On 6/21/06, Matthew Holt <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:
> Hi all,
>
> As my last issues are with my ldap configuration, and no longer with
> Roller, here are the elements I can give you today to set up an
> identification with LDAP on Roller.
>
> First of all, you must know that the jars delivered with Roller are not
> really "up-to-date".
> - So first, you have to download Acegi 1.0.0 (not the RC1), and
>   spring 2.0-m4.
> - In your WEB-INF/lib, remove the old acegi jar (the RC1-named one) and
>   copy the new one from your download.
> - Open the spring 2.0-m4 jar file, and extract only
>   org\springframework\dao\EmptyResultDataAccessException.class (with
>   this same path) to your WEB-INF/classes folder.
>
> Now that we have our files, we will have to make some small changes to
> the security.xml file.
> - First, as the html filter has been reviewed in the new Acegi jar, you
>   must change your filter list in the filter chain bean. To do that,
>   look for the definition of this bean at the beginning of security.xml:
>   "filterChainProxy". In this bean, you must have the chain of filters
>   applied to every request. At the very end of this chain, you should
>   find the "securityEnforcementFilter". Replace it with these two new
>   filters: "exceptionTranslationFilter,filterSecurityInterceptor"
>
> Now your bean must be:
> <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
>   <property name="filterInvocationDefinitionSource">
>     <value>
>       CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>       PATTERN_TYPE_APACHE_ANT
>       /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,rememberMeProcessingFilter,channelProcessingFilter,remoteUserFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
>     </value>
>   </property>
> </bean>
>
> - Then, we must define those two new filters, and remove the old one. To
>   do that, in the security.xml file, look for
>   <bean id="securityEnforcementFilter", and remove the whole bean.
>
> - Add this bean in its place:
> <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
>   <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
> </bean>
>
> - The filterInvocationInterceptor bean should already be defined (it was
>   used by the old securityEnforcementFilter). Just check it.
>
> At this point, you should be able to start Roller, and it should work in
> its initial configuration. Please check it. If it doesn't work now, it
> won't work after ;)
>
> Ok, now, let's set up the ldap authentication.
> - First, we must tell Roller to try an LDAP authentication first, then
>   try in the database, and then an anonymous one.
>   The tries in database and anonymous are already set up, so we just
>   have to add the ldap one.
>   So, in the security.xml file, look for the bean whose id is
>   "authenticationManager", and add as the first tag of the <list> this
>   one: <ref local="ldapAuthProvider"/>
>   It should look like:
> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
>   <property name="providers">
>     <list>
>       <ref local="ldapAuthProvider"/>
>       <ref local="daoAuthenticationProvider"/>
>       <ref local="anonymousAuthenticationProvider"/>
>       <!-- rememberMeAuthenticationProvider added programmatically -->
>     </list>
>   </property>
> </bean>
>
> - We are very near the end now! As you can imagine, we now have to set
>   up the ldapAuthProvider! Here it is. Some fields have to be changed to
>   match your own ldap configuration:
>
> <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
>   <constructor-arg>
>     <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
>       <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
>       <property name="userDnPatterns"><list><value>uid={0} [ERIC'S NOTES : CHANGE IT?]</value></list></property>
>     </bean>
>   </constructor-arg>
>   <constructor-arg>
>     <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
>       <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
>       <constructor-arg><value>ou=groups</value></constructor-arg>
>       <property name="groupRoleAttribute"><value>ou</value></property>
>     </bean>
>   </constructor-arg>
> </bean>
>
> - And finally, you have to set up the initialDirContextFactory used
>   here. Put it BEFORE the ldapAuthProvider bean:
> <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
>   <constructor-arg value="ldap://ldap.url...[TO BE CHANGED]:389/dc=[TO BE CHANGED],[dc, dn, whatever you need]"/>
>   <!-- <property name="managerDn"><value>dc=pasteur,dc=aventis,dc=com</value></property>
>   <property name="managerPassword"><value>password</value></property> -->
>   [ERIC'S NOTE : uncomment if your LDAP needs authentication]
> </bean>
>
>
> - Now, this should work.
>
> Hope this will help some of you ;)
>
> Eric
>
Should I be making these modifications in the src and then build? I
thought since I'm just modifying files in the WEB-INF dir I can use the
already built app I dl'd off the site.
However, as soon as I replace acegi-security-1.0.0-RC1.jar with either
Matt's snapshot or the acegi-security-1.0.0.jar file from the website,
the application fails to start in Tomcat. (I tried removing the default
jar file and replacing it with the new one, and I also tried removing
the default jar file, replacing it with the new one, and renaming the
new one to match the old jar file name.)
Did you update security.xml as well? I've attached the one I
committed to roller_3.0 yesterday.
Matt
What am I doing wrong??
Thanks.
Matt
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. The ASF licenses this file to You
under the Apache License, Version 2.0 (the "License"); you may not
use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. For additional information regarding
copyright in this work, please see the NOTICE file in the top level
directory of this distribution.
-->
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

  <!-- ======================== FILTER CHAIN ======================= -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,rememberMeProcessingFilter,channelProcessingFilter,remoteUserFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>

  <!-- ======================== AUTHENTICATION ======================= -->
  <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
       The FilterSecurityInterceptor will work from the top of the list down
       to the FIRST pattern that matches the request URL.
       Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions
       first, with LEAST SPECIFIC (ie a/.*) expressions last -->
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
        /roller-ui/login-redirect.jsp=admin,editor
        /roller-ui/yourProfile**=admin,editor
        /roller-ui/createWebsite**=admin,editor
        /roller-ui/yourWebsites**=admin,editor
        /roller-ui/authoring/**=admin,editor
        /roller-ui/admin/**=admin
        /rewrite-status*=admin
      </value>
    </property>
  </bean>

  <bean id="authenticationManager"
        class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>
        <ref local="anonymousAuthenticationProvider"/>
        <!-- rememberMeAuthenticationProvider added programmatically -->
      </list>
    </property>
  </bean>

  <!-- Log failed authentication attempts to commons-logging -->
  <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="jdbcAuthenticationDao"/>
    <property name="userCache" ref="userCache"/>
  </bean>

  <!-- Read users from database -->
  <bean id="jdbcAuthenticationDao"
        class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource">
      <bean class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName" value="java:comp/env/jdbc/rollerdb"/>
      </bean>
    </property>
    <property name="usersByUsernameQuery">
      <value>SELECT username,passphrase,isenabled FROM rolleruser WHERE username = ?</value>
    </property>
    <property name="authoritiesByUsernameQuery">
      <value>SELECT username,rolename FROM userrole WHERE username = ?</value>
    </property>
  </bean>

  <bean id="userCache"
        class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache">
      <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager">
          <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
        </property>
        <property name="cacheName" value="userCache"/>
      </bean>
    </property>
  </bean>

  <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key" value="anonymous"/>
  </bean>

  <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
    <property name="rolePrefix" value=""/>
  </bean>

  <bean id="accessDecisionManager"
        class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
      <list>
        <ref local="roleVoter"/>
      </list>
    </property>
  </bean>

  <!-- ===================== HTTP REQUEST SECURITY ==================== -->
  <bean id="httpSessionContextIntegrationFilter"
        class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

  <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl"
              value="/roller-ui/login.do?error=true"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_security_check"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
  </bean>

  <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="anonymous"/>
    <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/>
  </bean>

  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint"
              ref="authenticationProcessingFilterEntryPoint"/>
  </bean>

  <bean id="remoteUserFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>

  <bean id="authenticationProcessingFilterEntryPoint"
        class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/roller-ui/login.do"/>
    <property name="forceHttps" value="false"/>
  </bean>

  <!-- ===================== REMEMBER ME ==================== -->
  <bean id="rememberMeProcessingFilter"
        class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
  </bean>

  <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="userDetailsService" ref="jdbcAuthenticationDao"/>
    <property name="key" value="rollerlovesacegi"/>
    <property name="parameter" value="rememberMe"/>
  </bean>

  <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    <property name="key" value="rollerlovesacegi"/>
  </bean>

  <!-- ===================== SSL SWITCHING ==================== -->
  <bean id="channelProcessingFilter"
        class="org.acegisecurity.securechannel.ChannelProcessingFilter">
    <property name="channelDecisionManager" ref="channelDecisionManager"/>
    <property name="filterInvocationDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
      </value>
    </property>
  </bean>

  <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    <property name="channelProcessors">
      <list>
        <bean class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
        <bean class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
      </list>
    </property>
  </bean>

</beans>
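The comment in the attached security.xml warns that the FilterSecurityInterceptor applies the FIRST pattern that matches, so the order of the objectDefinitionSource lines decides who may reach what. As an added example (not Roller's or Acegi's code), here is a small Python evaluator for that text format with the page's own rules embedded; shadowed_rules reports patterns that an earlier, broader rule claims first. It assumes the Ant pattern is compared against the bare request path, and that a URL no rule matches is served without a check (the interceptor's default setting).

```python
import re

# Rules copied from the filterInvocationInterceptor bean in the security.xml above.
OBJECT_DEFINITION_SOURCE = """
PATTERN_TYPE_APACHE_ANT
/roller-ui/login-redirect.jsp=admin,editor
/roller-ui/yourProfile**=admin,editor
/roller-ui/createWebsite**=admin,editor
/roller-ui/yourWebsites**=admin,editor
/roller-ui/authoring/**=admin,editor
/roller-ui/admin/**=admin
/rewrite-status*=admin
"""

def ant_to_regex(pattern):
    """Ant path pattern -> regex: '**' spans segments, '*' stays inside one, '?' is one char."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$")

def parse_definition_source(text):
    """Parse Acegi's text format: option keywords first, then 'pattern=role,role' lines."""
    lowercase, rules = False, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line and line != "PATTERN_TYPE_APACHE_ANT":
            pattern, roles = line.split("=", 1)
            rules.append((pattern, ant_to_regex(pattern), tuple(roles.split(","))))
    return lowercase, rules

def required_roles(url, text=OBJECT_DEFINITION_SOURCE):
    """First matching rule wins (top-down, as the comment in security.xml says). None = no
    rule matched, which the interceptor by default serves without any authentication check."""
    lowercase, rules = parse_definition_source(text)
    url = url.lower() if lowercase else url
    for _pattern, regex, roles in rules:
        if regex.match(url):
            return roles
    return None

def shadowed_rules(text, sample_urls):
    """Patterns matched by a sample URL after an earlier, broader rule already claimed it."""
    _, rules = parse_definition_source(text)
    shadowed = set()
    for url in sample_urls:
        matches = [pattern for pattern, regex, _roles in rules if regex.match(url)]
        shadowed.update(matches[1:])
    return sorted(shadowed)
```

Note that this interceptor's source lacks the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON keyword the filter chain uses, so a differently-cased path matches none of its rules; the test below shows both behaviours.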