Bob Harner wrote:
On 4/1/07, Michael Ralston <[EMAIL PROTECTED]> wrote:
Imagine this scenario...
The root url of the lenya application requires authentication. After
authenticating, the user will be shown the lenya welcome page, listing
only publications which the user has privileges on.
To accomplish this I am thinking of removing publication directory
from the user object, but leaving publication directory in the group
object. By doing this users will be global across all publications,
but groups will still be publication specific.
I can then make a user a member of the editor group on one
publication, and a member of the review group on a different
publication. The welcome page would then display the publication and
which groups they were a member of on that publication (or not display
the publication at all if they are not a member of any group).
What do you guys think of this idea? Would it be potentially useful
for lenya projects you have worked on? How difficult do you think it
would be to implement?
The first issue I am concerned about is how to redirect a user to a
login page when they request the "Welcome to Apache Lenya" page.
How would I go about changing the Identity object? The method:
Identity.belongsTo(AccreditableManager manager)
would not really be applicable to how the new system works. As I
understand it, this method checks if the user contained in the current
identity belongs to the accreditableManager for the current
publication. Currently each publication has a different
accreditableManager. I guess I would need the accreditableManager to
be global across all publications.
Would it be easier to make all publications inherit their AC module
from the 'default' publication? If I did that how could I manage the
groups which users belonged to on a per publication basis?
thanks in advance for any feedback :)
Michael Ralston
We had a similar need to unify the logins of multiple Lenya
publications, but we approached it from a different angle. In our
case, we wanted Lenya to work with the commercial single sign-on (SSO)
product that we already had. The SSO product sits in front of our app
server and handles the authentication (via LDAP) for all Lenya
requests via a plug-in on the web server. So we changed Lenya's
authentication to look at the REMOTE_USER HTTP header (which our
single sign-on product always sets) and only prompt for a user name
and password if REMOTE_USER is empty.
This solution has the advantage that it should work with any
authentication mechanism implemented at the web server level,
including Basic Authentication done by Apache httpd.
I can provide more details if there is interest.
yes, that would be great
Cheers
Michael
Our solution extends a Lenya class or two, rather than modifying them,
so it is pretty clean and simple and is backward-compatible with
environments that don't have the REMOTE_USER header available.
Unfortunately, we are using Lenya 1.2.4 (because 1.4 isn't released yet).
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Michael Wechner
Wyona - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+41 44 272 91 61
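
The REMOTE_USER approach described in the thread (use the header when the front-end set it, otherwise prompt for a login), as an added example that is not part of the thread and is not Lenya's or Bob Harner's code. It assumes the application can see the address of the connecting peer and accepts the header only from the SSO front-end; the class name, method names and sample addresses are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class RemoteUserGate {
    // Assumption: only these peers (the SSO front-end) may assert REMOTE_USER.
    private final Set<InetAddress> trustedFrontEnds;

    public RemoteUserGate(Set<InetAddress> trustedFrontEnds) {
        this.trustedFrontEnds = trustedFrontEnds;
    }

    /** Returns the pre-authenticated user, or empty if the login prompt must be shown. */
    public Optional<String> preAuthenticatedUser(InetAddress peer, Map<String, String> headers) {
        String value = null;
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase("REMOTE_USER")) {
                if (value != null) {
                    return Optional.empty(); // header present twice: ambiguous, fall back to login
                }
                value = e.getValue();
            }
        }
        if (value == null || value.trim().isEmpty()) {
            return Optional.empty();         // no SSO identity: prompt for user name and password
        }
        if (!trustedFrontEnds.contains(peer)) {
            return Optional.empty();         // header supplied by a peer that is not the front-end
        }
        return Optional.of(value.trim());
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample data: IP literals, so no DNS lookup takes place.
        InetAddress frontEnd = InetAddress.getByName("10.0.0.5");
        InetAddress other = InetAddress.getByName("192.0.2.7");
        RemoteUserGate gate = new RemoteUserGate(Set.of(frontEnd));

        Map<String, String> withUser = Map.of("REMOTE_USER", "alice");
        Map<String, String> blank = Map.of("REMOTE_USER", "  ");
        Map<String, String> twice = Map.of("REMOTE_USER", "alice", "Remote_User", "bob");

        System.out.println("front-end, header set:   " + gate.preAuthenticatedUser(frontEnd, withUser));
        System.out.println("front-end, header blank: " + gate.preAuthenticatedUser(frontEnd, blank));
        System.out.println("front-end, header twice: " + gate.preAuthenticatedUser(frontEnd, twice));
        System.out.println("other peer, header set:  " + gate.preAuthenticatedUser(other, withUser));
    }
}
```

The front-end should also remove any REMOTE_USER value that arrives from the client before it sets its own, so that the value the application sees always originates from the SSO product.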