Crowd Login Authentication Roller Integration
---------------------------------------------

                 Key: ROL-1933
                 URL: https://issues.apache.org/jira/browse/ROL-1933
             Project: Roller
          Issue Type: New Feature
            Reporter: Nick Padilla
            Assignee: Roller Unassigned
         Attachments: BasicUserAutoProvision.txt, CrowdAuthenticationProvider.java, CrowdRollerUserDetails.java, crowd.properties, security-xml.txt

CROWD:
1. First off, how do we want to handle the demotion or elevation of permissions (groups, rather)? Say an admin becomes just an editor, or an editor becomes an admin; currently there will be no change in Roller.
2. If a user has permissions for the application but is not part of a group, the integration currently gives the editor role. Does that work? If not, we need to make that change.
3. Old users can continue to use their Roller accounts; if the user is a user of the Roller application in Crowd, they will authenticate through Crowd, as long as the two accounts have the same user name. Once authenticated through Crowd, Roller authentication will no longer work for that user. So if Crowd goes down and all users are in Crowd, then no one will be able to enter the site. The recommendation is to have at least one admin user that doesn't have an account in Crowd; this way there will always be a way in.
4. If the crowd.properties file is not on the classpath, then we never use Crowd to authenticate; however, if you have users that were authenticated through Crowd, they will not be able to log in.
5. If the user exists in Crowd and has permissions to access Roller, and Roller doesn't contain this user account, then a new user will be registered automatically. If no groups are set up, the user will have the editor role; if the user is part of a group whose name contains the string "admin" or "ADMIN", that user will be given admin rights.
6. Here is an example crowd.properties file. Currently we read the file every time there is a need for it, so that resource will be continually accessed. If this is a problem, which I can understand, I can create a singleton that will handle the crowd.properties file and only load it once. This means that if any changes are made to the file, we have to restart the application.

                #required fields
                crowd.application.name=roller
                crowd.application.password=password
                crowd.port=8095
                crowd.host=localhost
                crowd.context=crowd
                #end required fields
                #this setting allows the use of https, defaults to false; if not present we will use a plain socket.
                crowd.useSecureConnection=false
                crowd.default.timezone=
                crowd.default.locale=

You can add this file the same way you add roller-custom.properties. TimeZone and Locale are not required, but when present they must be in the standard format.
7. These are the settings that need to be set in roller-custom.properties to enable the use of Crowd authentication:

                # Crowd Auth, need these settings to be enabled
                users.sso.enabled=true
                users.sso.autoProvision.enabled=true

If these are not set, Crowd authentication will not work correctly. AutoProvision is what makes this all work: users that exist in Crowd but not in Roller will be saved to Roller's DB the first time they log in. This is needed so that permissions can be written for Roller. We will still need to add some code to ensure that when users get promoted or demoted, those changes make it to the Roller DB.

Please see the attached files, as they contain these changes and are in sync with trunk as of today. We can extend this functionality, but here is a working starting point.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira