incubator-jspwiki-dev mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: OpenID support in JSPWiki?
Date Fri, 20 Mar 2009 13:43:05 GMT
Tilman--

Thanks for your e-mail, and for your good work.

Your thought-process on this seems sound. Agreed, the first phase of  
login (OP discovery + redirect) should be handled by a custom JSP. The  
second phase (validation) should be handled by JAAS.

To do this, you will need to get the HttpRequest object. JSPWiki does  
have an HttpRequestCallback that can supply this, at least in the  
custom authentication case. You will need to check to see if  
WikiCallbackHandler passes that callback. If not, it is trivial to  
patch the code to do this.

So, I think this is basically in line with what you proposed.

Some other thoughts:

At login time, it would be highly desirable to use SREG or OpenID  
attribute exchange to pull the user's name and e-mail address and use  
the returned values to update their profile, which would ensure that  
their information is always current. The login ID used to look up the  
profile should be the user's OpenID URL... I think.

On the UI side, we will need a special OpenID login page (JSP). The  
regular login page could include this if desired.

Andrew

On Mar 18, 2009, at 7:02, Tilman Bender <tbender@stud.hs-heilbronn.de>  
wrote:

> Hey guys,
>
> I am currently playing with the 2.8.1 code and openid4java.
>
> But I am having a hard time trying to figure out where exactly to  
> hook in the OpenID stuff.
> The problem is (as also described in #JSPWIKI-94), that:
>
> 1. To me it seems you cannot do the whole thing in JAAS:
> OpenID as I understand it has two phases :
>
> Phase I:
> - The user just submitted his openid identifier to our login/registration form.
> - We do discovery on the identifier to find the Endpoint of his  
> OpenID Provider (and check if the provider is in our whitelist)
> - We redirect the user to his OpenID provider
>
> So in this phase it makes no sense to me to use a JAAS-Module since  
> we wouldn't be able to complete the login method
> as we do not know enough about the user yet (we do not know if his  
> identity is asserted by the OpenID Provider).
> So I currently do this via JSP  and Scriptlets (no custom tag yet).
>
> Phase II:
> - The user is redirected back to us by his OpenID Provider
> - We connect to the OpenID Provider to verify the assertion that was  
> passed along the request (be it a positive or negative assertion)
> - Now we know enough about the user to log them in.
>
> I currently try to use UserManager.setUserProfile in this situation.  
> Now here comes my Problem:
>
> I would like to do all the assertion verification in a JAAS-Module,  
> but for that I need all the request
> data, which I do not have in the setUserProfile-Method.
>
> So currently I am stuck. Before I start to wildly mess the API: Am I  
> taking the right direction?
>
>
> Tilman Bender
> Software Engineering student
> Hochschule Heilbronn
> tbender@stud.hs-heilbronn.de
>
>
>
> On 03.12.2008 at 21:50, Janne Jalkanen wrote:
>
>> Hi!
>>
>> Thanks for the effort - sounds like a worthy project!
>>
>> I think you will save yourself a lot of grief if you work on the  
>> 2.8.1 branch, since the trunk is now the subject of a lot of  
>> changes - but note that we *will* be making some rather major  
>> changes for 3.0, so you may face a small porting effort towards the  
>> end.  We certainly wouldn't like to land a major feature in 2.8  
>> branch anymore, since it's rather stable.
>>
>> I think the first thing you could do is to outline your plan as to  
>> how exactly are you planning to hook into our structures - a good  
>> place to start is probably the Security documentation at  
>> http://doc.jspwiki.org/2.8/wiki/Security, and then asking a lot of questions on this mailing list.
>>
>> Also, since we are talking about a fairly large project here, you  
>> might want to sign a contributor license agreement (CLA), and  
>> depending on the German copyright legislation, get also Heilbronn  
>> to sign a corporate CLA.  That, or Heilbronn (or you) need to, at  
>> the end of the project, give a software grant (SGA) to Apache  
>> Software Foundation.  But these are not biggies and can be tackled  
>> if/when we start merging ;-)
>>
>> /Janne
>>
>> On Dec 3, 2008, at 21:25 , Tilman Bender wrote:
>>
>>> Hi JSPWiki Devs,
>>>
>>> I am a student at Heilbronn University in Germany (Some of you  
>>> might know Christoph Sauer, who worked there.)
>>> As pre-thesis for my diploma I want to enhance JSPWiki with OpenID.
>>>
>>> I am still pretty new to JSPWiki, OpenID and JAAS.
>>> I have worked my way through the official OpenID 2.0  
>>> Authentication standard
>>> and will do as well for Attributes Exchange.
>>>
>>> I would like to base my work on the 2.8.1 tag and
>>> see to get it integrated into the trunk later. Is that the correct  
>>> way to do it?
>>>
>>> As I see Andrew already spent quite some time on OpenID and did  
>>> some preparations.
>>> Since I plan to get my diploma someday soon (say in 2009 ;-)), I  
>>> have a high personal interest
>>> in getting OpenID into JSPWiki.
>>>
>>> Summary:
>>>
>>> * I have time
>>> * I have motivation
>>> * I need some help to get started ;-)
>>>
>>> Any suggestions where to begin? I guess registration/profile  
>>> creation would be first.
>>>
>>> kind regards
>>>
>>>
>>> Tilman Bender
>>> Software Engineering student
>>> Hochschule Heilbronn
>>> tbender@stud.hs-heilbronn.de
>>>
>>>
>>
>
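
The phase II split discussed in this thread, as an added example that is not part of the original messages and is not JSPWiki or openid4java code: a JAAS LoginModule that obtains the return-request parameters through a callback and only creates a principal for the OpenID URL after the assertion checks pass. `RequestParamsCallback`, `SignatureCheck`, the option names and the example.* URLs are hypothetical; the stub verifier marks the place where an OpenID library would check signature and nonce with the provider.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Phase II as a JAAS module. All names are hypothetical, not JSPWiki or openid4java API. */
public class OpenIdAssertionLoginModule implements LoginModule {
    /** Stand-in for a request callback: the handler fills in the return-request parameters. */
    public static class RequestParamsCallback implements Callback { public Map<String, String> params = Map.of(); }
    /** Where an OpenID library would verify signature and nonce with the provider. */
    public interface SignatureCheck { boolean verify(Map<String, String> params); }
    private Subject subject; private CallbackHandler handler; private Map<String, ?> opts;
    private java.security.Principal verified;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h; opts = options;
    }
    public boolean login() throws LoginException {
        RequestParamsCallback cb = new RequestParamsCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("no request data: " + e); }
        Map<String, String> p = cb.params;
        String claimed = p.get("openid.claimed_id");
        if (!"id_res".equals(p.get("openid.mode")))            // anything else is not a positive assertion
            throw new FailedLoginException("no positive assertion");
        if (!p.getOrDefault("openid.return_to", "").equals(opts.get("returnTo")))  // addressed to us?
            throw new FailedLoginException("return_to mismatch");
        if (!((Set<?>) opts.get("allowedEndpoints")).contains(p.getOrDefault("openid.op_endpoint", "")))
            throw new FailedLoginException("provider not in allowlist");   // same list as phase I
        if (claimed == null || !((SignatureCheck) opts.get("signatureCheck")).verify(p))
            throw new FailedLoginException("assertion not verified");
        verified = () -> claimed;                              // Principal whose name is the OpenID URL
        return true;
    }
    public boolean commit() { return verified != null && subject.getPrincipals().add(verified); }
    public boolean abort() { verified = null; return true; }
    public boolean logout() { if (verified != null) subject.getPrincipals().remove(verified); verified = null; return true; }
    public static void main(String[] args) throws Exception {
        Map<String, String> req = Map.of("openid.mode", "id_res",  // constructed sample return request
            "openid.return_to", "https://wiki.example/Login.jsp",
            "openid.op_endpoint", "https://op.example/server", "openid.claimed_id", "https://alice.example/");
        LoginModule m = new OpenIdAssertionLoginModule(); Subject s = new Subject();
        m.initialize(s, cbs -> ((RequestParamsCallback) cbs[0]).params = req, Map.of(), Map.<String, Object>of(
            "returnTo", "https://wiki.example/Login.jsp", "allowedEndpoints", Set.of("https://op.example/server"),
            "signatureCheck", (SignatureCheck) p -> true));        // demo stub; a real check contacts the OP
        m.login(); m.commit();
        System.out.println("logged in as " + s.getPrincipals().iterator().next().getName());
    }
}
```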
