portals-jetspeed-user mailing list archives

From "Tiwari, Sunil Kumar" <c_sti...@qualcomm.com>
Subject RE: Re: Login page
Date Thu, 12 Jan 2006 20:12:26 GMT
How does LDAP fit into this scenario?
I mean I want the authentication process to look for the user details in
LDAP and it will require LDAP config files.

What are the things that have to be mentioned in the config file, and where
should it be placed so that Jetspeed recognizes it?

Has anyone done it?
If yes, can you please mention all the details required?

Thanks,
Sunil

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Aaron Evans
Sent: Wednesday, January 11, 2006 5:36 AM
To: jetspeed-user@jakarta.apache.org
Subject: Re: Login page

yao cuihong <yaocuihong <at> gmail.com> writes:

> 
> 2. Jetspeed 2 security services rely entirely on JAAS
>     Does the LoginPortlet in j2-admin portlet application use JAAS?
>     What is the mechanism of LoginPortlet? I read the source of
> LoginPortlet, but don't understand.
>     How does the LoginPortlet authenticate the user?
> 

I posted this on another thread, but just so others following this thread
will see the answer:

Jetspeed uses a JAAS realm for authentication.  It is configured in
jetspeed's context xml (although it can be moved up to the container level).

J2EE containers that use realm authentication require that the request 
parameters j_username and j_password be posted to /j_security_check for 
authentication. 

If you look at jetspeed's web.xml, you will see a standard web application
security constraint and login config:

  <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>


  <!-- Login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Jetspeed</realm-name>
    <form-login-config>
      <form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page>
    </form-login-config>
  </login-config> 

I believe that what happens is that the login portlet posts to the
/login/redirector protected resource. Because the user is not authenticated,
they get redirected to /login/login.

I believe that the /login/login URI is a blank page that contains a hidden
form that takes the user name and password parameter values submitted from
the login portlet and puts them in hidden fields with the names j_username
and j_password.  It also has some kind of onload JS or meta refresh which
then causes the hidden form to post to /j_security_check.

If authentication is not successful, the user will be sent to /login/error.
If it is successful, the user will be sent to /login/redirector and they will
now be allowed access to it because they have been authenticated.  This URI
no doubt redirects to the portal root (applying profiling rules).



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
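
Added example, not part of the original messages and not Jetspeed code: a small Python check that reads the web.xml fragment quoted above and reports which context-relative paths the container itself forces through the FORM login. The audit and pattern_matches helpers, the <web-app> wrapper and the sample paths are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two elements quoted in the message, wrapped in a
# <web-app> root (no XML namespace, an assumption) so they parse alone.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Jetspeed</realm-name>
    <form-login-config>
      <form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: default (/), prefix (/x/*), extension (*.x), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def audit(web_xml, path):
    """Return (needs_login, roles, login_page) for a context-relative path.
    HTTP-method restrictions are ignored (hypothetical helper, simplified)."""
    root = ET.fromstring(web_xml)
    needs_login, roles = False, set()
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if sc.find("auth-constraint") is not None and any(
                pattern_matches(p, path) for p in patterns):
            needs_login = True
            roles.update(r.text.strip() for r in sc.iter("role-name"))
    form = root.find("login-config/form-login-config")
    login_page = form.findtext("form-login-page") if form is not None else None
    return needs_login, roles, (login_page if needs_login else None)

for p in ("/login/redirector", "/login/login", "/portal"):
    print(p, audit(WEB_XML, p))
```

With the fragment as quoted, only /login/redirector is constrained by the container; every other path depends on whatever access control the application applies itself.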



