Added: portals/jetspeed-2/trunk/components/security/xdocs/config.xml URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/config.xml?rev=291290&view=auto ============================================================================== --- portals/jetspeed-2/trunk/components/security/xdocs/config.xml (added) +++ portals/jetspeed-2/trunk/components/security/xdocs/config.xml Sat Sep 24 05:29:23 2005 
@@ -0,0 +1,450 @@ +<?xml version="1.0"?> +<!-- + Copyright 2004 The Apache Software Foundation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<document> + <properties> + <title>Jetspeed 2 Security Services Configuration</title> + <authors> + <person name="David Le Strat" email="[EMAIL PROTECTED]" /> + <person name="Ate Douma" email="[EMAIL PROTECTED]" /> + </authors> + </properties> + <body> + <section name="Default configuration"> + <p> + Jetspeed 2 default security services configuration leverages a relational database as its default persitent datastore for security information. + Jetspeed 2 security service provider interface provides a mechanism to replace the default datastore configured. + </p> + <p> + 3 files are involved when configuring Jetspeed 2 security SPI. All the SPI configuration files are located under + <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i> + . + </p> + <subsection name="security-atn.xml"> + <p> + This configuration file provides the login module configuration. Not everyone needs this, as some application may decide to use another + login module other than the one provided. + </p> + </subsection> + <subsection name="security-atz.xml"> + <p> + This configuration file configures the authorization policy, in J2's case + <a href="atz-jass.html">RdbmsPolicy</a> + . 
+ </p> + </subsection> + <subsection name="security-managers.xml"> + <p>This configuration file configures all the managers for security purpose.</p> + </subsection> + <subsection name="security-providers.xml"> + <p>This configuration file configures the various providers and weaves the SPI together.</p> + <ul> + <li> + <code>AuthenticationProviderProxy</code> + : Configures the list of + <code>AuthenticationProvider</code> + and the default authenticator. + <source> + <![CDATA[ +<bean id="org.apache.jetspeed.security.AuthenticationProviderProxy" + class="org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl"> + <constructor-arg > + <list> + <ref bean="org.apache.jetspeed.security.AuthenticationProvider"/> + </list> + </constructor-arg> + <constructor-arg><value>DefaultAuthenticator</value></constructor-arg> +</bean>]]> + </source> + </li> + <li> + <code>AuthenticationProvider</code> + : Configures the authentication providers for the current portal implementation. The example below configures the default authenticator + that uses the RDBMS to manage/store user information. + <source> + <![CDATA[ +<bean id="org.apache.jetspeed.security.AuthenticationProvider" + class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl"> + <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg> + <constructor-arg index="1"><value>The default authenticator</value></constructor-arg> + <constructor-arg index="2"><value>login.conf</value></constructor-arg> + <constructor-arg index="3"> + <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/> + </constructor-arg> + <constructor-arg index="4"> + <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/> + </constructor-arg> +</bean>]]> + </source> + </li> + <li> + <code>AuthorizationProvider</code> + : Configures the policies and instantiates the + <code>SecurityPolicies</code> + that are used for enforcing permissions. 
By default, Jetspeed 2 does not load any other + security policies that may have been configured. In order to use default policies, set + <code>useDefaultPolicy</code> to <code>true</code> + <source> + <![CDATA[ +<bean id="org.apache.jetspeed.security.AuthorizationProvider" + class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"> + <constructor-arg index="0"> + <ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/> + </constructor-arg> + <!-- Does not use the default policy as a default behavior --> + <constructor-arg index="1"><value>false</value></constructor-arg> +</bean>]]> + </source> + </li> + </ul> + </subsection> + <subsection name="security-spi.xml"> + <p>This configuration file contains configuration that are common to the authentication and authorization SPIs.</p> + <table> + <tr> + <th>Bean</th> + <th>Description</th> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.SecurityAccess</td> + <td> + Used internally by the default OJB based SPI. Provide access to common action/methods for the various SPI implementations. The + <i>SecurityAccess</i> + bean is used by both the Authentication and Authorization SPIs. + </td> + </tr> + </table> + </subsection> + <subsection name="security-spi-atn.xml"> + <p>This configuration file contains all the configurations for configuring the authentication SPI.</p> + <table> + <tr> + <th>Bean</th> + <th>Description</th> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.CredentialHandler</td> + <td> + The + <i>CredentialHandler</i> + encapsulates the operations involving manipulation of credentials. 
The default implementation provides support for password + protection as defined by the + <i>PasswordCredentialProvider</i> + ; as well as lifecycle management of credentials through + <i>InternalPasswordCredentialInterceptor</i> + which can be configured to manages parameters such as maximum number of authentication + failures, maximum life span of a credential in days and how much history to retain for a + given credential. + </td> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.UserSecurityHandler</td> + <td> + The + <i>UserSecurityHandler</i> + encapuslated all the operations around the user principals. + </td> + </tr> + </table> + <p> + The following simple <code>CredentialHandler</code> configuration is currently provided + by default with Jetspeed:</p> + <source><![CDATA[ +<!-- require a non-empty password --> +<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator" + class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/> + +<!-- MessageDigest encode passwords using SHA-1 --> +<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder" + class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder"> + <constructor-arg index="0"><value>SHA-1</value></constructor-arg> +</bean> + +<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler --> +<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor" + class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy"> + <constructor-arg index="0"> + <list> + <!-- enforce an invalid preset password value in the persisent store is required to be changed --> + <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/> + + <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use --> + <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/> + </list> 
+ </constructor-arg> +</bean> + +<bean id="org.apache.jetspeed.security.spi.PasswordCredentialProvider" + class="org.apache.jetspeed.security.spi.impl.DefaultPasswordCredentialProvider"> + <constructor-arg index="0"> + <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/> + </constructor-arg> + <constructor-arg index="1"> + <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/> + </constructor-arg> +</bean> + +<bean id="org.apache.jetspeed.security.spi.CredentialHandler" + class="org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler"> + <constructor-arg index="0"> + <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/> + </constructor-arg> + <constructor-arg index="1"> + <ref bean="org.apache.jetspeed.security.spi.PasswordCredentialProvider"/> + </constructor-arg> + <constructor-arg index="2"> + <ref bean="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"/> + </constructor-arg> +</bean>]]> + </source> + <p> + The above configuration requires not much more than that a password should not be + empty and MessageDigest encode it using SHA-1.</p> + <p> + Before the 2.0-M4 release, Jetspeed came configured with a much stricter configuration, but for + first time users of the Portal this was a bit overwelming and also quite difficult to configure + differently.</p> + <p> + With the 2.0-M4 release, the previously provided, and rather complex, + <code>InternalPasswordCredentialInterceptor</code> implementations are split up in single atomic + interceptors which can much easier be configured indepedently.</p> + <p> + An overview of the new interceptors and how related request processing pipeline valves can be + configured to provide feedback to the user is provided in the <a href="credentials.html"> + Credentials Management</a> document.</p> + <p> + Since the "old" (pre 2.0-M4) interceptors are no longer provided with Jetspeed, the example below + shows how to "restore" the old setup using the new 
interceptors:</p> + <source><![CDATA[ +<!-- require a password of minimum length 6 and at least two numeric characters --> +<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator" + class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator"> + <constructor-arg index="0"><value>6</value></constructor-arg> + <constructor-arg index="1"><value>2</value></constructor-arg> +</bean> + +<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler --> +<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor" + class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy"> + <constructor-arg index="0"> + <list> + <!-- enforce an invalid preset password value in the persisent store is required to be changed --> + <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/> + + <!-- ensure preset cleartext passwords in the persistent store will be encoded on first use --> + <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/> + + <!-- remember the last 3 passwords used and require a new password to be different from those --> + <bean class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor"> + <constructor-arg index="0"><value>3</value></constructor-arg> + </bean> + + <!-- Automatically expire a password after 60 days --> + <bean class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor"> + <constructor-arg index="0"><value>60</value></constructor-arg> + </bean> + + <!-- Automatically disable a password after 3 invalid authentication attempts in a row --> + <bean class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor"> + <constructor-arg index="0"><value>3</value></constructor-arg> + </bean> + </list> + </constructor-arg> +</bean>]]> + </source> + <p> + And, make sure something like the following configuration is set for 
the security related valves in + pipelines.xml:</p> + <source><![CDATA[ +<bean id="passwordCredentialValve" + class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl" + init-method="initialize"> + <constructor-arg> + <!-- expirationWarningDays --> + <list> + <value>2</value> + <value>3</value> + <value>7</value> + </list> + </constructor-arg> +</bean> + +<bean id="loginValidationValve" + class="org.apache.jetspeed.security.impl.LoginValidationValveImpl" + init-method="initialize"> + <!-- maxNumberOfAuthenticationFailures + This value should be in sync with the value for + org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor + (if used) to make sense. + Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT + error code when only one last attempt is possible before the credential + will be disabled after the next authentication failure. + --> + <constructor-arg index="0"><value>3</value></constructor-arg> +</bean>]]> + </source> + <p> + Also, make sure the above valves are configured in the <code>jetspeed-pipeline</code> bean.</p> + <p> + See the <a href="credentials.html#User_interaction">User Interaction</a> section in the + Credentials Management document for a description of these valves and their relation to the + interceptors configuration.</p> + </subsection> + <subsection name="security-spi-atz.xml"> + <p>This configuration file contains all the configurations for configuring the authorization SPI.</p> + <table> + <tr> + <th>Bean</th> + <th>Description</th> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.RoleSecurityHandler</td> + <td> + The + <i>RoleSecurityHandler</i> + encapsulates all the operations around the role principals. + </td> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.GroupSecurityHandler</td> + <td> + The + <i>GroupSecurityHandler</i> + encapsulates all the operations around the group principals. 
+ </td> + </tr> + <tr> + <td>org.apache.jetspeed.security.spi.SecurityMappingHandler</td> + <td> + The + <i>SecurityMappingHandler</i> + encapsulates all the operations involving mapping between principals. It contains the logic managing hierarchy resolution for + hierarchical principals (roles or groups). The default hierarchy resolution provided is a hierarchy by generalization (see overview + for definitions). A + <i>contructor-arg</i> + can be added to the + <i>SecurityMappingHandler</i> + to change the hierarchy resolution strategy. Jetspeed 2 also support a hierarchy resolution by aggregation. + </td> + </tr> + </table> + <p> + A sample + <code>SecurityMappingHandler</code> + configuration could be: + <source><![CDATA[ +<!-- Security SPI: SecurityMappingHandler --> +<bean id="org.apache.jetspeed.security.spi.SecurityMappingHandler" + class="org.apache.jetspeed.security.spi.impl.DefaultSecurityMappingHandler"> + <constructor-arg > + <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/> + </constructor-arg> + <!-- Default role hierarchy strategy is by generalization. + Add contructor-arg to change the strategy. --> + <!-- Default group hierarchy strategy is by generalization. + Add contructor-arg to change the strategy. --> +</bean>]]> + </source> + </p> + </subsection> + </section> + <section name="LDAP Configuration"> + <p> + Jetspeed 2 provides LDAP support for authentication. Configuring LDAP authentication can be done by replacing the configuration files located + under + <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/</i> + by the files located under as indicated + <i>${jetspeed-source-home}/components/security/etc/</i> + . below. + </p> + <p> + Jetspeed 2 + <b>does not currently provide an embedded LDAP directory</b> + . A external LDAP directory must be configured in order to leverage this functionality. 
+ </p> + <p> + <i>security-spi-atn.xml</i> + should be replaced by + <i>security-spi-ldap-atn.xml</i> + and + <i>security-spi-ldap.xml</i> + should be copied to the assembly directory as well. + </p> + <p> + The + <i>security-spi-ldap-atn.xml</i> + preforms the same functions as the + <i>security-spi-atn.xml</i> + described above. It replaces the default implementation for + <i>CredentialHandler</i> + and + <i>UserSecurityHandler</i> + with an LDAP specific implementation. + </p> + <p> + Additionally, + <i>ldap.properties</i> + located under + <i>${jetspeed-source-home}/components/security/etc/</i> + should be copied under + <i>${jetspeed-source-home}/portal/src/webapp/WEB-INF/conf/</i> + . + </p> + <subsection name="ldap.properties"> + <table> + <tr> + <th>Property</th> + <th>Value</th> + </tr> + <tr> + <td>org.apache.jetspeed.ldap.ldapServerName</td> + <td> + The LDAP server name to connect to. E.g. + <i>localhost</i> + </td> + </tr> + <tr> + <td>org.apache.jetspeed.ldap.rootDn</td> + <td> + The root domain name. E.g. + <i>cn=Manager,dc=proto,dc=dataline,dc=com</i> + . In properties files the "=" in the value should be escaped, i.e. + <i>cn\=Manager,dc\=proto,dc\=dataline,dc\=com</i> + </td> + </tr> + <tr> + <td>org.apache.jetspeed.ldap.rootPassword</td> + <td>The root password.</td> + </tr> + <tr> + <td>org.apache.jetspeed.ldap.rootContext</td> + <td> + The root context. E.g. + <i>dc=proto,dc=dataline,dc=com</i> + </td> + </tr> + <tr> + <td>org.apache.jetspeed.ldap.defaultDnSuffix</td> + <td> + The default suffix. E.g. + <i>ou=Norfolk,o=Dataline</i> + </td> + </tr> + </table> + </subsection> + </section> + </body> +</document> \ No newline at end of file
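Review bot: the ldap.properties table describes `org.apache.jetspeed.ldap.rootDn` as "The root domain name", but the example value `cn=Manager,dc=proto,dc=dataline,dc=com` is a distinguished name (DN), not a domain name; say so, and note in the `rootPassword` row that this bind password is stored in cleartext in the properties file copied under `WEB-INF/conf/`, so the file needs the same protection as any other credential store. In the `security-spi-atn.xml` subsection, the comment "MessageDigest encode passwords using SHA-1" and the sentence "The above configuration requires not much more than that a password should not be empty and MessageDigest encode it using SHA-1" should make explicit that this is the minimal default and that the stricter interceptor setup shown further down is the recommended one. Also, in the SecurityMappingHandler subsection the `<source>` block is nested inside the `<p>` ("A sample SecurityMappingHandler configuration could be:"), unlike every other subsection, where `<source>` follows the closing `</p>`; move it out for consistency. Spelling in the added text: "persitent" and "persisent" (the latter twice in source comments), "encapuslated", "contructor-arg" (three times), "preforms", "overwelming", "indepedently", "LoginConststants", "can be configured to manages" should read "manage", and "A external LDAP directory" should read "An external"; the sentence "by the files located under as indicated ... . below." in the LDAP Configuration section is garbled and should be reworded.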
Modified: portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/arch-overview.gif?rev=291290&r1=291289&r2=291290&view=diff ============================================================================== Binary files - no diff available. Modified: portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/design-docs/src/security/securityArchOverview.vsd?rev=291290&r1=291289&r2=291290&view=diff ============================================================================== Binary files - no diff available. Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml?rev=291290&r1=291289&r2=291290&view=diff ============================================================================== --- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml (original) +++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-providers.xml Sat Sep 24 05:29:23 2005 
@@ -55,7 +55,9 @@ <bean id="org.apache.jetspeed.security.AuthorizationProvider" class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl" > - <constructor-arg ><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg> + <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg> + <!-- Does not use the default policy as a default behavior --> + <constructor-arg index="1"><value>false</value></constructor-arg> </bean> </beans> Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml?rev=291290&r1=291289&r2=291290&view=diff ============================================================================== --- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml (original) +++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/userinfo.xml Sat Sep 24 05:29:23 2005 @@ -21,8 +21,8 @@ <bean id="org.apache.jetspeed.userinfo.UserInfoManager" class="org.apache.jetspeed.userinfo.impl.UserInfoManagerImpl" > - <constructor-arg ><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg> - <constructor-arg ><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg> + <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.UserManager"/></constructor-arg> + <constructor-arg index="1"><ref bean="org.apache.jetspeed.components.portletregistry.PortletRegistry"/></constructor-arg> </bean> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
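Review bot: in the security-providers.xml hunk, the new comment "Does not use the default policy as a default behavior" does not name the parameter it controls; the config.xml documentation added in this same commit calls it `useDefaultPolicy`, so the comment should say something like "useDefaultPolicy: false, do not also apply other security policies that may have been configured (see config.xml)". Adding `index="0"`/`index="1"` to both constructor-args is the right call now that the constructor takes two arguments of different types, and the userinfo.xml hunk applies the same indexing without changing behaviour.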
