portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dlest...@apache.org
Subject svn commit: r291290 [2/2] - in /portals/jetspeed-2/trunk: components/security/ components/security/src/java/org/apache/jetspeed/security/ components/security/src/java/org/apache/jetspeed/security/impl/ components/security/src/java/org/apache/jetspeed/s...
Date Sat, 24 Sep 2005 12:29:43 GMT
Added: portals/jetspeed-2/trunk/components/security/xdocs/config.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/config.xml?rev=291290&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/config.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/config.xml Sat Sep 24 05:29:23 2005
@@ -0,0 +1,450 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security Services Configuration</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+            <person name="Ate Douma" email="ate@douma.nu" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Default configuration">
+            <p>
+                Jetspeed 2 default security services configuration leverages a relational
database as its default persitent datastore for security information.
+                Jetspeed 2 security service provider interface provides a mechanism to replace
the default datastore configured.
+            </p>
+            <p>
+                3 files are involved when configuring Jetspeed 2 security SPI. All the SPI
configuration files are located under
+                <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i>
+                .
+            </p>
+            <subsection name="security-atn.xml">
+                <p>
+                    This configuration file provides the login module configuration. Not
everyone needs this, as some application may decide to use another
+                    login module other than the one provided.
+                </p>
+            </subsection>
+            <subsection name="security-atz.xml">
+                <p>
+                    This configuration file configures the authorization policy, in J2's
case
+                    <a href="atz-jass.html">RdbmsPolicy</a>
+                    .
+                </p>
+            </subsection>
+            <subsection name="security-managers.xml">
+                <p>This configuration file configures all the managers for security
purpose.</p>
+            </subsection>
+            <subsection name="security-providers.xml">
+                <p>This configuration file configures the various providers and weaves
the SPI together.</p>
+                <ul>
+                    <li>
+                        <code>AuthenticationProviderProxy</code>
+                        : Configures the list of
+                        <code>AuthenticationProvider</code>
+                        and the default authenticator.
+                        <source>
+                            <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProviderProxy" 
+   class="org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl">  	   
+   <constructor-arg >
+      <list>
+         <ref bean="org.apache.jetspeed.security.AuthenticationProvider"/>
+      </list>
+   </constructor-arg>
+  <constructor-arg><value>DefaultAuthenticator</value></constructor-arg>
+</bean>]]>
+                        </source>
+                    </li>
+                    <li>
+                        <code>AuthenticationProvider</code>
+                        : Configures the authentication providers for the current portal
implementation. The example below configures the default authenticator
+                        that uses the RDBMS to manage/store user information.
+                        <source>
+                            <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthenticationProvider" 
+  	   class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl">  	   
+   <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
+   <constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
+   <constructor-arg index="2"><value>login.conf</value></constructor-arg>
+   <constructor-arg index="3">
+      <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
+   </constructor-arg>
+   <constructor-arg index="4">
+      <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>
+   </constructor-arg>
+</bean>]]>
+                        </source>
+                    </li>
+                    <li>
+                        <code>AuthorizationProvider</code>
+                        : Configures the policies and instantiates the
+                        <code>SecurityPolicies</code>
+                        that are used for enforcing permissions.  By default, Jetspeed 2
does not load any other 
+                        security policies that may have been configured.  In order to use
default policies, set
+                        <code>useDefaultPolicy</code> to <code>true</code>
+                        <source>
+                            <![CDATA[
+<bean id="org.apache.jetspeed.security.AuthorizationProvider" 
+  	  class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl">  	   
+    <constructor-arg index="0">
+        <ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/>
+    </constructor-arg>
+    <!-- Does not use the default policy as a default behavior -->
+    <constructor-arg index="1"><value>false</value></constructor-arg>
  
