portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From woon...@apache.org
Subject svn commit: r722405 [5/17] - in /portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade: ./ src/ src/site/ src/site/resources/ src/site/resources/css/ src/site/resources/images/ src/site/resources/images/layouts/ src/site/resources/images/portlet...
Date Tue, 02 Dec 2008 08:53:28 GMT
Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/ldap.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/ldap.xml?rev=722405&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/ldap.xml (added)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/ldap.xml Tue Dec  2 00:53:22 2008
@@ -0,0 +1,1539 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+  
+  http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<document>
+  <properties>
+    <title>Jetspeed 2 Security Services LDAP Configuration</title>
+    <authors>
+        <person name="Davy de Waele" />
+        <person name="David Le Strat" email="dlestrat@apache.org" />
+        <person name="Ate Douma" email="ate@douma.nu" />
+    </authors>
+  </properties>
+  <body>
+      <section name="Getting Started with LDAP and Jetspeed">
+      <p>
+      Jetspeed supports several LDAP servers:
+      </p>
+      <ul>
+      <li><a href='http://directory.apache.org/'>Apache DS</a></li>
+      <li><a href='http://www.openldap.org/'>Open LDAP</a></li>
+      <li><a href='http://www-306.ibm.com/software/lotus/'>Domino</a></li>
+      <li><a href='http://www.sun.com/software/products/directory_srvr_ee/dir_srvr/index.xml'>Sun DS</a></li>
+      </ul>
+      <p>This getting started section only covers getting started with Apache DS</p>
+      <subsection name='Apache DS 1.0.2'>
+	  <p>The first step to getting started with Apache DS is to download and install it. Once it is up and running, you will need to add the Jetspeed LDAP schema
+	  to the Apache DS server configuration. The general instructions for adding a custom schema are documented here for version ApacheDS 1.0.2. 
+	  However, as of 2.1.3, the pre Jetspeed build only works with version 0.9.3. As of Jetspeed 2.1.3, we recommend using the guidelines 
+	  described here for version 1.0.2 instead of the Jetspeed build, as we will be deprecated all 0.9.3 support with version 2.2 of Jetspeed.
+	  </p>
+	  <p><a href='http://directory.apache.org/apacheds/1.0/custom-schema.html'>http://directory.apache.org/apacheds/1.0/custom-schema.html</a></p>
+	  <p>
+	  Apache DS 1.0 does not support dynamic schema updates via the LDAP protocol. 
+	  This feature will be added in the future however you can still change the schema used by Apache DS. It just requires a restart.
+	  To include addtional schemas in Apache DS, simply add the schema definitions to the Apache DS server.xml configuration file found under the <i>/conf</i> directory in the Apache DS distribution. 
+	  Find the property configuration named "bootstrapSchemas".   
+	  Since we are interested specifically in adding the Jetspeed schema, we want to add a bean definition appropriate to Jetspeed.  This looks like:	  
+	  </p>
+<source><![CDATA[
+<property name="bootstrapSchemas">
+      <set>
+        <bean class="org.apache.directory.server.core.schema.bootstrap.AutofsSchema"/>
+        <bean class="org.apache.directory.server.core.schema.bootstrap.CorbaSchema"/>
+	...
+    <bean class="org.apache.jetspeed.security.ldap.JetspeedSchema"/>		
+      </set>
+</property>
+]]></source>
+    <p>For version Apache LDAP 0.9.3 (which I have never tried), use the same:</p>
+<source><![CDATA[	
+	<bean class="org.apache.jetspeed.security.ldap.JetspeedSchema"/>
+]]></source>    
+<p>
+We simply added the Jetspeed schema definition at the end of the list of bean definitions. 
+The bean references a class named <i>org.apache.jetspeed.security.ldap.JetspeedSchema</i>. This class is included in a JAR file that Jetspeed provides for you, see below.
+</p>
+<p>Next, we need to create a new domain for the jetspeed schema named <b>sevenSeas</b>. The following steps will create the sevenSeas domain in Apache DS.
+<p>To add a partition with the suffix <b>"o=sevenSeas"</b> and the id <b>"sevenSeasPartitionConfiguration"</b>, editthe conf/server.xml file in Apache DS. 
+Open it in your favorite editor and look for the following element with name contextPartitionConfigurations. Add a second ref element for the sevenSeas partition:</p>
+</p>
+<source><![CDATA[
+<property name="contextPartitionConfigurations">
+  <set>
+    <ref bean="examplePartitionConfiguration"/>
+    <ref bean="sevenSeasPartitionConfiguration"/>
+  </set>
+</property>
+]]></source>
+<p>Next, create the actual partition for Seven Seas by pasting this code in after the examplePartitionConfiguration (you can also remove the example partition and ref if you like):</p>
+<source><![CDATA[
+<bean id="sevenSeasPartitionConfiguration" class="org.apache.directory.server.core.partition.impl.btree.MutableBTreePartitionConfiguration">    
+
+    <!-- the optimizer is enabled by default but may not always be what     -->
+    <!-- you want if your queries are really simple                         -->
+    <!--<property name="optimizerEnabled" value="true" />-->
+	
+	<property name="name" value="The seven seas" />
+	<property name="cacheSize" value="100" />
+	<property name="suffix" value="o=sevenSeas" />
+	<property name="optimizerEnabled" value="true" />
+	<property name="synchOnWrite" value="true" />
+
+
+    <!--
+      Synchronization on writes does not wait for synch operations
+      to flush dirty pages.  Writes persist immediately to disk at 
+      a cost to performance with increased data integrity.  Otherwise
+      the periodic synch operation will flush dirty pages using the
+      synchPeriodMillis parameter in the main configuration.
+    -->
+    
+    <property name="indexedAttributes">
+      <set>
+        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
+          <property name="attributeId" value="dc" />
+          <property name="cacheSize" value="100" />
+        </bean>
+        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
+          <property name="attributeId" value="ou" />
+          <property name="cacheSize" value="100" />
+        </bean>
+        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
+          <property name="attributeId" value="krb5PrincipalName" />
+          <property name="cacheSize" value="100" />
+        </bean>
+        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
+          <property name="attributeId" value="uid" />
+          <property name="cacheSize" value="100" />
+        </bean>
+        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
+          <property name="attributeId" value="objectClass" />
+          <property name="cacheSize" value="100" />
+        </bean>
+      </set>
+    </property>
+    <property name="contextEntry">
+      <value>
+        objectClass: top
+        objectClass: domain
+        objectClass: extensibleObject
+		o: sevenSeas
+      </value>
+    </property>
+  </bean>
+</bean>
+]]></source>
+<p>Note that the important areas that you may need to change if you need to customize your partition are the name of the partition:</p>
+<source><![CDATA[
+<bean id="sevenSeasPartitionConfiguration"
+]]></source>
+<p>The suffix:</p>
+<source><![CDATA[
+<property name="suffix" value="o=sevenSeas" />
+]]></source>
+<p>The last property remaining now is the context entry. 
+   The object classes top and extensibleObject are universal hence they remain. 
+   But the object class domain is replaced by the object class organization, because our partition should not represent a domain but an organization:</p>
+<source><![CDATA[
+<property name="contextEntry">
++  <value>
++      objectClass: top
++      objectClass: organization
++      objectClass: extensibleObject
++      o: sevenSeas
++  </value>
++</property>
+]]></source>
+<p>
+After saving the server.xml, you will need to download the jar file and drop it into the <i>/lib</i> directory in the Apache DS distribution. 
+The JAR contains the Java-implementation of the Jetspeed schema for LDAP.
+For ApacheDS version 1.0.2, download the Jetspeed LDAP schema JAR file from here:
+</p>
+<p><a href='http://people.apache.org/~taylor/LDAP/jetspeed-security-schema-2.1.3.jar'>Apache DS 1.0.2 - Jetspeed Schema Files</a></p>
+<p>
+For ApacheDS version 0.9.3, download the Jetspeed LDAP schema JAR file from here:
+</p>  
+<p><a href='http://people.apache.org/~taylor/LDAP/jetspeed-security-schema-2.1.3-0.9.3.jar'>Apache DS 0.9.3 - Jetspeed Schema Files</a></p>
+<p>After dropping in the jar file, restart the server. Apache DS should now be ready to support Jetspeed schemas.
+When the server starts up, make sure that there are no error messages printing out on the console related to this configuration</p>
+	  </subsection>
+	  <subsection name='Jetspeed Configuration'>
+	  <p>So, how do you tie Jetspeed into ApacheDS, There are two steps.</p>
+	  <p>First, you need to create an “spring-filter-key.properties”  and create  name value pair.</p>
+	  <p>spring.filter.key=portal.ldap</p> 
+	  <p>Second you need to modify the jetspeed.proptries files for your server configuration data.</p>
+	  </subsection>
+	  <subsection name='Configuring  jetspeed.properties'>  	  
+	  <p>
+			The jetspeed.proptries configuration file for  jetspeed portal. 
