Posted to jetspeed-dev@portals.apache.org by Garner Andrews <Ga...@CCGI.NET> on 2006/01/24 20:45:48 UTC

dev or user group question?

We have our own security app that we've revealed with a web service.  We
want to replace the Jetspeed2 authentication and authorization functions
with our app.  Has anyone experimented with this at all yet?  Can you
even swap out the internal portal maintenance users' security roles or
do you have to use what's already there?  I'm really trying to gauge the
level of effort this will take.  I've read everything I have found so
far in the mail archives and in the other support areas and not found
answers to these questions yet.  If I missed something, please don't
hesitate to point me in the right direction.

Thanks,
Garner

C. Garner Andrews
Enterprise Architect
CompuNet Consulting Group, Inc.
+mailto:garner@ccgi.net

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Re: dev or user group question?

Posted by David Jencks <da...@yahoo.com>.
On Jan 24, 2006, at 1:04 PM, David Jencks wrote:

>
> On Jan 24, 2006, at 11:45 AM, Garner Andrews wrote:
>
>> We have our own security app that we've revealed with a web  
>> service.  We
>> want to replace the Jetspeed2 authentication and authorization  
>> functions
>> with our app.  Has anyone experimented with this at all yet?  Can you
>> even swap out the internal portal maintenance users' security  
>> roles or
>> do you have to use what's already there?  I'm really trying to  
>> gauge the
>> level of effort this will take.  I've read everything I have found so
>> far in the mail archives and in the other support areas and not found
>> answers to these questions yet.  If I missed something, please don't
>> hesitate to point me in the right direction.
>
> If you can express your authorization requirements purely in terms  
> of the jetspeed user, group, and role principals, and use the  
> jetspeed principal to permission mapping, you should be able to  
> simply replace the jetspeed login module with one that communicates  
> with your security server.  If you require more sophisticated  
> identity to permission mapping you may have to implement a Policy  
> to replace the jetspeed RdbmsPolicy: this would involve removing or  
> ignoring the jetspeed framework for managing permissions, although  
> I would strongly recommend still using the jetspeed permissions to  
> describe what the authorization decision is about.  There are a  
> couple places in the current code where the PermissionManager is  
> accessed directly instead of using the Policy but I'm hoping those  
> will get fixed shortly, they are in some patches I've submitted.
>
> I've been thinking about some of these issues while working on the  
> geronimo-jetspeed integration (JS2-444) and considering how the  
> geronimo security framework should develop and am wondering if you  
> could describe at a high level the capabilities of your security  
> server and what kinds of authorization decisions you need to make.

I should perhaps point out that I'm working to integrate JS2 with  
geronimo so as to use the geronimo JACC implementation, which is  
running into some of the same issues.  In particular I'm using the  
geronimo JACC-based Policy rather than the jetspeed Policy.  I'd  
certainly be interested to find out more about your specific  
requirements.

thanks
david jencks

>
> many thanks,
> david jencks
>
>>
>> Thanks,
>> Garner
>>
>> C. Garner Andrews
>> Enterprise Architect
>> CompuNet Consulting Group, Inc.
>> +mailto:garner@ccgi.net
>>
>>
>
>
>




Re: dev or user group question?

Posted by David Jencks <da...@yahoo.com>.
On Jan 24, 2006, at 11:45 AM, Garner Andrews wrote:

> We have our own security app that we've revealed with a web  
> service.  We
> want to replace the Jetspeed2 authentication and authorization  
> functions
> with our app.  Has anyone experimented with this at all yet?  Can you
> even swap out the internal portal maintenance users' security roles or
> do you have to use what's already there?  I'm really trying to  
> gauge the
> level of effort this will take.  I've read everything I have found so
> far in the mail archives and in the other support areas and not found
> answers to these questions yet.  If I missed something, please don't
> hesitate to point me in the right direction.

If you can express your authorization requirements purely in terms of  
the jetspeed user, group, and role principals, and use the jetspeed  
principal to permission mapping, you should be able to simply replace  
the jetspeed login module with one that communicates with your  
security server.  If you require more sophisticated identity to  
permission mapping you may have to implement a Policy to replace the  
jetspeed RdbmsPolicy: this would involve removing or ignoring the  
jetspeed framework for managing permissions, although I would  
strongly recommend still using the jetspeed permissions to describe  
what the authorization decision is about.  There are a couple places  
in the current code where the PermissionManager is accessed directly  
instead of using the Policy but I'm hoping those will get fixed  
shortly, they are in some patches I've submitted.

I've been thinking about some of these issues while working on the  
geronimo-jetspeed integration (JS2-444) and considering how the  
geronimo security framework should develop and am wondering if you  
could describe at a high level the capabilities of your security  
server and what kinds of authorization decisions you need to make.

many thanks,
david jencks

>
> Thanks,
> Garner
>
> C. Garner Andrews
> Enterprise Architect
> CompuNet Consulting Group, Inc.
> +mailto:garner@ccgi.net
>
>

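The first option David describes above, swapping the login module for one that talks to the external security server and then leaning on Jetspeed's own user/group/role principals, is a standard JAAS `LoginModule`. The sketch below is an added example, not code from the thread or from Jetspeed; it assumes a hypothetical `ExternalSecurityClient` that stands in for the web-service call, and it uses a plain `SimplePrincipal` where a real Jetspeed integration would use Jetspeed's user, group and role principal classes. The points worth copying are the ones that matter for a defender: the password buffer is wiped after the call, the module fails closed when the service rejects or is unreachable, one generic failure message covers both unknown user and bad password, and every principal it adds is tracked so `abort()` and `logout()` can remove exactly those.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS login module delegating authentication to an external security service. */
public class ExternalServiceLoginModule implements LoginModule {

    /** Stand-in (assumption) for the web-service client; a real one would call the server over TLS. */
    public interface ExternalSecurityClient {
        /** Returns granted roles/groups, or null when the credentials are rejected. */
        AuthResult authenticate(String username, char[] password) throws IOException;
    }

    public static final class AuthResult {
        public final Set<String> roles, groups;
        public AuthResult(Collection<String> roles, Collection<String> groups) {
            this.roles = new LinkedHashSet<>(roles);
            this.groups = new LinkedHashSet<>(groups);
        }
    }

    /** Minimal typed principal ("user", "role", "group"); Jetspeed has its own classes for these. */
    public static final class SimplePrincipal implements Principal {
        private final String type, name;
        public SimplePrincipal(String type, String name) { this.type = type; this.name = name; }
        @Override public String getName() { return name; }
        public String getType() { return type; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && ((SimplePrincipal) o).type.equals(type)
                    && ((SimplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(type, name); }
        @Override public String toString() { return type + ":" + name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private ExternalSecurityClient client;
    private String username;
    private AuthResult result;
    private boolean succeeded, committed;
    private final Set<Principal> added = new LinkedHashSet<>();   // exactly what we put on the Subject

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Assumption: the client is injected through the module options by the container/Spring config.
        this.client = (ExternalSecurityClient) options.get("externalSecurityClient");
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null || client == null) throw new LoginException("login module not configured");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("credential callback failed");
        }
        char[] pw = pc.getPassword();      // a copy; the callback's own buffer is cleared next
        pc.clearPassword();
        try {
            if (nc.getName() == null || nc.getName().isEmpty() || pw == null || pw.length == 0) {
                throw new FailedLoginException("authentication failed");
            }
            result = client.authenticate(nc.getName(), pw);
        } catch (IOException e) {
            throw new LoginException("security service unavailable");   // fail closed, never fall back
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');                        // do not keep the secret in memory
        }
        // Same message for unknown user and wrong password: no account enumeration via error text.
        if (result == null) throw new FailedLoginException("authentication failed");
        username = nc.getName();
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        added.add(new SimplePrincipal("user", username));
        for (String r : result.roles) added.add(new SimplePrincipal("role", r));
        for (String g : result.groups) added.add(new SimplePrincipal("group", g));
        subject.getPrincipals().addAll(added);   // the portal's principal-to-permission mapping sees these
        committed = true;
        return true;
    }

    @Override
    public boolean abort() {
        if (!succeeded) return false;
        if (committed) logout(); else reset();
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeAll(added); // remove only what this module added
        reset();
        return true;
    }

    private void reset() { username = null; result = null; succeeded = committed = false; added.clear(); }
}
```

Wired into a JAAS configuration in place of the portal's own login module, the rest of the portal keeps deciding authorization from the user, group and role principals on the `Subject`, which is exactly the split David recommends: identity comes from the external service, permission semantics stay in the portal. A `Subject` checked in a test should carry `user:<name>` plus the granted `role:`/`group:` principals after `commit()`, and none of them after `logout()`.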



Re: dev or user group question?

Posted by Aaron Evans <aa...@gmail.com>.
This is relatively easy to do.

You just have to implement the following interfaces:

org.apache.jetspeed.security.spi.UserSecurityHandler
org.apache.jetspeed.security.spi.RoleSecurityHandler
org.apache.jetspeed.security.spi.GroupSecurityHandler
org.apache.jetspeed.security.spi.SecurityMappingHandler

And then change the configuration of the security-spi.atn.xml and security-spi-atz.xml spring assembly files to use your implementations.

Note that you don't necessarily need to implement all of the above, you could for example leave Group management in jetspeed and not implement the GroupSecurityHandler and then only override the methods in the default SecurityMappingHandler implementation as it relates to roles for authorization.

By looking at the default implementations and the LDAP authentication implementation, I was able to figure it out and have jetspeed use my custom implementations that utilize my LDAP schema for users, groups and roles.

HTH,
aaron

On 1/24/06, Garner Andrews <Ga...@ccgi.net> wrote:
>
> We have our own security app that we've revealed with a web service.  We
> want to replace the Jetspeed2 authentication and authorization functions
> with our app.  Has anyone experimented with this at all yet?  Can you
> even swap out the internal portal maintenance users' security roles or
> do you have to use what's already there?  I'm really trying to gauge the
> level of effort this will take.  I've read everything I have found so
> far in the mail archives and in the other support areas and not found
> answers to these questions yet.  If I missed something, please don't
> hesitate to point me in the right direction.
>
> Thanks,
> Garner
>
> C. Garner Andrews
> Enterprise Architect
> CompuNet Consulting Group, Inc.
> +mailto:garner@ccgi.net
>
>
>