incubator-clerezza-dev mailing list archives

From Daniel Spicar <daniel.spi...@trialox.org>
Subject Re: Auth management in Clerezza
Date Fri, 15 Jun 2012 10:26:56 GMT
Hi Florent,

Generally I only used security when dealing with the Clerezza Platform
Bundles. If you want to work only with lower level API I don't know how to
use our Security modules.

We do have a system for Permissions in Clerezza. Some documentation can be
found at http://incubator.apache.org/clerezza/documentation/ (search for
the heading "Security"). I do not know too much about them, though; they
look like JAAS permissions. I used them from time to time and just
checked how it has been used by some bundles and copied the approach. Maybe
someone else can give more detailed information.

When it comes to graph access via TcManager, there is a permission for
checking read and write access:
(org.apache.clerezza.rdf.core.access.security.TcPermission "<graphUri>"
"readwrite"). The security system is tied to Clerezza platform users who
can have those permissions assigned to them. So when a user is
authenticated (cookie and http basic auth are supported by the platform)
all accesses to a graph run inside this user's security context and
permissions are checked. If you want other authentication methods you will
need to implement a Clerezza WeightedAuthenticationMethod OSGi service.

Now when you want the users managed by an LDAP server you will most likely
need to implement this support first. I once dealt with a similar scenario
but then LDAP users were imported to the Clerezza platform and periodically
updated. If you have the users managed by the LDAP server you probably have
to come up with some method to make them known to the Clerezza platform
such that permission can be assigned to them. Then you will have to
implement a Clerezza AuthenticationChecker OSGi service that relays
authentication to the LDAP server in some way.

To summarize, two points not to be confused:
- There are Authentication Methods. We support HTTP Basic Auth and Cookies.
This deals with how the user credentials are supplied to the Platform.
- There are Authentication Checkers. This deals with how the supplied
credentials are validated/checked, e.g. the Password encoding. Clerezza
uses SHA-1 AFAIK. This is regardless of auth. method. If you supply an
authentication checker that supports MD5, it will be used by each auth.
method to try and validate the user credentials.

I'm not an expert on this part of Clerezza though so some information may
be inaccurate. This is what I remember ;)
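The two ideas in the mail above, a graph permission whose "readwrite" action implies "read", and a credential checker that validates a supplied password independently of how it arrived, are shown below in a small Java program. This is an added example, not Clerezza's own code: GraphPermission, CredentialChecker, Sha1CredentialChecker and ClerezzaAuthDemo are hypothetical stand-ins that only mirror the roles the mail describes (the real TcPermission, AuthenticationChecker and WeightedAuthenticationMethod classes have their own signatures), and the user store and graph URIs are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Permissions;
import java.util.Map;

/**
 * Hypothetical stand-in for a TcPermission-style graph permission:
 * the permission name is the graph URI, the actions are "read" or "readwrite".
 * Assumption of this example: "readwrite" on a graph implies "read" on the
 * same graph, and graph URIs must match exactly (no wildcard support).
 */
final class GraphPermission extends Permission {
    private final boolean write;

    GraphPermission(String graphUri, String actions) {
        super(graphUri);
        if (actions.equals("readwrite")) {
            write = true;
        } else if (actions.equals("read")) {
            write = false;
        } else {
            throw new IllegalArgumentException("actions must be read or readwrite: " + actions);
        }
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof GraphPermission)) return false;
        GraphPermission other = (GraphPermission) p;
        if (!getName().equals(other.getName())) return false;
        // A read grant never implies write; a readwrite grant implies both.
        return write || !other.write;
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof GraphPermission)) return false;
        GraphPermission other = (GraphPermission) o;
        return write == other.write && getName().equals(other.getName());
    }

    @Override
    public int hashCode() { return getName().hashCode() * 31 + (write ? 1 : 0); }

    @Override
    public String getActions() { return write ? "readwrite" : "read"; }
}

/** Hypothetical checker role: validates credentials regardless of which auth method supplied them. */
interface CredentialChecker {
    boolean authenticate(String userName, String password);
}

/** Checker that compares the supplied password against stored SHA-1 digests. */
final class Sha1CredentialChecker implements CredentialChecker {
    private final Map<String, byte[]> storedDigests;

    Sha1CredentialChecker(Map<String, byte[]> storedDigests) { this.storedDigests = storedDigests; }

    static byte[] sha1(String s) {
        try {
            return MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public boolean authenticate(String userName, String password) {
        byte[] stored = storedDigests.get(userName);
        if (stored == null) return false;
        // Constant-time comparison so timing does not leak how many bytes matched.
        return MessageDigest.isEqual(stored, sha1(password));
    }
}

public class ClerezzaAuthDemo {
    public static void main(String[] args) {
        // Constructed user store: one user with a SHA-1 digest of her password.
        CredentialChecker checker = new Sha1CredentialChecker(
                Map.of("alice", Sha1CredentialChecker.sha1("correct horse")));

        // Constructed grants for alice: read on a public graph, readwrite on her own graph.
        Permissions granted = new Permissions();
        granted.add(new GraphPermission("http://example.org/graphs/public", "read"));
        granted.add(new GraphPermission("http://example.org/graphs/alice", "readwrite"));

        System.out.println("login ok:      " + checker.authenticate("alice", "correct horse"));
        System.out.println("login wrong:   " + checker.authenticate("alice", "wrong"));
        System.out.println("alice read:    " + granted.implies(new GraphPermission("http://example.org/graphs/alice", "read")));
        System.out.println("public write:  " + granted.implies(new GraphPermission("http://example.org/graphs/public", "readwrite")));
        System.out.println("other read:    " + granted.implies(new GraphPermission("http://example.org/graphs/other", "read")));
    }
}
```

Compile and run with `javac ClerezzaAuthDemo.java && java ClerezzaAuthDemo`. The `Permissions` collection from `java.security` does the matching by calling `implies` on each stored grant, which is the same evaluation model a JAAS-style policy uses. A checker that relays to an LDAP server, as the mail suggests, would replace the digest lookup in `authenticate` with a bind against the directory; a checker written today for locally stored passwords would also use a salted, slow hash such as PBKDF2 rather than an unsalted SHA-1 digest, which is kept here only because the mail describes it.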
