Mailing-List: contact jspwiki-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: jspwiki-dev@incubator.apache.org
Received-SPF: pass (nike.apache.org: domain of alex.tracer@gmail.com
 designates 209.85.216.47 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :content-type;
        b=WUrVfwajtHM5gs/YPF3YaIYXdzfWr5+1vYQBoBeF71ekqzHYmOIUO+enN7EsOHd0fH
         IhP8eFOG0CazXoLIXUNNMW8qJzGQ5On7T6Eb9Md4gCmEz9Jv3FFvtARqGInQqqiosojM
         s4iInKcuELvB+6BefuvjAsU/LPtUfgxVqYjhA=
MIME-Version: 1.0
In-Reply-To: <4D1A5CB5.2010404@destin.be>
References: <4D0983C3.9050400@gmail.com>
 <6A175D65-AC8E-43BD-A4F4-9152E79A45CC@ecyrd.com>
 <AANLkTinkOVkairR_rjQQ97xKF0NUPkxN26AfJ2Mz06Wx@mail.gmail.com>
 <AANLkTimw++QbGX60vkA7VCeghbDuXoKXG+VJLacfx9r=@mail.gmail.com>
 <4D1A5CB5.2010404@destin.be>
From: Alex Tracer <alex.tracer@gmail.com>
Date: Tue, 4 Jan 2011 20:05:10 +0200
Message-ID: <AANLkTimHOMJrZO8dbvsEG56=Y8Z_oMmcVNop-WMsk_7T@mail.gmail.com>
Subject: Re: Is there possibility to implement custom automatic
 authentication? (not web-container based)
To: jspwiki-dev@incubator.apache.org
Content-Type: multipart/alternative; boundary=0015175cba1c38af5e0499091d86

--0015175cba1c38af5e0499091d86
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Greetings,

@Janne

CookieAuthenticationLoginModul is quite close to my needs except I need to
get values of 3rd-party cookies and verify them in an external data source.

#2: OK, I will provide a patch later if it still will be useful.

#3: OK, created: https://issues.apache.org/jira/browse/JSPWIKI-681

Apache Shiro is totally different story from JAAS. I'm not sure if JSPWiki
migration to Shiro will help to fix my problem. It's totally depends on
JWPWiki specific implementation.

@Andrew
WebContainerLoginModule can support authentication but I can't use it to
tell JSPWiki about user's roles because I can pass only one Principal objec=
t
trough getUserPrincipal() method of HttpServletRequest. So I can pass
WikiPrincipal (with user's login) but can't pass Role
(com.ecyrd.jspwiki.auth.authorize.Role) with it. Should my custom filter
redefine isUserInRole() of HttpServletRequest to specify roles? Will JSPWik=
i
understand that?

@Christophe
Not really what I need but I'm on the way on making my custom filter too.

@All
Thanks to everybody for your help.

