RE: [Acegisecurity-developer] Suggested approach for authority design
Ray,
Many thanks for writing in. You've pretty much confirmed many of the things I
was thinking. I just wanted to be sure that I was going down the path of least
resistance and not run across some DOH! Moment a month later when I realize
there's a far better way to do it.
I think what I'll do is create a custom AuthorityProvider that will do the jaas
operations and the role creation I need, since there are other stuff I should
be pulling in as well that are not coming from JAAS, and using an
AuthorityGranter doesn’t sit well with me.
Thanks again for your input. Appreciate it much.
-tim
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Krueger
Sent: Monday, July 18, 2005 11:44 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Suggested approach for authority design
Hey Tim, Jaas is full of smells :P
Let's see if I can help you out here...
1. You are correct. You can chain AuthenticationProviders, but as soon
as one returns a valid token the chain ends.
2. The first part of this is what the AuthorityGranter interface is
designed for. The AuthenticationDao thing, I'm not sure what your
intent was. Either way, the AuthenticationDao.authenticate(...) method
returns a UserDetails instance, which has the GrantedAuthority[]
getAuthorites() method on it.
3. The AuthorityGranter (AuthorityResolver would have been a better
name though hehe) returns a set for exactly the reason you mentioned.
You pass it a principal and it returns a set of ROLE_names. This +
some jdbc access or whatever your authority source is going to be
would be an option. Inelegance is in the eye of the beholder :P
One thing to keep in mind with Jaas, there will (almost) always be at
least one principal to work with, and that's the user. So if certain
users are going to get extra roles or authorities based on their
username for example writing an AuthorityGranter to do that would be
the way to go.
I hope this helps, or at least made sense.
-Ray
On 7/18/05, Tim Kettering [EMAIL PROTECTED] wrote:
Hi everyone,
On this project I'm working on, we are using JAAS to authenticate a token,
and Acegi's JAAS support classes allow for the translation of the user and
its principals to Acegi's authority objects. But in this particular case,
we are not interested in the principals that JAAS returns. We want to
continue using our own method for obtaining the authorities.
So I've been looking at a few possible approaches. But none of them seem to
really avoid the sense of code smell, so I thought I'd ask on the list for
suggestions from people who may be more familiar with a better strategy.
using a different authentication provider to simply populate the authorities
– it seems to me that authentication manager will only process with one
authentication provider, and if it returns a valid token, it does not
continue down the list… so when jaas authentication provider returns a valid
token, it wont process the custom class I made. (correct me if im wrong).
Replace Acegi's JaasAuthenticationProvider with a similar one of our own
that adds a method that obtains the additional authorities and adds it in.
This was the approach I started with, and I thought perhaps I could make use
of the AuthenticationDao to obtain the authorities I needed for the user and
add them in, but apparently AuthenticationDao does not provide an easy way
to simply obtain the authorities.. but instead, need to obtain the user
itself.
With the latest code in HEAD, AuthorityResolver can now return a set, so I
could hack a custom Resolver that ignored the returned Jaas Principal and
simply provided its own, but this seems rather inelegant, and has it's own
issues.
So, I guess I'm asking here.. is there a easier way (that I've missed) to
introduce my own GrantedAuthorities in the JAAS authentication flow??
Thanks in advance!
