Posted to jetspeed-dev@portals.apache.org by dl...@apache.org on 2005/09/24 14:29:43 UTC
svn commit: r291290 [2/2] - in /portals/jetspeed-2/trunk:
components/security/
components/security/src/java/org/apache/jetspeed/security/
components/security/src/java/org/apache/jetspeed/security/impl/
components/security/src/java/org/apache/jetspeed/s...
Added: portals/jetspeed-2/trunk/components/security/xdocs/config.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/config.xml?rev=291290&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/config.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/config.xml Sat Sep 24 05:29:23 2005
@@ -0,0 +1,450 @@
+<?xml version="1.0"?>
+<!--
+ Copyright 2004 The Apache Software Foundation
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Jetspeed 2 Security Services Configuration</title>
+ <authors>
+ <person name="David Le Strat" email="dlestrat@apache.org" />
+ <person name="Ate Douma" email="ate@douma.nu" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Default configuration">
+ <p>
+ Jetspeed 2 default security services configuration leverages a relational database as its default persitent datastore for security information.
+ Jetspeed 2 security service provider interface provides a mechanism to replace the default datastore configured.
+ </p>
+ <p>
+ 3 files are involved when configuring Jetspeed 2 security SPI. All the SPI configuration files are located under
+ <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i>
+ .
+ </p>
+ <subsection name="security-atn.xml">
+ <p>
+ This configuration file provides the login module configuration. Not everyone needs this, as some application may decide to use another
+ login module other than the one provided.
+ </p>
+ </subsection>
+ <subsection name="security-atz.xml">
+ <p>
+ This configuration file configures the authorization policy, in J2's case
+ <a href="atz-jass.html">RdbmsPolicy</a>
+ .
+ </p>
+ </subsection>
+ <subsection name="security-managers.xml">
+ <p>This configuration file configures all the managers for security purpose.</p>
+ </subsection>
+ <subsection name="security-providers.xml">
+ <p>This configuration file configures the various providers and weaves the SPI together.</p>
+ <ul>
+ <li>
+ <code>AuthenticationProviderProxy</code>
+ : Configures the list of
+ <code>AuthenticationProvider</code>
+ and the default authenticator.
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProviderProxy"
+ class="org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl">
+ <constructor-arg >
+ <list>
+ <ref bean="org.apache.jetspeed.security.AuthenticationProvider"/>
+ </list>
+ </constructor-arg>
+ <constructor-arg><value>DefaultAuthenticator</value></constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ <li>
+ <code>AuthenticationProvider</code>
+ : Configures the authentication providers for the current portal implementation. The example below configures the default authenticator
+ that uses the RDBMS to manage/store user information.
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProvider"
+ class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl">
+ <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
+ <constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
+ <constructor-arg index="2"><value>login.conf</value></constructor-arg>
+ <constructor-arg index="3">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
+ </constructor-arg>
+ <constructor-arg index="4">
+ <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ <li>
+ <code>AuthorizationProvider</code>
+ : Configures the policies and instantiates the
+ <code>SecurityPolicies</code>
+ that are used for enforcing permissions. By default, Jetspeed 2 does not load any other
+ security policies that may have been configured. In order to use default policies, set
+ <code>useDefaultPolicy</code> to <code>true</code>
+ <source>
+ <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthorizationProvider"
+ class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/>
+ </constructor-arg>
+ <!-- Does not use the default policy as a default behavior -->
+ <constructor-arg index="1"><value>false</value></constructor-arg>
+</bean>]]>
+ </source>
+ </li>
+ </ul>
+ </subsection>
+ <subsection name="security-spi.xml">
+ <p>This configuration file contains configuration that are common to the authentication and authorization SPIs.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.SecurityAccess</td>
+ <td>
+ Used internally by the default OJB based SPI. Provide access to common action/methods for the various SPI implementations. The
+ <i>SecurityAccess</i>
+ bean is used by both the Authentication and Authorization SPIs.
+ </td>
+ </tr>
+ </table>
+ </subsection>
+ <subsection name="security-spi-atn.xml">
+ <p>This configuration file contains all the configurations for configuring the authentication SPI.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.CredentialHandler</td>
+ <td>
+ The
+ <i>CredentialHandler</i>
+ encapsulates the operations involving manipulation of credentials. The default implementation provides support for password
+ protection as defined by the
+ <i>PasswordCredentialProvider</i>
+ ; as well as lifecycle management of credentials through
+ <i>InternalPasswordCredentialInterceptor</i>
+ which can be configured to manages parameters such as maximum number of authentication
+ failures, maximum life span of a credential in days and how much history to retain for a
+ given credential.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.UserSecurityHandler</td>
+ <td>
+ The
+ <i>UserSecurityHandler</i>
+ encapuslated all the operations around the user principals.
+ </td>
+ </tr>
+ </table>
+ <p>
+ The following simple <code>CredentialHandler</code> configuration is currently provided
+ by default with Jetspeed:</p>
+ <source><![CDATA[
+<!-- require a non-empty password -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
+ class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/>
+
+<!-- MessageDigest encode passwords using SHA-1 -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"
+ class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
+ <constructor-arg index="0"><value>SHA-1</value></constructor-arg>
+</bean>
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+ class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+ <constructor-arg index="0">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent store is required to be changed -->
+ <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+ <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use -->
+ <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+ </list>
+ </constructor-arg>
+</bean>
+
+<bean id="org.apache.jetspeed.security.spi.PasswordCredentialProvider"
+ class="org.apache.jetspeed.security.spi.impl.DefaultPasswordCredentialProvider">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/>
+ </constructor-arg>
+ <constructor-arg index="1">
+ <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/>
+ </constructor-arg>
+</bean>
+
+<bean id="org.apache.jetspeed.security.spi.CredentialHandler"
+ class="org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler">
+ <constructor-arg index="0">
+ <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+ </constructor-arg>
+ <constructor-arg index="1">
+ <ref bean="org.apache.jetspeed.security.spi.PasswordCredentialProvider"/>
+ </constructor-arg>
+ <constructor-arg index="2">
+ <ref bean="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"/>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ The above configuration requires not much more than that a password should not be
+ empty and MessageDigest encode it using SHA-1.</p>
+ <p>
+ Before the 2.0-M4 release, Jetspeed came configured with a much stricter configuration, but for
+ first time users of the Portal this was a bit overwelming and also quite difficult to configure
+ differently.</p>
+ <p>
+ With the 2.0-M4 release, the previously provided, and rather complex,
+ <code>InternalPasswordCredentialInterceptor</code> implementations are split up in single atomic
+ interceptors which can much easier be configured indepedently.</p>
+ <p>
+ An overview of the new interceptors and how related request processing pipeline valves can be
+ configured to provide feedback to the user is provided in the <a href="credentials.html">
+ Credentials Management</a> document.</p>
+ <p>
+ Since the "old" (pre 2.0-M4) interceptors are no longer provided with Jetspeed, the example below
+ shows how to "restore" the old setup using the new interceptors:</p>
+ <source><![CDATA[
+<!-- require a password of minimum length 6 and at least two numeric characters -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"
+ class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">
+ <constructor-arg index="0"><value>6</value></constructor-arg>
+ <constructor-arg index="1"><value>2</value></constructor-arg>
+</bean>
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+ class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+ <constructor-arg index="0">
+ <list>
+ <!-- enforce an invalid preset password value in the persisent store is required to be changed -->
+ <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+ <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use -->
+ <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+
+ <!-- remember the last 3 passwords used and require a new password to be different from those -->
+ <bean class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+ </bean>
+
+ <!-- Automatically expire a password after 60 days -->
+ <bean class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
+ <constructor-arg index="0"><value>60</value></constructor-arg>
+ </bean>
+
+ <!-- Automatically disable a password after 3 invalid authentication attempts in a row -->
+ <bean class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+ </bean>
+ </list>
+ </constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ And, make sure something like the following configuration is set for the security related valves in
+ pipelines.xml:</p>
+ <source><![CDATA[
+<bean id="passwordCredentialValve"
+ class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"
+ init-method="initialize">
+ <constructor-arg>
+ <!-- expirationWarningDays -->
+ <list>
+ <value>2</value>
+ <value>3</value>
+ <value>7</value>
+ </list>
+ </constructor-arg>
+</bean>
+
+<bean id="loginValidationValve"
+ class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
+ init-method="initialize">
+ <!-- maxNumberOfAuthenticationFailures
+ This value should be in sync with the value for
+ org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor
+ (if used) to make sense.
+ Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
+ error code when only one last attempt is possible before the credential
+ will be disabled after the next authentication failure.
+ -->
+ <constructor-arg index="0"><value>3</value></constructor-arg>
+</bean>]]>
+ </source>
+ <p>
+ Also, make sure the above valves are configured in the <code>jetspeed-pipeline</code> bean.</p>
+ <p>
+ See the <a href="credentials.html#User_interaction">User Interaction</a> section in the
+ Credentials Management document for a description of these valves and their relation to the
+ interceptors configuration.</p>
+ </subsection>
+ <subsection name="security-spi-atz.xml">
+ <p>This configuration file contains all the configurations for configuring the authorization SPI.</p>
+ <table>
+ <tr>
+ <th>Bean</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.RoleSecurityHandler</td>
+ <td>
+ The
+ <i>RoleSecurityHandler</i>
+ encapsulates all the operations around the role principals.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.GroupSecurityHandler</td>
+ <td>
+ The
+ <i>GroupSecurityHandler</i>
+ encapsulates all the operations around the group principals.
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.security.spi.SecurityMappingHandler</td>
+ <td>
+ The
+ <i>SecurityMappingHandler</i>
+ encapsulates all the operations involving mapping between principals. It contains the logic managing hierarchy resolution for
+ hierarchical principals (roles or groups). The default hierarchy resolution provided is a hierarchy by generalization (see overview
+ for definitions). A
+ <i>contructor-arg</i>
+ can be added to the
+ <i>SecurityMappingHandler</i>
+ to change the hierarchy resolution strategy. Jetspeed 2 also support a hierarchy resolution by aggregation.
+ </td>
+ </tr>
+ </table>
+ <p>
+ A sample
+ <code>SecurityMappingHandler</code>
+ configuration could be:
+ <source><![CDATA[
+<!-- Security SPI: SecurityMappingHandler -->
+<bean id="org.apache.jetspeed.security.spi.SecurityMappingHandler"
+ class="org.apache.jetspeed.security.spi.impl.DefaultSecurityMappingHandler">
+ <constructor-arg >
+ <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+ </constructor-arg>
+ <!-- Default role hierarchy strategy is by generalization.
+ Add contructor-arg to change the strategy. -->
+ <!-- Default group hierarchy strategy is by generalization.
+ Add contructor-arg to change the strategy. -->
+</bean>]]>
+ </source>
+ </p>
+ </subsection>
+ </section>
+ <section name="LDAP Configuration">
+ <p>
+ Jetspeed 2 provides LDAP support for authentication. Configuring LDAP authentication can be done by replacing the configuration files located
+ under
+ <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i>
+ by the files located under as indicated
+ <i>${jetspeed-source-home}/components/security/etc/</i>
+ . below.
+ </p>
+ <p>
+ Jetspeed 2
+ <b>does not currently provide an embedded LDAP directory</b>
+ . A external LDAP directory must be configured in order to leverage this functionality.
+ </p>
+ <p>
+ <i>security-spi-atn.xml</i>
+ should be replaced by
+ <i>security-spi-ldap-atn.xml</i>
+ and
+ <i>security-spi-ldap.xml</i>
+ should be copied to the assembly directory as well.
+ </p>
+ <p>
+ The
+ <i>security-spi-ldap-atn.xml</i>
+ preforms the same functions as the
+ <i>security-spi-atn.xml</i>
+ described above. It replaces the default implementation for
+ <i>CredentialHandler</i>
+ and
+ <i>UserSecurityHandler</i>
+ with an LDAP specific implementation.
+ </p>
+ <p>
+ Additionally,
+ <i>ldap.properties</i>
+ located under
+ <i>${jetspeed-source-home}/components/security/etc/</i>
+ should be copied under
+ <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/conf/</i>
+ .
+ </p>
+ <subsection name="ldap.properties">
+ <table>
+ <tr>
+ <th>Property</th>
+ <th>Value</th>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.ldap.ldapServerName</td>
+ <td>
+ The LDAP server name to connect to. E.g.
+ <i>localhost</i>
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.ldap.rootDn</td>
+ <td>
+ The root domain name. E.g.
+ <i>cn=Manager,dc=proto,dc=dataline,dc=com</i>
+ . In properties files the "=" in the value should be escaped, i.e.
+ <i>cn\=Manager,dc\=proto,dc\=dataline,dc\=com</i>
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.ldap.rootPassword</td>
+ <td>The root password.</td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.ldap.rootContext</td>
+ <td>
+ The root context. E.g.
+ <i>dc=proto,dc=dataline,dc=com</i>
+ </td>
+ </tr>
+ <tr>
+ <td>org.apache.jetspeed.ldap.defaultDnSuffix</td>
+ <td>
+ The default suffix. E.g.
+ <i>ou=Norfolk,o=Dataline</i>
+ </td>
+ </tr>
+ </table>
+ </subsection>
+ </section>
+ </body>
+</document>
\ No newline at end of file
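Review bot: The default `CredentialPasswordEncoder` documented here is an unsalted, single-pass `SHA-1` MessageDigest (`<constructor-arg index="0"><value>SHA-1</value></constructor-arg>`), and the paragraph beginning `The above configuration requires not much more than` presents it without any caveat, although the bean is clearly the replaceable hook for password protection. I would add after that paragraph a sentence such as: `Note: an unsalted fast digest such as SHA-1 gives little resistance to offline dictionary attacks should the security tables leak; production deployments should replace the CredentialPasswordEncoder bean with a salted, iterated scheme.` The `EncodePasswordOnFirstLoadInterceptor` comment also implies that preset cleartext passwords remain in cleartext in the persistent store until that user first authenticates, which is worth stating explicitly rather than leaving to inference. In the `ldap.properties` table, `org.apache.jetspeed.ldap.rootPassword` is documented as a cleartext value in `WEB-INF/conf/`, the example bind DN is a directory manager (`cn=Manager,...`), and no TLS/ldaps setting is listed; the doc should advise binding with a least-privilege account, restricting file permissions on `ldap.properties`, keeping it out of version control, and (if the implementation supports it) connecting over TLS so the bind credentials do not cross the network in the clear.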
Modified: portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
Binary files - no diff available.
Modified: portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
Binary files - no diff available.
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml Sat Sep 24 05:29:23 2005
@@ -55,7 +55,9 @@
<bean id="org.apache.jetspeed.security.AuthorizationProvider"
class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
>
- <constructor-arg ><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
+ <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
+ <!-- Does not use the default policy as a default behavior -->
+ <constructor-arg index="1"><value>false</value></constructor-arg>
</bean>
</beans>
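Review bot: The new comment `Does not use the default policy as a default behavior` does not say which "default policy" is being bypassed or what the consequence is, so an operator flipping the new `index="1"` value to `true` cannot tell what additional grants they would be enabling. From the accompanying xdocs the flag presumably controls whether any previously installed `java.security.Policy` is consulted in addition to `RdbmsPolicy`, but that is not stated here; I would replace the comment with something like `<!-- useDefaultPolicy: false = permission decisions come from RdbmsPolicy only; true = also honour any previously installed java.security.Policy (e.g. the JVM's java.policy) -->`, adjusted to whatever `AuthorizationProviderImpl` actually does. The enclosing `<beans>` root element starts outside this hunk.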
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml Sat Sep 24 05:29:23 2005
@@ -21,8 +21,8 @@
<bean id="org.apache.jetspeed.userinfo.UserInfoManager"
class="org.apache.jetspeed.userinfo.impl.UserInfoManagerImpl"
>
- <constructor-arg ><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
- <constructor-arg ><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg>
+ <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
+ <constructor-arg index="1"><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg>
</bean>