Hi Florent,

Generally I only used security when dealing with the Clerezza Platform Bundles. If you want to work only with the lower-level API, I don't know how to use our Security modules.

We do have a system for Permissions in Clerezza. Some documentation can be found at http://incubator.apache.org/clerezza/documentation/ (search for the heading "Security"). I do not know too much about them, though; they look like JAAS permissions. I used them from time to time and just checked how it has been used by some bundles and copied the approach. Maybe someone else can give more detailed information.

When it comes to graph access via TcManager, there is a permission for checking read and write access: (org.apache.clerezza.rdf.core.access.security.TcPermission "<graphUri>" "readwrite").

The security system is tied to Clerezza platform users who can have those permissions assigned to them. So when a user is authenticated (cookie and HTTP basic auth are supported by the platform), all accesses to a graph run inside this user's security context and permissions are checked. If you want other authentication methods, you will need to implement a Clerezza WeightedAuthenticationMethod OSGi service.

Now when you want the users managed by an LDAP server, you will most likely need to implement this support first. I once dealt with a similar scenario, but then LDAP users were imported to the Clerezza platform and periodically updated. If you have the users managed by the LDAP server, you probably have to come up with some method to make them known to the Clerezza platform such that permissions can be assigned to them. Then you will have to implement a Clerezza AuthenticationChecker OSGi service that relays authentication to the LDAP server in some way.

To summarize two points not to be confused:

- There are Authentication Methods. We support HTTP Basic Auth and Cookies. This deals with how the user credentials are supplied to the Platform.
- There are Authentication Checkers. This deals with how the supplied credentials are validated/checked, e.g. the password encoding. Clerezza uses SHA-1 AFAIK. This is regardless of auth. method. If you supply an authentication checker that supports MD5, it will be used by each auth. method to try and validate the user credentials.

I'm not an expert on this part of Clerezza though, so some information may be inaccurate. This is what I remember ;)
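
The following is an added example, not part of the original message and not Clerezza code: a sketch of a credential checker that relays validation to an LDAP server through a simple bind, as the message describes. The `CredentialChecker` interface is a hypothetical stand-in for the platform's checker contract, and the `uid=<name>,<userBase>` DN layout and the example host names are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

/** Hypothetical stand-in for a credential-checker contract; not Clerezza's real interface. */
interface CredentialChecker {
    boolean authenticate(String userName, String password) throws NamingException;
}

/** Validates credentials by attempting a simple bind against the directory. */
public class LdapBindChecker implements CredentialChecker {
    private final String ldapUrl;   // e.g. "ldaps://ldap.example.org:636" (placeholder)
    private final String userBase;  // e.g. "ou=people,dc=example,dc=org" (placeholder)

    public LdapBindChecker(String ldapUrl, String userBase) {
        if (!ldapUrl.startsWith("ldaps://")) {
            throw new IllegalArgumentException("refusing cleartext LDAP: " + ldapUrl);
        }
        this.ldapUrl = ldapUrl;
        this.userBase = userBase;
    }

    /** Builds the bind DN; Rdn.escapeValue neutralises DN metacharacters in the user name. */
    String bindDn(String userName) {
        return "uid=" + Rdn.escapeValue(userName) + "," + userBase;
    }

    @Override
    public boolean authenticate(String userName, String password) throws NamingException {
        // An empty password turns a simple bind into an "unauthenticated bind" (RFC 4513),
        // which many servers accept, so it must never count as a successful login.
        if (userName == null || userName.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(userName));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();  // bind succeeded: credentials are valid
            return true;
        } catch (AuthenticationException e) {
            return false;                        // wrong password or unknown user
        }                                        // other NamingExceptions (outage) propagate
    }
}
```

Because the checker only answers whether the supplied credentials are valid, it works the same way whether they arrived via HTTP Basic Auth or a cookie login; the LDAP users still have to be known to the platform for permissions to be assigned to them.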