+</bean>]]>
+                        </source>
+                    </li>
+                </ul>
+            </subsection>
+            <subsection name="security-spi.xml">
+                <p>This configuration file contains configuration that are common to
the authentication and authorization SPIs.</p>
+                <table>
+                    <tr>
+                        <th>Bean</th>
+                        <th>Description</th>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.SecurityAccess</td>
+                        <td>
+                            Used internally by the default OJB based SPI. Provide access
to common action/methods for the various SPI implementations. The
+                            <i>SecurityAccess</i>
+                            bean is used by both the Authentication and Authorization SPIs.
+                        </td>
+                    </tr>
+                </table>
+            </subsection>
+            <subsection name="security-spi-atn.xml">
+                <p>This configuration file contains all the configurations for configuring
the authentication SPI.</p>
+                <table>
+                    <tr>
+                        <th>Bean</th>
+                        <th>Description</th>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.CredentialHandler</td>
+                        <td>
+                            The
+                            <i>CredentialHandler</i>
+                            encapsulates the operations involving manipulation of credentials.
The default implementation provides support for password
+                            protection as defined by the
+                            <i>PasswordCredentialProvider</i>
+                            ; as well as lifecycle management of credentials through
+                            <i>InternalPasswordCredentialInterceptor</i>
+                            which can be configured to manages parameters such as maximum
number of authentication
+                            failures, maximum life span of a credential in days and how much
history to retain for a
+                            given credential.
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.UserSecurityHandler</td>
+                        <td>
+                            The
+                            <i>UserSecurityHandler</i>
+                            encapuslated all the operations around the user principals.
+                        </td>
+                    </tr>
+                </table>
+                <p>
+                    The following simple <code>CredentialHandler</code> configuration
is currently provided
+                    by default with Jetspeed:</p>
+                    <source><![CDATA[
+<!-- require a non-empty password -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator" 
+     class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/>
+
+<!-- MessageDigest encode passwords using SHA-1 -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder" 
+     class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">
+     <constructor-arg index="0"><value>SHA-1</value></constructor-arg>
      
+</bean>       
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler
--> 
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+     class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+     <constructor-arg index="0">
+       <list>
+         <!-- enforce an invalid preset password value in the persisent store is required
to be changed -->
+         <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+         <!-- ensure preset cleartext passwords in the persistent store  will be encoded
on first use -->
+         <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+       </list>
+     </constructor-arg>
+</bean>
+
+<bean id="org.apache.jetspeed.security.spi.PasswordCredentialProvider" 
+     class="org.apache.jetspeed.security.spi.impl.DefaultPasswordCredentialProvider">
+     <constructor-arg index="0">
+       <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/>
+     </constructor-arg>       
+     <constructor-arg index="1">
+       <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/>
+     </constructor-arg>       
+</bean>       
+
+<bean id="org.apache.jetspeed.security.spi.CredentialHandler" 
+     class="org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler">       
+     <constructor-arg index="0">
+       <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+     </constructor-arg>       
+     <constructor-arg index="1">
+       <ref bean="org.apache.jetspeed.security.spi.PasswordCredentialProvider"/>
+     </constructor-arg>       
+     <constructor-arg index="2">
+       <ref bean="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"/>
+     </constructor-arg>
+</bean>]]>
+                  </source>
+                <p>
+                The above configuration requires not much more than that a password should
not be
+                empty and MessageDigest encode it using SHA-1.</p>
+                <p>
+                Before the 2.0-M4 release, Jetspeed came configured with a much stricter
configuration, but for
+                first time users of the Portal this was a bit overwelming and also quite
difficult to configure
+                differently.</p>
+                <p>
+                With the 2.0-M4 release, the previously provided, and rather complex, 
+                <code>InternalPasswordCredentialInterceptor</code> implementations
are split up in single atomic
+                interceptors which can much easier be configured indepedently.</p>
+                <p>
+                An overview of the new interceptors and how related request processing pipeline
valves can be
+                configured to provide feedback to the user is provided in the <a href="credentials.html">
+                Credentials Management</a> document.</p>
+                <p>
+                Since the "old" (pre 2.0-M4) interceptors are no longer provided with Jetspeed,
the example below
+                shows how to "restore" the old setup using the new interceptors:</p>
+                  <source><![CDATA[
+<!-- require a password of minimum length 6 and at least two numeric characters -->
+<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator" 
+     class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">
+     <constructor-arg index="0"><value>6</value></constructor-arg>
      