+			There are a total of 9 arguments. While not all of these arguments may not actually be used by you, they must all be specified, otherwise Jetspeed will fail to initialize.
+			Here is a base proptries file that you will need to modify to point to your LDAP server: 
+      </p>
+      <source><![CDATA[#-------------------------------------------------------------------------
+# LDAP
+#-------------------------------------------------------------------------
+#defaults for LDAP
+ldap.url = ldap://localhost:389
+ldap.base =o=sevenSeas
+ldap.userDn = cn=admin,o=sevenSeas
+ldap.password =secret
+ldap.context.factory=com.sun.jndi.ldap.LdapCtxFactory
+ldap.user.filter = (objectclass=person)
+ldap.search.scope = 2
+ldap.role.searchBase=ou=Roles,o=Jetspeed
+ldap.group.searchBase=ou=Groups,o=Jetspeed      
+      ]]></source>      
+      
+	  <p>Lets cover the most often used modifications. Further in the documentation on this page,
+	   we go into more detail of each parameter. You will probably need to make changes in the following locations in order to make it work with your setup.
+	    I've listed them according to the constructor argument it uses in the XML file. Possible changes marked with a (!)
+	    will require a corresponding change to the LDIF file (explained later), so do not change them unless you understand what you're doing in both files. 
+	  </p>
+		<table>
+		<tr><td>1. The hostname of your LDAP server. In our case, it was "localhost". If your LDAP server is on the same computer that Jetspeed is running on, you'll probably want to set it to "localhost".
+The default for most LDAP servers is port 389.
+		</td></tr>
+		<tr><td>2.(!) We set the organization name as "o=sevenSeas", as was done in the ApacheDS example. If you want to use a different organization name, you can change it to anything of the form "o=yourOrganizationName".
+		</td></tr>
+        <tr><td>3 (!) This is user name for the admin, using which jetspeed will login to Ldap server and
+         perform operations. So make sure that provided user has sufficient
+ permission for that. 
+        </td></tr>
+        <tr><td>4.(!) The password for connecting to ldap server.
+        </td></tr>
+		<tr><td>5.This context factory which will be used for creating ldap context. I will suggest not to 
+		change, as most of ldap implementation works with this. No need to change this.
+		</td></tr>
+		<tr><td>6.(!) In this you should provide the object classes, which are used in creating users in your ldap implementation 
+		</td></tr>
+	    <tr><td>7. This specify search scope in LDAP tree. Default value is 2. We suggest you, not to change this.
+	    </td></tr>
+	    <tr><td>8.(!) In this you can provide search base for your roles. In lot of implementation, people separate tree for roles and group. Change it according to you organization schema
+	    </td></tr>
+	    <tr><td>9.(!) Same as above, here you can provide the search base for your groups, Change it according to you organization schema
+	    </td></tr>
+		</table>
+       </subsection>
+       <subsection name='LDIF Import'>       
+       <p>
+	  LDAP Data Interchange Format (LDIF) is a standard data interchange format for representing LDAP directory content as well as directory update
+	   (Add, Modify, Delete, Rename) requests. The following text is the contents of the LDIF file for getting you started with a Jetspeed LDAP base configuration.
+	   The entries in the LDIF sample include definitions for creating the basic Jetspeed admin user and required roles to get a mimimal portal up and running.
+	  For your convenience, you can download this LDIF file from here:
+		</p>
+	  <p><a href='http://people.apache.org/~taylor/LDAP/jetspeed-apacheds.ldif'>http://people.apache.org/~taylor/LDAP/jetspeed-apacheds.ldif</a></p>
+	  <p> With Apache DS, we could not create the root domain with an LDIF import. Instead we had to create a partition as described above.
+	   Also take a look at the <a href='http://people.apache.org/~taylor/LDAP/root.ldif'>root.ldif</a> file, as it contains the root definitions for the sevenSeas organization that you may need on different LDAP server.
+	   </p>
+	  <p>
+	  We recommend using <a href='http://directory.apache.org/studio/'>LDAP Studio</a> to import the Jetspeed LDIF file into the Apache DS server via File->Import
+	  </p>		
+<source><![CDATA[			
+dn: ou=rootOrg,o=sevenSeas
+objectClass: organizationalUnit
+objectClass: top
+ou: rootOrg
+
+dn: ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalUnit
+objectClass: top
+ou: People
+
+dn: ou=Groups,ou=rootOrg,o=sevenSeas
+objectClass: organizationalUnit
+objectClass: top
+ou: Groups
+
+dn: ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: organizationalUnit
+objectClass: top
+ou: Roles
+
+dn: cn=accounting,ou=Groups,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-group
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: accounting
+j2-classname: accounting
+uid: accounting
+uniquemember: user,local,sublocal
+
+dn: cn=engineering,ou=Groups,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-group
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: engineering
+j2-classname: engineering
+uid: engineering
+uniquemember: user
+
+dn: cn=marketing,ou=Groups,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-group
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: marketing
+j2-classname: marketing
+uid: marketing
+uniquemember: user
+
+dn: cn=admin,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: admin
+j2-classname: admin
+uid: admin
+uniquemember: admin
+
+dn: cn=manager,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: manager
+j2-classname: manager
+uid: manager
+uniquemember: admin,jetspeed,manager
+
+dn: cn=user,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: user
+j2-classname: user
+uid: user
+uniquemember: user,admin,manager,local
+
+dn: cn=guest,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: guest
+j2-classname: guest
+uid: guest
+uniquemember: guest
+
+dn: cn=subsite,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: subsite
+j2-classname: subsite
+uid: subsite
+uniquemember: subsite
+
+dn: cn=subsite2,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: subsite2
+j2-classname: subsite2
+uid: subsite2
+uniquemember: subsite
+
+dn: cn=dev,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: dev
+j2-classname: dev
+uid: dev
+uniquemember: dev
+
+dn: cn=devmgr,ou=Roles,ou=rootOrg,o=sevenSeas
+objectClass: jetspeed-2-role
+objectClass: groupOfUniqueNames
+objectClass: top
+cn: devmgr
+j2-classname: devmgr
+uid: devmgr
+uniquemember: devmgr
+
+dn: cn=admin,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: admin
+givenname: Admin
+j2-role: admin
+j2-role: manager
+j2-role: user
+sn: admin
+uid: admin
+userpassword:: c2VjcmV0
+
+dn: cn=manager,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: manager
+givenname: Manager
+j2-role: manager
+j2-role: user
+sn: manager
+uid: manager
+userpassword:: c2VjcmV0
+
+dn: cn=user,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: user
+givenname: User
+j2-role: user
+sn: user
+uid: user
+userpassword:: c2VjcmV0
+
+dn: cn=local,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: local
+givenname: Local
+j2-role: user
+sn: local
+uid: local
+userpassword:: c2VjcmV0
+
+dn: cn=sublocal,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: sublocal
+givenname: sublocal
+j2-role: user
+sn: sublocal
+uid: sublocal
+userpassword:: c2VjcmV0
+
+dn: cn=tomcat,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: tomcat
+givenname: tomcat
+sn: tomcat
+uid: tomcat
+userpassword:: c2VjcmV0
+
+dn: cn=jetspeed,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: jetspeed
+givenname: jetspeed
+j2-role: manager
+sn: jetspeed
+uid: jetspeed
+userpassword:: c2VjcmV0
+
+dn: cn=guest,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: guest
+givenname: guest
+sn: guest
+uid: guest
+userpassword:: c2VjcmV0
+
+dn: cn=subsite,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: subsite
+givenname: subsite
+j2-role: subsite
+j2-role: subsite2
+j2-role: user
+sn: subsite
+uid: subsite
+userpassword:: c2VjcmV0
+
+dn: cn=subsite2,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: subsite2
+givenname: subsite2
+j2-role: subsite
+j2-role: subsite2
+j2-role: user
+sn: subsite2
+uid: subsite2
+userpassword:: c2VjcmV0
+
+dn: cn=devmgr,ou=People,ou=rootOrg,o=sevenSeas
+objectClass: organizationalPerson
+objectClass: person
+objectClass: jetspeed-2-user
+objectClass: inetOrgPerson
+objectClass: top
+cn: devmgr
+givenname: devmgr
+j2-role: devmgr
+j2-role: dev
+j2-role: user
+sn: devmgr
+uid: devmgr
+userpassword:: c2VjcmV0
+]]></source>	
+<p>
+So what exactly does it produce, from a Jetspeed perspective?
