jackrabbit-dev mailing list archives

From "Suhail M. Ahmed" <ilya...@mac.com>
Subject jcr authentication and authorization
Date Sat, 05 Feb 2005 19:20:45 GMT
Hi,

My name is Suhail. I was on my way to implementing 170 before David set
me straight and pointed me to the Jackrabbit RI. I read from David's
earlier post that the team is working on A'nA. My own plans with regard
to doing this were to specify a node type and build repository adapters
for LDAP to store and manage instances of the type. Given that the
repository could be configured with arbitrary storage adapters, one
could in principle store A'nA data anywhere. Then there is the issue of
using JAAS. JAAS itself is an abstraction on top of arbitrary identity
data stores. It would be trivial to code, say, a JCRLoginModule that
would allow JAAS to use the repository to access the identity database.
That should take care of authentication. Authorization, on the other
hand, is more involved. I would like to do two things at the moment.
1. Build a JCRLoginModule to work against the default data store, or
specify a new one to store A'nA data. This would require the default
store to be initialized with start-up data for the initial set of
Principals.
At this point the login use case in the spec should work. Authorization,
on the other hand, is a different kettle of fish. If one does go the
Java permissions route, I suspect there will be an impact on the current
code base. Then there is the question of where and how policy data
should be stored. Naturally, I think policy should be accessed via the
repository as well.

2. Build a repository adapter for LDAP to store A'nA data. I propose
LDAP because I have experience with it. To this end I would like to
translate publicly available LDAP schemas to nodedefs. I have a few
days' experience with JavaCC; if someone on this list can help me with
questions on using it to parse LDAP LDIFs, I could have the whole bunch
translated in a jiffy.

As a start I have tried to define a Node to offer basic support for 
authentication:

<!-- Complete custom node type file as Jackrabbit loads it: the nodeType
     element sits in a nodeTypes root that declares every prefix used
     below (jcr and nt are the standard JCR namespaces) -->
<nodeTypes xmlns:jcr="http://www.jcp.org/jcr/1.0"
           xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
           xmlns:ext="http://www.example.com/jcr/1.0"
           xmlns:ana="http://www.example.com/jcr/acess/1.0">
    <!-- ext: extension namespace
         ana: authentication and authorization namespace -->
    <nodeType name="ext:simplePerson" isMixin="false"
              hasOrderableChildNodes="false" primaryItemName="">
        <supertypes>
            <supertype>nt:base</supertype>
        </supertypes>
        <!-- set by the repository when the node is created; protected so
             that a client cannot forge or alter it -->
        <propertyDef name="jcr:created" requiredType="Date"
            autoCreate="true" mandatory="true" onParentVersion="COPY"
            protected="true" multiple="false"/>
        <!-- inetOrgPerson attributes. These are written by the application
             and therefore must not be protected: a protected property can
             only be set by the repository itself, so a property that is
             mandatory, protected and not auto-created could never be
             supplied and no node of this type could be saved -->
        <propertyDef name="ana:cn" requiredType="String"
            autoCreate="false" mandatory="true" onParentVersion="COPY"
            protected="false" multiple="false"/>
        <propertyDef name="ana:sn" requiredType="String"
            autoCreate="false" mandatory="true" onParentVersion="COPY"
            protected="false" multiple="false"/>
        <propertyDef name="ana:givenName" requiredType="String"
            autoCreate="false" mandatory="false" onParentVersion="COPY"
            protected="false" multiple="false"/>
        <propertyDef name="ana:initials" requiredType="String"
            autoCreate="false" mandatory="false" onParentVersion="COPY"
            protected="false" multiple="false"/>
        <propertyDef name="ana:uid" requiredType="String"
            autoCreate="false" mandatory="true" onParentVersion="COPY"
            protected="false" multiple="false"/>
        <!-- Binary so that a salted password hash can be stored; the
             cleartext password must never be written here -->
        <propertyDef name="ana:userPassword" requiredType="Binary"
            autoCreate="false" mandatory="true" onParentVersion="COPY"
            protected="false" multiple="false"/>
    </nodeType>
</nodeTypes>

I lifted the properties from LDAP inetOrgPerson. I am not sure if I got
the onParentVersion correct. The type should also be guarded by an
access control mixin, I suppose. How do I configure the repository so
that it knows the type above? Any ideas on how A'nA data is to be
stored? Is it best to store it in a different repository or in a
separate workspace? Is it possible to configure Jackrabbit with
multiple repositories?

Have a nice evening.
regards
Suhail
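
The JCRLoginModule sketched in the message above, written out as an added
example; this is not code from the original post or from Jackrabbit. It
assumes things the post does not state: user nodes of type
ext:simplePerson live at /ana:users/<uid>, ana:userPassword is a
non-protected Binary holding a random salt followed by a PBKDF2 hash (as
written by storePassword() below), and the module obtains a session that
may read /ana:users through a hypothetical SessionProvider passed in the
JAAS options map. It uses only the JSR-170 (JCR 1.0) and JAAS APIs.

```java
// Added example, not from the original post or Jackrabbit. Assumptions (not in
// the post): users at /ana:users/<uid>; ana:userPassword = salt || PBKDF2(pw),
// not protected; SessionProvider is a hypothetical hook supplied by the deployment.
import java.io.*;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.jcr.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JcrLoginModule implements LoginModule {
    /** Hypothetical hook: hands the module a session allowed to read /ana:users. */
    public interface SessionProvider { Session openSystemSession() throws RepositoryException; }

    /** Principal placed in the Subject on commit(). */
    public static final class UidPrincipal implements Principal {
        private final String uid; public UidPrincipal(String uid) { this.uid = uid; }
        public String getName() { return uid; }
    }

    private static final int SALT_LEN = 16, KEY_BITS = 256, ITERATIONS = 100000;
    private Subject subject;
    private CallbackHandler handler;
    private SessionProvider provider;
    private UidPrincipal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // the deployment passes the provider in the JAAS options map (hypothetical key)
        this.provider = (SessionProvider) options.get("sessionProvider");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("uid: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e);
        }
        String uid = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        // uid becomes a relative path segment below: reject "/", "..", ":" and
        // anything else that could resolve outside /ana:users
        if (uid == null || password == null || !uid.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new FailedLoginException("bad credentials");
        }
        Session sys = null;
        try {
            sys = provider.openSystemSession();
            Node users = sys.getRootNode().getNode("ana:users");
            // identical failure for unknown uid and wrong password: no user enumeration
            if (!users.hasNode(uid)) throw new FailedLoginException("bad credentials");
            byte[] stored = readBinary(users.getNode(uid).getProperty("ana:userPassword"));
            if (!verifyPassword(password, stored)) throw new FailedLoginException("bad credentials");
            principal = new UidPrincipal(uid);
            return true;
        } catch (RepositoryException | IOException | GeneralSecurityException e) {
            throw new LoginException("repository lookup failed: " + e);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the cleartext in memory
            if (sys != null) sys.logout();
        }
    }

    public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }

    /** Write salt || PBKDF2(password), never the cleartext, into ana:userPassword. */
    public static void storePassword(Node user, char[] password)
            throws RepositoryException, GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] stored = Arrays.copyOf(salt, SALT_LEN + KEY_BITS / 8);
        System.arraycopy(pbkdf2(password, salt), 0, stored, SALT_LEN, KEY_BITS / 8);
        user.setProperty("ana:userPassword", new ByteArrayInputStream(stored)); // JCR 1.0 Binary setter
    }

    public static boolean verifyPassword(char[] password, byte[] stored) throws GeneralSecurityException {
        if (stored == null || stored.length != SALT_LEN + KEY_BITS / 8) return false;
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_LEN);
        byte[] expected = Arrays.copyOfRange(stored, SALT_LEN, stored.length);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt)); // constant-time compare
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS)).getEncoded();
    }

    private static byte[] readBinary(Property p) throws RepositoryException, IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream in = p.getStream()) {   // JCR 1.0 accessor for Binary values
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) > 0;) out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```

Two points the node type alone does not settle: the module itself needs a
repository session to read the user nodes before anyone is logged in,
which is the bootstrap problem the message raises about seeding the
default store with initial Principals, and the lookup must never build a
path from the raw uid, since a JCR relative path accepts "/" and ".."
segments. The uid whitelist and the fixed /ana:users parent handle the
second; a read-only system session handed in by the deployment handles
the first.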