2010/12/28 Christophe Dupriez <christophe.dupriez@destin.be>

> Hi!
>
> I can say I just messed to modify JspWiki to add data coming from Active
> Directory (name, e-mail) to an implicit Tomcat authentication done throug=
h
> Waffle (NTLM).
> I found it not so easy (more than one place where information must be
> collected and managed).
> I will redo it now using a Filter: as you say the result will be much
> better:
> http://waffle.codeplex.com/workitem/10034
>
> The request filter approach is independent from JspWiki versions but also
> from applications.
>
> Good evening!
>
> Christophe
>
> Le 28/12/2010 22:15, Andrew Jaquith a =C3=A9crit :
>
>  Alex:
>>
>> Thanks for your message. In general, WebContainerLoginModule isn't
>> meant to be replaced. Its primary job is to allow container-managed
>> credentials to be picked up automatically by JSPWiki.
>>
>> The best solution for you would be to add a servlet filter upstream
>> from JSPWiki that wraps the current HTTPServletRequest. It would
>> ensure that the return value of getPrincipal() returns the value you
>> want. JSPWiki will then dutifully retrieve the user principal you
>> supply and regard the user as logged in.
>>
>> @Janne: I hadn't seen Shiro before. Conceptually it does pretty much
>> everything our own system does, and more. It looks like it's well
>> designed, too. The design choices they made seem to be pretty similar
>> to the ones I made: e.g., the use of annotations for protecting
>> methods, custom permission schemes, separation of authN and authZ,
>> etc. And the "remembered" login feature is more or less what we call
>> "asserted" logins. Were I building a webapp from scratch, I'd probably
>> take a good long look at Shiro.
>>
>> Andrew
>>
>> On Tue, Dec 28, 2010 at 2:06 PM, Harry Metske<harry.metske@gmail.com>
>>  wrote:
>>
>>> I don't have experience yet with Shiro, but looking at the documentatio=
n
>>> (which is good), it looks promising, especially it's web filtering
>>> capabilities, and the ini-file and bean-style configuration.
>>>
>>> I see quite a few similarities with security concepts we currently have
>>> in
>>> JSPWiki, like the default set of web filters that are similar to our
>>> login
>>> modules, and Shiro permissions similar to WikiPermissions.
>>>
>>>
>>> regards,
>>> Harry
>>>
>>>
>>> 2010/12/28 Janne Jalkanen<janne.jalkanen@ecyrd.com>
>>>
>>>  Hi!
>>>>
>>>> I think this is solely in Andrew's domain.  We have automatic login
>>>> using
>>>> CookieAuthenticationLoginModule; do you need something else there?
>>>>
>>>> For #2 I think we could use a patch, if you can write one. Sounds like=
 a
>>>> good addition.
>>>>
>>>> #3 is an oversight; I don't think it should be declared as final. Can
>>>> you
>>>> open up a JIRA issue and contribute a patch?
>>>>
>>>> Actually, I've been using Apache Shiro lately, and it's a very well do=
ne
>>>> AAA library which does a lot of the same stuff as we do.  It would be =
a
>>>> lot
>>>> lighter for us to use that rather than our own system (even though our
>>>> system is pretty awesome).  Does anyone have (esp. Andrew) an opinion =
on
>>>> how
>>>> well Shiro matches up with our stuff?
>>>>
>>>> /Janne
>>>>
>>>> On 16 Dec 2010, at 05:13, Alex Tracer wrote:
>>>>
>>>>  Greetings,
>>>>>
>>>>> I'm trying to link JSPWiki to an existing application. I need make a
>>>>> user automatically (i.e. without explicit login through Login page)
>>>>> logged in JSPWiki if he already logged in the another application. Al=
l
>>>>> I
>>>>> need to do on JSPWiki side is to get some cookies from request and pa=
ss
>>>>> them to my application.
>>>>>
>>>>> I've expected that my task will be quite simple because I knew that
>>>>> JSPWiki provides "jspwiki.loginModule.class" property that allows to
>>>>> use
>>>>> custom JAAS authentication. Also I've seen that
>>>>> WebContainerCallbackHandler is able to give me an HttpRequest (via
>>>>> HttpRequestCallback) so I can grab my cookies from the request and do
>>>>> my
>>>>> dark deeds with them...
>>>>>
>>>>> However I've met some serious obstacles:
>>>>>
>>>>> 1. "jspwiki.loginModule.class" property is used only for authenticati=
on
>>>>> thought Login.jsp. There no way to specify a custom JAAS LoginModule
>>>>> that will be used in the same place as WebContainerLoginModule in
>>>>> AuthenticationManager.login( HttpServletRequest request ). So I can't
>>>>> use my custom LoginModule here so I can't make "automatic" login.
>>>>>
>>>>> 2. Login.jsp uses AuthenticationManager.login( WikiSession session,
>>>>> HttpServletRequest request, String username, String password ) and
>>>>> supports customizable LoginModule but WikiCallbackHandler in this
>>>>> method
>>>>> is unable to handle HttpRequestCallback. So I can't use my custom
>>>>> LoginModule even for explicit login because I can't cookies from
>>>>> JSPWiki.
>>>>>
>>>>> 3. There is no way to replace AuthenticationManager with implementati=
on
>>>>> that matches my needs because AuthenticationManager is final so I can=
't
>>>>> redefine it in classmappings.xml.
>>>>>
>>>>> I know that I can modify JSPWiki sources and build my own version of
>>>>> JSPWiki but I hope that there a way to avoid that because it will add=
 a
>>>>> lot of extra work on merging with future versions of JSPWiki.
>>>>>
>>>>> Could anybody please advise on my problem? At least just point out
>>>>> where
>>>>> is right place to ask ;)
>>>>>
>>>>> Best regards,
>>>>> Alex Tracer.
>>>>>
>>>>> PS: Sorry for my bad English, I'm still not very good in it.
>>>>>
>>>>
>>>>
>>
>

--0015175cba1c38af5e0499091d86--