+</p>
+<table>
+<tr><td>* All the same roles, users, and groups that come with Jetspeed out of the box on a relational database, required for normal operation of Jetspeed.</td></tr>
+<tr><td>* Three groups (accounting, engineering, marketing) are created.  They are not strictly required for normal operation of Jetspeed, but they show how groups are declared.</td></tr>
+<tr><td>* Eight roles (guest, admin, devmgr, jetspeed, local, manager, sublocal, subsite, subsite2, tomcat, user) are created, the same set of roles found in the demo distribution of Jetspeed 2.1.3</td></tr>
+<tr><td>* The administrative user has the name <b>admin</b>.
+ This user has both the "admin" and "manager" roles, so it has full access to all administrative portlets.</td></tr>
+<tr><td>* All users are created with the password <b>secret</b>.</td></tr>
+</table>
+<p><b>WARNING:</b> If you modified any of the arguments from security-spi-ldap.xml that had a (!) next to their explanations, the above LDIF file will not work.  
+It will import into your LDAP server just fine, but Jetspeed will be unable to use it. 
+ Here's a list of the changes you'll need to make to the LDIF file, according to which argument you modified 
+ (if you didn't change it in the XML file, you do not need to change it in the LDIF file):
+</p>
+<table>
+<tr><td>3. If you changed your organization name (the default was "o=sevenSeas"), you need to change it every single time it appears in the LDIF file. 
+ A simple "find/replace" (which is supported by nearly every modern text editor) should do just fine, but if any references to 
+ "o=sevenSeas" are left over (i.e. if you miss one or two), then the LDAP server will reject the LDIF file as malformed.
+</td></tr>
+<tr><td>15. Same as #3.</td></tr>
+<tr><td>16. If you changed your organization unit (the default was "ou=rootOrg"), you need to change it every single time it appears in the LDIF file.
+  You can use the same "find/replace" trick as with #3.  As with #3, a mistake here will result in a malformed LDIF file.</td></tr>
+<tr><td>17. Same as #16.</td></tr>
+<tr><td>18. Same as #16.</td></tr>
+</table>
+	  </subsection>
+	  </section>	  
+      <section name="LDAP Configuration Reference">
+      <p>
+        This section is a reference with examples for the configuration of the LDAP security module in Jetspeed. Out of the box,
+        Jetspeed searches for user, group &amp; role information in a relational database. However, it can also search
+        this information in an LDAP directory.
+      </p>
+      <p>
+        Jetspeed stores its LDAP configuration in a Spring XML file called
+           <a href="http://svn.apache.org/viewcvs.cgi/portals/jetspeed-2/trunk/components/security/etc/security-spi-ldap.xml?content-type=text/plain&amp;view=co">
+                  security-spi-ldap.xml
+           </a>
+      </p>
+      <p> 
+        This XML file describes an object (used internally by Jetspeed) that contains LDAP configuration parameters.
+        These configuration parameters are passed onto the object through constructor arguments:
+      </p>
+      <p>
+        <source><![CDATA[
+<!-- The LDAP initial context factory. -->
+<constructor-arg index="0">
+  <value>com.sun.jndi.ldap.LdapCtxFactory</value>
+</constructor-arg>]]></source>
+      </p>
+      <p>
+        Each constructor argument contains an index to specify the correct order. The file defines the following arguments:
+        <table>
+          <tr>
+            <th>Index</th><th>Name</th><th>Example</th>
+          </tr>
+          <tr>
+            <td>0</td><td>Initial context factory</td><td>com.sun.jndi.ldap.LdapCtxFactory</td>
+          </tr>
+          <tr>
+            <td>1</td><td>LDAP server host</td><td>localhost</td>
+          </tr>
+          <tr>
+            <td>2</td><td>LDAP server port</td><td>389</td>
+          </tr>
+          <tr>
+            <td>3</td><td>Root context</td><td>o=sevenSeas</td>
+          </tr>
+          <tr>
+            <td>4</td><td>The LDAP server root dn</td><td>uid=admin,o=sevenSeas</td>
+          </tr>
+          <tr>
+            <td>5</td><td>The LDAP server root password</td><td>secret</td>
+          </tr>
+          <tr>
+            <td>6</td><td>The roles filter</td><td>(objectclass=groupOfUniqueNames))</td>
+          </tr>
+          <tr>
+            <td>7</td><td>The groups filter</td><td>(objectClass=groupOfNames)</td>
+          </tr>
+          <tr>
+            <td>8</td><td>The user filter</td><td>(objectclass=inetorgperson)</td>
+          </tr>
+          <tr>
+            <td>9</td><td>roleMembershipAttributes</td><td>uniqueMember</td>
+          </tr>
+          <tr>
+            <td>10</td><td>userRoleMembershipAttributes</td><td></td>
+          </tr>
+          <tr>
+            <td>11</td><td>groupMembershipAttributes</td><td>member</td>
+          </tr>
+          <tr>
+            <td>12</td><td>userGroupMembershipAttributes</td><td></td>
+          </tr>
+          <tr>
+            <td>13</td><td>groupMembershipForRoleAttributes</td><td>uniqueMember</td>
+          </tr>
+          <tr>
+            <td>14</td><td>roleGroupMembershipForRoleAttributes</td><td></td>
+          </tr>
+          <tr>
+            <td>15</td><td>defaultSearchBase</td><td></td>
+          </tr>
+          <tr>
+            <td>16</td><td>roleFilterBase</td><td>ou=Roles,ou=rootOrg</td>
+          </tr>
+          <tr>
+            <td>17</td><td>groupFilterBase</td><td>ou=Groups,ou=rootOrg</td>
+          </tr>
+          <tr>
+            <td>18</td><td>userFilterBase</td><td>ou=People,ou=rootOrg</td>
+          </tr>
+          <tr>
+            <td>19</td><td>roleObjectClasses</td><td>top,groupOfUniqueNames</td>
+          </tr>
+          <tr>
+            <td>20</td><td>groupObjectClasses</td><td>top,groupOfNames</td>
+          </tr>
+          <tr>
+            <td>21</td><td>userObjectClasses</td><td>top,person,organizationalPerson,inetorgperson</td>
+          </tr>
+          <tr>
+            <td>22</td><td>roleIdAttribute</td><td>cn</td>
+          </tr>
+          <tr>
+            <td>23</td><td>groupIdAttribute</td><td>cn</td>
+          </tr>
+          <tr>
+            <td>24</td><td>userIdAttribute</td><td>uid</td>
+          </tr>
+          <tr>
+            <td>25</td><td>UidAttribute</td><td>uid</td>
+          </tr>
+          <tr>
+            <td>26</td><td>MemberShipSearchScope</td><td>1</td>
+          </tr>
+          <tr>
+            <td>27</td><td>roleUidAttribute</td><td>cn</td>
+          </tr>
+          <tr>
+            <td>28</td><td>groupUidAttribute</td><td>cn</td>
+          </tr>
+          <tr>
+            <td>29</td><td>userUidAttribute</td><td>uid</td>
+          </tr>
+          <tr>
+            <td>30</td><td>roleObjectRequiredAttributeClasses</td><td>uniqueMember</td>
+          </tr>
+          <tr>
+            <td>31</td><td>groupObjectRequiredAttributeClasses</td><td>member</td>
+          </tr>
+          <tr>
+            <td>32</td><td>userAttributes</td><td>sn={u},cn={u}</td>
+          </tr>
+          <tr>
+            <td>33</td><td>roleAttributes</td><td>sn={u}</td>
+          </tr>
+          <tr>
+            <td>34</td><td>groupAttributes</td><td>sn={u}</td>
+          </tr>
+          <tr>
+            <td>35</td><td>userPasswordAttribute</td><td>passWord</td>
+          </tr>
+          <tr>
+            <td>36</td><td>knownAttributes</td><td>cn,sn,o,uid,ou,objectClass,userPassword,member,uniqueMember,memberOf</td>
+          </tr>
+        </table>
+      </p>
+    </section>
+    <section name="Configuring Jetspeed 2 to Use LDAP">
+        <p>
+          Configuring jetspeed for LDAP usage is simply a matter of having the proper configuration files in place.
+          These configuration files are to be placed in the <code>WEB-INF/assembly</code> folder of the expanded jetspeed WAR.
+        </p>
+        <p>
+          The following files need to be copied into that directory if you want to connect Jetspeed2 to an LDAP server.
