incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christophe Dupriez <christophe.dupr...@destin.be>
Subject Re: Is there possibility to implement custom automatic authentication? (not web-container based)
Date Tue, 28 Dec 2010 21:55:01 GMT
Hi!

I can say I just messed to modify JspWiki to add data coming from Active 
Directory (name, e-mail) to an implicit Tomcat authentication done 
through Waffle (NTLM).
I found it not so easy (more than one place where information must be 
collected and managed).
I will redo it now using a Filter: as you say the result will be much 
better:
http://waffle.codeplex.com/workitem/10034

The request filter approach is independent from JspWiki versions but 
also from applications.

Good evening!

Christophe

Le 28/12/2010 22:15, Andrew Jaquith a écrit :
> Alex:
>
> Thanks for your message. In general, WebContainerLoginModule isn't
> meant to be replaced. Its primary job is to allow container-managed
> credentials to be picked up automatically by JSPWiki.
>
> The best solution for you would be to add a servlet filter upstream
> from JSPWiki that wraps the current HTTPServletRequest. It would
> ensure that the return value of getPrincipal() returns the value you
> want. JSPWiki will then dutifully retrieve the user principal you
> supply and regard the user as logged in.
>
> @Janne: I hadn't seen Shiro before. Conceptually it does pretty much
> everything our own system does, and more. It looks like it's well
> designed, too. The design choices they made seem to be pretty similar
> to the ones I made: e.g., the use of annotations for protecting
> methods, custom permission schemes, separation of authN and authZ,
> etc. And the "remembered" login feature is more or less what we call
> "asserted" logins. Were I building a webapp from scratch, I'd probably
> take a good long look at Shiro.
>
> Andrew
>
> On Tue, Dec 28, 2010 at 2:06 PM, Harry Metske<harry.metske@gmail.com>  wrote:
>> I don't have experience yet with Shiro, but looking at the documentation
>> (which is good), it looks promising, especially it's web filtering
>> capabilities, and the ini-file and bean-style configuration.
>>
>> I see quite a few similarities with security concepts we currently have in
>> JSPWiki, like the default set of web filters that are similar to our login
>> modules, and Shiro permissions similar to WikiPermissions.
>>
>>
>> regards,
>> Harry
>>
>>
>> 2010/12/28 Janne Jalkanen<janne.jalkanen@ecyrd.com>
>>
>>> Hi!
>>>
>>> I think this is solely in Andrew's domain.  We have automatic login using
>>> CookieAuthenticationLoginModule; do you need something else there?
>>>
>>> For #2 I think we could use a patch, if you can write one. Sounds like a
>>> good addition.
>>>
>>> #3 is an oversight; I don't think it should be declared as final. Can you
>>> open up a JIRA issue and contribute a patch?
>>>
>>> Actually, I've been using Apache Shiro lately, and it's a very well done
>>> AAA library which does a lot of the same stuff as we do.  It would be a lot
>>> lighter for us to use that rather than our own system (even though our
>>> system is pretty awesome).  Does anyone have (esp. Andrew) an opinion on how
>>> well Shiro matches up with our stuff?
>>>
>>> /Janne
>>>
>>> On 16 Dec 2010, at 05:13, Alex Tracer wrote:
>>>
>>>> Greetings,
>>>>
>>>> I'm trying to link JSPWiki to an existing application. I need make a
>>>> user automatically (i.e. without explicit login through Login page)
>>>> logged in JSPWiki if he already logged in the another application. All I
>>>> need to do on JSPWiki side is to get some cookies from request and pass
>>>> them to my application.
>>>>
>>>> I've expected that my task will be quite simple because I knew that
>>>> JSPWiki provides "jspwiki.loginModule.class" property that allows to use
>>>> custom JAAS authentication. Also I've seen that
>>>> WebContainerCallbackHandler is able to give me an HttpRequest (via
>>>> HttpRequestCallback) so I can grab my cookies from the request and do my
>>>> dark deeds with them...
>>>>
>>>> However I've met some serious obstacles:
>>>>
>>>> 1. "jspwiki.loginModule.class" property is used only for authentication
>>>> thought Login.jsp. There no way to specify a custom JAAS LoginModule
>>>> that will be used in the same place as WebContainerLoginModule in
>>>> AuthenticationManager.login( HttpServletRequest request ). So I can't
>>>> use my custom LoginModule here so I can't make "automatic" login.
>>>>
>>>> 2. Login.jsp uses AuthenticationManager.login( WikiSession session,
>>>> HttpServletRequest request, String username, String password ) and
>>>> supports customizable LoginModule but WikiCallbackHandler in this method
>>>> is unable to handle HttpRequestCallback. So I can't use my custom
>>>> LoginModule even for explicit login because I can't cookies from JSPWiki.
>>>>
>>>> 3. There is no way to replace AuthenticationManager with implementation
>>>> that matches my needs because AuthenticationManager is final so I can't
>>>> redefine it in classmappings.xml.
>>>>
>>>> I know that I can modify JSPWiki sources and build my own version of
>>>> JSPWiki but I hope that there a way to avoid that because it will add a
>>>> lot of extra work on merging with future versions of JSPWiki.
>>>>
>>>> Could anybody please advise on my problem? At least just point out where
>>>> is right place to ask ;)
>>>>
>>>> Best regards,
>>>> Alex Tracer.
>>>>
>>>> PS: Sorry for my bad English, I'm still not very good in it.
>>>
>


Mime
View raw message