incubator-jspwiki-user mailing list archives

From jonathan <jengb...@ryerson.ca>
Subject Re: 2.4 with kaukolu ldap auth/userdatabase to 2.8 migration
Date Thu, 16 Jul 2009 15:10:29 GMT
update/fix:

I've added a new role "person", via userRoleName="objectClass" in my 
server.xml realm configuration (as well as appropriate adds in web.xml). 
I also had to add a connectionName and connectionPassword since we 
don't allow anonymous searches of the directory.

I now get assigned the "person" role by the container, in addition to 
"Authenticated":

2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD 
[source=com.ecyrd.jspwiki.auth.AuthenticationManager@ee3aa7, 
princpal=com.ecyrd.jspwiki.auth.authorize.Role person, 
target=com.ecyrd.jspwiki.WikiSession@6d06b0]
2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD 
[source=com.ecyrd.jspwiki.auth.AuthenticationManager@ee3aa7, 
princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated, 
target=com.ecyrd.jspwiki.WikiSession@6d06b0]

I no longer get "Forbidden".  I'm unsure why this manually configured 
role works differently than the default "Authenticated", but this is a 
workable solution.

Curious point: with jspwiki.cookieAssertions=true in 
jspwiki.properties, I'm forced to log in twice (at which point everything 
works).  With it false, I get properly authenticated the first time. 
Strange.

jonathan.

jonathan wrote:
> heya too!
> 
> The wiki page on container auth has been very, very helpful, yes.  Upon 
> further investigation, I think my issues are currently more role-related 
> than UserDatabase related.
> 
> Container has been set up to authenticate to ldap, no roles have been 
> configured, web.xml is default container-managed config.  As soon as I 
> log in, I end up getting a forbidden page (on Login.jsp?redirect=Main). 
> If I click "Better luck next time", I end up back on the main page, 
> "authenticated" (much like this problem: 
> http://www.mail-archive.com/jspwiki-user@incubator.apache.org/msg01892.html 
> - except I'm using Tomcat 5.5.15).
> 
> If I look at my security log, I get the following entries only *after* I 
> click the "Better luck..." link on the Forbidden page:
> 
> 2009-07-15 17:11:07,547 INFO - WikiSecurityEvent.LOGIN_AUTHENTICATED 
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245, 
> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, 
> target=com.ecyrd.jspwiki.WikiSession@1f55105]
> 2009-07-15 17:11:07,547 DEBUG - WikiSecurityEvent.LOGIN_AUTHENTICATED 
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245, 
> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, 
> target=com.ecyrd.jspwiki.WikiSession@1f55105]
> 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD 
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245, 
> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, 
> target=com.ecyrd.jspwiki.WikiSession@1f55105]
> 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD 
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245, 
> princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated, 
> target=com.ecyrd.jspwiki.WikiSession@1f55105]
> 
> 
> It looks like I now should have the "Authenticated" role from the 
> container (though I don't seem to have it (according to the log, anyway) 
> immediately after clicking "login" which is strange).  However, I still 
> get "Forbidden" if I try and go to Edit.jsp or similar (the 
> "Authenticated area" in web.xml).
> 
> After the initial "Forbidden", my wiki acls seem to work properly, but 
> the container-given Role ("Authenticated") doesn't seem to be working, 
> even though the logs appear to indicate that the role has been assigned.
> 
> Thoughts on where to go from here?
> 
> as always, many thanks,
> jonathan.
> 
> 
> Janne Jalkanen wrote:
>>
>> Heya!
>>
>> Does this help?
>>
>> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>>
>> /Janne
>>
>> On 14 Jul 2009, at 21:37, jonathan wrote:
>>
>>> Has anyone successfully done this?
>>>
>>> In 2.4 I'm using Kaukolu LDAPUserDatabase implementation to get user 
>>> data, so I have no local userdatabase.xml file to fall back on.  The 
>>> existing LDAPUserDatabase doesn't work with 2.8, of course.
>>>
>>> If you've done this, how are you handling the userdatabase portion 
>>> under 2.8?  We have a very large ldap database, but a relatively 
>>> small number of JSPWiki users, so migrating the ldap info into an xml 
>>> (or even mysql) userdatabase seems a bit like overkill (though this 
>>> may be the simplest route to take given my relative inability to 
>>> recode the LDAPUserDatabase stuff).
>>>
>>> Any thoughts appreciated.
>>
>>
> 
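
Added example, not part of the original messages: a sketch of the two configuration changes described in the update at the top of this thread, using Tomcat's JNDIRealm. The host name, DNs, search filter and password are constructed placeholders, and the url-pattern list is limited to the pages named in the thread.

```xml
<!-- conf/server.xml (Tomcat): realm fragment. Host name, DNs, filter and
     password are constructed placeholders, not values from the thread. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.org:636"
       connectionName="cn=wiki-bind,ou=services,dc=example,dc=org"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="objectClass" />
<!-- connectionName / connectionPassword: the bind account Tomcat uses to
     search for the user when the directory refuses anonymous searches.
     The password sits in clear text here, so give the account read-only
     access and keep server.xml readable by the Tomcat user only.
     userRoleName="objectClass": every value of that attribute on the
     user's own entry becomes a container role. "person" is therefore
     held by any person entry that can bind; treat it as "any directory
     user", not as a privilege group. -->

<!-- WEB-INF/web.xml (JSPWiki, container-managed authentication).
     The container checks auth-constraint against roles returned by the
     realm, so the realm-supplied role has to be listed and declared. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <url-pattern>/Login.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name>
    <role-name>person</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>person</role-name>
</security-role>
```

If only some directory users should be able to edit, a group-based role lookup (JNDIRealm's roleBase, roleSearch and roleName attributes) narrows access in a way that objectClass cannot.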
