Posted to commits@isis.apache.org by bu...@apache.org on 2013/01/14 19:58:14 UTC

svn commit: r846645 - in /websites/staging/isis/trunk: cgi-bin/ content/ content/components/security/shiro/ content/components/security/shiro/resources/

Author: buildbot
Date: Mon Jan 14 18:58:13 2013
New Revision: 846645

Log:
Staging update by buildbot for isis

Added:
    websites/staging/isis/trunk/content/components/security/shiro/resources/
    websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png   (with props)
    websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png   (with props)
    websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png   (with props)
    websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png   (with props)
    websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-users.png   (with props)
    websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html
Modified:
    websites/staging/isis/trunk/cgi-bin/   (props changed)
    websites/staging/isis/trunk/content/   (props changed)
    websites/staging/isis/trunk/content/components/security/shiro/about.html
    websites/staging/isis/trunk/content/documentation.html

Propchange: websites/staging/isis/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Jan 14 18:58:13 2013
@@ -1 +1 @@
-1432849
+1433037

Propchange: websites/staging/isis/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Jan 14 18:58:13 2013
@@ -1 +1 @@
-1432849
+1433037

Modified: websites/staging/isis/trunk/content/components/security/shiro/about.html
==============================================================================
--- websites/staging/isis/trunk/content/components/security/shiro/about.html (original)
+++ websites/staging/isis/trunk/content/components/security/shiro/about.html Mon Jan 14 18:58:13 2013
@@ -303,14 +303,9 @@ com.mycompany.myapp                     
 *                                            # view/edit access to everything
 </pre>
 
-<p><!--</p>
+<h3>Configuring LDAP</h3>
 
-<h3>Configuring</h3>
-
-<ul>
-<li><a href="using-apache-ds-for-authentication.html">Using Apache DS for authentication</a>
---></li>
-</ul>
+<p>Details of configuring the Shiro integration to work against an LDAP server can be found <a href="using-ldap.html">here</a>.</p>
 
 
 
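Review bot: The link text in the added paragraph under "Configuring LDAP" is only the word "here", which tells a reader scanning the links (or using a screen reader) nothing about the target. Suggest making the page title the link text, for example "Using Shiro with an LDAP Server" pointing at using-ldap.html, so it matches the title of the page added in this commit.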

Added: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-groups.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-partition.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-mojo-root-dse.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-sasl-authentication.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-users.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/isis/trunk/content/components/security/shiro/resources/activeds-ldap-users.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html
==============================================================================
--- websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html (added)
+++ websites/staging/isis/trunk/content/components/security/shiro/using-ldap.html Mon Jan 14 18:58:13 2013
@@ -0,0 +1,352 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+
+    <meta charset="utf-8">
+      <title>Using Shiro with an LDAP Server
</title>
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
+    <!--[if lt IE 9]>
+      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
+    <![endif]-->
+
+    <!-- Le styles -->
+    <link href="./../../../bootstrap.css" rel="stylesheet">
+    <link href="./../../../prettify.css" rel="stylesheet">
+    <link href="./../../../bootstrap-mods.css" rel="stylesheet">
+
+    <style type="text/css">
+        body {
+          padding-top: 60px;
+        }
+        .sprite {
+            display: inline-block;
+            height: 20px;
+            margin: 0 auto 4px;
+            outline: medium none;
+            text-indent: -999em;
+            width: 24px;
+            background-image: url('./../../../images/sprites.png');
+            background-repeat: no-repeat;
+            overflow: hidden;
+            cursor: pointer;
+        }
+        .edit-page {
+            display: inline-block;
+            height: 20px;
+            margin: 0 auto 4px;
+            outline: medium none;
+            text-indent: -999em;
+            width: 24px;
+            background-image: url('./../../../images/edit.png');
+            background-repeat: no-repeat;
+            overflow: hidden;
+            cursor: pointer;
+        }
+        .fb-share {
+            background-position: 0px -40px;
+        }
+        .gp-share {
+            background-position: 0px 0px;
+        }
+        .tw-share {
+            background-position: 0px -80px;
+        }
+        .markdown-content {
+            min-height: 500px;
+        }
+        .book-image img {
+          border: 1px;
+          border-style: solid;
+        }
+        .stub,.note {
+            position: relative;
+            padding: 7px 15px;
+            margin-bottom: 18px;
+            color: #404040;
+            background-color: #eedc94;
+            background-repeat: repeat-x;
+            background-image: -khtml-gradient(linear, left top, left bottom, from(#fceec1), to(#eedc94));
+            background-image: -moz-linear-gradient(top, #fceec1, #eedc94);
+            background-image: -ms-linear-gradient(top, #fceec1, #eedc94);
+            background-image: -webkit-gradient(linear, left top, left bottom, color-stop(0%, #fceec1), color-stop(100%, #eedc94));
+            background-image: -webkit-linear-gradient(top, #fceec1, #eedc94);
+            background-image: -o-linear-gradient(top, #fceec1, #eedc94);
+            background-image: linear-gradient(top, #fceec1, #eedc94);
+            filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fceec1', endColorstr='#eedc94', GradientType=0);
+            text-shadow: 0 -1px 0 rgba(0, 0, 0, 0.25);
+            border-color: #eedc94 #eedc94 #e4c652;
+            border-color: rgba(0, 0, 0, 0.1) rgba(0, 0, 0, 0.1) rgba(0, 0, 0, 0.25);
+            text-shadow: 0 1px 0 rgba(255, 255, 255, 0.5);
+            border-width: 1px;
+            border-style: solid;
+            -webkit-border-radius: 4px;
+            -moz-border-radius: 4px;
+            border-radius: 4px;
+            -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.25);
+            -moz-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.25);
+            box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.25);
+        }
+    </style>
+    <script type="text/javascript">
+      function fbshare () {
+          window.open(
+                  "http://www.facebook.com/sharer/sharer.php?u="+document.URL,
+                  'Share on Facebook',
+                  'width=640,height=426');
+      };
+      function gpshare () {
+          window.open(
+                  "https://plus.google.com/share?url="+document.URL,
+                  'Share on Google+',
+                  'width=584,height=385');
+      };
+      function twshare () {
+          window.open(
+                  "https://twitter.com/intent/tweet?url="+document.URL+"&text=Using Shiro with an LDAP Server
",
+                  'Share on Twitter',
+                  'width=800,height=526');
+      };
+    </script>
+
+    <!-- Le fav and touch icons -->
+    <link rel="shortcut icon" href="./../../../images/favicon.ico">
+    <link rel="apple-touch-icon" href="./../../../images/apple-touch-icon.png">
+    <link rel="apple-touch-icon" sizes="72x72" href="./../../../images/apple-touch-icon-72x72.png">
+    <link rel="apple-touch-icon" sizes="114x114" href="./../../../images/apple-touch-icon-114x114.png">
+
+    <script src="./../../../javascript/prettify.js" type="text/javascript"></script>
+    <script src="./../../../javascript/jquery-latest.js"></script>
+
+
+    <script src="http://platform.twitter.com/widgets.js" type="text/javascript"></script>
+    <script src="./../../../javascript/common.js"></script>
+    <script src="./../../../javascript/prettyprint.js"></script>
+
+    <script src="./../../../javascript/bootstrap-alert.js"></script>
+    <script src="./../../../javascript/bootstrap-dropdown.js"></script>
+    <script src="./../../../javascript/bootstrap-tooltip.js"></script>
+    <script src="./../../../javascript/bootstrap-alerts.js"></script>
+    <script src="./../../../javascript/bootstrap-modal.js"></script>
+    <script src="./../../../javascript/bootstrap-transition.js"></script>
+    <script src="./../../../javascript/bootstrap-button.js"></script>
+    <script src="./../../../javascript/bootstrap-popover.js"></script>
+    <script src="./../../../javascript/bootstrap-twipsy.js"></script>
+    <script src="./../../../javascript/bootstrap-buttons.js"></script>
+    <script src="./../../../javascript/bootstrap-scrollspy.js"></script>
+    <script src="./../../../javascript/bootstrap-typeahead.js"></script>
+    <script src="./../../../javascript/bootstrap-carousel.js"></script>
+    <script src="./../../../javascript/bootstrap-tab.js"></script>
+    <script src="./../../../javascript/bootstrap-collapse.js"></script>
+    <script src="./../../../javascript/bootstrap-tabs.js"></script>
+
+    
+    
+    
+
+    <script>
+    $(function () { prettyPrint() })
+    $().dropdown()
+    </script>
+
+    <script type="text/javascript">
+
+      var _gaq = _gaq || [];
+      _gaq.push(['_setAccount', 'UA-2717626-1']);
+      _gaq.push(['_setDomainName', 'apache.org']);
+      _gaq.push(['_trackPageview']);
+
+      (function() {
+        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+      })();
+
+    </script>
+
+
+  </head>
+
+  <body>
+
+    <div class="topbar">
+      <div class="fill">
+        <div class="container">
+          <a class="brand" href="./../../../index.html">Apache Isis&trade;</a>
+          <ul class="nav">
+            <li><a href="./../../../index.html">Home</a></li>
+            <li><a href="./../../../download.html">Download</a></li>
+            <li><a href="./../../../getting-started/screencasts.html">Screencasts</a></li>
+            <li><a href="./../../../documentation.html">Documentation</a></li>
+            <li><a href="./../../../support.html">Support</a></li>
+
+            <li class="dropdown">
+              <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache <b class="caret"></b></a>
+              <ul class="dropdown-menu">
+                <li>
+                  <a href="http://www.apache.org/">Apache Homepage <i class="icon-share-alt"></i></a>
+                </li>
+                <li>
+                  <a href="http://www.apache.org/licenses/">Licenses <i class="icon-share-alt"></i></a>
+                </li>
+                <li>
+                  <a href="http://www.apache.org/security/">Security <i class="icon-share-alt"></i></a>
+                </li>
+                <li>
+                  <a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship <i class="icon-share-alt"></i></a>
+                </li>
+                <li>
+                  <a href="http://www.apache.org/foundation/thanks.html">Thanks <i class="icon-share-alt"></i></a>
+                </li>
+              </ul>
+            </li>
+
+          </ul>
+
+            <!-- Google CSE Search Box Begins -->
+            <div style="float: right; position: relative; ">
+          <form action="http://www.google.com/cse" id="cse-search-box" _lpchecked="1">
+            <div>
+                <input type="hidden" name="cx" value="001500763902520246267:purt3m54z98">
+                <input type="hidden" name="ie" value="UTF-8">
+                <input type="text" name="q" size="31" style="border: 1px solid rgb(126, 157, 185); padding: 2px; background-color: rgb(255, 255, 255); background-position: 0% 50%; background-repeat: no-repeat no-repeat;">
+                <input type="submit" name="sa" value="Search">
+            </div>
+            <input name="siteurl" type="hidden" value="incubator.apache.org/isis/">
+            <input name="ref" type="hidden" value="">
+            <input name="ss" type="hidden" value="677j458329j2">
+        </form>
+        </div>
+            <!-- Google CSE Search Box Ends -->
+        </div>
+      </div>
+    </div>
+
+    <div class="container">
+      <div class="markdown-content">
+      
+
+<div class="page-header">
+<p><a href="./../../../documentation.html">Docs</a>&nbsp;&raquo&nbsp;<a href="./../../../components/about.html">Components</a>&nbsp;&raquo&nbsp;<a href="./../../../components/security/about.html">Security</a>&nbsp;&raquo&nbsp;<a href="./../../../components/security/shiro/about.html">Shiro</a></p>
+<h1>Using Shiro with an LDAP Server
+
+</h1>
+</div>
+
+<p>Isis ships with an implementation of <a href="http://shiro.apache.org">Apache Shiro</a>'s <code>Realm</code> class that allows user authentication and authorization to be performed against an LDAP server.</p>
+
+<p>The configuration required in the <code>WEB-INF/shiro.ini</code> file is:</p>
+
+<pre>
+contextFactory = org.apache.isis.security.shiro.IsisLdapContextFactory
+contextFactory.url = ldap://localhost:10389
+contextFactory.authenticationMechanism = CRAM-MD5
+contextFactory.systemAuthenticationMechanism = simple
+contextFactory.systemUsername = uid=admin,ou=system
+contextFactory.systemPassword = secret
+
+ldapRealm = org.apache.isis.security.shiro.IsisLdapRealm
+ldapRealm.contextFactory = $contextFactory
+
+ldapRealm.searchBase = ou=groups,o=mojo
+ldapRealm.groupObjectClass = groupOfUniqueNames
+ldapRealm.uniqueMemberAttribute = uniqueMember
+ldapRealm.uniqueMemberAttributeValueTemplate = uid={0}
+
+ldapRealm.permissionsByRole=\
+   user_role = *:ToDoItemsJdo:*:*,\
+               *:ToDoItem:*:*; \
+   self-install_role = *:ToDoItemsFixturesService:install:* ; \
+   admin_role = *
+
+securityManager.realms = $ldapRealm
+</pre>
+
+<p>where:</p>
+
+<ul>
+<li>user accounts are searched under <code>ou=system</code>
+<ul>
+<li>users have, at minimum, a <code>uid</code> attribute and a password</li>
+<li>SASL (CRAM-MD5) authentication is used for this authentication</li>
+<li>the users credentials are used to verify their user/password</li>
+</ul></li>
+<li>groups are searched under <code>ou=groups,o=mojo</code> (where <code>mojo</code> is the company name)
+<ul>
+<li>each group has an LDAP objectClass of <code>groupOfUniqueNames</code></li>
+<li>each group has a vector attribute of <code>uniqueMember</code></li>
+<li>each value of <code>uniqueMember</code> is in the form <code>uid=xxx</code>, with <code>xxx</code> being the uid of the user</li>
+<li>the group membership is looked up using the specified system user</li>
+</ul></li>
+</ul>
+
+<p>The above configuration has been tested against <a href="http://directory.apache.org/apacheds/">ApacheDS</a>, v1.5.7.  This can be administered using <a href="http://directory.apache.org/studio/">Apache Directory Studio</a>, v1.5.3.</p>
+
+<h3>Active DS LDAP Configuration</h3>
+
+<p>The screenshot below shows the ApacheDS using Apache Directory Studio.  The setup here was initially base on <a href="http://krams915.blogspot.co.uk/2011/01/ldap-apache-directory-studio-basic.html">this tutorial</a>.  However, user accounts have been moved to a separate node.</p>
+
+<h4>Configure Mojo partition and nodes under Root</h4>
+
+<p>Create a partition in order to hold the mojo node (holding the groups)</p>
+
+<p><img src="resources/activeds-ldap-mojo-partition.png" alt="ActiveDS LDAP Users" /></p>
+
+<p>Create the <code>ou=groups,o=mojo</code> hierarchy</p>
+
+<p><img src="resources/activeds-ldap-mojo-root-dse.png" alt="ActiveDS LDAP Users" /></p>
+
+<p>Configure SASL authentication.  This means that the checking of user/password is done implicitly by virtue of Isis connecting to LDAP using these credentials.</p>
+
+<p><img src="resources/activeds-ldap-sasl-authentication.png" alt="ActiveDS LDAP Users" /></p>
+
+<p>In order for SASL to work, it seems to be necessary to put users under <code>o=system</code>.  (This is why the setup is slightly different than the tutorial mentioned above).</p>
+
+<p><img src="resources/activeds-ldap-users.png" alt="ActiveDS LDAP Users" /></p>
+
+<p>Configure the users into the groups.</p>
+
+<p><img src="resources/activeds-ldap-groups.png" alt="ActiveDS LDAP Users" /></p>
+
+
+
+      </div>
+
+        <div id="edit" class="modal hide fade in" style="display: none; ">
+            <div class="modal-header">
+                <a class="close" data-dismiss="modal">x</a>
+
+                <h3>Thank you for contributing to the documention!</h3>
+            </div>
+            <div class="modal-body">
+                <h4>Any help with the documentation is greatly appreciated.</h4>
+                <p>All edits are reviewed before going live, so feel free to do much more than fix typos or links.  If you see a page that could benefit from an entire rewrite, we'd be thrilled to review it.  Don't be surprised if we like it so much we ask you for help with other pages :)</p>
+                <small>NOTICE: unless indicated otherwise on the pages in question, all editable content available from apache.org is presumed to be licensed under the Apache License (AL) version 2.0 and hence all submissions to apache.org treated as formal Contributions under the license terms.</small>
+                <!--[if gt IE 6]>
+                <h4>Internet Explorer Users</h4>
+                <p>If you are not an Apache committer, click the Yes link and enter a <i>anonymous</i> for the username and leave the password empty</p>
+                <![endif]-->
+
+            </div>
+            <div class="modal-footer">
+                Do you have an Apache ID?
+                <a href="javascript:void(location.href='https://cms.apache.org/redirect?uri='+escape(location.href))" class="btn">Yes</a>
+                <a href="javascript:void(location.href='https://anonymous:@cms.apache.org/redirect?uri='+escape(location.href))" class="btn">No</a>
+            </div>
+        </div>
+        <script src="./../../../javascript/bootstrap-modal.js"></script>
+
+      <footer>
+        <p>
+        Copyright &copy; 2012~2013 The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
+        <br/>
+        Apache Isis, Apache, the Apache feather logo, and the Apache Isis project logo are trademarks of The Apache Software Foundation.
+        </p>
+      </footer>
+
+    </div> <!-- /container -->
+
+  </body>
+</html>
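Review bot: The sample shiro.ini in the <pre> block binds the system account with "contextFactory.systemAuthenticationMechanism = simple" over "contextFactory.url = ldap://localhost:10389", so the "systemPassword = secret" for "uid=admin,ou=system" is sent unencrypted, and nothing on the page says these are development values. Suggest adding a sentence after the "where:" list that marks them as such and recommends a TLS-protected connection plus a dedicated read-only account for the group lookup instead of the directory admin. Two smaller points in the same file: the list says user accounts are under ou=system while the SASL paragraph says o=system, and the h3 heading and every img alt text read "Active DS" / "ActiveDS LDAP Users" where the prose refers to ApacheDS.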

Modified: websites/staging/isis/trunk/content/documentation.html
==============================================================================
--- websites/staging/isis/trunk/content/documentation.html (original)
+++ websites/staging/isis/trunk/content/documentation.html Mon Jan 14 18:58:13 2013
@@ -459,7 +459,7 @@
 
 <ul>
 <li><a href="components/security/shiro/about.html">About</a></li>
-<li><a href="components/security/shiro/using-apache-ds-for-authentication.html">Using Apache DS for authentication</a>
+<li><a href="components/security/shiro/using-ldap.html">Using LDAP</a>
 </div>
 <div class="span-one-third"></li>
 </ul>
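Review bot: The changed <li> line still has no closing tag of its own; in the context lines its </li> only appears after "</div>" and "<div class="span-one-third">", so the list item straddles two column divs. Since the line is being edited anyway, suggest closing the item on the same line in the page source (ending it with "</a></li>") and dropping the stray </li> that follows the div.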