+          <ul>
+            <li>
+              <i>
+                <a
+                  href="http://svn.apache.org/viewcvs.cgi/portals/jetspeed-2/trunk/components/security/etc/security-spi-ldap.xml?content-type=text/plain&amp;view=co">
+                  security-spi-ldap.xml
+                </a>
+                :
+              </i>
+              Provides the configuration information for LDAP binding, explained in detail below.
+            </li>
+            <li>
+              <i>
+                <a
+                  href="http://svn.apache.org/viewcvs.cgi/portals/jetspeed-2/trunk/components/security/etc/security-spi-ldap-atn.xml?content-type=text/plain&amp;view=co">
+                  security-spi-ldap-atn.xml
+                </a>
+                :
+              </i>
+              Provides the SPI configuration for authentication. It replaces the default implementations of the
+              <i>CredentialHandler</i> and <i>UserSecurityHandler</i> with an LDAP specific implementation.
+            </li>
+            <li>
+              <i>
+                <a
+                  href="http://svn.apache.org/viewcvs.cgi/portals/jetspeed-2/trunk/components/security/etc/security-spi-ldap-atz.xml?content-type=text/plain&amp;view=co">
+                  security-spi-ldap-atz.xml
+                </a>
+                :
+              </i>
+              Provides the SPI configuration for authorization. It replaces the default implementations of the
+              <i>RoleSecurityHandler</i>, <i>GroupSecurityHandler</i> and <i>SecurityMappingHandler</i>
+              with an LDAP specific implementation.
+            </li>
+          </ul>
+        </p>
+        <p>
+          The default authentication and authorization SPI configurations (the files called <b><code>security-spi-atn.xml</code></b> and <b><code>security-spi-atz.xml</code></b>)
+          need to be removed from that assembly directory.
+        </p>
+        <p>
+          In the Jetspeed source tree the examples ldap configuration files can be found in:
+            <source><![CDATA[${jetspeed-source-home}/components/security/etc/]]></source>
+        </p>
+        <p>
+          If your application is deployed in Tomcat, the target assembly directory is located at:
+           <source><![CDATA[${tomcat-home}/webapps/jetspeed/WEB-INF/assembly/]]></source>
+        </p>
+        <p>
+          Furthermore, the source tree of the Jetspeed security component provides several tests using different configurations as well as ldiff sample data for testing the ApacheDS,
+          OpenLDAP, Domino and sunDS LDAP servers. These are located at:
+           <source><![CDATA[${jetspeed-source-home}/components/security/src/test/JETSPEED-INF/directory/config/]]></source>
+        </p>   
+        <p>
+          We’ll discuss the security-spi-ldap.xml file in detail below.
+        </p>
+        
+      <subsection name="LDAP Connection properties">
+        <p>One of the first Jetspeed needs to know is how it to connect to the directory store.</p>
+        <p>
+          This is done by providing the following properties:
+        </p>
+
+       <br/>
+        <p><b><code>initialContextFactory</code></b></p>
+        <p>
+           The initial context factory
+           <source><![CDATA[
+<constructor-arg index="0">
+  <value>com.sun.jndi.ldap.LdapCtxFactory</value>
+</constructor-arg>]]></source>
+        </p>
+
+       <br/>
+        <p><b><code>ldapServerName</code></b></p>
+        <p>
+          The name of the LDAP server
+          <source><![CDATA[
+<constructor-arg index="1">
+  <value>localhost</value>
+</constructor-arg>]]></source>
+        </p>
+
+       <br/>
+        <p><b><code>ldapServerPort</code></b></p>
+        <p>
+          The port of the LDAP server
+          <source><![CDATA[
+<constructor-arg index="2">
+  <value>389</value>
+</constructor-arg>]]></source>
+        </p>
+                
+       <br/>
+        <p><b><code>rootContext</code></b></p>
+        <p>
+          The root context of the LDAP server
+          <source><![CDATA[
+<constructor-arg index="3">
+  <value>o=sevenSeas</value>
+</constructor-arg>]]></source>
+        </p>
+                
+       <br/>
+        <p><b><code>rootDn</code></b></p>
+        <p>
+          The username
+          <source><![CDATA[
+<constructor-arg index="4">
+  <value>uid=admin,ou=system</value>
+</constructor-arg>]]></source>
+        </p>
+                
+       <br/>
+        <p><b><code>rootPassword</code></b></p>
+        <p>
+          The password
+          <source><![CDATA[
+<constructor-arg index="5">
+  <value>secret</value>
+</constructor-arg>]]></source>
+        </p>
+        
+        <p>Validate the connection using an LDAP browser:</p>
+        <p align="center"><img src="images/ldap/rootPassword.png" border="0"/></p>        
+        <br/>        
+      </subsection>
+      <subsection name="LDAP Object Filters">
+        <p>
+          A directory service can store any type of object anywhere. As Jetspeed needs to work with roles,
+          groups and users that are defined within the directory, it needs some help in finding them.</p>
+        <p>The following 3 properties define how Jetspeed will lookup Roles, Groups and Users from the directory store.</p>
+        <ul>
+          <li>RoleFilter</li>
+          <li>GroupFilter</li>
+          <li>UserFilter</li>
+        </ul>
+        <p>Property values must be valid objectClassses that are defined in the LDAP schema.</p>
+        <p>Most LDAP vendors usually expose their schema through an LDIF file that defines every attribute and objectclass available in the directory store.</p>
+        <p>A configuration based on Lotus Domino might look like this
+          <source><![CDATA[
+RoleFilter=(&(objectclass=groupOfUniqueNames)(!(objectClass=dominoGroup)))
+GroupFilter=(objectclass=dominoGroup)
+UserFilter=(objectclass=dominoPerson)]]></source>
+        </p>
+        <p>
+           Domino uses the <b>dominoGroup</b> objectClass to define a group, <b>dominoPerson</b> to define a user, and <b>groupOfUniqueNames</b> to define a role.
+           Since group also has the groupOfUniqueNames as an object class, we need to define a filter for the roles, so that it will only pick up roles.
+           If we had defined the RoleFilter as being (objectclass=groupOfUniqueNames), then the filter would have also picked up the groups.
+         </p>        
+         
+       <br/>
+        <p><b><code>RoleFilter</code></b></p>
+        <p>
+          This property tells Jetspeed that roles can be recognized by looking for an <b>objectClass</b> attribute with value <b>groupOfUniqueNames</b>.
+          <source><![CDATA[
+<constructor-arg index="6">
+  <value>=(objectclass=groupOfUniqueNames)</value>
+</constructor-arg>]]></source>
+        </p>
+        
+       <br/>
+        <p><b><code>GroupFilter</code></b></p>
+        <p>
+          This property tells Jetspeed that groups can be recognized by looking for an <b>objectClass</b> attribute with value <b>groupOfNames</b>.
+          <source><![CDATA[
+<constructor-arg index="7">
+  <value>=(objectclass=groupOfUniqueNames)</value>
+</constructor-arg>]]></source>
+        </p>
+        
+       <br/>
+        <p><b><code>UserFilter</code></b></p>
+        <p>
+          This property tells Jetspeed that users can be recognized by looking for an <b>objectClass</b> attribute with value <b>organizationalPerson</b>.
+          <source><![CDATA[
+<constructor-arg index="8">
+  <value>=(objectclass= organizationalPerson)</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          Alongside these filters, we can also define a filter base for each of those objects (roles, groups and users).
+        </p>
+        
+      </subsection>
+      
+      <subsection name="Group/Role membership">
+        <p>In LDAP there are basically 2 ways to define group &amp; role membership (the fact that a user belongs to a group or a role):</p>
+        <ul>
+          <li>The user object has an attribute that specifies the groups he is a member of. This is usually done through a memberOf attribute.
+                Microsoft Active Directory and Sun Directory Server use the memberOf and nsrole attribute on the user object.
+          </li>
+          <li>
+            The group/role object contains the group membership information via a multi-valued attribute.
+            No attributes are put on the user to specify membership.
