How can I realize authentication in sling? 
>  
> Hi,
> yanjie schrieb:
>   
>> Hi everyone:
>> I want to give a user some policy to handle a node(read or write or modify..) , and other users don't have the policy . Or a group has the policy and the users in the group all have the authentication . how can I use sling to realize it? 
>>     
> Sling employs the authentication and access control functionality of the
> underlying JCR repository (Jackrabbit by default).
> So you have to create users and groups in Jackrabbit (I have applied the
> SLING-875 patches by Eric Norman today to enable user/group management
> in Sling.
> In addition you have to set access control in the repository. This is
> more problematic at the moment because Jackrabbit 1.5 embedded in Sling
> only contains partial support for JSR-283 (aka JCR 2.0) access control
> support.
> Maybe others on the list are more knowledgeable in this respect...
> Regards
> Felix
>   

-- 




Rory Douglas | Senior Principal Consultant
Fax: +1-201-604-6428 | Mobile: +1-917-498-5344
Oracle North America Consulting
ORACLE United States | | San Diego, CA
"Please consider your environmental responsibility before printing this 
e-mail"
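As an added example (not code from this thread, from Sling or from Jackrabbit), the two steps Rory and Alex describe put together: an admin session binds an ACL to the node it protects, and a second session then runs into the repository-side checks (an unreadable node is simply invisible, a denied write surfaces as AccessDeniedException on save()). It is written against the JCR 2.0 javax.jcr.security API, the finalized form of the JSR-283 API the thread refers to, so it assumes a JCR 2.0 repository; the Jackrabbit 1.5 embedded in Sling at the time exposed the same calls under its jsr283 package, which is what Sling's AccessControlUtil wraps. The path /content/site, the group editors and the user names are constructed.

```java
import java.security.Principal;
import javax.jcr.AccessDeniedException;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

public class NodeAclExample {

    /** Allow the principal the named privileges on path; the ACL is stored at the node itself. */
    static void grant(Session admin, String path, Principal who, String... privNames) throws Exception {
        AccessControlManager acm = admin.getAccessControlManager();
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {          // ACL already bound to the node?
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) {                                              // otherwise take a fresh applicable one
            AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
            while (acl == null && it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof AccessControlList) acl = (AccessControlList) p;
            }
        }
        Privilege[] privs = new Privilege[privNames.length];
        for (int i = 0; i < privs.length; i++) privs[i] = acm.privilegeFromName(privNames[i]);
        acl.addAccessControlEntry(who, privs);                          // allow entry for e.g. group "editors"
        acm.setPolicy(path, acl);
        admin.save();                                                   // ACL lives in the repository, at the node
    }

    /** What a non-admin session experiences, in the HTTP terms Alex uses. */
    static String probe(Repository repo, String user, char[] pw, String path) throws Exception {
        Session s = repo.login(new SimpleCredentials(user, pw));       // what Sling does per request
        try {
            if (!s.nodeExists(path)) return "404: node not readable, so not visible";
            s.getNode(path).setProperty("title", "edited by " + user);
            s.save();
            return "200: write permitted";
        } catch (AccessDeniedException e) {
            s.refresh(false);                                           // drop the rejected change
            return "403: AccessDeniedException on save()";
        } finally {
            s.logout();
        }
    }
    // Usage (constructed names): grant(admin, "/content/site", () -> "editors",
    //     Privilege.JCR_READ, Privilege.JCR_WRITE); then probe(repo, "alice", pw, "/content/site").
}
```

Until an ACL grants the group both jcr:read and jcr:write, a member of editors gets the "404" branch or the "403" branch depending on whether the read or the write privilege is missing, which is exactly the AccessDeniedException Andreas reports on his POST.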