Posted to dev@roller.apache.org by da...@aim.com on 2007/02/07 11:11:27 UTC

Problem with Roller 3.0 user provisioning and LDAP authentication features

Hi,

I am using Roller v3.0 on WebLogic v8.1.5. I turned on LDAP authentication in the security.xml file and found a problem with auto user provisioning, specifically when AnonymousProcessingFilter is disabled. The ACEGI classes will not allow a legitimate LDAP account to proceed to create a weblog after LDAP authentication, as the minimum role of 'editor' is only created after auto user provisioning. Although the auto provisioning does execute successfully and the user's account is created in the Roller DB, the new user will encounter a '403 - Access Denied' HTTP error after the first-time login. I have to restart the application so that ACEGI can pick up the additional 'editor' role granted.

I worked around the problem by extending the existing ACEGI classes and modifying the RollerSession class (please see http://codeharmonics.blogspot.com/2007/02/roller-v30-with-active-directory-non.html). Basically, I had to re-create the user principal object and refresh the user cache. I believe a better way to do this is to perform the auto user provisioning in the filter classes instead. Please consider allowing auto provisioning in the filter class so that the authentication mechanism can work more intuitively.

Lastly, I am not on the mailing list; I would appreciate it if you could include me in the dev list. Thank you very much.

Warmest regards,
Damon Chong

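To make the reported failure mode concrete, here is an added Java sketch (not Roller's or Acegi's code, and not the patch from the linked blog post) of the workaround the report describes: after provisioning has stored the new account, rebuild the Acegi Authentication with the newly granted 'editor' authority and evict the cached UserDetails, so the role is visible in the same session instead of only after a restart. Class and method names assume Acegi 1.0.x; ProvisionedRoleRefresher and grantEditorRole are hypothetical names.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.dao.UserCache;

/** Illustrative helper (hypothetical, not Roller code). */
public final class ProvisionedRoleRefresher {

    // Role name as used in the report; granted by auto provisioning.
    private static final String EDITOR_ROLE = "editor";

    private ProvisionedRoleRefresher() {}

    /** True if the Authentication already carries the given role. */
    public static boolean hasRole(Authentication auth, String role) {
        if (auth == null || auth.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Why the 403 happens: the token in the security context holds the
     * authorities computed at LDAP login, before provisioning granted
     * 'editor'. Rebuild the token with that role and evict the cached
     * UserDetails so the DAO provider re-reads the provisioned account.
     * userCache may be null when no caching is configured.
     */
    public static void grantEditorRole(UserCache userCache) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || hasRole(current, EDITOR_ROLE)) {
            return; // not logged in, or role already present
        }
        GrantedAuthority[] old = current.getAuthorities();
        GrantedAuthority[] refreshed = new GrantedAuthority[old.length + 1];
        System.arraycopy(old, 0, refreshed, 0, old.length);
        refreshed[old.length] = new GrantedAuthorityImpl(EDITOR_ROLE);

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), refreshed);
        token.setDetails(current.getDetails()); // keep remote address / session id
        SecurityContextHolder.getContext().setAuthentication(token);
        if (userCache != null) {
            userCache.removeUserFromCache(current.getName());
        }
    }
}
```

Call grantEditorRole right after the provisioning step succeeds; the original suggestion of provisioning inside the filter itself would remove the need for this refresh entirely.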

Re: Problem with Roller 3.0 user provisioning and LDAP authentication features

Posted by Dave <sn...@gmail.com>.
On 2/7/07, damonchong@aim.com <da...@aim.com> wrote:
>  I am using Roller v3.0 on WebLogic v8.1.5. I turned on LDAP authentication in the security.xml file and found a problem with auto user provisioning, specifically when AnonymousProcessingFilter is disabled. The ACEGI classes will not allow a legitimate LDAP account to proceed to create a weblog after LDAP authentication, as the minimum role of 'editor' is only created after auto user provisioning. Although the auto provisioning does execute successfully and the user's account is created in the Roller DB, the new user will encounter a '403 - Access Denied' HTTP error after the first-time login. I have to restart the application so that ACEGI can pick up the additional 'editor' role granted.

>  I worked around the problem by extending the existing ACEGI classes and modifying the RollerSession class (please see http://codeharmonics.blogspot.com/2007/02/roller-v30-with-active-directory-non.html). Basically, I had to re-create the user principal object and refresh the user cache. I believe a better way to do this is to perform the auto user provisioning in the filter classes instead. Please consider allowing auto provisioning in the filter class so that the authentication mechanism can work more intuitively.

How does your setup differ from the one I documented last week on roller-dev?

That setup did not require code changes. It required new users to
login via LDAP and then it pre-populated the new user for them
based on info from LDAP.


>  Lastly, I am not on the mailing list; I would appreciate it if you could include me in the dev list. Thank you very much.

Follow the instructions on the wiki to subscribe to the roller-dev or
roller-user mailing list.

- Dave