jackrabbit-users mailing list archives

From Francisco Carriedo Scher <fcarrie...@gmail.com>
Subject Authentication, authorization and Jackrabbit
Date Wed, 31 Aug 2011 10:05:56 GMT
Hi there,

I have been reading about Jackrabbit and its authentication and
authorization capabilities. For the sake of clarity I will directly split
and *limit my questions to the authentication part*.

Since Jackrabbit uses JAAS and I had no idea about how JAAS works, I read
(and understood, I think) and executed successfully the sample in
Then I have tried to extrapolate what I learned to Jackrabbit and I
established the following similarities (<=> means corresponds):

- the sample code in JAAS tutorial is executed through the following command
(relevant fields are coloured):

java -classpath SampleAzn.jar:SampleAction.jar:SampleLM.jar
*-Djava.security.manager *

- SimpleSecurityManager (specified in repository.xml) <=> SecurityManager
specified by the *-Djava.security.manager*. Not relevant so far for
authentication, is it?

- security.xml <=> *-Djava.security.policy==/path/to/sampleazn.policy*. The
policy is specified in the security.xml file. By the way, I did not find any
link to security.xml syntax, nor are samples provided with Jackrabbit
distributions. Any useful link?

- SimpleLoginModule (specified in repository.xml and *always returns true*,
regardless of what parameters it gets) <=>
*-Djava.security.auth.login.config==/path/to/sample_jaas.config* pointing to
SampleLoginModule (a custom class provided in the JAAS tutorial which
performs a very simple authentication which checks if the given username and
password correspond to fixed strings).

- AccessManager (specified in repository.xml): not relevant so far for
authentication, is it?

So, having the sources from Jackrabbit downloaded and checking what happens
using the Eclipse debugger, I would say that I must implement my own
"SimpleLoginModule" with my own logic to determine whether authentication
succeeds or not (looking for username and password in a database, for
example). Then specify it in the repository.xml file for Jackrabbit to use it.
Would my guess be correct? Would the procedure I described be the most
convenient way to catch every authentication try (when getting the
repository via webdav, rmi, jndi or accessing the contents through HTTP) or
should I go deeper??? Any hint about correctness and convenience of my
approach will be welcome, of course!!!!

Thanks in advance for your attention!
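
The JAAS side of the idea in the message above, as an added example that is not part of the original post and is not Jackrabbit code: a LoginModule that rejects by default and accepts only a known user whose password matches a stored PBKDF2 hash, in contrast to a module that always returns true. The class name, the in-memory user table, the salt and the PBKDF2 parameters are constructed for illustration, and it is an assumption that the CallbackHandler in use answers NameCallback and PasswordCallback; how the module is registered in repository.xml is not shown.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical class name; uses plain JAAS types only, no Jackrabbit classes.
public class StoredHashLoginModule implements LoginModule {
    // Constructed sample data standing in for a database row; real rows carry a random per-user salt.
    private static final byte[] SALT = "constructed-salt".getBytes();
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("alice", hash("constructed-password".toCharArray())); }
    private Subject subject; private CallbackHandler handler;
    private Principal principal;   // set only after a successful login()
    static byte[] hash(char[] pw) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, SALT, 100_000, 256)).getEncoded();
        } catch (Exception e) { throw new IllegalStateException(e); }
    }
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("credentials unavailable"); }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (pw == null || pw.length == 0) throw new FailedLoginException("authentication failed");
        byte[] actual = hash(pw);              // hashed even when the user is unknown
        Arrays.fill(pw, '\0');
        byte[] expected = USERS.get(name);     // null for an unknown (or null) name
        // Fail closed: anything but a known user with a matching hash is rejected.
        if (expected == null || !MessageDigest.isEqual(expected, actual))
            throw new FailedLoginException("authentication failed");
        principal = () -> name;
        return true;
    }
    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return abort(); }
}
```

The same error message is used for an unknown user and a wrong password, and the hash is computed in both cases, so the response does not reveal which user names exist.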