+     <constructor-arg index="1"><value>2</value></constructor-arg>
      
+</bean>
+
+<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler
--> 
+<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"
+     class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">
+     <constructor-arg index="0">
+       <list>
+         <!-- enforce an invalid preset password value in the persisent store is required
to be changed -->
+         <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>
+
+         <!-- ensure preset cleartext passwords in the persistent store  will be encoded
on first use -->
+         <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>
+
+         <!-- remember the last 3 passwords used and require a new password to be different
from those -->
+         <bean class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">
+           <constructor-arg index="0"><value>3</value></constructor-arg>
      
+         </bean>
+
+         <!-- Automatically expire a password after 60 days -->
+         <bean class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">
+           <constructor-arg index="0"><value>60</value></constructor-arg>
      
+         </bean>
+
+         <!-- Automatically disable a password after 3 invalid authentication attempts
in a row --> 
+         <bean class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">
+           <constructor-arg index="0"><value>3</value></constructor-arg>
      
+         </bean>
+       </list>
+     </constructor-arg>
+</bean>]]>
+                  </source>
+                <p>
+                And, make sure something like the following configuration is set for the
security related valves in
+                pipelines.xml:</p>
+                  <source><![CDATA[
+<bean id="passwordCredentialValve"
+      class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"
+      init-method="initialize">
+ <constructor-arg>
+   <!-- expirationWarningDays -->
+   <list>
+     <value>2</value>
+     <value>3</value>
+     <value>7</value>
+   </list>
+ </constructor-arg>
+</bean> 
+
+<bean id="loginValidationValve"
+      class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"
+      init-method="initialize">
+  <!-- maxNumberOfAuthenticationFailures
+       This value should be in sync with the value for
+       org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor
+       (if used) to make sense.
+       Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT
+       error code when only one last attempt is possible before the credential
+       will be disabled after the next authentication failure.
+  -->
+  <constructor-arg index="0"><value>3</value></constructor-arg> 

+</bean>]]>
+                  </source>
+                <p>
+                Also, make sure the above valves are configured in the <code>jetspeed-pipeline</code>
bean.</p>
+                <p>
+                See the <a href="credentials.html#User_interaction">User Interaction</a>
section in the
+                Credentials Management document for a description of these valves and their
relation to the
+                interceptors configuration.</p>
+            </subsection>
+            <subsection name="security-spi-atz.xml">
+                <p>This configuration file contains all the configurations for configuring
the authorization SPI.</p>
+                <table>
+                    <tr>
+                        <th>Bean</th>
+                        <th>Description</th>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.RoleSecurityHandler</td>
+                        <td>
+                            The
+                            <i>RoleSecurityHandler</i>
+                            encapsulates all the operations around the role principals.
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.GroupSecurityHandler</td>
+                        <td>
+                            The
+                            <i>GroupSecurityHandler</i>
+                            encapsulates all the operations around the group principals.
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.security.spi.SecurityMappingHandler</td>
+                        <td>
+                            The
+                            <i>SecurityMappingHandler</i>
+                            encapsulates all the operations involving mapping between principals.
It contains the logic managing hierarchy resolution for
+                            hierarchical principals (roles or groups). The default hierarchy
resolution provided is a hierarchy by generalization (see overview
+                            for definitions). A
+                            <i>contructor-arg</i>
+                            can be added to the
+                            <i>SecurityMappingHandler</i>
+                            to change the hierarchy resolution strategy. Jetspeed 2 also
support a hierarchy resolution by aggregation.
+                        </td>
+                    </tr>
+                </table>
+                <p>
+                    A sample
+                    <code>SecurityMappingHandler</code>
+                    configuration could be:
+                    <source><![CDATA[
+<!-- Security SPI: SecurityMappingHandler -->
+<bean id="org.apache.jetspeed.security.spi.SecurityMappingHandler" 
+      class="org.apache.jetspeed.security.spi.impl.DefaultSecurityMappingHandler">  	
  
