From do-not-reply at jboss.org Sun Jan 8 20:32:32 2012
From: do-not-reply at jboss.org
To: gatein-commits at lists.jboss.org
Subject: [gatein-commits] gatein SVN: r8281 - epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity.
Date: Sun, 08 Jan 2012 20:32:32 -0500
Message-ID: <201201090132.q091WWCF024292@svn01.web.mwc.hst.phx2.redhat.com>

Author: smumford
Date: 2012-01-08 20:32:31 -0500 (Sun, 08 Jan 2012)
New Revision: 8281

Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml

Log:
JBEPP-1468: Perfunctory edit of new Authorization content

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml 2012-01-08 23:46:25 UTC (rev 8280)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml 2012-01-09 01:32:31 UTC (rev 8281)
@@ -143,7 +143,7 @@ Login modules = - JBoss Enterprise Portal Platform uses its own security domain = (gatein-domain) with a set of predefined= login modules. Login module configuration for gatein-domain is contained in the deploy/gatein.ear/META-INF/gatein-jboss-b= eans.xml file. + JBoss Enterprise Portal Platform uses its own security domain = (gatein-domain) with a set of predefined= login modules. Login module configuration for gatein-domain is contained in the deploy/gatein.ear/META-INF/gatein-jbos= s-beans.xml file. Below is the default login modules stack: @@ -187,7 +187,7 @@ - It is possible to log a user in through existing login m= odules with their credentials (username: root/ password:= gtn, for example) but also with a WCI ticket (username:= root/password: wci-ticket-458791). = The login modules stack supports both of these methods of authentication. + It is possible to log a user in through existing login m= odules with their credentials (username: root/ password:= gtn, for example) but also with a WCI ticket (username:= root/password: wci-ticket-458791). T= he login modules stack supports both of these methods of authentication. = 
@@ -272,7 +272,10 @@ CustomMembershipLoginModule - Special login module, which is disabled (= commented) by default. It can be used to add user to some existing group du= ring successful login of this user. Name of group is configurable and by de= fault it's /platform/users group. Login module is comm= ented because in normal environment, users are already in /platfo= rm/users group. It's useful only for some special setups like re= ad-only LDAP, where groups of ldap user are taken from ldap tree and so tha= t users may not be in /platform/users group, which is needed for successful= authorization. + Special login module, which is disabled (= commented) by default. It can be used to add user to some existing group du= ring successful login of this user. Name of group is configurable, by defau= lt it is /platform/users group. + + + This login module is commented because in = normal environment, users are already in /platform/users group. It is useful only for some special setups like read-only LDAP, wh= ere groups of ldap user are taken from ldap tree and so that users may not = be in /platform/users group, which is needed for succe= ssful authorization. 
@@ -336,7 +339,7 @@ Authentication on application server level = - Application server needs to properly recognize that user= is successfuly logged and it has assigned his JAAS roles. Unfortunately th= is part is not standardized and is specific for each AS. For example in JBo= ss AS, you need to ensure that JAAS Subject has assigned principal with use= rname (UserPrincipal) and also RolesPrincipal, which has name "Roles" and i= t contains list of JAAS roles. This part is actually done in Jbos= sLoginModule.commit(). In Tomcat, this flow is little different,= which means Tomcat has it's own TomcatLoginModule. + Application server needs to properly recognize that user= is successfuly logged and it has assigned his JAAS roles. Unfortunately th= is part is not standardized and is specific for each AS. For example in JBo= ss AS, you need to ensure that JAAS Subject has assigned principal with use= rname (UserPrincipal) and also RolesPrincipal, which has name "Roles" and i= t contains list of JAAS roles. This part is actually done in JbossLog= inModule.commit(). In Tomcat, this flow is little different, which m= eans Tomcat has it is own TomcatLoginModule. = 
@@ -349,7 +352,7 @@ Authentication on JBoss Enterprise Portal Platform l= evel = - Login process needs to create special object org.exoplatform.services.security.Identity and regi= ster this object into JBoss Enterprise Portal Platform component IdentityRegistry. This Identity object should enca= psulate username of authenticated user, Memberships of this user and also J= AAS roles. Identity object can be easily created with interface Authenticator as can be seen below. + Login process needs to create special object or= g.exoplatform.services.security.Identity and register this object= into JBoss Enterprise Portal Platform component IdentityRegistry<= /literal>. This Identity object should encapsulate username of authenticate= d user, Memberships of this user and also JAAS roles. Identity object can b= e easily created with interface Authenticator as can be = seen below. = @@ -410,7 +413,7 @@ = - set of Strings with JAAS roles of given user. JAAS ro= les are simple Strings, which are mapped from MembershipEntry objects. Ther= e is another special component org.exoplatform.services.security.= RolesExtractor, which is used to map JAAS roles from MembershipE= ntry objects. RolesExtractor interface looks like this: + Set of Strings with JAAS roles of given user. JAAS ro= les are simple Strings, which are mapped from MembershipEntry objects. Ther= e is another special component org.exoplatform.services.security.= RolesExtractor, which is used to map JAAS roles from MembershipE= ntry objects. RolesExtractor interface looks like this: 
@@ -456,7 +459,7 @@ RememberMe authentication = - In default login dialog, you can notice that there is "Reme= mber my login" checkbox, which users can use to persist their login on his = workstation. Default validity period of RememberMe cookie is 1 day (it is c= onfigurable), and so user can be logged for whole day before he need to rea= uthenticate again with his credentials. + In default login dialog, you can notice that there is "Reme= mber my login" checkbox, which users can use to persist their login on his = workstation. Default validity period of RememberMe cookie is one day (it is= configurable), and so user can be logged for whole day before he need to r= eauthenticate again with his credentials. =
@@ -465,13 +468,13 @@ - User checks the checkbox "Remember my login" on lo= gin screen of JBoss Enterprise Portal Platform . Then he submit the form. + User checks the checkbox "Remember my login" on lo= gin screen of JBoss Enterprise Portal Platform . Then submits the form. = - HTTP request like http://localhost:8080/= portal/login?initialURI=3D/portal/classic&username=3Droot&password= =3Dgtn&rememberme=3Dtrue is send to server + HTTP request like http://localhost:8080/porta= l/login?initialURI=3D/portal/classic&username=3Droot&password=3Dgtn= &rememberme=3Dtrue is sent to server. = @@ -495,7 +498,7 @@ = - User send HTTP request to some portal page (ie. http://localhost:8080/portal/classic ). + User send HTTP request to some portal page (ie. http://localhost:8080/portal/classic ). = @@ -511,7 +514,7 @@ RemindPasswordTokenService = - This is special service used during RememberMe authentic= ation workflow. It's configurable in file deploy/gatein.ear/02por= tal.war/WEB-INF/conf/common/remindpwd-configuration.xml . For mo= re info, look at section + This is special service used during RememberMe authentic= ation workflow. It is configurable in file deploy/gatein.ear/02po= rtal.war/WEB-INF/conf/common/remindpwd-configuration.xml . For m= ore info, look at section = 
@@ -524,7 +527,7 @@ BASIC authentication = - JBoss Enterprise Portal Platform is using FORM based authen= tication by default but it's not a problem with switch to different authent= ication type like BASIC. Only needed thing is to configure it properly in <= emphasis>deploy/gatein.ear/02portal.war/WEB-INF/web.xml like thi= s: + JBoss Enterprise Portal Platform is using FORM based authen= tication by default but it is not a problem with switch to different authen= tication type like BASIC. Only needed thing is to configure it properly in = deploy/gatein.ear/02portal.war/WEB-INF/web.xml like th= is: - User will send request to loadbalancer and he will be= redirected to node1. All his requests will be then processed on node1 (sti= cky session). + User will send request to loadbalancer and he will be= redirected to node1. All his requests will be then pr= ocessed on node1 (sticky session). = - User login on loadbalancer (which is redirected to no= de1) + User login on loadbalancer (which is redirected to node1) = 
@@ -583,19 +586,19 @@ = - User will send another HTTP request. He will now be r= edirected to node2 because node1 is killed. Now user will be automatically = logged on node2 as well thanks to session replication, because he still has= same HTTP session, which was replicated from node1 to node2. So end user s= houldn't recognize any change even if his work is now done on different nod= e of cluster. + User will send another HTTP request. He will now be r= edirected to node2 because node1 = is killed. Now user will be automatically logged on node2 as well thanks to session replication, because he still has same HTTP s= ession, which was replicated from node1 to n= ode2. So end user shouldn't recognize any change even if his wor= k is now done on different node of cluster. = - This login workflow works thanks to PortalLoginMo= dule, which is able to save special attribute into HTTP session = as flag that user is already logged. Then reauthentication on node2 is work= ing thanks to servlet filter ClusteredSSOFilter, which= is able to automatically trigger programmatic authentication. + This login workflow works thanks to PortalLoginMo= dule, which is able to save special attribute into HTTP session = as flag that user is already logged. Then reauthentication on nod= e2 is working thanks to servlet filter ClusteredSSOFil= ter, which is able to automatically trigger programmatic authent= ication. = Note - ClusteredSSOFilter is using proprietary JBossWeb A= PI for trigger programmatic authentication and so it's working only on JBos= s AS. It is not working on other servers like Tomcat or Jetty. + ClusteredSSOFilter is using pro= prietary JBossWeb API for trigger programmatic authentication and so it is = working only on JBoss AS. It is not working on other servers like Tomcat or= Jetty. = 
@@ -650,18 +653,18 @@ Servlet container authorization = - First round of authorization is servlet container authoriza= tion based on secured URL from web.xml. We saw above i= n web.xml snippet that secured URL are accessible only for users from role = users: + First round of authorization is servlet container authoriza= tion based on secured URL from web.xml. We saw above i= n web.xml snippet that secured URL are accessible only for users from role = users: users ]]> - This actually means that our user needs to be in JBoss Ente= rprise Portal Platform role /platform/users (For detai= ls see ). In other words, if we successfuly authenticate bu= t our user is not in group /platform/users, then it means that he is not in= JAAS role users, which in next turn means that he wil= l have authorization error 403 Forbidden= thrown by servlet container. + This actually means that our user needs to be in JBoss Ente= rprise Portal Platform role /platform/users (For detai= ls see ). In other words, if we successfuly authenticate bu= t our user is not in group /platform/users, then it me= ans that he is not in JAAS role users, which in next t= urn means that he will have authorization error 403= Forbidden thrown by servlet container. = - You can change the behaviour and possibly add some more auth-constraint elements into web.xml. However this prote= ction of resources based on web.xml is not standard JBoss Enterprise Portal= Platform way and it's mentioned here mainly for illustration purposes. + You can change the behaviour and possibly add some more auth-constraint elements into web.xml. However this protection of resources based on web.xml is not standard JB= oss Enterprise Portal Platform way and it is mentioned here mainly for illu= stration purposes.
= @@ -685,7 +688,7 @@ = - HTTP request is processed through SetCurrentIdentityFilter, which is declared in de= ploy/gatein.ear/02portal.war/WEB-INF/web.xml. + HTTP request is processed through SetCurrent= IdentityFilter, which is declared in deploy/gatein.ear/= 02portal.war/WEB-INF/web.xml. = --===============7436320879803138401==--
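Review bot: in the @@ -187 hunk the credential example still reads "username: root/ password: gtn" with a stray space after the slash, while the WCI ticket example in the same sentence has none; make the two consistent ("username: root / password: gtn" and "username: root / password: wci-ticket-458791"). Since root/gtn is used throughout this chapter as the working example account (it reappears in the RememberMe request URL further down), the paragraph would also benefit from a sentence stating whether these are the installation defaults and, if so, that they must be changed before the portal is exposed to users.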
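Review bot: the @@ -272 hunk (CustomMembershipLoginModule) introduces a comma splice, "Name of group is configurable, by default it is /platform/users group"; suggest "The group name is configurable; by default it is the /platform/users group." In the new second paragraph, "groups of ldap user are taken from ldap tree and so that users may not be in /platform/users group" should read "the groups of an LDAP user are taken from the LDAP tree, so users may not be in the /platform/users group", with LDAP capitalised consistently. It would also help administrators to state the consequence plainly: once this module is uncommented, every account that authenticates successfully is added to the configured group, and with it gains whatever authorization depends on /platform/users membership.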
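Review bot: in the @@ -336 hunk the mechanical replacement of "it's" by "it is" produces "Tomcat has it is own TomcatLoginModule"; the possessive "its" is wanted here ("Tomcat has its own TomcatLoginModule"). While touching the line, "successfuly logged" (present in both the old and new text) should be "successfully logged in", "has assigned his JAAS roles" reads better as "has its JAAS roles assigned", and "this flow is little different" needs the article: "this flow is a little different".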
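Review bot: the @@ -456 hunk (RememberMe) changes "1 day" to "one day" but leaves the grammar around it: "user can be logged for whole day before he need to reauthenticate again with his credentials" should be "the user stays logged in for a whole day before needing to reauthenticate with their credentials", which also removes the singular "his" after the plural "users" earlier in the sentence.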
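Review bot: in the @@ -465 hunk the edit drops the subject, leaving the fragment "Then submits the form."; either join it to the preceding sentence ("... of JBoss Enterprise Portal Platform and then submits the form.") or write "The user then submits the form." The stray space in "Platform ." should go as well. The example request that follows carries username=root and password=gtn as query parameters; a short note that this request should only ever be made over HTTPS would be worthwhile, since query strings end up in browser history, proxy logs and server access logs.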
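Review bot: the @@ -495 hunk changes nothing but whitespace and leaves "User send HTTP request to some portal page (ie. http://localhost:8080/portal/classic )" as it was; suggest "The user sends an HTTP request to a portal page (for example http://localhost:8080/portal/classic)", fixing the verb, the "ie." abbreviation and the space before the closing parenthesis.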
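Review bot: in the @@ -524 hunk (BASIC authentication) "it is not a problem with switch to different authentication type like BASIC. Only needed thing is to configure it properly in ..." is still awkward; suggest "but switching to a different authentication type such as BASIC is straightforward. All that is needed is to configure it in deploy/gatein.ear/02portal.war/WEB-INF/web.xml like this:". Because BASIC sends the username and password, merely base64-encoded, in the Authorization header of every request, the section should state that it is only appropriate behind TLS. The load-balancer sentences appended to this hunk ("User will send request to loadbalancer and he will be redirected to node1") would read better in the plural: "Users send requests to the load balancer and are redirected to node1; all their subsequent requests are then processed on node1 (sticky session)."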
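Review bot: in the @@ -583 hunk "Now user will be automatically logged on node2" should be "the user is now automatically logged in on node2", and "So end user shouldn't recognize any change" reads better as "so the end user should not notice any change". In the Note, "for trigger programmatic authentication" should be "to trigger programmatic authentication"; the portability statement (JBoss AS only, not Tomcat or Jetty) is the important operational caveat in this hunk and could be promoted to the first sentence of the Note.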
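Review bot: the @@ -650 hunk (servlet container authorization) carries "successfuly authenticate" unchanged in both the old and new text; it should be "successfully authenticate". "which in next turn means" should be "which in turn means". The parenthetical "(For details see )" renders as empty in this diff; please confirm the cross-reference element inside it has a target that resolves in the built guide.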