incubator-jspwiki-dev mailing list archives

From Janne Jalkanen <>
Subject OAuth Re: OpenID support in JSPWiki?
Date Fri, 20 Mar 2009 19:22:22 GMT

BTW, how about OAuth support? Do we have good use cases?


On 20 Mar 2009, at 15:43, Andrew Jaquith wrote:

> Tilman--
> Thanks for your e-mail, and for your good work.
> Your thought-process on this seems sound. Agreed, the first phase of  
> login (OP discovery + redirect) should be handled by a custom JSP.  
> The second phase (validation) should be handled by JAAS.
> To do this, you will need to get the HttpRequest object. JSPWiki  
> does have an HttpRequestCallback that can supply this, at least in  
> the custom authentication case. You will need to check to see if  
> WikiCallbackHandler passes that callback. If not, it is trivial to  
> patch the code to do this.
> So, I think this is basically in line with what you proposed.
> Some other thoughts:
> At login time, it would be highly desirable to use SREG or OpenID  
> attribute exchange to pull the user's name and e-mail address and  
> use the returned values to update their profile, which would ensure  
> that their information is always current. The login ID used to look  
> up the profile should be the user's OpenID URL... I think.
> On the UI side, we will need a special OpenID login page (JSP). The  
> regular login page could include this if desired.
> Andrew
> On Mar 18, 2009, at 7:02, Tilman Bender <tbender@stud.hs- 
>> wrote:
>> Hey guys,
>> I am currently playing with the 2.8.1 code and openid4java.
>> But I am having a hard time trying to figure out where exactly to  
>> hook in the OpenID stuff.
>> The problem is (as also described in #JSPWIKI-94), that:
>> 1. To me it seems you cannot do the whole thing in JAAS:
>> OpenID as I understand it has two phases :
>> Phase I:
>> - The user just submitted his openid identifier to our login/ 
>> registration form.
>> - We do discovery on the identifier to find the Endpoint of his  
>> OpenID Provider (and check if the provider is in our whitelist)
>> - We redirect the user to his OpenID provider
>> So in this phase it makes no sense to me to use a JAAS-Module since  
>> we wouldn't be able to complete the login method
>> as we do not know enough about the user yet (we do not know if his  
>> identity is asserted by the OpenID Provider).
>> So I currently do this via JSP  and Scriptlets (no custom tag yet).
>> Phase II:
>> - The user is redirected back to us by his OpenID Provider
>> - We connect to the OpenID Provider to verify the assertion that  
>> was passed along the request (be it a positive or negative assertion)
>> - Now we know enough about the user to log them in.
>> I currently try to use UserManager.setUserProfile in this  
>> situation. Now here comes my Problem:
>> I would like to do all the assertion verification in a JAAS-Module,  
>> but for that I need all the request
>> data, which I do not have in the setUserProfile-Method.
>> So currently I am stuck. Before I start to wildly mess with the API: Am  
>> I taking the right direction?
>> Tilman Bender
>> Student des Software Engineering
>> Hochschule Heilbronn
>> On 03.12.2008 at 21:50, Janne Jalkanen wrote:
>>> Hi!
>>> Thanks for the effort - sounds like a worthy project!
>>> I think you will save yourself a lot of grief if you work on the  
>>> 2.8.1 branch, since the trunk is now the subject of a lot of  
>>> changes - but note that we *will* be making some rather major  
>>> changes for 3.0, so you may face a small porting effort towards  
>>> the end.  We certainly wouldn't like to land a major feature in  
>>> 2.8 branch anymore, since it's rather stable.
>>> I think the first thing you could do is to outline your plan as to  
>>> how exactly are you planning to hook into our structures - a good  
>>> place to start is probably the Security documentation at

>>> , and then asking a lot of questions on this mailing list.
>>> Also, since we are talking about a fairly large project here, you  
>>> might want to sign a contributor license agreement (CLA), and  
>>> depending on the German copyright legislation, get also Heilbronn  
>>> to sign a corporate CLA.  That, or Heilbronn (or you) need to, at  
>>> the end of the project, give a software grant (SGA) to Apache  
>>> Software Foundation.  But these are not biggies and can be tackled  
>>> if/when we start merging ;-)
>>> /Janne
>>> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
>>>> Hi JSPWiki Devs,
>>>> I am a student at Heilbronn University in Germany (Some of you  
>>>> might know Christoph Sauer, who worked there.)
>>>> As pre-thesis for my diploma I want to enhance JSPWiki with OpenID.
>>>> I am still pretty new to JSPWIki, OpenID and JAAS.
>>>> I have worked my way through the official OpenID 2.0  
>>>> Authentication standard
>>>> and will do as well for Attributes Exchange.
>>>> I would like to base my work on the 2.8.1 tag and
>>>> see to get it integrated into the trunk later. Is that the correct  
>>>> way to do it?
>>>> As I see Andrew already spent quite some time on OpenID and did  
>>>> some preparations.
>>>> Since I plan to get my diploma someday soon (say in 2009 ;-)), I  
>>>> have a high personal interest
>>>> in getting OpenID into JSPWiki.
>>>> Summary:
>>>> * I have time
>>>> * I have motivation
>>>> * I need some help to get started ;-)
>>>> Any suggestions where to begin? I guess registration/profile  
>>>> creation would be first.
>>>> kind regards
>>>> Tilman Bender
>>>> Student des Software Engineering
>>>> Hochschule Heilbronn
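The two-phase split the thread converges on (Phase I, discovery plus redirect, in a JSP; Phase II, assertion verification, in a JAAS LoginModule that obtains the HttpServletRequest through HttpRequestCallback) as an added illustration. This is not JSPWiki or openid4java project code: the openid4java calls (ConsumerManager.discover/associate/authenticate/verify, AuthRequest.getDestinationUrl, ParameterList) are written from memory of its consumer API and should be checked against the version in use; HttpRequestCallback.getRequest() and the "consumerManager" JAAS option are assumed wiring; the OP whitelist values and OpenIdPrincipal class are constructed for the example.

```java
// Added example (not JSPWiki or openid4java code): OpenID login split into
// Phase I (JSP side: discovery, whitelist check, redirect) and Phase II
// (JAAS LoginModule: verify the assertion carried back on the request).
package example.openid;

import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;
import com.ecyrd.jspwiki.auth.login.HttpRequestCallback; // assumed: JSPWiki 2.8 callback exposing getRequest()

public final class OpenIdFlow {
    static final String SESSION_KEY = "openid.discovered";
    // Constructed whitelist of accepted OP endpoint hosts (placeholder value).
    static final Set<String> OP_WHITELIST = new HashSet<String>(Arrays.asList("op.example.org"));

    private OpenIdFlow() {}

    /** Phase I (call from the OpenID login JSP): returns the OP redirect URL, or null if refused. */
    public static String startLogin(ConsumerManager manager, String userSuppliedId,
                                    String returnToUrl, HttpSession session) throws OpenIDException {
        List discoveries = manager.discover(userSuppliedId);
        DiscoveryInformation discovered = manager.associate(discoveries);
        if (discovered == null || !OP_WHITELIST.contains(discovered.getOPEndpoint().getHost())) {
            return null; // provider not on the whitelist: stop before redirecting anywhere
        }
        // Keep the discovery result server-side; Phase II verifies against this copy rather
        // than against whatever the returning response claims about the provider.
        session.setAttribute(SESSION_KEY, discovered);
        AuthRequest authReq = manager.authenticate(discovered, returnToUrl);
        return authReq.getDestinationUrl(true);
    }

    /** Phase II as a JAAS LoginModule: verifies the positive/negative assertion on the request. */
    public static final class OpenIdLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private ConsumerManager manager;
        private Identifier verifiedId;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.manager = (ConsumerManager) options.get("consumerManager"); // assumed: injected via JAAS options
        }

        public boolean login() throws LoginException {
            HttpRequestCallback cb = new HttpRequestCallback();
            try {
                handler.handle(new Callback[] { cb }); // WikiCallbackHandler must pass this callback through
            } catch (IOException e) {
                throw new LoginException(e.getMessage());
            } catch (UnsupportedCallbackException e) {
                throw new LoginException("callback handler does not supply HttpRequestCallback");
            }
            HttpServletRequest request = cb.getRequest();
            HttpSession session = request.getSession();
            DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(SESSION_KEY);
            if (discovered == null) throw new LoginException("no pending OpenID login in this session");
            session.removeAttribute(SESSION_KEY); // one response per discovery: no replay within the session
            StringBuffer receivingUrl = request.getRequestURL();
            String query = request.getQueryString();
            if (query != null && query.length() > 0) receivingUrl.append('?').append(query);
            try {
                VerificationResult result = manager.verify(receivingUrl.toString(),
                        new ParameterList(request.getParameterMap()), discovered);
                verifiedId = result.getVerifiedId(); // null for a negative or tampered assertion
            } catch (OpenIDException e) {
                throw new LoginException(e.getMessage());
            }
            if (verifiedId == null) throw new LoginException("OpenID assertion could not be verified");
            return true;
        }

        public boolean commit() {
            if (verifiedId == null) return false;
            // The verified OpenID URL is the login id used to look up the wiki profile.
            subject.getPrincipals().add(new OpenIdPrincipal(verifiedId.getIdentifier()));
            return true;
        }
        public boolean abort() { verifiedId = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); verifiedId = null; return true; }
    }

    /** Constructed principal type carrying the verified OpenID URL. */
    public static final class OpenIdPrincipal implements Principal {
        private final String openId;
        public OpenIdPrincipal(String openId) { this.openId = openId; }
        public String getName() { return openId; }
    }
}
```

The check that matters in Phase II is that the module verifies against the DiscoveryInformation saved in the session during Phase I and discards it once used; a response that arrives without a pending discovery, or a second copy of the same response, is rejected before any profile lookup happens.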
