portals-jetspeed-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Sean Taylor <da...@bluesunrise.com>
Subject Re: Login page
Date Wed, 11 Jan 2006 18:07:48 GMT
Hi Aaron,

Great description of our Active Authentication process.

I also have a sequence diagram of this process on paper here....

It would be great to have this process documented in the xdocs
Would you like to volunteer to write a Active Authentication page for 
our documentation?

I scanned in the diagram here, you may find it informative:

http://www.bluesunrise.com/jetspeed-2/AA.jpg


Aaron Evans wrote:
> yao cuihong <yaocuihong <at> gmail.com> writes:
> 
> 
>>2. Jetspeed 2 security services rely entirely on JAAS
>>    Does the LoginPortlet in j2-admin portlet application use JAAS?
>>    What is the mechanism of LoginPortlet? I read the source of
>>LoginPortlet, but don't understand.
>>    How does the LoginPortlet authenticate the user?
>>
> 
> 
> I posted this on another thread, but just so others following this thread will
> see the answer:
> 
> Jetspeeed uses a JAAS realm for authentication.  It is configured in jetspeed's
> context xml (although it can be moved up to the container level).
> 
> J2EE containers that use realm authentication require that the request 
> parameters j_username and j_password be posted to /j_security_check for 
> authentication. 
> 
> If you look at jetspeed's web.xml, you will see a standard web application
> security constraint and login config:
> 
> <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Login</web-resource-name>
>       <url-pattern>/login/redirector</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
> 
>   <!-- Login configuration uses form-based authentication -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Jetspeed</realm-name>
>     <form-login-config>
>       <form-login-page>/login/login</form-login-page>
>       <form-error-page>/login/error</form-error-page>
>     </form-login-config>
>   </login-config> 
> 
> I believe that what happens is that the login portlet posts to the
> /login/redirector protected resource. Because the user is not authenticated,
> they get redirected to /login/login.  
> 
> I believe that the /login/login URI is a blank page that contains a hidden 
> form that takes the user name and password parameter values submitted from 
> the login portlet and puts them in hidden fields with the names j_username 
> and j_password.  It also has some kind of onload JS or meta refresh which 
> then causes the hidden form to post to /j_security_check.
> 
> If authentication is not successful, the user will be sent to /login/error.
> If it is successful, the user will be sent to /login/redirector and they will
> now be allowed access to it because they have been authenticated.  This URI
> no doubt redirects to the portal root (applying profiling rules).
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
> 
> 
> 


-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Mime
View raw message