+            Each group/role object has a member list that contains the users belonging to the group
+          </li>
+        </ul>
+        <p>Jetspeed supports both models.</p>
+        <p>The primary tasks concerning membership of an LDAP are</p>
+        <ul>
+          <li>Determining if a user is part of a particular group/role</li>
+          <li>Obtain a list of users belonging to a particular group/role</li>
+        </ul>
+        <p>The 2 models we just covered have an impact on how these tasks are performed</p>
+        <ul>
+          <li>Attributes on user object
+            <ul>
+               <li>Determining if a user is part of a particular group/role:
+                 <ul><li>lookup the membership attribute (ex: memberOf) on the user object for a particular group/role</li></ul>
+               </li>
+               <li>Obtain a list of users belonging to a particular group/role:
+                 <ul><li>iterate over the all users, and check their memberOf attribute values for the group</li></ul>
+               </li>
+             </ul>
+           </li>
+           <li>Attributes on group/role object
+             <ul>
+               <li>To determine if a user is part of a particular group:
+                 <ul><li>search the member list on the group for the user</li></ul>
+               </li>
+               <li>To determine the users belonging to a particular group:
+                 <ul><li>iterate over the member list on the group</li></ul>
+               </li>
+             </ul>
+           </li>
+         </ul>
+         <p>We’ll now discuss in detail how group/role membership can be configured.</p>
+
+      </subsection>
+
+      <subsection name="Role membership">
+
+        <p>As already discussed, Jetspeed supports 2 models when it comes to Role membership:</p>
+        <ol>
+          <li>Putting the attributes on the user</li>
+          <li>Putting the attributes on the role</li>
+        </ol>
+        <p>Jetspeed requires that 1 of 2 properties is set with a value to determine the model:</p>
+        <ul>
+          <li>RoleMembershipAttributes</li>
+          <li>UserRoleMembershipAttributes</li>
+        </ul>
+
+       <br/>
+        <p><b><code>RoleMembershipAttributes</code></b></p>
+        <p>
+          In order to store role membership on the role, we’ll set the <b>RoleMembershipAttributes</b> attribute by specifying
+          the attribute on the role object that contains the membership information. 
+          We don’t provide a value for the <b>UserRoleMembershipAttributes</b> property.
+          <source><![CDATA[
+<constructor-arg index="9">
+  <value>member</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+           This will make sure that the member attribute is set on the role object, as can be seen in the following screenshot.
+           In the next example, the RoleMembershipAttribute will be blank, so the attributes will be on the user level.
+        </p>
+        <p>
+          In the screenshot below, we have a Role object defined by<br/>
+          <b>cn=Role3,ou=Roles,ou=rootOrg,o=sevenSeas</b>
+         </p>
+         <p>The role contains a member attribute, listing all users belonging to that role.</p>
+         <p align="center">
+           <img src="images/ldap/RoleMembershipAttributes1.png" border="0"/><br/>
+           <i>A role with 2 members</i>
+         </p>
+         <br/>
+         <p>
+           The value of the member attribute is the fully qualified DN of the user (including the root context). As you can see, the user doesn't contain any attributes with regards to role membership.
+         </p>
+         <p align="center">
+           <img src="images/ldap/RoleMembershipAttributes2.png" border="0"/><br/>
+           <i>A user</i>
+         </p>
+         <br/>
+         <p>
+           When this attribute is set, Jetspeed will determine the roles for a particular user by performing the following query:
+          <source><![CDATA[(&(member=cn=user1,ou=people,ou=rootOrg,o=sevenSeas)(objectclass=groupOfNames))]]></source>
+        </p>
+         <p>
+           This search filter will return any number of Roles in the directory.
+           The next step for Jetspeed is to identifiy these roles internally. In order to uniquely identify a role, it will use the RoleIdAttribute.
+         </p>
+         <p>
+           In the example above, cn=Role1 would have been amongst the searchresult. Jetspeed will use the RoleIdAttribute to pickup the role name.
+         </p>
+         
+       <br/>
+        <p><b><code>UserRoleMembershipAttributes</code></b></p>
+        <p>
+           In order to store role membership on the user, we’ll set the <b>UserRoleMembershipAttributes</b> attribute by specifying the attribute on the user object
+           that contains the membership information. We don’t provide a value for the <b>RoleMembershipAttributes</b> property.
+          <source><![CDATA[
+<constructor-arg index="10">
+  <value>memberOf</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          This will make sure that for each role the user belongs to, the memberOf attribute is set on the user object, as can be seen in the following screenshot:
+        </p>
+         <p align="center">
+           <img src="images/ldap/UserRoleMembershipAttributes1.png" border="0"/><br/>
+           <i>User belonging to 4 different roles</i>
+         </p>
+         <br/>
+         <p>
+           The value of the <b>memberOf</b> attribute is the fully qualified DN of the role (including the root context).
+           It is a multi valued attribute, so a user can have zero or more <b>memberOf</b> attribute values.
+         </p>
+         <p>
+           As you can see, the user belongs to a role defined by<br/>
+           <b>cn=role1,ou=Roles,rootOrg,o=sevenSeas</b>.
+         </p>
+         <p>In order to resolve role membership, Jetspeed will search the directory for roles by using the following filter:
+          <source><![CDATA[
+# define the filters needed to search for roles/groups/users
+RoleFilter=(objectclass=groupOfUniqueNames)]]></source>
+         </p>
+         <p>As you can see in the screenshot, cn=role1,o=sevenSeas corresponds to an object representing a role.</p>
+         <p>
+           Notice the empty uniqueMember attribute. Most LDAP schemas force you to have a <b>uniqueMember</b> attribute on a <b>groupOfUniqueNames</b> object. 
+           Since Jetspeed needs to be able to create roles (that are empty upon creation), an empty <b>uniqueMember</b> attribute needs to be set.
+          This is configurable by Jetspeed through the <b>RequiredAttributeClasses</b> property.
+         </p>         
+         <p align="center">
+           <img src="images/ldap/UserRoleMembershipAttributes2.png" border="0"/><br/>
+           <i>A role without any members</i>
+         </p>
+         <br/>
+      </subsection>
+      
+      <subsection name="Group membership">
+      
+        <p>As already discussed, Jetspeed supports 2 models when it comes to Group membership:</p>
+        <ol>
+          <li>Putting the attributes on the user</li>
+          <li>Putting the attributes on the group</li>
+        </ol>
+        <p>Jetspeed requires that 1 of 2 properties is set with a value to determine the model:</p>
+        <ul>
+          <li>GroupMembershipAttributes</li>
+          <li>UserGroupMembershipAttributes</li>
+        </ul>
+
+       <br/>
+        <p><b><code>GroupMembershipAttributes</code></b></p>
+        <p>
+           In order to store group membership on the group, we'll set the <b>GroupMembershipAttributes</b> attribute by specifying the attribute on the group object
+           that contains the membership information. We don’t provide a value for the <b>UserGroupMembershipAttributes</b> property.
+          <source><![CDATA[
+<constructor-arg index="11">
+  <value>uniqueMember</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          This will make sure that the <b>uniqueMember</b> attribute is set on the group object, as can be seen in the following screenshot.
+          In the previous example, the <b>GroupMembershipAttributes</b> was blank, so instead the <b>UserGroupMembershipAttributes</b> was used on the user level:
+        </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipAttributes1.png" border="0"/><br/>
+         </p>
+         <br/>
+         <p>
+           The value of the uniquemember attribute is the fully qualified DN of the user (including the root context).
+           As you can see, the user doesn’t contain any attributes with regards to group membership.
+         </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipAttributes2.png" border="0"/><br/>
+         </p>
+         
+       <br/>
+        <p><b><code>UserGroupMembershipAttributes</code></b></p>
+        <p>
+          In order to store group membership on the user, we’ll set the <b>UserGroupMembershipAttributes</b> attribute by specifying the attribute on the user object
+          that contains the membership information. We don’t provide a value for the <b>GroupMembershipAttributes</b> property.
+          <source><![CDATA[
+<constructor-arg index="12">
+  <value>memberOf</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          This will make sure that the <b>memberOf</b> attribute is set on the user object, as can be seen in the following screenshot.
+        </p>
+        <p>
+          Only one of those parameters can be filled in. If the <b>GroupMemberShipAttributes</b> is set, Jetspeed assumes that the attribute to determine group membership is on the group object.
+        </p>
+         <p align="center">
+           <img src="images/ldap/UserGroupMembershipAttributes1.png" border="0"/><br/>
+           <i>User belonging to 2 different roles</i>
+         </p>
+         <br/>
+         <p>
+           The value of the memberOf attribute is the fully qualified DN of the role (including the root context). It is a multi valued attribute, so a user can have zero or more memberOf attribute values.
+           In the screenshot above, we can see that user1 belongs to 2 roles.
+         </p>
+         <p>
+           As you can see, the role is defined in <b>cn=role1,o=sevenSeas</b>. (notice the empty uniqueMember attribute).
