Hi,

On 21.06.2010 13:00, Ian Boston wrote:
>
> On 21 Jun 2010, at 11:47, Felix Meschberger wrote:
>
>> Hi,
>>
>> Yes, this is why I just use this mechanism ;-)
>>
>> In addition it is also fully transparent down the road with respect to
>> setting ACLs etc.
>
> Yes, principals need to be resolvable via a PrincipalManager to be in ACLs.
>
> Does a standard JCR User node get created at first login if one can't be found
> either by searching for a matching open.id.identifier or userID, or do you
> have to create the OpenID JCR node prior to attempting to log in with OpenID ?

No, the OpenID Authentication Handler expects the user and its
association to be existing.

>
> If it's the latter, then much of the benefit of OpenID may be lost ?

Not really. Based on the Authentication Handler mechanism, creating a GUI
to allow users to self-register or allowing existing users to update
their profile to add an OpenID identity (or identities) is outside of the
scope of the authentication handler.

I could imagine that we provide such functionality as a sample as part
of or in the context of SLING-1370 [1]

Regards
Felix

[1] https://issues.apache.org/jira/browse/SLING-1370

> Ian
>
>>
>> Regards
>> Felix
>>
>> On 21.06.2010 12:44, Ian Boston wrote:
>>>
>>> On 21 Jun 2010, at 11:28, Felix Meschberger (JIRA) wrote:
>>>
>>>>
>>>> [
>>>> https://issues.apache.org/jira/browse/SLING-860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12880776#action_12880776
>>>> ]
>>>>
>>>> Felix Meschberger commented on SLING-860:
>>>> -----------------------------------------
>>>>
>>>> To be able to properly authenticate with OpenID the JCR users must be
>>>> associated with the actual OpenID Identity of the user.
>>>>
>>>> Currently there is no easy GUI support to do this, but you may use curl
>>>> and the Sling user management functionality to set this property, e.g.:
>>>>
>>>> curl -u admin:admin -F:name=username -Fpwd= -FpwdConfirm= \
>>>>      -Fopen.id.identifier=http://OpenIDIdentity \
>>>>      http://localhost:8888/system/userManager/user.create.html
>>>>
>>>> WDYT ?
>>>
>>>
>>> Wouldn't it make more sense to have a PrincipalManager that resolved an
>>> OpenID principal to a Principal and a User Manager that would create valid
>>> User objects for an OpenID principal (or Principal). Unfortunately this
>>> might require changes to the Jackrabbit UserManager which IIRC hard binds
>>> to UserImpl and GroupImpl and changes to GroupImpl which only allows
>>> members of type UserImpl. ?
>>>
>>> Having a JCR node as the only way to represent a User object means that all
>>> Users have to be inside JCR before they can be used.
>>>
>>> I realise that making the existing JR UserManager work for externally
>>> provisioned users is a major task and may simply be out of scope, in which
>>> case the open.id.identifier is a reasonable solution.
>>>
>>>
>>>>
>>>>
>>>>> OpenId authenticator problem
>>>>> ----------------------------
>>>>>
>>>>> Key: SLING-860
>>>>> URL: https://issues.apache.org/jira/browse/SLING-860
>>>>> Project: Sling
>>>>> Issue Type: Bug
>>>>> Components: Extensions
>>>>> Reporter: Michael Marth
>>>>> Priority: Minor
>>>>>
>>>>> this is probably a configuration problem, but I do not know how to get
>>>>> around this:
>>>>> Using the OpenId authenticator I cannot write to the repository.
>>>>> --
>>>>> How to reproduce:
>>>>> - install bundle espblog from samples
>>>>> - install bundle openid from extensions
>>>>> - in system config switch off "allow anon access" as described in
>>>>> openid-authenticator description
>>>>> - do openid login (and make sure you have no http basic auth credentials
>>>>> in the request)
>>>>> - try to write to repository -> javax.jcr.AccessDeniedException: /: not
>>>>> allowed to modify item
>>>>> --
>>>>> I believe the openid_user has no write access which would explain this
>>>>> behaviour. But how do I get around it? Do I have to write my own
>>>>> AccessManager? Do I miss something?
>>>>
>>>> --
>>>> This message is automatically generated by JIRA.
>>>> -
>>>> You can reply to this email to add a comment to the issue online.
>>>>
