Author: bdaw
Date: 2007-02-19 16:24:41 -0500 (Mon, 19 Feb 2007)
New Revision: 6349
Modified:
docs/trunk/referenceGuide/en/modules/authentication.xml
Log:
basic info about synchronizing stuff in portal authentication
Modified: docs/trunk/referenceGuide/en/modules/authentication.xml
===================================================================
--- docs/trunk/referenceGuide/en/modules/authentication.xml 2007-02-19 21:19:20 UTC (rev
6348)
+++ docs/trunk/referenceGuide/en/modules/authentication.xml 2007-02-19 21:24:41 UTC (rev
6349)
@@ -8,5 +8,107 @@
</chapterinfo>
<title>Authentication</title>
<para>This chapter describes authentication mechanisms in JBoss
Portal</para>
-
+ <sect1 id="authentication_in_portal">
+ <title>Authentication in JBoss Portal</title>
+ <para>TODO</para>
+ <sect2 id="configuration">
+ <title>Configuration</title>
+ <para>You can configure JAAS authentication stack in
<emphasis>jboss-portal.sar/conf/login-config.xml</emphasis></para>
+ <para>TODO</para>
+ </sect2>
+ </sect1>
+ <sect1 id="portal_login_modules">
+ <title>JAAS Login Modules</title>
+ <para>JBoss Portal comes with few implementations of JAAS
<emphasis>LoginModule</emphasis> interface</para>
+ <sect2>
+ <title>IdentityLoginModule</title>
+ <para>TODO</para>
+ </sect2>
+ <sect2>
+ <title>DBIdentityLoginModule</title>
+ <para>TODO</para>
+ </sect2>
+ <sect2>
+ <title>SynchronizingLdapLoginModule</title>
+ <para>
+ Use can use this module instead of IdentityLoginModule to bind to LDAP.
+
<emphasis>org.jboss.portal.identity.auth.SynchronizingLDAPLoginModule</emphasis>
class is a wrapper around
+ <ulink
url="http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapLoginModule"&...
from JBossSX.
+ It simply extends it so
+ all configuration that can be applied to
<emphasis>LdapExtLoginModule</emphasis> also can be applied here. For user
that
+ was authenticated successfully it will try to call identity modules from
portal, check if such user
+ is present, and if not it will try to create it. Then for all roles assigned
to this authenticated principal it will
+ try to check and create them using identity modules. This behaviour can be
altered using following options:
+ <itemizedlist>
+ <listitem>
+ <emphasis
role="bold">userModuleJNDIName</emphasis> - JNDI name of portal
UserModule. This option is <emphasis>obligatory</emphasis>
+ if <emphasis>synchronizeIdentity</emphasis> option is set
to <emphasis>true</emphasis>
+ </listitem>
+ <listitem>
+ <emphasis
role="bold">roleModuleJNDIName</emphasis> - JNDI name of portal
RoleModule. This option is <emphasis>obligatory</emphasis>
+ if <emphasis>synchronizeIdentity</emphasis> and
<emphasis>synchronizeRoles</emphasis> options are set to
<emphasis>true</emphasis>
+ </listitem>
+ <listitem>
+ <emphasis
role="bold">membershipModuleJNDIName</emphasis> - JNDI name of portal
MembershipModule. This option is <emphasis>obligatory</emphasis>
+ if <emphasis>synchronizeIdentity</emphasis> and
<emphasis>synchronizeRoles</emphasis> options are set to
<emphasis>true</emphasis>
+ </listitem>
+ <listitem>
+ <emphasis
role="bold">userProfileModuleJNDIName</emphasis> - JNDI name of portal
UserProfileModule. This option is <emphasis>obligatory</emphasis>
+ if <emphasis>synchronizeIdentity</emphasis> option is set
to <emphasis>true</emphasis>
+ </listitem>
+ <listitem>
+ <emphasis
role="bold">synchronizeIdentity</emphasis> - if set to
<emphasis>true</emphasis> module will check if
+ successfully authenticated user exist in portal and if not it will try
to create it. If user exists module will update its password
+ to the one that was just validated.
+ </listitem>
+ <listitem>
+ <emphasis role="bold">synchronizeRoles</emphasis>
- if set to <emphasis>true</emphasis> module will iterate over all roles
assigned to
+ authenticated user and for each it will try to check if such role
exists in portal and if not it will try to create it. This option is
+ checked only if <emphasis>synchronizeIdentity</emphasis> is
set to true;
+ </listitem>
+ <listitem>
+ <emphasis role="bold">additionalRole</emphasis> -
module will add this role name to the group of principals assigned to the authenticated
user.
+ </listitem>
+ <listitem>
+ <emphasis
role="bold">defaultAssignedRole</emphasis> - if
<emphasis>synchronizeIdentity</emphasis> is set to true, module will try to
assign
+ portal role with such name to the authenticated user. If such role
doesn't exist in portal, module will try to create it.
+ </listitem>
+ </itemizedlist>
+ For obvious reasons this is designed to use with portal identity modules
configured with DB and not LDAP</para>
+ </sect2>
+ <sect2>
+ <title>SynchronizingLdapExtLoginModule</title>
+ <para>All options that apply for
<emphasis>SynchronizingLdapLoginModule</emphasis> also apply here. It's
the same kind of wrapper
+ made around <ulink
url="http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule&quo...
from JBossSX.
+ Sample configuration can look like this:</para>
+ <programlisting><![CDATA[
+
+ <login-module
code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule"
flag="required">
+ <module-option
name="synchronizeIdentity">true</module-option>
+ <module-option
name="synchronizeRoles">true</module-option>
+ <module-option
name="additionalRole">Authenticated</module-option>
+ <module-option
name="defaultAssignedRole">User</module-option>
+ <module-option
name="userModuleJNDIName">java:/portal/UserModule</module-option>
+ <module-option
name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
+ <module-option
name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
+ <module-option
name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
+ <module-option
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
+ <module-option
name="java.naming.provider.url">ldap://example.com:10389/</module-option>
+ <module-option
name="java.naming.security.authentication">simple</module-option>
+ <module-option name="bindDN">cn=Directory
Manager</module-option>
+ <module-option
name="bindCredential">secret</module-option>
+ <module-option
name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
+ <module-option
name="baseFilter">(uid={0})</module-option>
+ <module-option
name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
+ <module-option
name="roleFilter">(member={1})</module-option>
+ <module-option
name="roleAttributeID">cn</module-option>
+ <module-option name="roleRecursion">-1</module-option>
+ <module-option
name="searchTimeLimit">10000</module-option>
+ <module-option
name="searchScope">SUBTREE_SCOPE</module-option>
+ <module-option
name="allowEmptyPasswords">false</module-option>
+ </login-module>
+ </mbean>]]>
+ </programlisting>
+ </sect2>
+ </sect1>
</chapter>
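Review bot: the sample configuration in the SynchronizingLdapExtLoginModule section binds to the directory as an administrative account over a cleartext LDAP URL with `simple` authentication, and readers tend to copy samples verbatim; please change `name="java.naming.provider.url">ldap://example.com:10389/</module-option>` to an `ldaps://` URL (or add a sentence saying a TLS-protected URL is required in production), replace `<module-option name="bindDN">cn=Directory Manager</module-option>` with an obviously placeholder read-only service account used only for user and role lookup, and state that `name="bindCredential">secret</module-option>` is a placeholder that must not be left in a deployed login-config.xml. The same listing ends with `</mbean>` but never opens one, so either wrap it in the enclosing `<application-policy>`/`<authentication>` elements the file actually uses or drop the stray close. Two points on the option descriptions above the sample: the synchronizeIdentity text ("If user exists module will update its password to the one that was just validated") means the portal database ends up holding a copy of every synchronized user's LDAP password, which the chapter should say explicitly so operators know the DB now needs the same protection as the directory; and the roles described under synchronizeRoles and defaultAssignedRole are created in the portal on first login, so the text should note that whatever the LDAP role search returns becomes a portal role without further vetting. Minor: "Use can use" should read "You can use", "comes with few implementations" should be "comes with a few implementations", the title SynchronizingLdapLoginModule does not match the class name org.jboss.portal.identity.auth.SynchronizingLDAPLoginModule given just below it, and both `<ulink url=...>` elements are truncated (`&...`, `&quo...`) and will not produce valid DocBook; the remaining TODO paragraphs should be filled or removed before this chapter is published.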