+         </p>
+         <p align="center">
+           <img src="images/ldap/UserGroupMembershipAttributes2.png" border="0"/><br/>
+           <i>Role definition</i>
+         </p>
+         <br/>
+      </subsection>
+      
+      <subsection name="Group membership (roles)">
+      
+        <p>Besides storing users in a group, Jetspeed also supports storing roles into groups.</p>
+        <p>Again, just like with the basic group membership for users, Jetspeed supports 2 models when it comes to Group membership for roles:</p>
+        <ol>
+          <li>Putting the attributes on the role</li>
+          <li>Putting the attributes on the group</li>
+        </ol>
+        <p>Jetspeed requires that 1 of 2 properties is set with a value to determine the model:</p>
+        <ul>
+          <li>GroupMembershipForRoleAttributes</li>
+          <li>RoleGroupMembershipForRoleAttributes</li>
+        </ul>
+
+       <br/>
+        <p><b><code>GroupMembershipForRoleAttributes</code></b></p>
+        <p>
+           In order to store group membership on the group, we’ll set the GroupMembershipAttributes attribute by specifying the attribute on the group object
+           that contains the membership information. We don’t provide a value for the UserGroupMembershipAttributes property.
+          <source><![CDATA[
+<constructor-arg index="13">
+  <value>uniqueMember</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          This will make sure that the uniqueMember attribute is set on the group object, as can be seen in the following screenshot.
+          In the previous example, the GroupMembershipAttributes was blank, so instead the UserGroupMembershipAttributes was used on the user level.
+        </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipForRoleAttributes1.png" border="0"/><br/>
+         </p>
+         <br/>
+         <p>
+           The value of the uniquemember attribute is the fully qualified DN of the user (including the root context).
+           As you can see, the user doesn’t contain any attributes with regards to group membership.
+        </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipForRoleAttributes2.png" border="0"/><br/>
+         </p>
+
+       <br/>
+        <p><b><code>RoleGroupMembershipForRoleAttributes</code></b></p>
+        <p>
+           In order to store group membership on the user, we’ll set the <b>UserGroupMembershipAttributes</b> attribute by specifying the attribute on the user object
+           that contains the membership information. We don’t provide a value for the <b>GroupMembershipAttributes</b> property.
+          <source><![CDATA[
+<constructor-arg index="14">
+  <value>memberOf</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>
+          This will make sure that the <b>memberOf</b> attribute is set on the user object, as can be seen in the following screenshot.
+        </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipForRoleAttributes1.png" border="0"/><br/>
+         </p>
+         <br/>
+         <p>
+           The value of the uniquemember attribute is the fully qualified DN of the user (including the root context).
+           As you can see, the user doesn’t contain any attributes with regards to group membership.
+        </p>
+         <p align="center">
+           <img src="images/ldap/GroupMembershipForRoleAttributes2.png" border="0"/><br/>
+         </p>
+         <br/>
+         <p>
+           Only one of those parameters can be filled in. If the <b>GroupMemberShipAttributes</b> is set, Jetspeed assumes that the attribute to determine group membership is on the group object.
+         </p>
+         <p align="center">
+           <img src="images/ldap/RoleGroupMembershipForRoleAttributes1.png" border="0"/><br/>
+           <i>User belonging to 2 different roles</i>
+         </p>
+         <br/>
+         <p>
+           The value of the memberOf attribute is the fully qualified DN of the role (including the root context). It is a multi valued attribute, so a user can have zero or more memberOf attribute values.
+           In the screenshot above, we can see that user1 belongs to 2 roles.
+         </p>
+         <p>As you can see, the role is defined in <b>cn=role1,o=sevenSeas</b>. (notice the empty uniqueMember attribute).</p>
+         <p align="center">
+           <img src="images/ldap/RoleGroupMembershipForRoleAttributes2.png" border="0"/><br/>
+           <i>Role definition</i>
+         </p>
+         <br/>
+      </subsection>
+      
+      <subsection name="DefaultSearchBase">
+      
+        <p>Jetspeed allows you to define a default search base that will be used to search the directory
+          <source><![CDATA[
+<constructor-arg index="15">
+  <value></value>
+</constructor-arg>]]></source>
+        </p>
+      </subsection>
+      
+      <subsection name="LDAP Object Filter base">
+      
+        <p>Jetspeed allows you to define the search base that will be applied to queries for roles, groups and users.</p>
+        <p>Roles, groups and user are typically stored in well-defined containers within the LDAP structure.</p>
+        <ul>
+          <li>Roles can be stored in ou=Roles,ou=rootOrg</li>
+          <li>Groups can be stored in ou=Groups,ou=rootOrg</li>
+          <li>Users can be stored in ou=People,ou=rootOrg</li>
+        </ul>
+      
+        <p>
+          This allows you to have the following structure in your LDAP schema. Notice how there are many organizational units within the o=sevenSeas schema.
+          Jetspeed will limit its search scope on the LDAP to the property values defined above. This means that only roles, groups and people within rootOrg will be used by Jetspeed.
+        </p>
+        <p align="center">
+          <img src="images/ldap/ObjectFilterBase.png" border="0"/><br/>
+        </p>
+        <br/>
+        <p>So, together with the object filers (RoleFilter, GroupFilter, UserFilter), Jetspeed will be able to locate the roles, groups and users within the directory.</p>
+        <p>Using these properties, Jetspeed will also create roles, groups and users using the provided ObjectClasses.</p>
+        
+       <br/>
+        <p><b><code>RoleFilterBase</code></b></p>
+        <p>
+           Using the property value below, Jetspeed will search for roles in the ou=Roles,ou=OrgUnit subtree.
+          <source><![CDATA[
+<constructor-arg index="16">
+  <value>ou=Roles,ou=rootOrg</value>
+</constructor-arg>]]></source>
+        </p>
+        <p align="center">
+          <img src="images/ldap/RoleFilterBase.png" border="0"/><br/>
+        </p>
+
+       <br/>
+        <p><b><code>GroupFilterBase</code></b></p>
+        <p>
+           Using the property value above, Jetspeed will search for groups in the ou=Groups,ou=OrgUnit subtree.
+          <source><![CDATA[
+<constructor-arg index="17">
+  <value>ou=Groups,ou=rootOrg</value>
+</constructor-arg>]]></source>
+        </p>
+        <p align="center">
+          <img src="images/ldap/GroupFilterBase.png" border="0"/><br/>
+        </p>
+        
+       <br/>
+        <p><b><code>UserFilterBase</code></b></p>
+        <p>
+           Using the property value above, Jetspeed will search for users in the ou=People,ou=OrgUnit subtree.
+          <source><![CDATA[
+<constructor-arg index="18">
+  <value>ou=People,ou=rootOrg</value>
+</constructor-arg>]]></source>
+        </p>
+        <p align="center">
+          <img src="images/ldap/UserFilterBase.png" border="0"/><br/>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="LDAP Object classes">
+
+        <p>Jetspeed allows you to define the ObjectClasses that are needed to create roles, groups and users through the following properties</p>
+        <ul>
+          <li>RoleObjectClasses</li>
+          <li>GroupObjectClasses</li>
+          <li>UserObjectClasses</li>
+        </ul>
+        <p>
+          Through the administrative interface, Jetspeed allows an administrator to create roles, groups and users.
+          Each directory server has its own way of defining a role, group or user.
+          Some of the LDAP vendors use proprietary ObjectClasses to define these objects (for example Domino LDAP server uses an dominoGroup objectClass to define a group).
+        </p>
+        <p>Using these properties, Jetspeed will create roles, groups and users using the provided ObjectClasses.</p>
+        
+       <br/>
+        <p><b><code>RoleObjectClasses</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="19">
+  <value>top,groupOfNames</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>Using the settings above, roles will be created like this</p>
+        <p align="center">
+          <img src="images/ldap/RoleObjectClasses.png" border="0"/><br/>
+        </p>
+        <p>Notice how all of the objectClasses defined by the RoleObjectClasses attribute have been created in the LDAP</p>
+        
+       <br/>
+        <p><b><code>GroupObjectClasses</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="20">
+  <value>top,groupOfUniqueNames</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>Using the settings above, groups will be created like this</p>
+        <p align="center">
+          <img src="images/ldap/GroupObjectClasses.png" border="0"/><br/>
+        </p>
+        <p>Notice how all of the objectClasses defined by the GroupObjectClasses attribute have been created in the LDAP</p>
+        
+       <br/>
+        <p><b><code>UserObjectClasses</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="21">
+  <value>top,groupOfUniqueNames</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>Using the settings above users will be created like this</p>
+        <p align="center">
+          <img src="images/ldap/UserObjectClasses.png" border="0"/><br/>
+        </p>
+        <p>Notice how all of the objectClasses defined by the UserObjectClasses attribute have been created in the LDAP</p>
+        
+      </subsection>
+      
+      <subsection name="Naming Attributes">
+      
+        <ul>
+          <li>RoleIdAttribute</li>
+          <li>GroupIdAttribute</li>
+          <li>UserIdAttribute</li>
+        </ul>
+        
+        <p>
+          The attributes above allow you to define the naming attribute for roles / groups and users.
