From: "Suhail M. Ahmed"
Subject: jcr authentication and authorization
Date: Sat, 5 Feb 2005 20:20:45 +0100
To: jackrabbit-dev@incubator.apache.org
References: <420398D1.7080706@zitting.name>
Message-Id: <33a3a149a722317e6bf948226873006c@mac.com>

Hi,

My name is Suhail. I was on my way to implementing 170 before David set me straight and pointed me to the Jackrabbit RI. I read from David's earlier post that the team is working on A'nA.

My own plans with regards to doing this were to specify a node type and build repository adapters for LDAP to store and manage instances of the type. Given that the repository could be configured with arbitrary storage adapters, one could in principle store A'nA data anywhere.

Then there is the issue of using JAAS. JAAS itself is an abstraction on top of arbitrary identity data stores. It would be trivial to code, say, a JCRLoginModule that would allow JAAS to use the repository to access the identity database. That should take care of authentication. Authorization, on the other hand, is more involved.

I would like to do two things at the moment.

1. Build a JCRLoginModule to work against the default data store, or specify a new one to store A'nA data. This would require the default store to be initialized with start-up data for the initial set of Principals. At this point the login use case in the spec should work. Authorization, on the other hand, is a different kettle of fish. If one does go the Java permissions route, I suspect there will be an impact on the current code base. Then there is the question of where and how policy data should be stored. Naturally, I think policy should be accessed via the repository as well.

2. Build a repository adapter for LDAP to store A'nA data. I propose LDAP because I have experience with it. To this end I would like to translate publicly available LDAP schemas to nodedefs.
I have a few days' experience with JavaCC; if someone on this list can help me with questions on using it to parse LDAP LDIFs, I could have the whole bunch translated in a jiffy.

As a start I have tried to define a node to offer basic support for authentication:

Namespace:
  xmlns:ext="http://www.example.com/jcr/1.0"        // extension namespace
  xmlns:ana="http://www.example.com/jcr/acess/1.0"  // authentication and authorization namespace

  nt:base

I lifted the properties from LDAP inetOrgPerson. I am not sure if I got the onParentVersion correct. The type should also be guarded by an access control mixin, I suppose.

How do I configure the repository so that it knows the type above? Any ideas on how A'nA data is to be stored? Is it best to store it in a different repository or in a separate workspace? Is it possible to configure Jackrabbit with multiple repositories?

Have a nice evening.

regards
Suhail
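An added illustration of the JCRLoginModule idea from the message above (this is not code from the post or from Jackrabbit): a JAAS LoginModule that reads the user's salted SHA-256 password hash from the repository. It assumes a hypothetical /ana:users/<name> layout with ana:salt and ana:passwordHash properties, and a Repository plus a read-only service Credentials handed in through the JAAS options map; the user name is restricted to a plain node name so it cannot address a node outside ana:users.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.jcr.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
public class JcrLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Repository repository;     // assumed: passed in through the JAAS options map
    private Credentials serviceCreds;  // assumed: read-only service account that can read ana:users
    private String userName;           // non-null only after a successful login()
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.repository = (Repository) options.get("repository");
        this.serviceCreds = (Credentials) options.get("serviceCredentials");
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials supplied"); }
        String name = nc.getName();
        char[] pw = pc.getPassword(); pc.clearPassword();
        Session s = null;
        try {
            // Plain node names only: '/', '.' or '..' in the user name would address some other node.
            if (name == null || pw == null || !name.matches("[A-Za-z0-9_-][A-Za-z0-9._-]*")) throw new FailedLoginException("bad credentials");
            s = repository.login(serviceCreds);
            Node users = s.getRootNode().getNode("ana:users");   // hypothetical layout: /ana:users/<name>
            if (!users.hasNode(name)) throw new FailedLoginException("bad credentials");
            Node u = users.getNode(name);
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(Base64.getDecoder().decode(u.getProperty("ana:salt").getString()));
            byte[] actual = md.digest(new String(pw).getBytes(StandardCharsets.UTF_8));
            byte[] stored = Base64.getDecoder().decode(u.getProperty("ana:passwordHash").getString());
            if (!MessageDigest.isEqual(stored, actual)) throw new FailedLoginException("bad credentials"); // constant-time compare
            userName = name; return true;
        } catch (RepositoryException | GeneralSecurityException e) { throw new LoginException("repository error"); }
        finally { if (pw != null) Arrays.fill(pw, '\0'); if (s != null) s.logout(); }  // wipe cleartext, release session
    }
    public boolean commit() { if (userName == null) return false; subject.getPrincipals().add(new X500Principal("CN=" + userName)); return true; }
    public boolean abort()  { userName = null; return true; }
    public boolean logout() { userName = null; subject.getPrincipals().clear(); return true; }
}
```

The same "bad credentials" failure is raised whether the node is missing or the hash mismatches, so a caller cannot tell valid user names from invalid ones by the error.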