From: Bert van Hoesel
To: "user@manifoldcf.apache.org"
Date: Mon, 18 Feb 2013 16:47:42 +0100
Subject: Re: next step in implementing manifold: user authentication

Hi Karl,

Thanks. That was the missing link I was looking for. So far I did not come across that variable name. The way I checked it works was the 'negation' way (not sure if the term is used correctly). I did not know what was needed so I presumed that if it is not set it will not authorize. And that seemed to work ;-).

Thanks again. Up to the next step.

Regards,

Bert.

On 02/18/2013 04:01 PM, Karl Wright wrote:
Do you mean, what URL argument does the Apache Solr 4.x Plugin expect
to see the authenticated user ID?  I would have thought you'd already
need that to confirm that everything works.  But in case you didn't
find it anywhere, it's "AuthenticatedUserName".

Karl

On Mon, Feb 18, 2013 at 9:51 AM, Bert van Hoesel <bhoesel@scamander.com> wrote:
Hi Karl,

The construct this way is clear. I hoped it would be more 'transparent' to
the underlying processes.

The next question that arises is: what is the (environment) variable name
that ManifoldCF is expecting the authenticated username in? This is for me
the 'missing' link in the setup. I have no clue what (as an example) to
'append' to the url to convey the username to ManifoldCF. Or is this
configurable? If so, where can I find it? So far it has escaped my
attention.

Regards,

Bert.

On 02/18/2013 03:33 PM, Karl Wright wrote:

Hi Bert,

Typically the authenticated user name would get passed from
mod-auth-kerb to Tomcat (or whatever the app server is you are running
solr under) as an argument, maybe appended to the url.  It's going to
be up to you to figure out how to do that.  Others may have more
concrete suggestions.

Karl

On Mon, Feb 18, 2013 at 9:28 AM, Bert van Hoesel <bhoesel@scamander.com> wrote:

Hi Karl,

To be more precise. We are trying to get a 'slightly' customized Blacklight
frontend to connect to solr via ManifoldCF with authorization (obvious).
Blacklight is running from within Apache. So that would be a pre for
mod-auth-kerb. But ManifoldCF is running from within a Tomcat instance. In
this construct it is still not clear to me how and if this is going to work.
Technically, I am still missing the link between the login on Apache and the
authentication / user 'handover' to the Tomcat environment for Manifold.

So if anyone can pitch in to describe their solution. It would be much
appreciated.

Regards,

Bert.


On 02/18/2013 03:09 PM, Karl Wright wrote:

Hi Bert,

Others, I hope, will chime in on this thread and let you know what
precise solutions they have adopted.  But, in general, the solution
you use will depend on the environment you intend to run in.  As you
point out, JAAS authentication is an option, should you be able to
find an appropriate JAAS plugin that does what you want.  If you want
to do things via the Apache web server, I'd look at mod-auth-kerb
rather than mod-authz.  Others, no doubt, have less generic
suggestions.

Karl

On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bhoesel@scamander.com> wrote:

Hi,

At the moment for the most part it is clear how to install, configure and
populate ManifoldCF and solr with authorized data. Using the added
ManifoldCF 'search' url I can see I do not have access to any 'authorized'
documents. Indeed I only see the non authorized documents.

Thus the next step would be an authentication mechanism on top of this. I
have been looking 'around' but was not able to find enough pointers on how
to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache
mod_authz. But maybe other solutions exist. Most preferable options are
those with minimal (java) programming.

Biggest issue at the moment is that I can not figure out how authentication
data is propagated into ManifoldCF.

Can anybody point me to some howtos or documentation of some kind on how
to accomplish this authentication on top of ManifoldCF?

Thanks in advance.

Regards,

Bert.
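
Added example, not part of the original thread and not ManifoldCF or Blacklight code: one way a Ruby front end could set the "AuthenticatedUserName" argument named above from the identity the web server authenticated, discarding any copy of that argument sent by the browser. The Solr URL, the function name and the sample values are assumptions.

```ruby
require "uri"

# Name of the URL argument the thread says the Solr 4.x plugin reads.
AUTH_PARAM = "AuthenticatedUserName"

# Hypothetical Solr select endpoint (assumption); adjust to your deployment.
SOLR_SELECT = "http://localhost:8983/solr/collection1/select"

# Build the Solr request URL for one front-end search.
# client_params: query parameters received from the browser (untrusted).
# remote_user:   identity set by the web server's auth module, e.g. the
#                REMOTE_USER value from mod_auth_kerb, or nil if anonymous.
def solr_search_url(client_params, remote_user, base: SOLR_SELECT)
  # Drop any copy of the identity argument that came from the browser.
  # The comparison ignores case as a defence-in-depth measure.
  params = client_params.reject { |k, _| k.to_s.casecmp?(AUTH_PARAM) }
  params = params.map { |k, v| [k.to_s, v.to_s] }

  raw = remote_user.to_s
  # Control characters in an identity indicate a malformed or tampered value.
  raise ArgumentError, "invalid user name" if raw.match?(/[[:cntrl:]]/)

  # Only the server-side identity is ever sent. For an anonymous request
  # the argument is omitted, the case Bert reports as not authorizing.
  user = raw.strip
  params << [AUTH_PARAM, user] unless user.empty?

  "#{base}?#{URI.encode_www_form(params)}"
end
```

The Solr endpoint itself should only be reachable from the front end, since anything that can call it directly can set the argument to any name.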