-tim
HS^µéšŠX¬²š'²ŠÞu¼ƒŠÇ(½êÄjÌ‹Š{±2(+jب+kj×
‰ë®‰ˆÁbÛš™^¶‡è–Z0F†™ªl²ÚÚŠm~Šðj·Z®Øœ•ëú+™«b½åžmƬ¶Æ§vj+xgz÷«ÊØbž
¨ºwžvÚ zÛ©¶‹)yç_jËa¶Úý§l¢Çgr‰¿iؾ;í©e¡È^¸÷j)ÉbrAè™èm¶ŸÿiÇ [EMAIL
PROTECTED]±ç.®+ruëÞ–Š^®f¢–)à–+-Ç
ŠÇœº¸ÉׯzZ)z¹b²Û,¢êÜyú+éÞ¶m¦Ïÿ–+-²Ê.ÇŸ¢¸
ë–+-³ùb²Ø§~Úqè±ç.®+ruëÞ–Š^
---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Suggested approach for authority design
Hi everyone, On this project Im working on, we are using JAAS to authenticate a token, and Acegis JAAS support classes allow for the translation of the user and its principals to Acegis authority objects. But in this particular case, we are not interested in the principals that JAAS returns. We want to continue using our own method for obtaining the authorities. So Ive been looking at a few possible approaches. But none of them seem to really avoid the sense of code smell, so I thought Id ask on the list for suggestions from people who may be more familiar with a better strategy. using a different authentication provider to simply populate the authorities it seems to me that authentication manager will only process with one authentication provider, and if it returns a valid token, it does not continue down the list so when jaas authentication provider returns a valid token, it wont process the custom class I made. (correct me if im wrong). Replace Acegis JaasAuthenticationProvider with a similar one of our own that adds a method that obtains the additional authorities and adds it in. This was the approach I started with, and I thought perhaps I could make use of the AuthenticationDao to obtain the authorities I needed for the user and add them in, but apparently AuthenticationDao does not provide an easy way to simply obtain the authorities.. but instead, need to obtain the user itself. With the latest code in HEAD, AuthorityResolver can now return a set, so I could hack a custom Resolver that ignored the returned Jaas Principal and simply provided its own, but this seems rather inelegant, and has its own issues. So, I guess Im asking here.. is there a easier way (that Ive missed) to introduce my own GrantedAuthorities in the JAAS authentication flow?? Thanks in advance! -tim
Re: [Acegisecurity-developer] Suggested approach for authority design
Hey Tim, Jaas is full of smells :P
Let's see if I can help you out here...
1. You are correct. You can chain AuthenticationProviders, but as soon
as one returns a valid token the chain ends.
2. The first part of this is what the AuthorityGranter interface is
designed for. The AuthenticationDao thing, I'm not sure what your
intent was. Either way, the AuthenticationDao.authenticate(...) method
returns a UserDetails instance, which has the GrantedAuthority[]
getAuthorites() method on it.
3. The AuthorityGranter (AuthorityResolver would have been a better
name though hehe) returns a set for exactly the reason you mentioned.
You pass it a principal and it returns a set of ROLE_names. This +
some jdbc access or whatever your authority source is going to be
would be an option. Inelegance is in the eye of the beholder :P
One thing to keep in mind with Jaas, there will (almost) always be at
least one principal to work with, and that's the user. So if certain
users are going to get extra roles or authorities based on their
username for example writing an AuthorityGranter to do that would be
the way to go.
I hope this helps, or at least made sense.
-Ray
On 7/18/05, Tim Kettering [EMAIL PROTECTED] wrote:
Hi everyone,
On this project I'm working on, we are using JAAS to authenticate a token,
and Acegi's JAAS support classes allow for the translation of the user and
its principals to Acegi's authority objects. But in this particular case,
we are not interested in the principals that JAAS returns. We want to
continue using our own method for obtaining the authorities.
So I've been looking at a few possible approaches. But none of them seem to
really avoid the sense of code smell, so I thought I'd ask on the list for
suggestions from people who may be more familiar with a better strategy.
using a different authentication provider to simply populate the authorities
– it seems to me that authentication manager will only process with one
authentication provider, and if it returns a valid token, it does not
continue down the list… so when jaas authentication provider returns a valid
token, it wont process the custom class I made. (correct me if im wrong).
Replace Acegi's JaasAuthenticationProvider with a similar one of our own
that adds a method that obtains the additional authorities and adds it in.
This was the approach I started with, and I thought perhaps I could make use
of the AuthenticationDao to obtain the authorities I needed for the user and
add them in, but apparently AuthenticationDao does not provide an easy way
to simply obtain the authorities.. but instead, need to obtain the user
itself.
With the latest code in HEAD, AuthorityResolver can now return a set, so I
could hack a custom Resolver that ignored the returned Jaas Principal and
simply provided its own, but this seems rather inelegant, and has it's own
issues.
So, I guess I'm asking here.. is there a easier way (that I've missed) to
introduce my own GrantedAuthorities in the JAAS authentication flow??
Thanks in advance!
-tim
HS^µéšŠX¬²š'²ŠÞu¼ƒŠÇ(½êÄjÌ‹Š{±2(+jب�+kj× ‰ë ®‰ˆÁb�Ûš™^¶‡è–Z0F†�™ªl²ÚÚŠm~Šðj·Z®Øœ•ë�ú+™«b½åžmƬ¶Æ§vj+xgz÷«ÊØbž
¨ºwžvÚ zÛ©¶‹)yç_jËa¶Úý§l¢Çgr‰¿iØ�
