Posted to dev@jspwiki.apache.org by Tilman Bender <tb...@stud.hs-heilbronn.de> on 2009/03/18 12:02:30 UTC

Re: OpenID support in JSPWiki?

Hey guys,

I am currently playing with the 2.8.1 code and openid4java.

But I am having a hard time trying to figure out where exactly to hook
in the OpenID stuff.
The problem is (as also described in #JSPWIKI-94), that:

1. To me it seems you cannot do the whole thing in JAAS:
OpenID as I understand it has two phases :

Phase I:
- The user just submitted his openid identifier to our login/registration form.
- We do discovery on the identifier to find the Endpoint of his OpenID  
Provider (and check if the provider is in our whitelist)
- We redirect the user to his OpenID provider

So in this phase it makes no sense to me to use a JAAS-Module since we
wouldn't be able to complete the login method
as we do not know enough about the user yet (we do not know if his
identity is asserted by the OpenID Provider).
So I currently do this via JSP and Scriptlets (no custom tag yet).

Phase II:
- The user is redirected back to us by his OpenID Provider
- We connect to the OpenID Provider to verify the assertion that was  
passed along the request (be it a positive or negative assertion)
- Now we know enough about the user to log them in.

I currently try to use UserManager.setUserProfile in this situation.  
Now here comes my Problem:

I would like to do all the assertion verification in a JAAS-Module,
but for that I need all the request
data, which I do not have in the setUserProfile-Method.

So currently I am stuck. Before I start to wildly mess the API: Am I  
taking the right direction?


Tilman Bender
Software Engineering student
Hochschule Heilbronn
tbender@stud.hs-heilbronn.de



On 03.12.2008 at 21:50, Janne Jalkanen wrote:

> Hi!
>
> Thanks for the effort - sounds like a worthy project!
>
> I think you will save yourself a lot of grief if you work on the  
> 2.8.1 branch, since the trunk is now the subject of a lot of changes  
> - but note that we *will* be making some rather major changes for  
> 3.0, so you may face a small porting effort towards the end.  We  
> certainly wouldn't like to land a major feature in 2.8 branch  
> anymore, since it's rather stable.
>
> I think the first thing you could do is to outline your plan as to  
> how exactly are you planning to hook into our structures - a good  
> place to start is probably the Security documentation at http://doc.jspwiki.org/2.8/wiki/Security,
> and then asking a lot of questions on this mailing list.
>
> Also, since we are talking about a fairly large project here, you  
> might want to sign a contributor license agreement (CLA), and  
> depending on the German copyright legislation, get also Heilbronn to  
> sign a corporate CLA.  That, or Heilbronn (or you) need to, at the  
> end of the project, give a software grant (SGA) to Apache Software  
> Foundation.  But these are not biggies and can be tackled if/when we  
> start merging ;-)
>
> /Janne
>
> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
>
>> Hi JSPWiki Devs,
>>
>> I am a student at Heilbronn University in Germany (Some of you  
>> might know Christoph Sauer, who worked there.)
>> As pre-thesis for my diploma I want to enhance JSPWiki with OpenID.
>>
>> I am still pretty new to JSPWiki, OpenID and JAAS.
>> I have worked my way through the official OpenID 2.0 Authentication
>> standard
>> and will do as well for Attributes Exchange.
>>
>> I would like to base my work on the 2.8.1 tag and
>> see to get it integrated into the trunk later. Is that the correct
>> way to do it?
>>
>> As I see Andrew already spent quite some time on OpenID and did
>> some preparations.
>> Since I plan to get my diploma someday soon (say in 2009 ;-)), I
>> have a high personal interest
>> in getting OpenID into JSPWiki.
>>
>> Summary:
>>
>> * I have time
>> * I have motivation
>> * I need some help to get started ;-)
>>
>> Any suggestions where to begin? I guess registration/profile  
>> creation would be first.
>>
>> kind regards
>>
>>
>> Tilman Bender
>> Software Engineering student
>> Hochschule Heilbronn
>> tbender@stud.hs-heilbronn.de
>>
>>
>
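
One way to get the return request's data into a JAAS LoginModule for Phase II, the problem raised in the message above, is a custom Callback that the CallbackHandler fills in. This is an added example, not part of the original post and not JSPWiki or openid4java code: `ReturnRequestCallback`, `RequestAwareHandler`, `AssertionVerifier`, `OpenIdAssertionLoginModule`, the `verifier` option name, and the sample URLs and parameters are all hypothetical or constructed, and the verifier stub stands in for the real check against the OpenID Provider.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class OpenIdPhaseTwoSketch {
    /** Hypothetical callback: carries the provider's return request into JAAS. */
    static final class ReturnRequestCallback implements Callback {
        String receivingUrl;
        Map<String, String> params;
    }
    /** Hypothetical seam for the library call; returns the verified identifier or null. */
    interface AssertionVerifier {
        String verify(String receivingUrl, Map<String, String> params);
    }

    /** Built in the web layer, the only place that still holds the request. */
    static final class RequestAwareHandler implements CallbackHandler {
        private final String url;
        private final Map<String, String> params;
        RequestAwareHandler(String url, Map<String, String> params) { this.url = url; this.params = params; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof ReturnRequestCallback)) throw new UnsupportedCallbackException(cb);
                ((ReturnRequestCallback) cb).receivingUrl = url;
                ((ReturnRequestCallback) cb).params = params;
            }
        }
    }

    static final class OpenIdPrincipal implements Principal {
        private final String id;
        OpenIdPrincipal(String id) { this.id = id; }
        @Override public String getName() { return id; }
    }

    /** Phase II only: discovery and redirect (Phase I) already happened in the JSP. */
    static final class OpenIdAssertionLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private AssertionVerifier verifier;
        private Principal verified;
        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.verifier = (AssertionVerifier) options.get("verifier"); // assumed option name
        }
        @Override public boolean login() throws LoginException {
            ReturnRequestCallback rc = new ReturnRequestCallback();
            try {
                handler.handle(new Callback[] { rc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("handler cannot supply the request: " + e);
            }
            // Only "id_res" is a positive assertion; "cancel" and anything else fail closed.
            if (rc.params == null || !"id_res".equals(rc.params.get("openid.mode")))
                throw new FailedLoginException("no positive assertion");
            String id = verifier.verify(rc.receivingUrl, rc.params);
            if (id == null) throw new FailedLoginException("assertion did not verify");
            verified = new OpenIdPrincipal(id);
            return true;
        }
        @Override public boolean commit() { return verified != null && subject.getPrincipals().add(verified); }
        @Override public boolean abort() { verified = null; return true; }
        @Override public boolean logout() { return verified == null || subject.getPrincipals().remove(verified); }
    }

    /** Drives the module by hand; a LoginContext does this in a real deployment. */
    static String attempt(Map<String, String> params, AssertionVerifier verifier) {
        Subject subject = new Subject();
        OpenIdAssertionLoginModule module = new OpenIdAssertionLoginModule();
        module.initialize(subject, new RequestAwareHandler("https://wiki.example/Login.jsp", params),
                new HashMap<String, Object>(), Collections.singletonMap("verifier", verifier));
        try {
            module.login();
            module.commit();
            return subject.getPrincipals().iterator().next().getName();
        } catch (LoginException e) {
            module.abort();
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for the provider check: accepts one made-up identifier.
        String alice = "https://id.example/alice";
        AssertionVerifier stub = (url, p) -> alice.equals(p.get("openid.claimed_id")) ? alice : null;
        Map<String, String> positive = new HashMap<>();
        positive.put("openid.mode", "id_res");
        positive.put("openid.claimed_id", alice);
        System.out.println(attempt(positive, stub));
        System.out.println(attempt(Collections.singletonMap("openid.mode", "cancel"), stub));
    }
}
```

The module never sees the servlet API: whatever builds the handler decides which request data crosses into JAAS, and a handler that does not know the callback makes the login fail rather than proceed without verification.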


OAuth Re: OpenID support in JSPWiki?

Posted by Janne Jalkanen <ja...@ecyrd.com>.
BTW, how about OAuth support? Do we have good use cases?

/Janne

On 20 Mar 2009, at 15:43, Andrew Jaquith wrote:

> Tilman--
>
> Thanks for your e-mail, and for your good work.
>
> Your thought-process on this seems sound. Agreed, the first phase of  
> login (OP discovery + redirect) should be handled by a custom JSP.  
> The second phase (validation) should be handled by JAAS.
>
> To do this, you will need to get the HttpRequest object. JSPWiki  
> does have an HttpRequestCallback that can supply this, at least in  
> the custom authentication case. You will need to check to see if  
> WikiCallbackHandler passes that callback. If not, it is trivial to  
> patch the code to do this.
>
> So, I think this is basically in line with what you proposed.
>
> Some other thoughts:
>
> At login time, it would be highly desirable to use SREG or OpenID  
> attribute exchange to pull the user's name and e-mail address and  
> use the returned values to update their profile, which would ensure  
> that their information is always current. The login ID used to look  
> up the profile should be the user's OpenID URL... I think.
>
> On the UI side, we will need a special OpenID login page (JSP). The  
> regular login page could include this if desired.
>
> Andrew
>


Re: OpenID support in JSPWiki?

Posted by Andrew Jaquith <an...@gmail.com>.
Great news. Glad it works for you.

On Dec 8, 2009, at 9:30, "Schenk, Andre" <Andre.Schenk@FIZ-Karlsruhe.DE> wrote:

> Hi developers,
>
> just a short message from me, that supplying the WikiEngine to a  
> custom login module now works with JSPWiki 2.8.3. Many thanks for  
> that!!!
>
> Best regards,
>
> André
> --------------------------
> André Schenk
> ePublishing & eScience
> Development & Applied Research
> Phone +49 7247 808-215
> Fax +49 7247 808-133
> Andre.Schenk@fiz-karlsruhe.de
>
>
> FIZ Karlsruhe
> Hermann-von-Helmholtz-Platz 1
> 76344 Eggenstein-Leopoldshafen, Germany
>
> www.fiz-karlsruhe.de
> ---------------------------------------
>
>
>> -----Original Message-----
>> From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
>> Sent: Thursday, March 26, 2009 4:39 AM
>> To: jspwiki-dev@incubator.apache.org; Schenk, Andre
>> Subject: Re: OpenID support in JSPWiki?
>>
>> Hi Tilman --
>>
>> Your analysis is correct. You would need to obtain the HttpRequest
>> from WikiCallbackHandler, which at the moment it does not know how to
>> supply. We have had some other questions about this recently, notably
>> Andre Schenk's desire to be able to obtain a reference to the
>> WikiEngine from inside his custom LoginModule.
>>
>> In both cases, the common thread is that we need to supply additional
>> callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2,
>> by simply adding in support for the HttpRequestCallback. That should
>> meet your needs, no?
>>
>> It should also meet Andre's, indirectly, in the sense that if you have
>> an HttpRequest you can fairly easily retrieve the WikiEngine also (by
>> passing getSession().getServletContext() to WikiEngine.getInstance()).
>>
>> Andrew
>>
>> On Wed, Mar 25, 2009 at 7:27 AM, Tilman Bender
>> <tb...@stud.hs-heilbronn.de> wrote:
>>> Hi Andrew,
>>>
>>> Thanks for your help!
>>>
>>> Let's see if I got it right:
>>>
>>> - My OpenidAssertionLoginModule needs the data from the HttpRequest
>>> - The way to obtain this data is via HttpRequestCallback
>>>
>>> From what I can see so far, the HttpRequest in HttpRequestCallBack is only
>>> set in WebContainerCallbackHandler, which is used by:
>>>
>>> - WebContainerLoginModule
>>> - CookieAssertionLoginModule
>>> - AnonymousLoginModule
>>>
>>> So as I get it, I would have to either use this CallBackHandler, instead of
>>> WikiCallBackHandler
>>> or to find a way to set the HttpRequest in HttpRequestCallBack from within
>>> WikiCallBackHandler.
>>>
>>> Question is: How can I access the request from within WikiCallBackHandler?
>>>
>>> I agree on the attribute exchange on login, although I would see that as a
>>> further improvement to the basic OpenID
>>> functionality.
>>>
>>> For the UI side, I attached some mocks. This is what my UI currently looks
>>> like, but it is far from complete. Comments
>>> welcome :-)
>>>
>>> kind regards
>>>
>>> Tilman Bender
>>> Software Engineering student
>>> Hochschule Heilbronn
>>> tbender@stud.hs-heilbronn.de
>>>
>>>
>>>
>
>
> -------------------------------------------------------
>
> Fachinformationszentrum Karlsruhe, Gesellschaft für wissenschaftlich-technische Information mbH.
> Registered office: Eggenstein-Leopoldshafen, Amtsgericht Mannheim HRB 101892.
> Managing Director: Sabine Brünger-Weilandt.
> Chairman of the Supervisory Board: MinR Hermann Riehl.
>
>

RE: OpenID support in JSPWiki?

Posted by "Schenk, Andre" <An...@FIZ-Karlsruhe.DE>.
Hi developers,

just a short message from me, that supplying the WikiEngine to a custom login module now works with JSPWiki 2.8.3. Many thanks for that!!!

Best regards,

André
--------------------------
André Schenk
ePublishing & eScience
Development & Applied Research
Phone +49 7247 808-215
Fax +49 7247 808-133
Andre.Schenk@fiz-karlsruhe.de


FIZ Karlsruhe
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen, Germany

www.fiz-karlsruhe.de
---------------------------------------
 



-------------------------------------------------------

Fachinformationszentrum Karlsruhe, Gesellschaft für wissenschaftlich-technische Information mbH.
Registered office: Eggenstein-Leopoldshafen, Amtsgericht Mannheim HRB 101892.
Managing Director: Sabine Brünger-Weilandt.
Chairman of the Supervisory Board: MinR Hermann Riehl.



Re: OpenID support in JSPWiki?

Posted by Tilman Bender <tb...@stud.hs-heilbronn.de>.
Hi Andrew,

I had a look into adding the support for HttpRequestCallBack to  
WikiCallbackHandler and came up with two more suggestions:

1. Currently a WikiCallBackHandler is created with a UserDatabase and  
username and password:

public WikiCallbackHandler( UserDatabase database, String username, String password )

How about using references to WikiEngine and UserProfile instead:

public WikiCallbackHandler( WikiEngine engine, UserProfile profile )

Cons:
- Added dependencies to WikiEngine and UserProfile

Pros:
- Handling new CallBacks becomes easier since we can obtain most of  
the information via WikiEngine
   (also regarding Andre's Request)
- Handling new Callbacks becomes easier since we have access to full  
user-information instead of
   only name and password. This might make the interface of  
WikiCallBackHandler more stable even if
   new Attributes are added to the user (like OpenID Identifiers).
- Requires very little change to current interface of  
WikiCallBackhandler (only the constructor)

2. WikiCallBackHandler is currently only created in
AuthenticationManager, which only has access to HttpRequest in the
special case of container or cookie-based authentication:

login( HttpServletRequest request )

but not the login from within the application:

login( WikiSession session, String username, String password )

(again: shouldn't we use a UserProfile Object here instead of strings here?)

So how are you planning to get the HttpRequest in there? ;-)

Sorry, about all this retelling you things about your code you
probably already know. It just helps me to think myself into it. I
hope the
project will benefit from it as well. If I sound a bit pressing:
actually I am. I'd like to get my pre-thesis finished in mid of May ;-)

kind regards

Tilman Bender
Software Engineering student
Hochschule Heilbronn
tbender@stud.hs-heilbronn.de



On 26.03.2009 at 04:38, Andrew Jaquith wrote:

> Hi Tilman --
>
> Your analysis is correct. You would need to obtain the HttpRequest
> from WikiCallbackHandler, which at the moment it does not know how to
> supply. We have had some other questions about this recently, notably
> Andre Schenk's desire to be able to obtain a reference to the
> WikiEngine from inside his custom LoginModule.
>
> In both cases, the common thread is that we need to supply additional
> callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2,
> by simply adding in support for the HttpRequestCallback. That should
> meet your needs, no?
>
> It should also meet Andre's, indirectly, in the sense that if you have
> an HttpRequest you can fairly easily retrieve the WikiEngine also (by
> passing getSession().getServletContext() to WikiEngine.getInstance()).
>
> Andrew
>


Re: OpenID support in JSPWiki?

Posted by Andrew Jaquith <an...@gmail.com>.
Hi Tilman --

Your analysis is correct. You would need to obtain the HttpRequest
from WikiCallbackHandler, which at the moment it does not know how to
supply. We have had some other questions about this recently, notably
Andre Schenk's desire to be able to obtain a reference to the
WikiEngine from inside his custom LoginModule.

In both cases, the common thread is that we need to supply additional
callbacks to WikiCallbackHandler. I'm inclined to fix this in 2.8.2,
by simply adding in support for the HttpRequestCallback. That should
meet your needs, no?

It should also meet Andre's, indirectly, in the sense that if you have
an HttpRequest you can fairly easily retrieve the WikiEngine also (by
passing getSession().getServletContext() to WikiEngine.getInstance()).

Andrew

On Wed, Mar 25, 2009 at 7:27 AM, Tilman Bender
<tb...@stud.hs-heilbronn.de> wrote:
> Hi Andrew,
>
> Thanks for your help!
>
> Let's see if I got it right:
>
> - My OpenidAssertionLoginModule needs the data from the HttpRequest
> - The way to obtain this data is via HttpRequestCallback
>
> From what I can see so far, the HttpRequest in HttpRequestCallBack is only
> set in WebContainerCallbackHandler, which is used by:
>
> - WebContainerLoginModule
> - CookieAssertionLoginModule
> - AnonymousLoginModule
>
> So as I get it, I would have to either use this CallBackHandler instead of
> WikiCallBackHandler or find a way to set the HttpRequest in
> HttpRequestCallBack from within WikiCallBackHandler.
>
> Question is: How can I access the request from within WikiCallBackHandler?
>
> I agree on the attribute exchange on login, although I would see that as a
> further improvement to the basic OpenID functionality.
>
> For the UI side, I attached some mocks. This is what my UI currently looks
> like, but it is far from complete. Comments welcome :-)
>
> kind regards
>
> Tilman Bender
> Software Engineering student
> Hochschule Heilbronn
> tbender@stud.hs-heilbronn.de
>
>
>
> On 20.03.2009 at 14:43, Andrew Jaquith wrote:
>
>> Tilman--
>>
>> Thanks for your e-mail, and for your good work.
>>
>> Your thought-process on this seems sound. Agreed, the first phase of login
>> (OP discovery + redirect) should be handled by a custom JSP. The second
>> phase (validation) should be handled by JAAS.
>>
>> To do this, you will need to get the HttpRequest object. JSPWiki does have
>> an HttpRequestCallback that can supply this, at least in the custom
>> authentication case. You will need to check to see if WikiCallbackHandler
>> passes that callback. If not, it is trivial to patch the code to do this.
>>
>> So, I think this is basically in line with what you proposed.
>>
>> Some other thoughts:
>>
>> At login time, it would be highly desirable to use SREG or OpenID
>> attribute exchange to pull the user's name and e-mail address and use the
>> returned values to update their profile, which would ensure that their
>> information is always current. The login ID used to look up the profile
>> should be the user's OpenID URL... I think.
>>
>> On the UI side, we will need a special OpenID login page (JSP). The
>> regular login page could include this if desired.
>>
>> Andrew
>>

Re: OpenID support in JSPWiki?

Posted by Tilman Bender <tb...@stud.hs-heilbronn.de>.
Hi Andrew,

Thanks for your help!

Let's see if I got it right:

- My OpenidAssertionLoginModule needs the data from the HttpRequest
- The way to obtain this data is via HttpRequestCallback

From what I can see so far, the HttpRequest in HttpRequestCallBack is only
set in WebContainerCallbackHandler, which is used by:

- WebContainerLoginModule
- CookieAssertionLoginModule
- AnonymousLoginModule

So as I get it, I would have to either use this CallBackHandler
instead of WikiCallBackHandler
or find a way to set the HttpRequest in HttpRequestCallBack from
within WikiCallBackHandler.

Question is: How can I access the request from within
WikiCallBackHandler?

I agree on the attribute exchange on login, although I would see that
as a further improvement to the basic OpenID
functionality.

For the UI side, I attached some mocks. This is what my UI currently
looks like, but it is far from complete. Comments
welcome :-)


Re: OpenID support in JSPWiki?

Posted by Andrew Jaquith <an...@gmail.com>.
Tilman--

Thanks for your e-mail, and for your good work.

Your thought-process on this seems sound. Agreed, the first phase of  
login (OP discovery + redirect) should be handled by a custom JSP. The  
second phase (validation) should be handled by JAAS.

To do this, you will need to get the HttpRequest object. JSPWiki does  
have an HttpRequestCallback that can supply this, at least in the  
custom authentication case. You will need to check to see if  
WikiCallbackHandler passes that callback. If not, it is trivial to  
patch the code to do this.

So, I think this is basically in line with what you proposed.

Some other thoughts:

At login time, it would be highly desirable to use SREG or OpenID  
attribute exchange to pull the user's name and e-mail address and use  
the returned values to update their profile, which would ensure that  
their information is always current. The login ID used to look up the  
profile should be the user's OpenID URL... I think.

On the UI side, we will need a special OpenID login page (JSP). The  
regular login page could include this if desired.

Andrew

On Mar 18, 2009, at 7:02, Tilman Bender <tb...@stud.hs-heilbronn.de>  
wrote:

> Hey guys,
>
> I am currently playing with the 2.8.1 code and openid4java.
>
> But I am having a hard time trying to figure out where exactly to
> hook in the OpenID stuff.
> The problem is (as also described in #JSPWIKI-94), that:
>
> 1. To me it seems you cannot do the whole thing in JAAS:
> OpenID as I understand it has two phases :
>
> Phase I:
> - The user just submitted his openid identifier to our
> login/registration form.
> - We do discovery on the identifier to find the Endpoint of his  
> OpenID Provider (and check if the provider is in our whitelist)
> - We redirect the user to his OpenID provider
>
> So in this phase it makes no sense to me to use a JAAS-Module since
> we wouldn't be able to complete the login method
> as we do not know enough about the user yet (we do not know if his  
> identity is asserted by the OpenID Provider).
> So I currently do this via JSP  and Scriptlets (no custom tag yet).
>
> Phase II:
> - The user is redirected back to us by his OpenID Provider
> - We connect to the OpenID Provider to verify the assertion that was  
> passed along the request (be it a positive or negative assertion)
> - Now we know enough about the user to log them in.
>
> I currently try to use UserManager.setUserProfile in this situation.  
> Now here comes my Problem:
>
> I would like to do all the assertion verification in a JAAS-Module,
> but for that I need all the request
> data, which I do not have in the setUserProfile-Method.
>
> So currently I am stuck. Before I start to wildly mess the API: Am I  
> taking the right direction?
>
>
> Tilman Bender
> Software Engineering student
> Hochschule Heilbronn
> tbender@stud.hs-heilbronn.de
>
>
>
> On 03.12.2008 at 21:50, Janne Jalkanen wrote:
>
>> Hi!
>>
>> Thanks for the effort - sounds like a worthy project!
>>
>> I think you will save yourself a lot of grief if you work on the  
>> 2.8.1 branch, since the trunk is now the subject of a lot of  
>> changes - but note that we *will* be making some rather major  
>> changes for 3.0, so you may face a small porting effort towards the  
>> end.  We certainly wouldn't like to land a major feature in 2.8  
>> branch anymore, since it's rather stable.
>>
>> I think the first thing you could do is to outline your plan as to
>> how exactly are you planning to hook into our structures - a good
>> place to start is probably the Security documentation at
>> http://doc.jspwiki.org/2.8/wiki/Security, and then asking a lot of
>> questions on this mailing list.
>>
>> Also, since we are talking about a fairly large project here, you  
>> might want to sign a contributor license agreement (CLA), and  
>> depending on the German copyright legislation, get also Heilbronn  
>> to sign a corporate CLA.  That, or Heilbronn (or you) need to, at  
>> the end of the project, give a software grant (SGA) to Apache  
>> Software Foundation.  But these are not biggies and can be tackled  
>> if/when we start merging ;-)
>>
>> /Janne
>>
>> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
>>
>>> Hi JSPWiki Devs,
>>>
>>> I am a student at Heilbronn University in Germany (Some of you  
>>> might know Christoph Sauer, who worked there.)
>>> As pre-thesis for my diploma I want to enhance JSPWiki with OpenID.
>>>
>>> I am still pretty new to JSPWiki, OpenID and JAAS.
>>> I have worked my way through the official OpenID 2.0  
>>> Authentication standard
>>> and will do as well for Attributes Exchange.
>>>
>>> I would like to base my work on the 2.8.1 tag and
>>> see to get it integrated into the trunk later. Is that the correct
>>> way to do it?
>>>
>>> As I see Andrew already spent quite some time on OpenID and did  
>>> some preparations.
>>> Since I plan to get my diploma someday soon (say in 2009 ;-)), I
>>> have a high personal interest
>>> in getting OpenID into JSPWiki.
>>>
>>> Summary:
>>>
>>> * I have time
>>> * I have motivation
>>> * I need some help to get started ;-)
>>>
>>> Any suggestions where to begin? I guess registration/profile  
>>> creation would be first.
>>>
>>> kind regards
>>>
>>>
>>> Tilman Bender
>>> Software Engineering student
>>> Hochschule Heilbronn
>>> tbender@stud.hs-heilbronn.de
>>>
>>>
>>
>
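
The callback plumbing discussed in this thread, as an added example that is not JSPWiki's or any poster's code: a JAAS LoginModule asks its CallbackHandler for the phase II request data and fails closed when the handler cannot supply it. The names RequestParamsCallback, AssertionVerifier, RequestAwareHandler and AssertionLoginModule are hypothetical, a Map of parameters stands in for the servlet request so the code needs only the JDK, and the verifier is a constructed stand-in for the real check against the OpenID Provider.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RequestCallbackDemo {
    /** Hypothetical stand-in for an HttpRequestCallback: carries the request parameters. */
    static class RequestParamsCallback implements Callback { Map<String, String> params; }

    /** Hypothetical hook; a real one checks the assertion with the OP, e.g. via openid4java. */
    interface AssertionVerifier {
        String verifiedIdentifier(Map<String, String> params) throws LoginException;
    }

    /** Built where the request is in scope (phase II), so it can answer the module's callback. */
    static class RequestAwareHandler implements CallbackHandler {
        private final Map<String, String> params;
        RequestAwareHandler(Map<String, String> params) { this.params = params; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof RequestParamsCallback)) throw new UnsupportedCallbackException(cb);
                ((RequestParamsCallback) cb).params = params;
            }
        }
    }

    static class AssertionLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private AssertionVerifier verifier; private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; verifier = (AssertionVerifier) opts.get("verifier");
        }
        public boolean login() throws LoginException {
            RequestParamsCallback cb = new RequestParamsCallback();
            try {
                handler.handle(new Callback[] { cb });
            } catch (Exception e) { // handler cannot supply the request: fail closed
                throw new LoginException("no request data from callback handler: " + e);
            }
            if (cb.params == null) throw new FailedLoginException("empty request data");
            String id = verifier.verifiedIdentifier(cb.params); // throws on a negative assertion
            principal = () -> id;
            return true;
        }
        public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo verifier. Request parameters are untrusted input: a real verifier
        // must validate the assertion with the OP instead of trusting openid.mode.
        AssertionVerifier demo = p -> {
            if (!"id_res".equals(p.get("openid.mode"))) throw new FailedLoginException("negative assertion");
            return p.get("openid.claimed_id");
        };
        Subject subject = new Subject();
        AssertionLoginModule ok = new AssertionLoginModule();
        ok.initialize(subject, new RequestAwareHandler(Map.of("openid.mode", "id_res",
                "openid.claimed_id", "https://user.example/")), Map.of(), Map.of("verifier", demo));
        System.out.println("with request: " + (ok.login() && ok.commit()) + ", " + subject.getPrincipals().size());
        // A handler that knows nothing about the request callback, as in the situation discussed.
        AssertionLoginModule blind = new AssertionLoginModule();
        blind.initialize(new Subject(), cbs -> { throw new UnsupportedCallbackException(cbs[0]); },
                Map.of(), Map.of("verifier", demo));
        try { blind.login(); } catch (LoginException e) { System.out.println("without request: " + e.getMessage()); }
    }
}
```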