incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: 2.4 with kaukolu ldap auth/userdatabase to 2.8 migration
Date Thu, 16 Jul 2009 18:23:33 GMT
Jonathan --

Very interesting. I'll look into this. Thanks for investigating. -- 
Andrew

On Jul 16, 2009, at 10:10, jonathan <jengbrec@ryerson.ca> wrote:

> update/fix:
>
> I've added a new role "person", via userRoleName="objectClass" in my  
> server.xml realm configuration (as well as appropriate adds in  
> web.xml).  I also had to add a connectionName and connectionPassword  
> since we don't allow anonymous searches of the directory.
>
> I now get assigned the "person" role by the container, in addition  
> to "Authenticated":
>
> 2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD  
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@ee3aa7,  
> princpal=com.ecyrd.jspwiki.auth.authorize.Role person,  
> target=com.ecyrd.jspwiki.WikiSession@6d06b0]
> 2009-07-16 10:53:01,701 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD  
> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@ee3aa7,  
> princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,  
> target=com.ecyrd.jspwiki.WikiSession@6d06b0]
>
> I no longer get "Forbidden".  I'm unsure why this manually  
> configured role works differently than the default "Authenticated",  
> but this is a workable solution.
>
> curious point:  with jspwiki.cookieAssertions=true in  
> jspwiki.properties, I'm forced to login twice (at which point  
> everything works).  With it false, I get properly authenticated the  
> first time. strange.
>
> jonathan.
>
> jonathan wrote:
>> heya too!
>> The wiki page on container auth has been very, very helpful, yes.   
>> Upon further investigation, I think my issues are currently more  
>> role-related than UserDatabase related.
>> Container has been set up to authenticate to ldap, no roles have  
>> been configured, web.xml is default container-managed config.  As  
>> soon as I log in, I end up getting a forbidden page (on  
>> Login.jsp?redirect=Main).  If I click "Better luck next time", I end up back  
>> on the main page, "authenticated" (much like this problem:  
>> http://www.mail-archive.com/jspwiki-user@incubator.apache.org/msg01892.html
>>  - except I'm using Tomcat 5.5.15).
>> If I look at my security log, I get the following entries only  
>> *after* I click the "Better luck..." link on the Forbidden page:
>> 2009-07-15 17:11:07,547 INFO -  
>> WikiSecurityEvent.LOGIN_AUTHENTICATED  
>> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245,  
>> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,  
>> target=com.ecyrd.jspwiki.WikiSession@1f55105]
>> 2009-07-15 17:11:07,547 DEBUG -  
>> WikiSecurityEvent.LOGIN_AUTHENTICATED  
>> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245,  
>> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,  
>> target=com.ecyrd.jspwiki.WikiSession@1f55105]
>> 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD  
>> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245,  
>> princpal=org.apache.catalina.realm.GenericPrincipal jengbrec,  
>> target=com.ecyrd.jspwiki.WikiSession@1f55105]
>> 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD  
>> [source=com.ecyrd.jspwiki.auth.AuthenticationManager@e4245,  
>> princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated,  
>> target=com.ecyrd.jspwiki.WikiSession@1f55105]
>> It looks like I now should have the "Authenticated" role from the  
>> container (though I don't seem to have it (according to the log,  
>> anyway) immediately after clicking "login" which is strange).   
>> However, I still get "Forbidden" if I try and go to Edit.jsp or  
>> similar (the "Authenticated area" in web.xml).
>> After the initial "Forbidden", my wiki acls seem to work properly,  
>> but the container-given Role ("Authenticated") doesn't seem to be  
>> working, even though the logs appear to indicate that the role has  
>> been assigned.
>> Thoughts on where to go from here?
>> as always, many thanks,
>> jonathan.
>> Janne Jalkanen wrote:
>>>
>>> Heya!
>>>
>>> Does this help?
>>>
>>> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>>>
>>> /Janne
>>>
>>> On 14 Jul 2009, at 21:37, jonathan wrote:
>>>
>>>> Has anyone successfully done this?
>>>>
>>>> In 2.4 I'm using Kaukolu LDAPUserDatabase implementation to get  
>>>> user data, so I have no local userdatabase.xml file to fall back  
>>>> on.  The existing LDAPUserDatabase doesn't work with 2.8, of  
>>>> course.
>>>>
>>>> If you've done this, how are you handling the userdatabase  
>>>> portion under 2.8?  We have a very large ldap database, but a  
>>>> relatively small number of JSPWiki users, so migrating the ldap  
>>>> info into an xml (or even mysql) userdatabase seems a bit like  
>>>> overkill (though this may be the simplest route to take given my  
>>>> relative inability to recode the LDAPUserDatabase stuff).
>>>>
>>>> Any thoughts appreciated.
>>>
>>>
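
Added example, not part of the original thread and not jonathan's actual files: a sketch of the Tomcat JNDIRealm and web.xml changes his update describes. The host, DNs, password, userSearch filter and the exact shape of the web.xml additions are assumptions; because userRoleName="objectClass" turns every objectClass value on the user's entry into a role, the "person" role is held by any directory account with that object class, so the constraint gates on authentication rather than on group membership.

```xml
<!-- server.xml (Tomcat): JNDIRealm inside the Engine or Host element.
     Host, DNs, password and userSearch are constructed placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.org:636"
       connectionName="cn=wiki-bind,ou=services,dc=example,dc=org"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       userRoleName="objectClass" />
<!-- connectionName / connectionPassword: service account used when the
     directory refuses anonymous searches. The password is stored in clear
     text, so restrict read access to server.xml and give the account
     search rights only.
     userRoleName="objectClass": each objectClass value on the user's own
     entry (for example "person") is handed to the webapp as a role. -->

<!-- web.xml (JSPWiki webapp): assumed shape of the additions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Edit.jsp</url-pattern>
    <!-- other protected patterns from the stock file stay as they are -->
  </web-resource-collection>
  <auth-constraint>
    <!-- roles already listed in the stock file stay as they are -->
    <role-name>Authenticated</role-name>
    <role-name>person</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>Mapped from the LDAP objectClass value "person"</description>
  <role-name>person</role-name>
</security-role>
```

The container evaluates auth-constraint against the roles the realm returns, so a role name that no LDAP attribute supplies never satisfies it. That is a likely reason the default "Authenticated" constraint produced Forbidden here, though the thread does not confirm it.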