+          When an object is created in the directory, a naming attribute needs to be specified.
+          The naming attribute is the attribute that uniquely defines the object within its subdirectory.
+        </p>
+        
+        <p>In the screenshot below, you can see that the admin user in rootOrg/People is defined by <b>cn=admin</b>.</p>
+        <p><b>cn</b> is the naming attribute for the user object, as no 2 admin users can exist in the rootOrg/People subdirectory</p>
+        
+        <p align="center">
+          <img src="images/ldap/IdAttributes.png" border="0"/><br/>
+        </p>
+        <br/>
+        
+        <p>By changing the property, you can control the way Jetspeed creates user objects.</p>
+        
+       <br/>
+        <p><b><code>RoleIdAttribute</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="22">
+  <value>cn</value>
+</constructor-arg>]]></source>
+        </p>
+
+       <br/>
+        <p><b><code>GroupIdAttribute</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="23">
+  <value>cn</value>
+</constructor-arg>]]></source>
+        </p>
+
+       <br/>
+        <p><b><code>UserIdAttribute</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="24">
+  <value>uid</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>In the screenshot below, users have the <b>uid</b> attribute as their naming attribute</p>
+        <p align="center">
+          <img src="images/ldap/UserIdAttribute.png" border="0"/><br/>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="UserId Attribute">
+      
+        <p>
+          When Jetspeed attempts to find a user, it does so based on the userId provided by the user in the login screen.
+          This userId needs to be defined on the object through a specific attribute. Most LDAP servers have a uid attribute that defines the username of the user in the LDAP.
+        </p>
+        
+        <p>When Jetspeed builds a userPrincipal internally, it will use the attribute corresponding to the value of the userUidAttribute.</p>
+        <p align="center">
+          <img src="images/ldap/userUidAttribute.png" border="0"/><br/>
+        </p>
+
+       <br/>
+        <p><b><code>userUidAttribute</code></b></p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="25">
+  <value>cn</value>
+</constructor-arg>]]></source>
+        </p>
+        <p>This property is used in conjunction with the UidAttribute</p>
+        <p>
+          <source><![CDATA[
+UserIdAttribute=cn
+UidAttribute=uid]]></source>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="membershipSearchScope">
+      
+        <p>Jetspeed allows you to customize the search scope when it comes to membership</p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="26">
+  <value>cn</value>
+</constructor-arg>]]></source>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="RequiredAttributeClasses">
+        
+        <p>
+          Some ObjectClasses force you to add specific attributes on the object before storing it in the directory. 
+          Jetspeed allows you to specify these attributes for roles and groups through the following properties
+        </p>
+        <ul>
+          <li>roleObjectRequiredAttributeClasses</li>
+          <li>roleObjectRequiredAttributeClasses</li>
+        </ul>
+        <p>For example, most LDAP schemas force you to have a <b>uniqueMember</b> attribute on a <b>groupOfUniqueNames</b> object.</p>
+        <p>Since Jetspeed needs to be able to create empty roles through the administrative console, an empty <b>uniqueMember</b> attribute needs to be set upon role creation.</p>
+        <p>This is handled internally by Jetspeed and can be customized by setting the <b>groupObjectRequiredAttributeClasses</b> property.</p>
+      
+       <br/>
+        <p><b><code>roleObjectRequiredAttributeClasses</code></b></p>
+        <p>The following property specifies that if a role is created, an empty <b>member</b> attribute will be created on the role object in order to comply with the LDAP schema.</p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="30">
+  <value>member</value>
+</constructor-arg>]]></source>
+        </p>
+
+       <br/>
+        <p><b><code>groupObjectRequiredAttributeClasses</code></b></p>
+        <p>The following property specifies that if a group is created, an empty <b>uniqueMember</b> attribute will be created on the group object in order to comply with the LDAP schema.</p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="31">
+  <value>uniqueMember</value>
+</constructor-arg>]]></source>
+        </p>
+
+      </subsection>
+      
+      <subsection name="LDAP Object attributes">
+      
+        <p>
+          Jetspeed has an administrative console that allows an administrator to create groups, roles and users in the directory.
+          The Jetspeed LDAP configuration has 3 properties that can manipulate the creation of those objects
+        </p>
+        <ul>
+          <li>userAttributes</li>
+          <li>roleAttributes</li>
+          <li>groupAttributes</li>
+        </ul>
+        <p>Each property accepts a comma separated list of attributes. Placeholders can be used in the attribute value.</p>
+        
+       <br/>
+        <p><b><code>userAttributes</code></b></p>
+        <p>
+          For example, the following <b>userAttributes</b> value will make sure that when Jetspeed creates a user in the directory,
+          the <b>sn, cn and uid</b> attribute will be created containing the username of the user.
+        </p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="32">
+  <value>sn={u},cn={u}</value>
+</constructor-arg>]]></source>
+        </p>
+        
+       <br/>
+        <p><b><code>roleAttributes</code></b></p>
+        <p>
+          For example, the following <b>roleAttributes</b> value will make sure that when Jetspeed creates a user in the directory,
+          the <b>cn</b> attribute will be created containing the username of the user.
+        </p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="33">
+  <value>cn={u}</value>
+</constructor-arg>]]></source>
+        </p>
+        
+       <br/>
+        <p><b><code>groupAttributes</code></b></p>
+        <p>
+          For example, the following <b>groupAttributes</b> value will make sure that when Jetspeed creates a user in the directory,
+          the <b>cn</b> attribute will be created containing the username of the user.
+        </p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="34">
+  <value>cn={u}</value>
+</constructor-arg>]]></source>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="LDAP Password attributes">
+      
+        <p>
+          During runtime, Jetspeed needs to read the password that is associated with a user.
+          Jetspeed needs to know the attribute on the user object that contains the password.
+          The <b>userPasswordAttribute</b> property defines the LDAP attribute that contains the password of the user
+        </p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="35">
+  <value>cn={u}</value>
+</constructor-arg>]]></source>
+        </p>
+        
+      </subsection>
+      
+      <subsection name="Known Attributes">
+      
+        <p>
+           When Jetspeed performs LDAP queries, we need to specify the set of attributes that we want to return.
+           This is done by specifying a comma separated value of LDAP attributes in the <b>knowAttributes</b> property
+        </p>
+        <p>
+          <source><![CDATA[
+<constructor-arg index="36">
+  <value>cn,sn,o,uid,ou,objectClass,userPassword,member,uniqueMember,memberOf</value>
+</constructor-arg>]]></source>
+        </p>
+        
+      </subsection>
+      
+    </section>
+  </body>
+</document>

Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/login-module.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/login-module.xml?rev=722405&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/login-module.xml (added)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/login-module.xml Tue Dec  2 00:53:22 2008
@@ -0,0 +1,155 @@
+<?xml version="1.0"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Login Module</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Login Module Overview">
+            <p>
+                For authentication purpose, Jetspeed 2 provide a default login module implementation. Login modules provide a standard way to expose
+                authentication services for java application. More information about login modules can be found in the JDK
+                <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/spi/LoginModule.html">LoginModule interface</a>
+                documentation.
+            </p>
+        </section>
+        <section name="Login Module Configuration">
+            <p>
+                Configuration is central to JAAS authentication. By default, Jetspeed 2 is configured to use its
+                <code>DefaultLoginModule</code>
+                implementation. The configuration file (login.conf) for the login module ship with the
+                <code>jetspeed2-security-{version}.jar</code>
+                component and provide the following configuration:
+                <source>
+                    <![CDATA[
+Jetspeed {
+   org.apache.jetspeed.security.impl.DefaultLoginModule required;
+};]]>
+                </source>
+            </p>
+            <p>
+                In order to override this configuration, you can place your own login.conf file in your web application class path under WEB-INF/classes. The
+                location of the login.conf file is configured in the
+                <code>security-providers.xml</code>
+                as described below. For more information on how to configure the security providers, see
+                <a href="config.html">the configuration section</a>.
+            </p>
+            <p>
+                <source>
+                    <![CDATA[
+<!-- Security: Default Authentication Provider -->
+<bean id="org.apache.jetspeed.security.AuthenticationProvider" 
+  	  class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl"
+>  	   
+    <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
+  	<constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
+  	<constructor-arg index="2"><value>login.conf</value></constructor-arg>
+  	<constructor-arg index="3">
+  	    <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
+  	</constructor-arg>
+  	<constructor-arg index="4">
+  	    <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>
+    </constructor-arg>
+</bean>]]>
+                </source>
+            </p>
+            <p>
+                The <code>AuthenticationProvider</code> configures the <code>LoginModule</code> to be used by the
+                application by setting the System property <code>java.security.auth.login.config</code> to the 
+                <code>login.conf</code> specified in the component configuration.
