Posted to dev@lenya.apache.org by Michael Ralston <mi...@ralston.id.au> on 2007/04/02 04:29:19 UTC

making ac global rather than publication specific

Imagine this scenario...

The root url of the lenya application requires authentication. After
authenticating the user will be shown the lenya welcome page, listing
only publications which the user has privileges on.

To accomplish this I am thinking of removing publication directory
from the user object, but leaving publication directory in the group
object. By doing this users will be global across all publications,
but groups will still be publication specific.

I can then make a user a member of the editor group on one
publication, and a member of the review group on a different
publication. The welcome page would then display the publication and
which groups they were a member of on that publication (or not display
the publication at all if they are not a member of any group).

What do you guys think of this idea? Would it be potentially useful
for lenya projects you have worked on? How difficult do you think it
would be to implement?

The first issue I am concerned about is how to redirect a user to a
login page when they request the "Welcome to Apache Lenya" page.

How would I go about changing the Identity object? The method:
Identity.belongsTo(AccreditableManager manager)
would not really be applicable to how the new system works. As I
understand it, this method checks if the user contained in the current
identity belongs to the accreditableManager for the current
publication. Currently each publication has a different
accreditableManager. I guess I would need the accreditableManager to
be global across all publications.

Would it be easier to make all publications inherit their AC module
from the 'default' publication? If I did that how could I manage the
groups which users belonged to on a per publication basis?

thanks in advance for any feedback :)
Michael Ralston

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: making ac global rather than publication specific

Posted by Andreas Hartmann <an...@apache.org>.
Hi Michael,

maybe you could file an enhancement bug so that the issue doesn't
get lost.

-- Andreas

Michael Ralston schrieb:
> Imagine this scenario...
> 
> The root url of the lenya application requires authentication. After
> authenticating the user will be shown the lenya welcome page, listing
> only publications which the user has privileges on.
> 
> To accomplish this I am thinking of removing publication directory
> from the user object, but leaving publication directory in the group
> object. By doing this users will be global across all publications,
> but groups will still be publication specific.
> 
> I can then make a user a member of the editor group on one
> publication, and a member of the review group on a different
> publication. The welcome page would then display the publication and
> which groups they were a member of on that publication (or not display
> the publication at all if they are not a member of any group).
> 
> What do you guys think of this idea? Would it be potentially useful
> for lenya projects you have worked on? How difficult do you think it
> would be to implement?
> 
> The first issue I am concerned about is how to redirect a user to a
> login page when they request the "Welcome to Apache Lenya" page.
> 
> How would I go about changing the Identity object? The method:
> Identity.belongsTo(AccreditableManager manager)
> would not really be applicable to how the new system works. As I
> understand it, this method checks if the user contained in the current
> identity belongs to the accreditableManager for the current
> publication. Currently each publication has a different
> accreditableManager. I guess I would need the accreditableManager to
> be global across all publications.
> 
> Would it be easier to make all publications inherit their AC module
> from the 'default' publication? If I did that how could I manage the
> groups which users belonged to on a per publication basis?
> 
> thanks in advance for any feedback :)
> Michael Ralston




Re: making ac global rather than publication specific

Posted by Michael Ralston <mi...@kcms.com.au>.
I have been looking at the AccessControllerResolver interface. I found
some documentation at
http://lenya.apache.org/docs/1_2_x/components/accesscontrol/accesscontrollerresolvers.html
On this page, it shows a configuration segment under the heading
"Declaring the Access Controller Resolvers in cocoon.xconf". I found
this configuration in access-controller-resolver.xconf.

However, I also found in the AccessControllerResolver interface the
following declaration:

    /**
     * The name of the default resolver to use.
     */
    String DEFAULT_RESOLVER = "publication";

I did some testing in the eclipse debugger to confirm that the
PublicationAccessControllerResolver is the only one ever used. So why
do the other resolvers exist? Is it something left over from lenya 1.2
or is there something I'm missing?

The Publication AC resolver returns an AccessController based purely
on the publication name in the http request -
http://server:port/PUBNAME/index.html. Any requests to the lenya
welcome page do not contain a publication name, and the Publication AC
resolver returns null. AccessControlAction permits access if it cannot
get an AccessController.

What would be the best way to get an AccessController for the welcome
page? I only want authenticated users to be able to access this page.
I will then make a simple jx template to show only publications that
the user has access to.

Michael Ralston

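Added example (my own Java model, not Lenya code and not from any author in this thread) of the situation described in the message above: a resolver keyed purely on the publication name in the URL returns null for the welcome page, and an action that treats a missing controller as "permit" fails open for exactly the page that should require a login. The model chains a hypothetical global resolver behind the publication resolver and puts a fail-closed action beside the fail-open one. `Request`, `PublicationResolver`, `GlobalResolver`, `ChainResolver`, and the sample publication list are all assumptions standing in for Lenya's `AccessControllerResolver` and `AccessController` types, not the real API.

```java
// Added example, not Lenya code. Models a publication-keyed resolver that yields
// null for URLs without a publication name, a global fallback resolver, and the
// difference between a fail-open and a fail-closed action when no controller is found.
import java.util.*;

public class WelcomePageAccessDemo {

    /** Minimal stand-in for the request: path plus the logged-in user (null = anonymous). */
    static final class Request {
        final String path;
        final String user;
        Request(String path, String user) { this.path = path; this.user = user; }
    }

    /** Hypothetical stand-in for an access controller: decides whether a request is authorized. */
    interface AccessController { boolean authorize(Request req); }

    /** Hypothetical stand-in for a resolver: may return null when it has no controller for the URL. */
    interface AccessControllerResolver { AccessController resolve(Request req); }

    /** Constructed sample data: the publications known to this instance. */
    static final Set<String> PUBLICATIONS = new HashSet<>(Arrays.asList("default", "blog"));

    /** Mirrors the behaviour described in the thread: keyed only on the first path segment. */
    static final class PublicationResolver implements AccessControllerResolver {
        public AccessController resolve(Request req) {
            String[] seg = req.path.split("/");
            String pub = seg.length > 1 ? seg[1] : "";
            if (!PUBLICATIONS.contains(pub)) return null; // welcome page: no publication name
            return r -> r.user != null;                   // per-publication rule: require login
        }
    }

    /** Fallback for URLs outside any publication (the welcome page): authenticated users only. */
    static final class GlobalResolver implements AccessControllerResolver {
        public AccessController resolve(Request req) { return r -> r.user != null; }
    }

    /** Tries each resolver in order and returns the first non-null controller. */
    static final class ChainResolver implements AccessControllerResolver {
        private final List<AccessControllerResolver> chain;
        ChainResolver(AccessControllerResolver... resolvers) { chain = Arrays.asList(resolvers); }
        public AccessController resolve(Request req) {
            for (AccessControllerResolver r : chain) {
                AccessController ac = r.resolve(req);
                if (ac != null) return ac;
            }
            return null;
        }
    }

    /** Fail-open action as described in the thread: no controller means access is permitted. */
    static boolean failOpen(AccessControllerResolver res, Request req) {
        AccessController ac = res.resolve(req);
        return ac == null || ac.authorize(req);
    }

    /** Fail-closed variant: no controller means access is denied (the caller would redirect to login). */
    static boolean failClosed(AccessControllerResolver res, Request req) {
        AccessController ac = res.resolve(req);
        return ac != null && ac.authorize(req);
    }

    public static void main(String[] args) {
        Request anonWelcome = new Request("/", null);
        Request anonBlog = new Request("/blog/index.html", null);
        Request userWelcome = new Request("/", "alice");
        AccessControllerResolver pubOnly = new PublicationResolver();
        AccessControllerResolver chained = new ChainResolver(new PublicationResolver(), new GlobalResolver());

        System.out.println("pub-only, fail-open,   anonymous /      : " + failOpen(pubOnly, anonWelcome));
        System.out.println("pub-only, fail-closed, anonymous /      : " + failClosed(pubOnly, anonWelcome));
        System.out.println("chained,  fail-open,   anonymous /      : " + failOpen(chained, anonWelcome));
        System.out.println("chained,  fail-open,   alice /          : " + failOpen(chained, userWelcome));
        System.out.println("chained,  fail-open,   anonymous /blog  : " + failOpen(chained, anonBlog));
    }
}
```

Run with `javac WelcomePageAccessDemo.java && java WelcomePageAccessDemo`. The first line shows the fail-open case from the message (an anonymous request for `/` is permitted because no controller was found); the second shows that failing closed alone would block the welcome page for everyone, logged in or not, so the chained resolver is the part that actually answers "which controller handles the welcome page", and the fail-closed action is the safety net for any URL that no resolver claims.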


Re: making ac global rather than publication specific

Posted by Michael Wechner <mi...@wyona.com>.
Bob Harner wrote:

> On 4/1/07, Michael Ralston <mi...@ralston.id.au> wrote:
>
>> Imagine this scenario...
>>
>> The root url of the lenya application requires authentication. After
>> authenticating the user will be shown the lenya welcome page, listing
>> only publications which the user has privileges on.
>>
>> To accomplish this I am thinking of removing publication directory
>> from the user object, but leaving publication directory in the group
>> object. By doing this users will be global across all publications,
>> but groups will still be publication specific.
>>
>> I can then make a user a member of the editor group on one
>> publication, and a member of the review group on a different
>> publication. The welcome page would then display the publication and
>> which groups they were a member of on that publication (or not display
>> the publication at all if they are not a member of any group).
>>
>> What do you guys think of this idea? Would it be potentially useful
>> for lenya projects you have worked on? How difficult do you think it
>> would be to implement?
>>
>> The first issue I am concerned about is how to redirect a user to a
>> login page when they request the "Welcome to Apache Lenya" page.
>>
>> How would I go about changing the Identity object? The method:
>> Identity.belongsTo(AccreditableManager manager)
>> would not really be applicable to how the new system works. As I
>> understand it, this method checks if the user contained in the current
>> identity belongs to the accreditableManager for the current
>> publication. Currently each publication has a different
>> accreditableManager. I guess I would need the accreditableManager to
>> be global across all publications.
>>
>> Would it be easier to make all publications inherit their AC module
>> from the 'default' publication? If I did that how could I manage the
>> groups which users belonged to on a per publication basis?
>>
>> thanks in advance for any feedback :)
>> Michael Ralston
>
>
> We had a similar need to unify the logins of multiple Lenya
> publications, but we approached it from a different angle.  In our
> case, we wanted Lenya to work with the commercial single sign-on (SSO)
> product that we already had.  The SSO product sits in front of our app
> server and handles the authentication (via LDAP) for all Lenya
> requests via a plug-in on the web server.  So we changed Lenya's
> authentication to look at the REMOTE_USER HTTP header (which our
> single sign-on product always sets) and only prompt for a user name
> and password if REMOTE_USER is empty.
>
> This solution has the advantage that it should work with any
> authentication mechanism implemented at the web server level,
> including Basic Authentication done by Apache httpd.
>
> I can provide more details if there is interest.


yes, that would be great

Cheers

Michael

> Our solution extends
> a Lenya class or two, rather than modifying them,



> so it is pretty
> clean and simple and is backward-compatible with environments that
> don't have the REMOTE_USER header available.  Unfortunately, we are
> using Lenya 1.2.4 (because 1.4 isn't released yet).
>


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org
+41 44 272 91 61




Re: making ac global rather than publication specific

Posted by Bob Harner <bo...@gmail.com>.
On 4/3/07, Michael Ralston <mi...@kcms.com.au> wrote:
> On 4/4/07, Bob Harner <bo...@gmail.com> wrote:
> > On 4/1/07, Michael Ralston <mi...@ralston.id.au> wrote:
> > > Imagine this scenario...
> > >
> > > How would I go about changing the Identity object? The method:
> > > Identity.belongsTo(AccreditableManager manager)
> > > would not really be applicable to how the new system works. As I
> > > understand it, this method checks if the user contained in the current
> > > identity belongs to the accreditableManager for the current
> > > publication. Currently each publication has a different
> > > accreditableManager. I guess I would need the accreditableManager to
> > > be global across all publications.
> > >
> >
> > We had a similar need to unify the logins of multiple Lenya
> > publications, but we approached it from a different angle.  In our
> > case, we wanted Lenya to work with the commercial single sign-on (SSO)
> > product that we already had.  The SSO product sits in front of our app
> > server and handles the authentication (via LDAP) for all Lenya
> > requests via a plug-in on the web server.  So we changed Lenya's
> > authentication to look at the REMOTE_USER HTTP header (which our
> > single sign-on product always sets) and only prompt for a user name
> > and password if REMOTE_USER is empty.
>
> Do you have multiple publications in your lenya instance? If so, how
> does your solution handle logging into one publication, then changing
> to a different publication? Does it require logging in a second time
> into the second publication?

Yes, we have multiple completely independent web sites running under
the same Lenya instance this way, and the user only has to log in once
to access any of the publications, without any additional login
prompting as the user goes from site to site.  The developer that did
the work is unavailable this week, so the details will have to wait
until next week, but the main change was to create
BasicAuthUserAuthenticator.java, which extends UserAuthenticator.java,
checking request.getRemoteUser() before deciding whether to display
the login page.  The key to making this work, remember, is to set up
authentication at the web server level.

>
> Michael Ralston
>

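Added example (my own Java model, not the code Bob describes and not from anyone in this thread) of the approach in the reply above: an authenticator subclass that consults the container-populated `getRemoteUser()` before falling back to the form login. The `Request` interface, the `UserAuthenticator` base class and the in-memory user table are stand-ins, not Lenya's classes; only the method name `getRemoteUser()` mirrors `HttpServletRequest`. The point worth checking in such a change is that identity is taken from `getRemoteUser()`, which the web server or container sets after it has authenticated the client, and never from a request header, since any client can send a header of its own choosing.

```java
// Added example, not Lenya code. Models an authenticator that trusts the
// container-populated remote user (what a web-server or SSO plug-in sets) and
// only falls back to the login form when no remote user is present.
import java.util.*;

public class RemoteUserAuthDemo {

    /** Hypothetical stand-in for the servlet request; getRemoteUser() mirrors HttpServletRequest. */
    interface Request {
        String getRemoteUser();            // set by the container/web server after it authenticated the client
        String getHeader(String name);     // client-supplied headers: never consulted for identity
        String getParameter(String name);  // form fields from the login page
    }

    /** Constructed sample data standing in for Lenya's user store: user id -> password. */
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "s3cret");
        USERS.put("bob", "hunter2");
    }

    /** Base form-login authenticator: returns the authenticated user id, or null to show the login page. */
    static class UserAuthenticator {
        String authenticate(Request req) {
            String name = req.getParameter("username");
            String pw = req.getParameter("password");
            if (name == null || pw == null) return null;
            String stored = USERS.get(name);
            return stored != null && stored.equals(pw) ? name : null;
        }
    }

    /** Extension: use the container's remote user when present, otherwise defer to the form login. */
    static class BasicAuthUserAuthenticator extends UserAuthenticator {
        @Override
        String authenticate(Request req) {
            String remote = req.getRemoteUser();
            if (remote != null && !remote.isEmpty()) {
                // Web-server authentication only establishes identity; the user must still
                // exist in the application's store so publication groups and roles apply.
                return USERS.containsKey(remote) ? remote : null;
            }
            return super.authenticate(req); // no remote user: behave exactly like the base class
        }
    }

    /** Builds a request for the demo from a remote user, headers and form parameters. */
    static Request request(String remoteUser, Map<String, String> headers, Map<String, String> params) {
        return new Request() {
            public String getRemoteUser() { return remoteUser; }
            public String getHeader(String n) { return headers.get(n); }
            public String getParameter(String n) { return params.get(n); }
        };
    }

    public static void main(String[] args) {
        UserAuthenticator auth = new BasicAuthUserAuthenticator();
        Map<String, String> none = Collections.emptyMap();

        // 1. The web server already authenticated alice: no login form is shown.
        System.out.println("container remote user alice   : " + auth.authenticate(request("alice", none, none)));

        // 2. No remote user but valid form credentials: the form login still works.
        Map<String, String> form = new HashMap<>();
        form.put("username", "bob");
        form.put("password", "hunter2");
        System.out.println("form login bob                : " + auth.authenticate(request(null, none, form)));

        // 3. A client sends its own REMOTE_USER header: ignored, identity comes only from getRemoteUser().
        Map<String, String> clientHeader = new HashMap<>();
        clientHeader.put("REMOTE_USER", "alice");
        System.out.println("client-supplied header only   : " + auth.authenticate(request(null, clientHeader, none)));

        // 4. Container-authenticated name unknown to the application: treated as not logged in.
        System.out.println("container remote user mallory : " + auth.authenticate(request("mallory", none, none)));
    }
}
```

Run with `javac RemoteUserAuthDemo.java && java RemoteUserAuthDemo`. Cases 1 and 2 print the user id; cases 3 and 4 print `null`, which the caller would treat as "show the login page". Because the subclass only adds a check in front of the inherited behaviour, an environment without web-server authentication behaves exactly as before, which is the backward compatibility Bob describes.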


Re: making ac global rather than publication specific

Posted by Michael Ralston <mi...@kcms.com.au>.
On 4/4/07, Bob Harner <bo...@gmail.com> wrote:
> On 4/1/07, Michael Ralston <mi...@ralston.id.au> wrote:
> > Imagine this scenario...
> >
> > How would I go about changing the Identity object? The method:
> > Identity.belongsTo(AccreditableManager manager)
> > would not really be applicable to how the new system works. As I
> > understand it, this method checks if the user contained in the current
> > identity belongs to the accreditableManager for the current
> > publication. Currently each publication has a different
> > accreditableManager. I guess I would need the accreditableManager to
> > be global across all publications.
> >
>
> We had a similar need to unify the logins of multiple Lenya
> publications, but we approached it from a different angle.  In our
> case, we wanted Lenya to work with the commercial single sign-on (SSO)
> product that we already had.  The SSO product sits in front of our app
> server and handles the authentication (via LDAP) for all Lenya
> requests via a plug-in on the web server.  So we changed Lenya's
> authentication to look at the REMOTE_USER HTTP header (which our
> single sign-on product always sets) and only prompt for a user name
> and password if REMOTE_USER is empty.

Do you have multiple publications in your lenya instance? If so, how
does your solution handle logging into one publication, then changing
to a different publication? Does it require logging in a second time
into the second publication?

Michael Ralston



Re: making ac global rather than publication specific

Posted by Bob Harner <bo...@gmail.com>.
On 4/1/07, Michael Ralston <mi...@ralston.id.au> wrote:
> Imagine this scenario...
>
> The root url of the lenya application requires authentication. After
> authenticating the user will be shown the lenya welcome page, listing
> only publications which the user has privileges on.
>
> To accomplish this I am thinking of removing publication directory
> from the user object, but leaving publication directory in the group
> object. By doing this users will be global across all publications,
> but groups will still be publication specific.
>
> I can then make a user a member of the editor group on one
> publication, and a member of the review group on a different
> publication. The welcome page would then display the publication and
> which groups they were a member of on that publication (or not display
> the publication at all if they are not a member of any group).
>
> What do you guys think of this idea? Would it be potentially useful
> for lenya projects you have worked on? How difficult do you think it
> would be to implement?
>
> The first issue I am concerned about is how to redirect a user to a
> login page when they request the "Welcome to Apache Lenya" page.
>
> How would I go about changing the Identity object? The method:
> Identity.belongsTo(AccreditableManager manager)
> would not really be applicable to how the new system works. As I
> understand it, this method checks if the user contained in the current
> identity belongs to the accreditableManager for the current
> publication. Currently each publication has a different
> accreditableManager. I guess I would need the accreditableManager to
> be global across all publications.
>
> Would it be easier to make all publications inherit their AC module
> from the 'default' publication? If I did that how could I manage the
> groups which users belonged to on a per publication basis?
>
> thanks in advance for any feedback :)
> Michael Ralston

We had a similar need to unify the logins of multiple Lenya
publications, but we approached it from a different angle.  In our
case, we wanted Lenya to work with the commercial single sign-on (SSO)
product that we already had.  The SSO product sits in front of our app
server and handles the authentication (via LDAP) for all Lenya
requests via a plug-in on the web server.  So we changed Lenya's
authentication to look at the REMOTE_USER HTTP header (which our
single sign-on product always sets) and only prompt for a user name
and password if REMOTE_USER is empty.

This solution has the advantage that it should work with any
authentication mechanism implemented at the web server level,
including Basic Authentication done by Apache httpd.

I can provide more details if there is interest.  Our solution extends
a Lenya class or two, rather than modifying them, so it is pretty
clean and simple and is backward-compatible with environments that
don't have the REMOTE_USER header available.  Unfortunately, we are
using Lenya 1.2.4 (because 1.4 isn't released yet).
