Hi Brian,
As was implied in my previous post, I'm not part of the XWiki team, but
an XWiki user.
Firstly, I want to say that I respect the great work of the XWiki team and
community! Good job guys!
About the jGuard integration:
I propose to talk about XWiki security architecture on this forum, and if
the discussion becomes mainly focused on jGuard, we will continue this topic
on the jGuard forum.
So, if the XwikiService is the main interface to secure, applying
authorization with JAAS through jGuard will be easy to do: all you have to do
is to put at the start of the related methods this Java code (from J2SE, not
jGuard, that's why we can say jGuard uses the standard way):
    AccessController.checkPermission(yourCustomPermission);
The custom permission can be a XwikiPermission if you want.
If you want this control to apply only when the SecurityManager is enabled,
you can do the test before this code with:
    if (System.getSecurityManager() != null) {
        AccessController.checkPermission(yourCustomPermission);
    }
This code will call the underlying Java security architecture to know if
the user has got the permission to access the resource.
A SecurityException will be raised if the permission is denied.
jGuard provides a webapp example illustrating how to secure a webapp: it
demonstrates how to do it using a REST strategy (all resource access
controls are protected through URLs with URLPermissions, and not deeply in
the specific APIs...); but it can be done in an invasive way as described in
this post.
As the code provided above calls the Java security architecture, you need
to authenticate through jGuard and JAAS to have permissions granted to
the authenticated user.
So, the big work will be to match the access control model with the one used
by jGuard (jGuard uses the standard access control model called RBAC).
Do you have any details about the XWiki access control model to help
you? How are XWiki users authenticated, and how does XWiki manage them?
I hope some answers to this post will help you (and me!) to better
understand the XWiki architecture and access control model.
Cheers,
Charles (jGuard team).
http://www.jguard.net
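The permission check described in the message above, as an added example that is not part of the original e-mail and is not jGuard or XWiki code: a custom permission evaluated against the permissions granted to one role. The class, role and permission names are hypothetical, and it assumes a JDK on which the Security Manager API still functions (it was deprecated for removal in Java 17, JEP 411).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;

public class XWikiPermissionDemo {

    // Hypothetical permission type; the message only suggests "a XwikiPermission".
    // BasicPermission provides dotted names and a trailing "*" wildcard.
    static final class XWikiPermission extends BasicPermission {
        XWikiPermission(String name) { super(name); }
    }

    // Stand-in for what a JAAS policy yields once a user is authenticated:
    // the permissions granted to one role (RBAC), wrapped in a context.
    static AccessControlContext contextForRole(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // Two-argument ProtectionDomain: static permissions, Policy not consulted.
        return new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    // A denial surfaces as AccessControlException, a subclass of
    // SecurityException; it is turned into a boolean here for the demo.
    static boolean isAllowed(AccessControlContext acc, String action) {
        try {
            acc.checkPermission(new XWikiPermission(action));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed role: an editor may edit any page but has no delete grant.
        AccessControlContext editor =
                contextForRole(new XWikiPermission("page.edit.*"));
        System.out.println("edit Main.WebHome:   "
                + isAllowed(editor, "page.edit.Main.WebHome"));
        System.out.println("delete Main.WebHome: "
                + isAllowed(editor, "page.delete.Main.WebHome"));
    }
}
```

The check runs against an explicit AccessControlContext because the `System.getSecurityManager() != null` guard skips the check altogether when no security manager is installed.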
On 5/9/06, THOMAS, BRIAN M (SBCSI) <bt0008(a)att.com> wrote:
Thanks, Charles. I left a similar request as a comment on your wiki. I
am actively working on a JAAS implementation of XWiki's interfaces. Or
rather, I have begun by subclassing the XWiki*ServiceImpl classes because
that's how some others are done and there may be things that XWiki needs
there. It may actually be that it makes more sense just to implement the
interfaces directly.
This is probably not the venue for continued discussion in this vein, so
I'll do this directly, but thought I'd let the list know that this is going
on in case anyone wants to share in the effort and results.
I'm not on the developers list; are you, Charles? Would that be the best
place to carry on? I suppose if you didn't intend it to be an "official"
part of XWiki it might not be, but on the other hand it looks like a good
place for the XWiki developers to start if nothing else. The only
jGuard-specific code should be connected only by the configuration files.
Alternatively, perhaps the jGuard wiki would be a good place to discuss
and develop the overall design. Does that sound like a good idea?
I'm sorry for the delay in responding; I started this reply on Friday and
then forgot about it over the weekend. Though I never completed it, I found
it, marked unread, in my Sent Items folder...
brain[sic]
-----Original Message-----
*From:* charles gay [mailto:charles.gay@gmail.com]
*Sent:* Thursday, May 04, 2006 3:13 AM
*To:* xwiki-users(a)objectweb.org
*Subject:* Re: [xwiki-users] JAAS Integration with XWiki
Hi,
I'm part of the jGuard project and a user of XWiki (through our website
www.jguard.net hosted and powered by XWiki).
jGuard implements JAAS and provides an easy way to use it in a webapp
context.
It's true that the XWiki security APIs differ from the JAAS APIs,
but the concepts involved in the XWiki APIs are close to the JAAS and
jGuard ones.
If you have some interest in adapting the XWiki APIs to jGuard (and JAAS
implicitly), I can help you to do it.
But this adapter will not be an "official" XWiki way....
Hope it helps,
Charles GAY (jGuard team).
On 4/25/06, THOMAS, BRIAN M (SBCSI) <bt0008(a)att.com> wrote:
We are standardizing on the Java Authentication and Authorization
Service (JAAS). I thought I heard that XWiki supports the Pluggable
Authentication Modules (PAM) standard, but haven't found any reference
to it in the docs. Further, there are some articles out about
integrating JAAS into Tomcat, which is another thing to think about. We
actually are considering at least two methods here - a centralized PIN
server and a RADIUS server for SecurID access, and both have clients
that implement the JAAS interfaces.
There are a couple of strategies that I could probably try: one is just
to use the JAAS/Tomcat integration route. That would seem to give the
most bang-per-buck, but that would (I think) not allow controls at the
level of granularity that XWiki does, or would actually take controls
away from the XWiki rights system.
Another (actually my first idea) is to implement the various
com.xpn.xwiki.user.api interfaces (XWikiAuthService, XWikiGroupService,
and XWikiRightService) with JAAS calls.
Anyone have any experience with this?
brain[sic]
--
You receive this message as a subscriber of the
xwiki-users(a)objectweb.org mailing list.
To unsubscribe: mailto:xwiki-users-unsubscribe@objectweb.org
For general help: mailto: sympa(a)objectweb.org?subject=help
ObjectWeb mailing lists service home page:
http://www.objectweb.org/wws