+            </p>
+        </section>
+        <section name="Login Module Implementation">
+            <p>
+                The
+                <code>DefaultLoginModule</code>
+                implementation is illustrated by the class diagram below:
+                <br />
+            </p>
+            <table>
+                <tr>
+                    <td style="background-color:#FFFFFF;" align="center">
+                        <img src="images/default-login-module-c.gif" border="0" />
+                    </td>
+                </tr>
+            </table>
+            <p>
+                The roles of the classes used to implement the DefaultLoginModule are:
+            </p>
+            <table>
+                <tr>
+                    <th>Class</th>
+                    <th>Description</th>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.impl.DefaultLoginModule</code></td>
+                    <td>
+                        The
+                        <code>javax.security.auth.spi.LoginModule</code>
+                        implementation. The
+                        <code>DefaultLoginModule</code>
+                        authentication decision is encapsulated behind the
+                        <code>UserManager</code>
+                        interface which leverages the SPI implementation to decide which authenticator should be used in order to authenticate a user against a
+                        specific system of record. For more information on how to implement your own authenticator, see the
+                        <a href="atn-spi.html">authentication SPI documentation</a>.
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.LoginModuleProxy</code></td>
+                    <td>
+                        A utility component used to expose the
+                        <code>UserManager</code>
+                        to the
+                        <code>DefaultLoginModule</code>.
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.User</code></td>
+                    <td>
+                        The
+                        <code>User</code>
+                        is an interface that holds the
+                        <code>javax.security.auth.Subject</code>
+                        and his/her
+                        <code>java.util.prefs.Preferences</code>. The
+                        <code>UserManager</code>
+                        upon user authentication populates the user subject with all user
+                        <code>java.security.Principal</code>. Jetspeed 2 implements 3 types of principals:
+                        <ul>
+                            <li>UserPrincipal: The principal holding the user unique identifier for the application.</li>
+                            <li>RolePrincipal: The principal representing a role for the system.</li>
+                            <li>GroupPrincipal: The principal representing a group for the system.</li>
+                        </ul>
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.UserManager</code></td>
+                    <td>
+                        The interface exposing all user operations. This interfaces fronts the aggregates various SPI to provide developers with the ability to
+                        map users to their specific system of record.
+                    </td>
+                </tr>
+            </table>
+        </section>
+
+    </body>
+</document>
\ No newline at end of file

Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/permission.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/permission.xml?rev=722405&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/permission.xml (added)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/permission.xml Tue Dec  2 00:53:22 2008
@@ -0,0 +1,81 @@
+<?xml version="1.0"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - PermissionManager Overview</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="PermissionManager Overview">
+            <p>The <code>PermissionManager</code> is used by the <code>RdbmsPolicy</code> to get the permissions for
+            a given user principals as presented 
+            in the <a href="atz-jaas.html#Jetspeed_JAAS_Policy">Jetspeed JAAS Policy</a> section of the documentation.
+            </p>
+            <p>
+            The <code>PermissionManager</code> manages the association between permissions and principals.  Each permission
+            or  principal maps to a generic object model and reflexion is used to instantiate the proper permission or
+            principal type.  The class diagram below represents the interfaces representing a generic permission 
+            (<code>InternalPermission</code>) and a generic principal (<code>InternalPrincipal</code>) and their relation
+            to the <code>PermissionManager</code>.
+            </p>
+            <p>
+            <img src="images/permission-mgr-c.gif" border="0" />
+            </p>
+            <p>
+            Each <code>InternalPermission</code> maps to one or more <code>InternalPrincipal</code> and, each 
+            <code>InternalPrincipal</code> can have one or more <code>InternalPermission</code>.
+            </p>
+            <p>
+            <img src="images/permissions-principals-om-c.gif" border="0" />
+            </p>
+        </section>
+        <section name="Schema and OJB Mapping">
+            <p>
+            The OJB mappings for the security component are described in <code>security_repository.xml</code>:
+            <ul>
+            <li><code>InternalPrincipal</code>: Maps to the <code>SECURITY_PRINCIPAL</code> table.</li>
+            <li><code>InternalPermission</code>: Maps to the <code>SECURITY_PERMISSION</code> table.</li>
+            <li>Associations between <code>InternalPrincipal</code> and <code>InternalPermission</code> are
+            maintained through the indirection table <code>PRINCIPAL_PERMISSION</code>.</li>
+            </ul>
+            <source><![CDATA[
+<class-descriptor
+	    class="org.apache.jetspeed.security.om.impl.InternalPrincipalImpl"
+	    proxy="dynamic"
+	    table="SECURITY_PRINCIPAL"
+	>...</class-descriptor>
+	
+<class-descriptor
+	    class="org.apache.jetspeed.security.om.impl.InternalPermissionImpl"
+	    proxy="dynamic"
+	    table="SECURITY_PERMISSION"
+	>...</class-descriptor>      
+            ]]>
+            </source>
+            </p>
+            <p>
+            The relational schema maintaining principal to permission associations is provided below:
+            </p>
+            <p>
+            <img src="images/permissions-principals-schema.gif" border="0" />
+            </p>
+        </section>
+    </body>
+</document>
\ No newline at end of file

Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml?rev=722405&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml (added)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml Tue Dec  2 00:53:22 2008
@@ -0,0 +1,37 @@
+<?xml version="1.0" ?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<document>
+  <properties>
+    <title>Tasks</title>
+  </properties>
+  <body>
+    <section name="Tasks">
+      <p>
+        Currently this is just a listing of tasks.
+      </p>
+      <p>
+        <ul>
+<li>
+  Remove unused classes.
+</li>
+        </ul>
+      </p>
+    </section>
+  </body>
+</document>
+

Propchange: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-security/tasks.xml
------------------------------------------------------------------------------
    svn:keywords = Id

Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/images/sso-manage.gif
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/images/sso-manage.gif?rev=722405&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/images/sso-manage.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml?rev=722405&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml (added)
+++ portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml Tue Dec  2 00:53:22 2008
@@ -0,0 +1,52 @@
+<?xml version="1.0"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Single Sign On (SSO) Framework</title>
+        <authors>
+            <person name="Roger Ruttimann" email="rogerrut@apache.org" />
+        </authors>
+    </properties>
+    <body>
+
+
+<section name="Introduction">
+<p>Jetspeed-2 (J2) Single Sign-on (SSO) feature is a credential store implemented as a component. It uses J2 security implementation for storing credentials. A management portlet allows the editing of SSO sites and remote credentials. It supports Basic Authentication and Form Based authentication and supports cookies.</p>
+<p>The SSO Management feature enables you to create "single sign-on" access, a permission-based access to applications and underlying tools, which provides an added layer of security and administarative control of Jetspeed-2 content. SSO Management enables the Users of Groups (several Users initially defined in the Group Management tab) to sign-on a single time for jetspeed-2 portal and specified sites and databases.</p>
+</section>
+<section name="SSOProxy Portlet">
+<para>As the name indicates the SSOProxy portlet is the proxy between the portal and authenticated sites. In the preferences a user defines the destination page which might need authentication itself or has links to authenticated pages (inside or outside the portal).</para>
+<para>The SSOProxy Portlet authenticates all SSO sites for the user before it goes to the destination URL defined in the preferences. The SSOProxy keeps a cache of of the proxy client so that the authentication only takes place the first time.</para>
+<para/>
+</section>
+<section name="SSO Provider service">
+<para>The SSO Provider is a part of the jetspeed service framework and is available to any portlet and not just the SSOProxy Portlet. The component takes care of storing the sites and credentials and has an API to get content from a url.</para>
+<para/>
+</section>
+<section name="SSO Management">
+<para>The SSO management portlet helps to administer SSO credentials and assigning them to Portal Users.</para>
+<table>
+                <tr>
+                    <td style="background-color:#FFFFFF;" align="center">
+                        <img src="images/sso-manage.gif" border="0" />
+                    </td>
+                </tr>
+            </table>
+            </section>
+                </body>
+</document>

Propchange: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: portals/jetspeed-2/portal/branches/JS2-871-pluto-2.0-upgrade/src/site/xdoc/components/jetspeed-sso/index.xml
------------------------------------------------------------------------------
    svn:keywords = Id



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message