[jboss-cvs] JBossAS SVN: r76309 - in projects/security/security-negotiation/trunk: jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Mon Jul 28 12:30:38 EDT 2008
Author: darran.lofthouse at jboss.com
Date: 2008-07-28 12:30:37 -0400 (Mon, 28 Jul 2008)
New Revision: 76309
Modified:
projects/security/security-negotiation/trunk/docs/userguide/en/modules/free_ipa.xml
projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml
projects/security/security-negotiation/trunk/docs/userguide/en/modules/introduction.xml
projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml
projects/security/security-negotiation/trunk/docs/userguide/en/modules/troubleshooting.xml
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
Log:
[SECURITY-266] Pre-release updates.
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/free_ipa.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/free_ipa.xml 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/free_ipa.xml 2008-07-28 16:30:37 UTC (rev 76309)
@@ -12,9 +12,19 @@
<para>
This chapter describes the steps required to configure the
- authenticator which are specific to Windows, these instructions
+ authenticator which are specific to FreeIPA, these instructions
are prepared using Fedora 9 with Free IPA version 1.1.
</para>
+
+ <blockquote>
+ <attribution>FreeIPA</attribution>
+ <para>
+ FreeIPA is an integrated security information management
+ solution combining Linux (Fedora), Fedora Directory Server,
+ MIT Kerberos, NTP, DNS. It consists of a web interface and
+ command-line administration tools.
+ </para>
+ </blockquote>
</section>
<section>
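Review bot: the blockquote added here carries an `<attribution>` of just "FreeIPA" with no source for the quoted text; give the URL or document the description was taken from so the attribution is verifiable. While here, the corrected sentence above it still spells the product inconsistently ("FreeIPA" on one line, "Free IPA version 1.1" on the next); pick one form, ideally matching the attribution.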
@@ -162,16 +172,17 @@
<xref linkend="negotiation_toolkit" />
.
</para>
-
- <para>
- For the role mapping again you could make use of the UsersRolesLoginModule as described in
- <xref linkend="users_roles_login_module" />
- or you can make use of a new LDAP login module to load the roles
- directly from the Free IPA Open LDAP server, an example of think login module
- is documented in
- <xref linkend="ipa_chained_configuration" />
- </para>
-
+
+ <para>
+ For the role mapping again you could make use of the
+ UsersRolesLoginModule as described in
+ <xref linkend="users_roles_login_module" />
+ or you can make use of a new LDAP login module to load the roles
+ directly from the Free IPA Open LDAP server, an example of think
+ login module is documented in
+ <xref linkend="ipa_chained_configuration" />
+ </para>
+
</section>
</section>
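Review bot: this hunk only reflows whitespace and carries the typo "an example of think login module" forward unchanged; it should read "an example of this login module". More importantly, "the Free IPA Open LDAP server" contradicts the blockquote added earlier in this same file, which says FreeIPA is built on Fedora Directory Server, not OpenLDAP; say "the FreeIPA directory server" (or just "LDAP server") instead. The sentence also ends at the `<xref linkend="ipa_chained_configuration" />` with no terminating full stop.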
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/general_installation.xml 2008-07-28 16:30:37 UTC (rev 76309)
@@ -39,6 +39,13 @@
any problems are specific to your web application and also use the
toolkit to obtain additional debug information.
</para>
+
+ <para>
+ Also see
+ <xref linkend="troubleshooting" />
+ for information on additional logging which is available to
+ diagnose installation issues.
+ </para>
</section>
<section>
@@ -48,9 +55,9 @@
<title>Authenticator Installation</title>
<para>
- The authenticator is contained within a single jar
- 'jboss-negotiation.jar', this jar should be placed in the
- following location -
+ The authenticator is contained within a single jar '
+ <code>jboss-negotiation.jar</code>
+ ', this jar should be placed in the following location -
<code>{jboss.home}/server/{configuration}/lib/</code>
</para>
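Review bot: splitting the quoted jar name across three lines as `'` / `<code>jboss-negotiation.jar</code>` / `'` means the rendered text will contain whitespace inside the quotes (`' jboss-negotiation.jar '`), since the line breaks inside `<para>` are normalised to spaces. Either keep the quote characters and the `<code>` element on one line, or drop the quotes altogether, as the `<code>` markup already sets the name off from the prose.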
@@ -87,7 +94,8 @@
<para>
The key can be any value you choose, however using SPNEGO is
- recommended to be consistent with the rest of this document.
+ recommended to be consistent with the rest of this document,
+ this is also required by the Negotiation Toolkit.
</para>
</section>
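Review bot: the new clause turns the sentence into a comma splice ("... the rest of this document, this is also required by the Negotiation Toolkit"), and it also contradicts the opening "The key can be any value you choose": if the Toolkit requires the key to be `SPNEGO`, the value is not free. Suggest rewording along the lines of "The key can be any value you choose; however, the Negotiation Toolkit expects the name SPNEGO, and the rest of this document assumes it as well."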
@@ -147,7 +155,7 @@
requirement is that these properties are set before the first
authentication attempt - JBoss does not allow incomming HTTP
connections until the server is completely started so this is
- not a proble.
+ not a problem.
</para>
<para>
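Review bot: the fix of "proble" to "problem" is fine, but the context line two lines above it still reads "JBoss does not allow incomming HTTP connections"; correct "incomming" to "incoming" in the same hunk rather than leaving a second typo in the paragraph you are already touching.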
@@ -327,9 +335,7 @@
<para id="users_roles_login_module">
The second login module is used to load the users roles after
the authentication has already taken place by the previous login
- module. The Beta2 release will cover how to make use of LDAP to
- retrieve the users roles so for a Microsoft Active Directory
- installation the roles can be retrieved using an LDAP query.
+ module.
</para>
<para>
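Review bot: dropping the "Beta2 release will cover how to make use of LDAP" promise is right, but it leaves the `users_roles_login_module` paragraph with no pointer to the LDAP-based role loading that this same commit ships in `AdvancedLdapLoginModule` (step "-3 Find the users roles" in its javadoc). Add an `<xref>` to the section that documents the LDAP login module, as the FreeIPA chapter already does with `ipa_chained_configuration`, so Active Directory readers are not left with only the properties-file option.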
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/introduction.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/introduction.xml 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/introduction.xml 2008-07-28 16:30:37 UTC (rev 76309)
@@ -35,8 +35,9 @@
and Mozilla Firefox. There are also a number of kerberos domain
controllers available, this documentation focusses on
<trademark>Microsoft Active Directory</trademark>
- and the MIT KDC implementation. Contributions for documentation on
- other web browsers and KDCs would be welcome.
+ and the MIT KDC implementation when included in FreeIPA.
+ Contributions for documentation on other web browsers and KDCs would
+ be welcome.
</para>
<para></para>
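Review bot: the rewritten sentence "and the MIT KDC implementation when included in FreeIPA" is awkward; "and the MIT KDC as shipped with FreeIPA" reads better and says the same thing. The empty `<para></para>` that follows in the context lines produces nothing useful in the output and should be removed while this paragraph is being edited; "kerberos" in the first context line should also be capitalised to match "Microsoft Active Directory" and "MIT KDC" in the same sentence.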
@@ -55,7 +56,7 @@
<para>SPNEGO Authenticator and Login Module</para>
<para>
- The authentication process is handled by a Tomcat
+ The authentication process is handled by a JBoss Web
Authenticator that and a JAAS login module, this combination
achieves the integration with JBoss security.
</para>
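Review bot: renaming Tomcat to JBoss Web leaves the grammatical error in the next context line untouched: "Authenticator that and a JAAS login module" has a stray "that". Suggest "The authentication process is handled by a JBoss Web Authenticator and a JAAS login module; together they achieve the integration with JBoss security."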
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml 2008-07-28 16:30:37 UTC (rev 76309)
@@ -232,7 +232,9 @@
<para>
The resulting keytab should then be used in setting up the host
- security domain as described previously.
+ security domain as described in
+ <xref linkend="host_security_domain" />
+ .
</para>
</section>
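Review bot: placing the full stop on its own line after `<xref linkend="host_security_domain" />` renders as "described in Host Security Domain ." with a space before the period, because whitespace between the elements is collapsed to a single space rather than dropped. Keep the `.` on the same line as the `<xref>` (the same pattern appears around the `negotiation_toolkit` xref in free_ipa.xml).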
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/troubleshooting.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/troubleshooting.xml 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/troubleshooting.xml 2008-07-28 16:30:37 UTC (rev 76309)
@@ -34,7 +34,8 @@
</para>
<programlisting>
- <![CDATA[<category name="org.jboss.security">
+ <![CDATA[
+<category name="org.jboss.security">
<priority value="TRACE"/>
</category>]]>
</programlisting>
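Review bot: moving `<category name="org.jboss.security">` onto its own line inside the `<![CDATA[` section makes the listing start with a newline, and `<programlisting>` content is verbatim, so the rendered snippet will most likely begin with a blank line. Either keep the CDATA opener and the first element on one line as before, or check the generated HTML/PDF output to confirm the leading newline is stripped by the stylesheet in use.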
Modified: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-28 16:07:59 UTC (rev 76308)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-28 16:30:37 UTC (rev 76309)
@@ -59,7 +59,7 @@
* for password-stacking set to useFirstPass.
*
* This is essentially a complete refactoring of the LdapExtLoginModule
- * but with enough restructuring to seperate out the three login steps: -
+ * but with enough restructuring to separate out the three login steps: -
* -1 Find the user
* -2 Authenticate as the user
* -3 Find the users roles
@@ -107,6 +107,8 @@
private static final String ROLE_NAME_ATTRIBUTE_ID = "roleNameAttributeID";
+ private static final String ROLE_SEARCH_SCOPE = "searchScope";
+
// Authentication Settings
private static final String ALLOW_EMPTY_PASSWORD = "allowEmptyPassword";
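Review bot: the new `searchScope` option is not described anywhere in this commit; the class-level javadoc lists the module's options and the user guide's login-module sections are modified in this very changeset, so both should document the option name, the three accepted values (`OBJECT_SCOPE`, `ONELEVEL_SCOPE`, `SUBTREE_SCOPE`) and the default. Since the constant is declared in the role-settings block and only applied to `roleSearchControls`, say explicitly that it governs the role search only, not the user search.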
@@ -126,6 +128,12 @@
private static final String PROTOCOL_SSL = "SSL";
+ private static final String OBJECT_SCOPE = "OBJECT_SCOPE";
+
+ private static final String ONELEVEL_SCOPE = "ONELEVEL_SCOPE";
+
+ private static final String SUBTREE_SCOPE = "SUBTREE_SCOPE";
+
/*
* Configuration Options
*/
@@ -217,8 +225,23 @@
temp = (String) options.get(RECURSE_ROLES);
recurseRoles = Boolean.parseBoolean(temp);
+ int searchScope = SearchControls.SUBTREE_SCOPE;
+ temp = (String) options.get(ROLE_SEARCH_SCOPE);
+ if (OBJECT_SCOPE.equalsIgnoreCase(temp))
+ {
+ searchScope = SearchControls.OBJECT_SCOPE;
+ }
+ else if (ONELEVEL_SCOPE.equalsIgnoreCase(temp))
+ {
+ searchScope = SearchControls.ONELEVEL_SCOPE;
+ }
+ if (SUBTREE_SCOPE.equalsIgnoreCase(temp))
+ {
+ searchScope = SearchControls.SUBTREE_SCOPE;
+ }
+
roleSearchControls = new SearchControls();
- roleSearchControls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
+ roleSearchControls.setSearchScope(searchScope);
roleSearchControls.setReturningAttributes(new String[0]);
roleSearchControls.setTimeLimit(searchTimeLimit);
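Review bot: the third branch is `if (SUBTREE_SCOPE.equalsIgnoreCase(temp))` rather than `else if`, so the chain is not exclusive; it happens to be harmless because the first two branches set a different value and `temp` cannot match two constants at once, but it reads as a mistake and should be `else if`. An unrecognised value (or a typo such as `SUBTREE`) is silently mapped to `SearchControls.SUBTREE_SCOPE`; log a warning or fail the login module initialisation so a misconfigured scope does not go unnoticed. Note also that the default changes: the line removed here hard-coded `SearchControls.ONELEVEL_SCOPE`, while the new default when the option is absent is `SearchControls.SUBTREE_SCOPE`, so existing configurations will start searching the whole subtree under the role context for role entries. If that widening is intended it needs calling out in the release notes and the user guide; otherwise default `searchScope` to `SearchControls.ONELEVEL_SCOPE` to preserve the previous behaviour.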