+   <constructor-arg >
+      <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>
+   </constructor-arg>
+   <!-- Default role hierarchy strategy is by generalization.  
+        Add contructor-arg to change the strategy. -->
+   <!-- Default group hierarchy strategy is by generalization.  
+        Add contructor-arg to change the strategy. -->
+</bean>]]>
+                    </source>
+                </p>
+            </subsection>
+        </section>
+        <section name="LDAP Configuration">
+            <p>
+                Jetspeed 2 provides LDAP support for authentication. Configuring LDAP authentication
can be done by replacing the configuration files located
+                under
+                <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i>
+                by the files located under as indicated
+                <i>${jetspeed-source-home}/components/security/etc/</i>
+                . below.
+            </p>
+            <p>
+                Jetspeed 2
+                <b>does not currently provide an embedded LDAP directory</b>
+                . A external LDAP directory must be configured in order to leverage this
functionality.
+            </p>
+            <p>
+                <i>security-spi-atn.xml</i>
+                should be replaced by
+                <i>security-spi-ldap-atn.xml</i>
+                and
+                <i>security-spi-ldap.xml</i>
+                should be copied to the assembly directory as well.
+            </p>
+            <p>
+                The
+                <i>security-spi-ldap-atn.xml</i>
+                preforms the same functions as the
+                <i>security-spi-atn.xml</i>
+                described above. It replaces the default implementation for
+                <i>CredentialHandler</i>
+                and
+                <i>UserSecurityHandler</i>
+                with an LDAP specific implementation.
+            </p>
+            <p>
+                Additionally,
+                <i>ldap.properties</i>
+                located under
+                <i>${jetspeed-source-home}/components/security/etc/</i>
+                should be copied under
+                <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/conf/</i>
+                .
+            </p>
+            <subsection name="ldap.properties">
+                <table>
+                    <tr>
+                        <th>Property</th>
+                        <th>Value</th>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.ldap.ldapServerName</td>
+                        <td>
+                            The LDAP server name to connect to. E.g.
+                            <i>localhost</i>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.ldap.rootDn</td>
+                        <td>
+                            The root domain name. E.g.
+                            <i>cn=Manager,dc=proto,dc=dataline,dc=com</i>
+                            . In properties files the "=" in the value should be escaped,
i.e.
+                            <i>cn\=Manager,dc\=proto,dc\=dataline,dc\=com</i>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.ldap.rootPassword</td>
+                        <td>The root password.</td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.ldap.rootContext</td>
+                        <td>
+                            The root context. E.g.
+                            <i>dc=proto,dc=dataline,dc=com</i>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>org.apache.jetspeed.ldap.defaultDnSuffix</td>
+                        <td>
+                            The default suffix. E.g.
+                            <i>ou=Norfolk,o=Dataline</i>
+                        </td>
+                    </tr>
+                </table>
+            </subsection>
+        </section>
+    </body>
+</document>
\ No newline at end of file

Modified: portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
Binary files - no diff available.

Modified: portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
Binary files - no diff available.

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml Sat Sep 24
05:29:23 2005
@@ -55,7 +55,9 @@
   <bean id="org.apache.jetspeed.security.AuthorizationProvider" 
   	   class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
   >  	   
-  	   <constructor-arg ><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
  
+  	   <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
+  	   <!-- Does not use the default policy as a default behavior -->
+  	   <constructor-arg index="1"><value>false</value></constructor-arg>
  
   </bean>
 
 </beans>

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml?rev=291290&r1=291289&r2=291290&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml Sat Sep 24 05:29:23
2005
@@ -21,8 +21,8 @@
   <bean id="org.apache.jetspeed.userinfo.UserInfoManager" 
   	   class="org.apache.jetspeed.userinfo.impl.UserInfoManagerImpl"
   >
-     <constructor-arg ><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
 	     	   
-     <constructor-arg ><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg>
+     <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
 	     	   
+     <constructor-arg index="1"><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg>
   </bean>
 
 



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message