Author: ppenicka
Date: 2013-01-29 13:00:27 -0500 (Tue, 29 Jan 2013)
New Revision: 9096
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SAML2_Salesforce_and_Google_Integration.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
Cleared out TODO, FIXME and some other remarks in III. Authentication and Authorization.
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml 2013-01-29
06:56:18 UTC (rev 9095)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationAuthorizationOverview.xml 2013-01-29
18:00:27 UTC (rev 9096)
@@ -4,7 +4,7 @@
%BOOK_ENTITIES;
]>
<chapter id="sect-Reference_Guide-Authentication_Authorization_Intro">
- <title>Authentication and Authorization intro</title>
+ <title>Introduction to Authentication and Authorization</title>
<remark> ======================================================= NOTE: Content
updated to wiki version 4 (11 Jan 2013)
=======================================================</remark>
<section
id="sect-Reference_Guide-Authentication_Authorization_Intro-Authentication">
<title>Authentication Overview</title>
@@ -26,21 +26,18 @@
</para>
</listitem>
<listitem>
- <remark>FIXME: Correct the following link</remark>
<para>
- SSO server integration (CAS, JOSSO, OpenSSO). Refer to ** xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On"/ for more
information.
+ SSO server integration (CAS, JOSSO, OpenSSO). Refer to <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On"/> for more information.
</para>
</listitem>
<listitem>
- <remark>FIXME: Correct the following link</remark>
<para>
- SPNEGO authentication with a Kerberos ticket. Refer to ** xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism"/
for more information.
+ SPNEGO authentication with a Kerberos ticket. Refer to <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism"/>
for more information.
</para>
</listitem>
<listitem>
<para>
- <remark>FIXME: Fix the following link</remark>
- SAML2 based authentication. Refer to ** xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On_-SAML2"/ for more
information.
+ SAML2 based authentication. Refer to <xref
linkend="Security_Assertion_Markup_Language"/> for more information.
</para>
</listitem>
<listitem>
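Review bot: The new SAML2 target, linkend="Security_Assertion_Markup_Language", does not follow the sect-Reference_Guide-... id pattern of the two xrefs corrected above it in this hunk, and the SAML2 file touched by this revision shows only as "Binary files differ", so the id cannot be checked from the diff. Confirm that the id exists and that the book still builds, and consider renaming the target so it matches the other section ids.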
@@ -115,7 +112,6 @@
<para>
Below is the default login modules stack:
</para>
- <remark> QUESTION: Does the reference below
"JBossEAP6LoginModule" need to be changed? </remark>
<programlisting language="XML" role="XML"><![CDATA[
<security-domain name="gatein-domain" cache-type="default">
<authentication>
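Review bot: Nothing in this hunk records the answer to the deleted QUESTION remark about "JBossEAP6LoginModule"; the remark is the only line that changes. If the reference was checked and is correct for this release, say so in the commit log, otherwise keep the remark until it is resolved.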
@@ -136,7 +132,6 @@
<para>
New login modules can be added or the stack completely replaced with custom
modules.
</para>
- <remark>QUESTION: Should the following reference be to official Red Hat
documentation instead of Oracle's?</remark>
<para>
Authentication starts with the login method of each login module being invoked.
After all login methods are invoked, the authentication is continued by invoking the
commit method on each login module. Both login and commit methods can throw
LoginException. If it happens, then the whole authentication ends unsuccessfully, which in
turn invokes the abort method on each login module. By returning "false"
from the login method, you can ensure that the login module is ignored. This is not
specific to JBoss Portal Platform but it is generic to JAAS. Refer to <ulink
url="http://docs.oracle.com/javase/6/docs/technotes/guides/security/...
type="http">http://docs.oracle.com/javase/6/docs/technotes/g...
here for more information about login modules in general.
</para>
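Review bot: The ulink in the JAAS paragraph still points to the Oracle Java SE 6 guide over plain http, although the remark deleted just above it asked whether Red Hat documentation should be referenced instead. If keeping the Oracle link is the decision, record that in the commit log; if not, replace the target before dropping the question.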
@@ -150,9 +145,8 @@
<varlistentry>
<term>SSODelegateLoginModule</term>
<listitem>
- <remark>FIXME: Fix the link to the relevant CAS section</remark>
<para>
- It's useful only if SSO authentication is enabled (disabled by
default. It can be enabled through properties in configuration.properties file and in this
case it delegates the work to another real login module for SSO integration. If SSO is
disabled, SSODelegateLoginModule is simply ignored. See ** xref linkend="Central
Authentication Service (CAS)#Configuration"/ properties details for more details.
If SSO is used and SSO authentication succeed, the special Identity object will be created
and saved into shared state map (Map, which is shared between all login modules), so that
this Identity object can be used by JBoss Enterprise Application Platform 6 LoginModule or
other login modules in the JAAS chain.
+ It's useful only if SSO authentication is enabled (disabled by
default. It can be enabled through properties in configuration.properties file and in this
case it delegates the work to another real login module for SSO integration. If SSO is
disabled, SSODelegateLoginModule is simply ignored. See <xref
linkend="sect-SSO_Single_Sign_On_-Central_Authentication_Service"/>
properties details for more details. If SSO is used and SSO authentication succeed, the
special Identity object will be created and saved into shared state map (Map, which is
shared between all login modules), so that this Identity object can be used by JBoss
Enterprise Application Platform 6 LoginModule or other login modules in the JAAS chain.
</para>
</listitem>
</varlistentry>
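Review bot: The rewritten SSODelegateLoginModule paragraph carries over the text defects of the old one: the parenthesis opened at "(disabled by default." is never closed, "See <xref .../> properties details for more details" does not read as a sentence, and "SSO authentication succeed" should be "succeeds". The new linkend "sect-SSO_Single_Sign_On_-Central_Authentication_Service" also lacks the "Reference_Guide-" prefix that the other SSO ids in this commit carry (for example "sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project"), so confirm it matches the CAS section id in SSO.xml.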
@@ -359,10 +353,9 @@
<para>
Default implementation of Authenticator is
<emphasis>OrganizationAuthenticatorImpl</emphasis>, which is implementation
based on <emphasis>OrganizationService</emphasis>. See <xref
linkend="sect-Reference_Guide-Organization_API"/> .
</para>
- <remark>FIXME: Change the following reference to eXo kernel</remark>
<para>
- You can override default implementation of mentioned interfaces
Authenticator and RolesExtractor if default behavior is not suitable for your needs.
Consult documentation of <emphasis>eXo kernel</emphasis> for more info.
- </para>
+ You can override the default implementation of the mentioned
<systemitem>Authenticator</systemitem> and
<systemitem>RolesExtractor</systemitem> interfaces if the default behavior is
not suitable for your needs.
+ </para>
</section>
<!-- Ending section Authenticator and RolesExtractor --> </section>
<!-- Ending section with login modules --> <section
id="sect-Authentication_Authorization_Intro-differentAuthWorkflows">
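Review bot: The pointer to the eXo kernel documentation is dropped from the Authenticator and RolesExtractor paragraph, where the FIXME asked for the reference to be changed, so the paragraph now says the interfaces can be overridden without saying where that is documented. Add an xref to the section that covers overriding these components, or keep a corrected pointer. The </para> line also changes only in indentation, which adds noise to the diff.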
@@ -451,9 +444,8 @@
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>]]></programlisting>
- <remark>FIXME: correct the link to 'Login
modules'</remark>
<para>
- This actually means that our user needs to be in JBoss Portal Platform
role <emphasis>/platform/users</emphasis> (For details see <xref
linkend="sect-Authentication_Authorization_Intro-authenticatorAndRolesExtractor"/>).
In other words, if we successfully authenticate but our user is not in group
<emphasis>/platform/users</emphasis>, then it means that he is not in JAAS
role <emphasis>users</emphasis>, which in turn means that they will have
authorization error <emphasis role="bold">403 Forbidden</emphasis>
thrown by servlet container. For example in LDAP setup, your users may not be in
/platform/users by default, but you can use CustomMembershipLoginModule to fix this
problem. For details see ** Login modules**.
+ This actually means that our user needs to be in JBoss Portal Platform
role <emphasis>/platform/users</emphasis> (for details see <xref
linkend="sect-Authentication_Authorization_Intro-authenticatorAndRolesExtractor"/>).
In other words, if we successfully authenticate but our user is not in group
<emphasis>/platform/users</emphasis>, then it means that he is not in JAAS
role <emphasis>users</emphasis>, which in turn means that they will have
authorization error <emphasis role="bold">403 Forbidden</emphasis>
thrown by servlet container. For example in LDAP setup, your users may not be in
/platform/users by default, but you can use CustomMembershipLoginModule to fix this
problem. For details see <xref
linkend="sect-Authentication_Authorization_Intro-Login_Modules"/>.
</para>
<para>
You can change the behavior and possibly add some more
<emphasis>auth-constraint</emphasis> elements into
<filename>web.xml</filename>. However this protection of resources based on
web.xml is not standard JBoss Portal Platform method and is mentioned here mainly for
illustration purposes.
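Review bot: The 403 Forbidden paragraph still switches between "he is not in JAAS role" and "they will have authorization error" for the same user, even though the sentence was retouched here ("For details" to "for details"). Use one pronoun throughout, and confirm that "sect-Authentication_Authorization_Intro-Login_Modules" is the id of the login modules section, since it replaces a placeholder and the target is not visible in the diff.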
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml 2013-01-29
06:56:18 UTC (rev 9095)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml 2013-01-29
18:00:27 UTC (rev 9096)
@@ -33,9 +33,8 @@
</section>
<section
id="sect-Reference_Guide-Authentication_Token_Configuration-Configuring_Token_Services">
<title>Configuring Token Services</title>
- <remark>FIXME: Correct the following link.</remark>
<para>
- The token services configuration includes specifying the token validity
period. The token service is configured as a portal component (in the portal scope, as
opposed to the root scope. Refer to ** xref linkend="Foundations"/ for more
information).
+ The token services configuration includes specifying the token validity
period. The token service is configured as a portal component (in the portal scope, as
opposed to the root scope; refer to <xref
linkend="part-Reference_Guide-Advanced_Development"/> for more information).
</para>
<para>
In the XML example below, <emphasis>CookieTokenService</emphasis>
is a subclass of <emphasis
role="bold">AbstractTokenService</emphasis> so it has a property which
specifies the validity period of the token.
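Review bot: linkend="part-Reference_Guide-Advanced_Development" sends the reader to a whole part of the guide for the portal scope versus root scope distinction, where the old placeholder named a specific target ("Foundations"). If the section or chapter that explains container scopes has an id, point the xref there; a part-level link gives the reader no specific place to land.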
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-29
06:56:18 UTC (rev 9095)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2013-01-29
18:00:27 UTC (rev 9096)
@@ -4,7 +4,7 @@
%BOOK_ENTITIES;
]>
<chapter id="sect-Reference_Guide-PicketLink_IDM_integration">
- <title>PicketLink IDM integration</title>
+ <title>PicketLink IDM Integration</title>
<remark> Source
https://docs.jboss.org/author/display/GTNPORTAL35/PicketLink+IDM+integrat...
<para>
JBoss Portal Platform uses the <literal>PicketLink IDM</literal> component to
store necessary identity information about users, groups and memberships. While legacy
interfaces are still used
(<literal>org.exoplatform.services.organization</literal>) for identity
management, there is a wrapper implementation that delegates to PicketLink IDM framework.
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SAML2_Salesforce_and_Google_Integration.xml
===================================================================
(Binary files differ)
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2013-01-29
06:56:18 UTC (rev 9095)
+++
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2013-01-29
18:00:27 UTC (rev 9096)
@@ -234,7 +234,7 @@
For the plug-in to function correctly, it must be properly configured
on the CAS server to connect to this service. Set up the server to authenticate against
the portal using the REST call-back.
</para>
<procedure>
- <title>Configuring the Authentication plug-in</title>
+ <title>Configuring the Authentication Plug-in</title>
<step>
<para>
Open
<code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</code>.
@@ -565,7 +565,7 @@
</section>
</section>
<section
id="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project">
- <title><remark>BZ#856430</remark>Java Open Single Sign-On
Project</title>
+ <title><remark>BZ#856430</remark>Java Open Single Sign-On Project
(JOSSO)</title>
<para>
Configuring JOSSO for JBoss Enterprise Application Platform requires an
Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates
with the JOSSO Apache instance through the single sign-on plug-in.
</para>