Date: Wed, 19 Mar 2008 06:48:38 +1100
From: Alex Samad
To: jspwiki-dev@incubator.apache.org
Subject: Re: Some 2.8 auth improvements
Message-ID: <20080318194838.GU26025@samad.com.au>
References:
 <35F374DD-6C1A-41D2-B904-56B7974E5A85@mac.com> <20080318055549.GQ26025@samad.com.au>

On Tue, Mar 18, 2008 at 12:44:33AM -0600, Andrew Jaquith wrote:
> Hey Alex -- you asked a fine question. We do indeed use JAAS
> LoginModules to access container credentials. Those will still be used
> in 2.8.. What changes is the need to rely on JVM-wide JAAS
> *configuration* -- specifically the need to obtain a LoginContext from
> the JVM-wide config.
>
> The new strategy keeps the stuff that works (the LoginModule classes)
> and kills the stuff that is annoying (the need for a JAAS config file
> aka jspwiki.jaas..

Sounds great. Does this also mean it will be easier to have an LDAP-based
user and group module?

>
> On Mar 17, 2008, at 23:55, Alex Samad wrote:
>
>> Hi
>>
>> On Mon, Mar 17, 2008 at 11:08:36PM -0600, Andrew Jaquith wrote:
>>> All --
>>>
>>> I went ahead and did something I've been meaning to do for a while:
>>> eliminate the dependency on JAAS configuration from JSPWiki. The idea
>>> was to get rid of the tweaks and hacks we use to configure the login
>>> process, and eliminate a bunch of configuration hassles.
>>>
>>> It's all ready to go: code, unit tests, javadoc and jspwiki comments.
>>> All I need is a 2.8 branch to put it in.
>>>
>>> Some more information about the refactoring:
>>>
>>> The technique I've employed does three things: it refactors
>>> AuthenticationManager, adds some responsibilities to WikiServletFilter,
>>> and moves configuration of the login process to jspwiki.properties.
>>> Best of all: the API changes are fairly small, and we re-use the existing
>>> LoginModules.
>>>
>>> The upsides to the new approach are many:
>>> - Elimination of the need to configure JAAS at runtime
>>> - Maintains backwards compatibility with any existing third-party
>>> LoginModules that may have been developed for JSPWiki
>>> - Adds the ability to use MORE LoginModules with JSPWiki (because we
>>> move responsibility for adding/deleting JSPWiki Roles out of the
>>> LoginModules, and into AuthenticationManager)
>>> - Removes the last barrier for "drop-in" deployments on ALL containers
>>> (no need to worry about JAAS configuration)
>>>
>>> There are very few downsides, other than the fact that WikiContext loses
>>> a few methods that were only used by one or two callers, and were only
>>> public because of package boundaries.
>> going to show how much I don't know, but wasn't JAAS the method used to
>> access container authentication?
>>
>>>
>>> Andrew
>>>
>>
>> --
>> "Joe, I don't do nuance."
>>
>> - George W. Bush
>> 02/15/2004
>> to Sen. Joseph Biden, as quoted in Time
>

--
"If you're sick and tired of the politics of cynicism and polls and principles,
come and join this campaign."

- George W. Bush
02/16/2000
Hilton Head, S.C.
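
The pattern discussed in this thread (keeping LoginModule classes but driving them without a LoginContext or a JVM-wide JAAS configuration file) can be sketched as follows. This is an added example, not JSPWiki's code: `DirectLoginDemo`, `DemoModule`, the `demo.loginModule*` property keys, the `Authenticated` role name and the sample credentials are all hypothetical and constructed for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class DirectLoginDemo {
    /** Hypothetical stand-in for an existing LoginModule; checks a constructed password option. */
    public static class DemoModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private Map<String, ?> options; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; options = opts;
        }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { n, p }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            char[] expected = String.valueOf(options.get("password")).toCharArray();
            if (!Arrays.equals(p.getPassword(), expected)) throw new FailedLoginException("bad credentials");
            user = n.getName(); return true;
        }
        public boolean commit() { return subject.getPrincipals().add(named(user)); }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    static java.security.Principal named(String name) { return () -> name; }
    /** Drives one module directly: no LoginContext, no JVM-wide JAAS Configuration lookup. */
    static Subject login(Properties cfg, String user, char[] pw) throws Exception {
        String cls = cfg.getProperty("demo.loginModule"); // module class named in application properties
        LoginModule m = (LoginModule) Class.forName(cls).getDeclaredConstructor().newInstance();
        Map<String, Object> opts = new HashMap<>();
        opts.put("password", cfg.getProperty("demo.loginModule.password"));
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
            else throw new UnsupportedCallbackException(c); } };
        Subject subject = new Subject();
        try { m.initialize(subject, h, new HashMap<String, Object>(), opts); m.login(); m.commit(); }
        catch (LoginException e) { m.abort(); throw e; }
        subject.getPrincipals().add(named("Authenticated")); // role added by the caller, not the module
        return subject;
    }
    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties(); // constructed configuration, hypothetical key names
        cfg.setProperty("demo.loginModule", DemoModule.class.getName());
        cfg.setProperty("demo.loginModule.password", "s3cret");
        login(cfg, "alice", "s3cret".toCharArray()).getPrincipals().forEach(p -> System.out.println(p.getName()));
    }
}
```

A wrong password makes `login` call `abort()` on the module and rethrow the `FailedLoginException`, so no principals are left on a half-built `Subject`.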