Re: How can I realize authentication in sling?
On 12 Mar 2009, at 14:17, Vidar Ramdal wrote:

On Thu, Mar 12, 2009 at 9:55 AM, Alexander Klimetschek aklim...@day.com wrote:

On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal vi...@idium.no wrote:

For the application I'm developing, I have abandoned the ACL concept altogether. Instead, I'm implementing my own access management logic from scratch. I find that in many web applications, a typical ACL concept is not the best solution.

Interesting, could you elaborate? Is this similar to the reasons mentioned in a presentation by Zed Shaw ( http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?

That was certainly an interesting watch (especially the stripper part). In my case, it's not that ACLs are too limited. Our access rules are much simpler than what can be described with ACLs. And exactly because our rules are simpler, it was just easier to describe them with a couple of Java classes.

I have to agree, having programmatic security is much more useful in a lot of scenarios. One example is when the security requirements change. If you have a lot of ACLs in a very large repository, it becomes a nightmare to change. It would be very handy to be able to express permissions in terms of scripts, with an appropriate selector mechanism.

-- Torgeir Veimo torg...@pobox.com
Re: Re: How can I realize authentication in sling?
On Fri, Mar 13, 2009 at 1:00 AM, Alexander Klimetschek aklim...@day.com wrote:

On Thu, Mar 12, 2009 at 2:17 PM, Vidar Ramdal vi...@idium.no wrote:

One of the main goals of the application we're developing is that it must be dead simple for our users. Our users are NOT computer-savvy in any way, so they will certainly not be able to grasp the concept of ACLs. Thus, we'd have to abstract the logic in some user-understandable manner anyway, and as I've tried to describe, we think it's easier to describe the rules using Java (or any programming language, really) than with ACLs.

I wasn't saying that the end-users should fiddle around with a repository explorer and set the basic ACLs themselves - there still must be a GUI for it.

Exactly. But our pedagogic skills are not good enough to make that GUI understandable for our users.

-- Vidar S. Ramdal vi...@idium.no - http://www.idium.no Akersgata 16, N-0158 Oslo, Norway +47 21 531941, ext 2070
Re: How can I realize authentication in sling?
Torgeir Veimo wrote:

I have to agree, having programmatic security is much more useful in a lot of scenarios. One example is when the security requirements change. If you have a lot of ACLs in a very large repository, it becomes a nightmare to change. It would be very handy to be able to express permissions in terms of scripts, with an appropriate selector mechanism.

That sounds like an interesting idea. We could provide an AccessManager implementation that uses something like the Sling servlet resolution process to locate per-resource-type or per-path AccessHandlers. These services would then make the authorization decisions for the types or paths they control.

This might make implementing access policies like the one Vidar described much simpler (than implementing an AccessManager or plugin from scratch), since you enforce the policy at the type level rather than at each instance node of that type.

For instance, I may have a need to restrict access to nodes under paths /user/username to be visible only to the user named username. I can of course create an appropriate ACL every time I create a new node under the /user path, but it would be simpler and more reliable to just register a path-based AccessHandler that controls /user, and just checks that current authenticated user = username taken from the path.

I realize the downside of this approach is that, unlike the default Jackrabbit ACLs, these kinds of policies aren't persisted in the repository (they'd essentially be persisted in the Felix framework properties if the registration of AccessHandlers was handled like servlets); however, that might be acceptable for many applications.

This approach also addresses something I've previously wondered about: access to servlets that are registered by path (like /system/sling/login). There doesn't appear to be any way to apply access control to these paths currently?

WDYT?

Rory
Re: Re: How can I realize authentication in sling?
On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal vi...@idium.no wrote:

For the application I'm developing, I have abandoned the ACL concept altogether. Instead, I'm implementing my own access management logic from scratch. I find that in many web applications, a typical ACL concept is not the best solution.

Interesting, could you elaborate? Is this similar to the reasons mentioned in a presentation by Zed Shaw ( http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?

In general, if you consider access control during the modeling of your content structure and use inheritance of ACLs, it is actually quite simple to do. And it can be configured by administrators later without changing the code.

Regards, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: Re: How can I realize authentication in sling?
On Wed, Mar 11, 2009 at 8:49 PM, Eric Norman eric.d.nor...@gmail.com wrote:

Hi yanjie, I attached a proposed patch to enable changing the ACL via a web form to http://issues.apache.org/jira/browse/SLING-879

Hi yanjie,

For the application I'm developing, I have abandoned the ACL concept altogether. Instead, I'm implementing my own access management logic from scratch. I find that in many web applications, a typical ACL concept is not the best solution. I have attached a patch at https://issues.apache.org/jira/browse/SLING-880 for a pluggable AccessManager, which will allow you to implement your own access management policies.

-- Vidar S. Ramdal vi...@idium.no - http://www.idium.no Akersgata 16, N-0158 Oslo, Norway +47 21 531941, ext 2070
Re: Re: How can I realize authentication in sling?
On Thu, Mar 12, 2009 at 9:55 AM, Alexander Klimetschek aklim...@day.com wrote:

On Thu, Mar 12, 2009 at 9:49 AM, Vidar Ramdal vi...@idium.no wrote:

For the application I'm developing, I have abandoned the ACL concept altogether. Instead, I'm implementing my own access management logic from scratch. I find that in many web applications, a typical ACL concept is not the best solution.

Interesting, could you elaborate? Is this similar to the reasons mentioned in a presentation by Zed Shaw ( http://dev.day.com/microsling/content/blogs/main/theaclisdead.html )?

That was certainly an interesting watch (especially the stripper part). In my case, it's not that ACLs are too limited. Our access rules are much simpler than what can be described with ACLs. And exactly because our rules are simpler, it was just easier to describe them with a couple of Java classes.

For instance, we have a feature for moderated comments on a webpage. The rules for comments are simple: Anyone has permission to read approved comments, and to post new comments. Comments have to be approved by a moderator before they are readable to everyone. This implies that the moderator must have read and delete access to all comments. Should we implement this with ACLs, we'd have to make sure to set the correct ACL on every new comment posted. Although the case of comments is fairly simple, we could have more complex cases where ACLs would be more complex, and even prone to errors. It is definitely possible to define these rules with ACLs, but it makes more sense to implement it with a custom policy. We know that every comment field should have the same access logic, so why should we have to copy ACLs to every instance of it? And the sling:resourceType property already defines a comment field, so why not just hook up a policy class to respond to those requests.

In general, if you consider access control during the modeling of your content structure and use inheritance of ACLs, it is actually quite simple to do. And it can be configured by administrators later without changing the code.

One of the main goals of the application we're developing is that it must be dead simple for our users. Our users are NOT computer-savvy in any way, so they will certainly not be able to grasp the concept of ACLs. Thus, we'd have to abstract the logic in some user-understandable manner anyway, and as I've tried to describe, we think it's easier to describe the rules using Java (or any programming language, really) than with ACLs.

-- Vidar S. Ramdal vi...@idium.no - http://www.idium.no Akersgata 16, N-0158 Oslo, Norway +47 21 531941, ext 2070
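Sketched after Vidar's moderated comments policy above and Rory's /user/username path handler elsewhere in this thread, an added example in plain Java that is not code from Sling, Jackrabbit or either poster: a handler is picked per sling:resourceType or per path prefix, the way Sling resolves servlets, and the first one claiming a node decides, with default deny for nodes no handler claims. Class, group and resource type names are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
// Constructed illustration, not Sling or Jackrabbit code: small programmatic handlers,
// selected per sling:resourceType or per path prefix, decide access for the nodes they
// claim instead of an ACL being copied onto every node. Names here are assumptions.
public class ProgrammaticAccessDemo {
    /** What a request wants to do with a node; CREATE is checked against the node to be created. */
    enum Action { READ, CREATE, DELETE }

    /** The authenticated subject: user id (null for anonymous) plus group memberships. */
    static final class Subject {
        final String userId;
        final Set<String> groups;
        Subject(String userId, Set<String> groups) { this.userId = userId; this.groups = groups; }
        boolean isAnonymous() { return userId == null; }
        boolean inGroup(String group) { return groups.contains(group); }
    }

    /** The node as a handler sees it: normalized absolute path, sling:resourceType, relevant flags. */
    static final class NodeInfo {
        final String path;
        final String resourceType;   // null for nodes without sling:resourceType
        final boolean approved;      // moderation flag, only meaningful for comments
        NodeInfo(String path, String resourceType, boolean approved) {
            this.path = path; this.resourceType = resourceType; this.approved = approved;
        }
    }

    /** A policy for one kind of node, analogous to a servlet bound to a resource type or path. */
    interface AccessHandler {
        boolean handles(NodeInfo node);
        boolean isGranted(Subject who, NodeInfo node, Action action);
    }

    /** Rory's case: everything under /user/<name> is visible only to user <name> (and administrators). */
    static final class UserHomeHandler implements AccessHandler {
        public boolean handles(NodeInfo node) { return node.path.startsWith("/user/"); }
        public boolean isGranted(Subject who, NodeInfo node, Action action) {
            if (who.isAnonymous()) return false;
            if (who.inGroup("administrators")) return true;
            // "/user/<name>/..." splits into "", "user", "<name>", ...; the repository hands over
            // normalized paths, so no ".." segment can smuggle a request into another user's tree.
            String[] segments = node.path.split("/");
            return segments.length >= 3 && segments[2].equals(who.userId);
        }
    }

    /** Vidar's case: anyone reads approved comments and may post; moderators read and delete all. */
    static final class ModeratedCommentHandler implements AccessHandler {
        public boolean handles(NodeInfo node) { return "myapp/comment".equals(node.resourceType); }
        public boolean isGranted(Subject who, NodeInfo node, Action action) {
            boolean moderator = who.inGroup("moderators");
            switch (action) {
                case READ:   return node.approved || moderator;
                case CREATE: return true;   // posting is open; the post stays hidden until approved
                case DELETE: return moderator;
                default:     return false;
            }
        }
    }

    /** Asks the first handler that claims the node; a node nobody claims is denied, i.e. invisible. */
    static final class AccessManager {
        private final List<AccessHandler> handlers;
        AccessManager(List<AccessHandler> handlers) { this.handlers = handlers; }
        boolean isGranted(Subject who, NodeInfo node, Action action) {
            for (AccessHandler handler : handlers) {
                if (handler.handles(node)) return handler.isGranted(who, node, action);
            }
            return false;
        }
    }

    private static void check(String what, boolean granted, boolean expected) {
        System.out.println((granted == expected ? "ok    " : "WRONG ") + (granted ? "grant " : "deny  ") + what);
    }

    public static void main(String[] args) {
        AccessManager manager = new AccessManager(Arrays.<AccessHandler>asList(
                new UserHomeHandler(), new ModeratedCommentHandler()));
        Subject anonymous = new Subject(null, Collections.<String>emptySet());
        Subject alice = new Subject("alice", Collections.<String>emptySet());
        Subject bob = new Subject("bob", Collections.singleton("moderators"));
        NodeInfo aliceHome = new NodeInfo("/user/alice/profile", "myapp/profile", false);
        NodeInfo pending = new NodeInfo("/content/page/comments/c1", "myapp/comment", false);
        NodeInfo approved = new NodeInfo("/content/page/comments/c0", "myapp/comment", true);
        NodeInfo unclaimed = new NodeInfo("/content/other", null, false);
        check("alice reads /user/alice/profile", manager.isGranted(alice, aliceHome, Action.READ), true);
        check("bob reads /user/alice/profile", manager.isGranted(bob, aliceHome, Action.READ), false);
        check("anonymous reads approved comment", manager.isGranted(anonymous, approved, Action.READ), true);
        check("anonymous reads pending comment", manager.isGranted(anonymous, pending, Action.READ), false);
        check("anonymous posts a comment", manager.isGranted(anonymous, pending, Action.CREATE), true);
        check("alice deletes a comment", manager.isGranted(alice, approved, Action.DELETE), false);
        check("bob (moderator) deletes a comment", manager.isGranted(bob, approved, Action.DELETE), true);
        check("anonymous reads unclaimed node", manager.isGranted(anonymous, unclaimed, Action.READ), false);
    }
}
```

As Rory notes, such handlers live in code and configuration rather than in the repository, so a node that no handler claims must be denied rather than fall through to "allow".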
Re: Re: How can I realize authentication in sling?
On Thu, Mar 12, 2009 at 2:17 PM, Vidar Ramdal vi...@idium.no wrote:

One of the main goals of the application we're developing is that it must be dead simple for our users. Our users are NOT computer-savvy in any way, so they will certainly not be able to grasp the concept of ACLs. Thus, we'd have to abstract the logic in some user-understandable manner anyway, and as I've tried to describe, we think it's easier to describe the rules using Java (or any programming language, really) than with ACLs.

I wasn't saying that the end-users should fiddle around with a repository explorer and set the basic ACLs themselves - there still must be a GUI for it. But I can understand the need for programmed ACLs, it can often be simpler if you don't need fully-fledged enterprise configuration ... something ;-)

Regards, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: How can I realize authentication in sling?
Hi Alex,

thanks for this great summary! Does it make sense to put it on the website or on the Wiki?

-- Andreas

Alexander Klimetschek wrote:

On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann andr...@apache.org wrote:

actually I didn't intend to do any beta-testing (yet), but somehow I got the impression that OpenID is the only supported way for authentication ATM. But I just noticed that I can simply disable anonymous access in the configuration console to enable the built-in authentication …

In general the idea with JCR is that the repository handles authentication and authorization, because it makes things simple and content-oriented (and no need to put security access checks across the application code). That's why Sling uses a single JCR session for each request with a certain logged-in user. The credentials for this session are fetched using an o.a.s.engine.auth.AuthenticationHandler - currently there is a handler using HTTP basic auth (bundles/extensions/httpauth) and the OpenID handler. You can quite easily write your own, for using a cookie-based mechanism or to do SSO stuff. Those credentials provided by the handler are then used by Sling for the JCR Repository.login() method that will return the session. How the authentication is done inside the JCR repository is up to the implementation (for JCR 1.0).

Previous Jackrabbit versions (up to 1.4.x I think) only provided a simple login module out of the box that provided anonymous, admin and normal users (whereas only for the special admin user a password could be set in the repository.xml config, i.e. you couldn't really call it security ;-)). The recent Jackrabbit releases introduced proper user management, mainly because JCR 2.0 will define more in this respect (and Jackrabbit is already working towards that new version of the spec). For this, users (incl. their passwords and other preferences) are stored inside the repository itself, typically in a separate workspace to ensure a strict separation of system stuff and application content (although that is freely configurable I think).

Now if you are logged in with the session in the request and some servlets or scripts are trying to read and write from the repository, the authorization comes into play. Things that you cannot read are simply not visible through the JCR API (i.e. you get a 404 and not a 403 when speaking in HTTP status codes ;-)). If write access is denied, you get that AccessDeniedException on save().

The authorization is now also done inside the repository and for previous Jackrabbit versions there effectively was no built-in authorization. The 1.5 release contains the aforementioned implementation based on what the JCR 2.0 spec is saying (so far, it's not final yet ;-)). This stores the ACLs in the repository as well, right at the nodes to which these belong. There is also an API to manually set those ACLs (I think one is free again to store those ACLs wherever you want, if you'd like to change the default authorization manager in Jackrabbit). The documentation on that is a bit sparse yet, reading the code and searching the Jackrabbit mailing list archives is the best you can do at the moment :-)

<spam> You might have seen the commercial CRX repository built on top of Jackrabbit, which provides a full authentication and authorization implementation for some time now and has a GUI to manage the users and ACLs (and it bundles Sling). </spam>

Hope that helps as an overview, Alex

-- Andreas Hartmann, CTO BeCompany GmbH http://www.becompany.ch Tel.: +41 (0) 43 818 57 01
Re: How can I realize authentication in sling?
On Wed, Mar 11, 2009 at 10:26 AM, Andreas Hartmann andr...@apache.org wrote:

thanks for this great summary! Does it make sense to put it on the website or on the Wiki?

Yup, why not. Would be nice if you could do it ;-)

One thing, which I forgot: the authentication module interface in Jackrabbit is the standard JAAS login module, so it should be possible to simply reuse existing ones that authenticate against LDAP or custom, existing user databases.

Regards, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: Re: How can I realize authentication in sling?
Hi yanjie,

I attached a proposed patch to enable changing the ACL via a web form to http://issues.apache.org/jira/browse/SLING-879

I don't have rights to commit the changes to subversion, so it is pending review by one of the committers before it becomes part of the sling distribution. You may apply the patch manually to your environment if you want to try it out.

Regards, -eric

On Tue, Mar 10, 2009 at 7:36 PM, yanjie yanshaozhi...@gmail.com wrote:

Hi everyone:

Glad to find so many people care about the question, and I want to know: does Sling implement the ACL web interface now? Thanks.

2009-03-11 yanjie

From: Alexander Klimetschek
Sent: 2009-03-11 01:45:56
To: sling-dev
Cc:
Subject: Re: How can I realize authentication in sling?

On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann andr...@apache.org wrote:

actually I didn't intend to do any beta-testing (yet), but somehow I got the impression that OpenID is the only supported way for authentication ATM. But I just noticed that I can simply disable anonymous access in the configuration console to enable the built-in authentication …

In general the idea with JCR is that the repository handles authentication and authorization, because it makes things simple and content-oriented (and no need to put security access checks across the application code). That's why Sling uses a single JCR session for each request with a certain logged-in user. The credentials for this session are fetched using an o.a.s.engine.auth.AuthenticationHandler - currently there is a handler using HTTP basic auth (bundles/extensions/httpauth) and the OpenID handler. You can quite easily write your own, for using a cookie-based mechanism or to do SSO stuff. Those credentials provided by the handler are then used by Sling for the JCR Repository.login() method that will return the session. How the authentication is done inside the JCR repository is up to the implementation (for JCR 1.0).

Previous Jackrabbit versions (up to 1.4.x I think) only provided a simple login module out of the box that provided anonymous, admin and normal users (whereas only for the special admin user a password could be set in the repository.xml config, i.e. you couldn't really call it security ;-)). The recent Jackrabbit releases introduced proper user management, mainly because JCR 2.0 will define more in this respect (and Jackrabbit is already working towards that new version of the spec). For this, users (incl. their passwords and other preferences) are stored inside the repository itself, typically in a separate workspace to ensure a strict separation of system stuff and application content (although that is freely configurable I think).

Now if you are logged in with the session in the request and some servlets or scripts are trying to read and write from the repository, the authorization comes into play. Things that you cannot read are simply not visible through the JCR API (i.e. you get a 404 and not a 403 when speaking in HTTP status codes ;-)). If write access is denied, you get that AccessDeniedException on save().

The authorization is now also done inside the repository and for previous Jackrabbit versions there effectively was no built-in authorization. The 1.5 release contains the aforementioned implementation based on what the JCR 2.0 spec is saying (so far, it's not final yet ;-)). This stores the ACLs in the repository as well, right at the nodes to which these belong. There is also an API to manually set those ACLs (I think one is free again to store those ACLs wherever you want, if you'd like to change the default authorization manager in Jackrabbit). The documentation on that is a bit sparse yet, reading the code and searching the Jackrabbit mailing list archives is the best you can do at the moment :-)

<spam> You might have seen the commercial CRX repository built on top of Jackrabbit, which provides a full authentication and authorization implementation for some time now and has a GUI to manage the users and ACLs (and it bundles Sling). </spam>

Hope that helps as an overview, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: How can I realize authentication in sling?
Hi Rory,

Rory Douglas wrote:

From your first post, it seems you're really more interested in authorization than authentication, but both are handled (to different degrees) in Sling. For authentication, you can configure one of the provided handlers (HTTP Basic or OpenID) to be active on one or more paths or host/path combinations.

is there any documentation on this? Where can I configure the authentication handler?

[…]

I believe the details of the above are covered elsewhere in the mailing archives - let me know if this doesn't resolve your questions.

I searched the list, but the replies are generally along the lines of "As a workaround you can do XYZ, but I hope someone else has a better answer." :)

TIA!

-- Andreas

Regards, Rory

yanjie wrote:

Hi Felix:

Glad to receive your answer, I think it's important for a content manager system to have authentication control. If there is no authentication control, user management will be less useful. I think the users of sling really hope sling can add the authentication function early. waiting ... thanks.

2009-03-02 yanjie

From: Felix Meschberger
Sent: 2009-02-28 05:03:18
To: sling-dev
Cc:
Subject: Re: How can I realize authentication in sling?

Hi,

yanjie wrote:

Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use sling to realize it?

Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository. This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support.

Maybe others on the list are more knowledgeable in this respect...

Regards Felix

-- Andreas Hartmann, CTO BeCompany GmbH http://www.becompany.ch Tel.: +41 (0) 43 818 57 01
Re: How can I realize authentication in sling?
On Tue, Mar 10, 2009 at 11:23 AM, Andreas Hartmann andr...@apache.org wrote:

For authentication, you can configure one of the provided handlers (HTTP Basic or OpenID) to be active on one or more paths or host/path combinations.

is there any documentation on this? Where can I configure the authentication handler?

Almost everything (apart from the repository configuration and contents) is configured through the OSGi component configuration mechanism. It has its GUI in the Felix webconsole at /system/console - Configuration. You'll see the component names (or class names) in the list and if you select one, you'll see its properties. Change them + hit save and the change should immediately take place (depending on how long it takes to restart the component and its dependencies).

Regards, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: How can I realize authentication in sling?
Hi Alexander,

Alexander Klimetschek wrote:

On Tue, Mar 10, 2009 at 11:23 AM, Andreas Hartmann andr...@apache.org wrote:

For authentication, you can configure one of the provided handlers (HTTP Basic or OpenID) to be active on one or more paths or host/path combinations.

is there any documentation on this? Where can I configure the authentication handler?

Almost everything (apart from the repository configuration and contents) is configured through the OSGi component configuration mechanism. It has its GUI in the Felix webconsole at /system/console - Configuration. You'll see the component names (or class names) in the list and if you select one, you'll see its properties. Change them + hit save and the change should immediately take place (depending on how long it takes to restart the component and its dependencies).

thanks a lot, I managed to enable OpenID authentication. Now I have to figure out how to set write permissions (I'm getting a javax.jcr.AccessDeniedException when I send a post request). The entry barrier to get started with some simple operations is still quite high …

Thanks again,

-- Andreas

-- Andreas Hartmann, CTO BeCompany GmbH http://www.becompany.ch Tel.: +41 (0) 43 818 57 01
Re: How can I realize authentication in sling?
On Tue, Mar 10, 2009 at 11:59 AM, Andreas Hartmann andr...@apache.org wrote:

...thanks a lot, I managed to enable OpenID authentication. Now I have to figure out how to set write permissions (I'm getting a javax.jcr.AccessDeniedException when I send a post request). The entry barrier to get started with some simple operations is still quite high …

This user management/permissions/OpenID stuff is still quite new, you might be one of the very first users apart from those who contributed that!

Contributions such as wiki explanations/examples/articles in high-profile magazines are very welcome, of course ;-)

-Bertrand
Re: How can I realize authentication in sling?
Hi Bertrand,

Bertrand Delacretaz wrote:

On Tue, Mar 10, 2009 at 11:59 AM, Andreas Hartmann andr...@apache.org wrote:

...thanks a lot, I managed to enable OpenID authentication. Now I have to figure out how to set write permissions (I'm getting a javax.jcr.AccessDeniedException when I send a post request). The entry barrier to get started with some simple operations is still quite high …

This user management/permissions/OpenID stuff is still quite new, you might be one of the very first users apart from those who contributed that!

actually I didn't intend to do any beta-testing (yet), but somehow I got the impression that OpenID is the only supported way for authentication ATM. But I just noticed that I can simply disable anonymous access in the configuration console to enable the built-in authentication … But I certainly will try the OpenID authentication as soon as my grasp of things improves.

Contributions such as wiki explanations/examples/articles in high-profile magazines are very welcome, of course ;-)

I hope I'll find the time to document my findings. Actually there is a lot of documentation, but it is distributed in various places – the Sling website, mailing list, dev.day.com blog etc. Maybe some consolidation would be even more important than adding new docs, but I know this is difficult and time-consuming.

BTW, the support by the community is excellent – thanks a lot to everybody!

-- Andreas

-- Andreas Hartmann, CTO BeCompany GmbH http://www.becompany.ch Tel.: +41 (0) 43 818 57 01
Re: How can I realize authentication in sling?
Hi Andreas,

On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann andr...@apache.org wrote:

...I hope I'll find the time to document my findings. Actually there is a lot of documentation, but it is distributed in various places – the Sling website, mailing list, dev.day.com blog etc. Maybe some consolidation would be even more important than adding new docs, but I know this is difficult and time-consuming...

Agree with that, some reorganization of what we have would be good!

...BTW, the support by the community is excellent – thanks a lot to everybody!...

You're welcome - it's great to see several new Sling users on this list in the last few months.

-Bertrand
Re: How can I realize authentication in sling?
On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann andr...@apache.org wrote:

actually I didn't intend to do any beta-testing (yet), but somehow I got the impression that OpenID is the only supported way for authentication ATM. But I just noticed that I can simply disable anonymous access in the configuration console to enable the built-in authentication …

In general the idea with JCR is that the repository handles authentication and authorization, because it makes things simple and content-oriented (and no need to put security access checks across the application code). That's why Sling uses a single JCR session for each request with a certain logged-in user. The credentials for this session are fetched using an o.a.s.engine.auth.AuthenticationHandler - currently there is a handler using HTTP basic auth (bundles/extensions/httpauth) and the OpenID handler. You can quite easily write your own, for using a cookie-based mechanism or to do SSO stuff. Those credentials provided by the handler are then used by Sling for the JCR Repository.login() method that will return the session. How the authentication is done inside the JCR repository is up to the implementation (for JCR 1.0).

Previous Jackrabbit versions (up to 1.4.x I think) only provided a simple login module out of the box that provided anonymous, admin and normal users (whereas only for the special admin user a password could be set in the repository.xml config, i.e. you couldn't really call it security ;-)). The recent Jackrabbit releases introduced proper user management, mainly because JCR 2.0 will define more in this respect (and Jackrabbit is already working towards that new version of the spec). For this, users (incl. their passwords and other preferences) are stored inside the repository itself, typically in a separate workspace to ensure a strict separation of system stuff and application content (although that is freely configurable I think).

Now if you are logged in with the session in the request and some servlets or scripts are trying to read and write from the repository, the authorization comes into play. Things that you cannot read are simply not visible through the JCR API (i.e. you get a 404 and not a 403 when speaking in HTTP status codes ;-)). If write access is denied, you get that AccessDeniedException on save().

The authorization is now also done inside the repository and for previous Jackrabbit versions there effectively was no built-in authorization. The 1.5 release contains the aforementioned implementation based on what the JCR 2.0 spec is saying (so far, it's not final yet ;-)). This stores the ACLs in the repository as well, right at the nodes to which these belong. There is also an API to manually set those ACLs (I think one is free again to store those ACLs wherever you want, if you'd like to change the default authorization manager in Jackrabbit). The documentation on that is a bit sparse yet, reading the code and searching the Jackrabbit mailing list archives is the best you can do at the moment :-)

<spam> You might have seen the commercial CRX repository built on top of Jackrabbit, which provides a full authentication and authorization implementation for some time now and has a GUI to manage the users and ACLs (and it bundles Sling). </spam>

Hope that helps as an overview, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: Re: How can I realize authentication in sling?
Hi everyone:

Glad to find so many people care about the question, and I want to know: does Sling implement the ACL web interface now? Thanks.

2009-03-11 yanjie

From: Alexander Klimetschek
Sent: 2009-03-11 01:45:56
To: sling-dev
Cc:
Subject: Re: How can I realize authentication in sling?

On Tue, Mar 10, 2009 at 1:03 PM, Andreas Hartmann andr...@apache.org wrote:

actually I didn't intend to do any beta-testing (yet), but somehow I got the impression that OpenID is the only supported way for authentication ATM. But I just noticed that I can simply disable anonymous access in the configuration console to enable the built-in authentication …

In general the idea with JCR is that the repository handles authentication and authorization, because it makes things simple and content-oriented (and no need to put security access checks across the application code). That's why Sling uses a single JCR session for each request with a certain logged-in user. The credentials for this session are fetched using an o.a.s.engine.auth.AuthenticationHandler - currently there is a handler using HTTP basic auth (bundles/extensions/httpauth) and the OpenID handler. You can quite easily write your own, for using a cookie-based mechanism or to do SSO stuff. Those credentials provided by the handler are then used by Sling for the JCR Repository.login() method that will return the session. How the authentication is done inside the JCR repository is up to the implementation (for JCR 1.0).

Previous Jackrabbit versions (up to 1.4.x I think) only provided a simple login module out of the box that provided anonymous, admin and normal users (whereas only for the special admin user a password could be set in the repository.xml config, i.e. you couldn't really call it security ;-)). The recent Jackrabbit releases introduced proper user management, mainly because JCR 2.0 will define more in this respect (and Jackrabbit is already working towards that new version of the spec). For this, users (incl. their passwords and other preferences) are stored inside the repository itself, typically in a separate workspace to ensure a strict separation of system stuff and application content (although that is freely configurable I think).

Now if you are logged in with the session in the request and some servlets or scripts are trying to read and write from the repository, the authorization comes into play. Things that you cannot read are simply not visible through the JCR API (i.e. you get a 404 and not a 403 when speaking in HTTP status codes ;-)). If write access is denied, you get that AccessDeniedException on save().

The authorization is now also done inside the repository and for previous Jackrabbit versions there effectively was no built-in authorization. The 1.5 release contains the aforementioned implementation based on what the JCR 2.0 spec is saying (so far, it's not final yet ;-)). This stores the ACLs in the repository as well, right at the nodes to which these belong. There is also an API to manually set those ACLs (I think one is free again to store those ACLs wherever you want, if you'd like to change the default authorization manager in Jackrabbit). The documentation on that is a bit sparse yet, reading the code and searching the Jackrabbit mailing list archives is the best you can do at the moment :-)

<spam> You might have seen the commercial CRX repository built on top of Jackrabbit, which provides a full authentication and authorization implementation for some time now and has a GUI to manage the users and ACLs (and it bundles Sling). </spam>

Hope that helps as an overview, Alex

-- Alexander Klimetschek alexander.klimetsc...@day.com
Re: How can I realize authentication in sling?
Hi Felix,

My proposed changes for access control management are attached to https://issues.apache.org/jira/browse/SLING-879

Let me know if you run into any troubles using it.

On Thu, Mar 5, 2009 at 1:52 PM, Felix Meschberger fmesc...@gmail.com wrote:
> Hi Eric
>
> Eric Norman wrote:
>> Hi yanjie,
>>
>> For my own project, I've implemented some custom sling POST handlers (similar to the usermanager actions I contributed earlier) to add/modify/delete access control entries for users/groups using the early access JSR-283 access control support in jackrabbit 1.5. It seems to work well for my use cases, and I was planning on submitting a patch when I get some free time to clean it up a bit.
>>
>> If that is something you would be interested in using, I can try to submit a patch for consideration in the next few days.
>
> Yes, please, thanks ;-)
>
> Regards
> Felix
>
>> -Eric
>>
>> On Sun, Mar 1, 2009 at 7:16 PM, yanjie yanshaozhi...@gmail.com wrote:
>>> Hi Felix:
>>>
>>> Glad to receive your answer. I think it's important for a content manager system to have authentication control. If there is no authentication control, user management will be less useful. I think the users of Sling really hope Sling can add the authentication function early.
>>>
>>> Waiting ... thanks.
>>>
>>> 2009-03-02
>>> yanjie
>>>
>>> From: Felix Meschberger
>>> Sent: 2009-02-28 05:03:18
>>> To: sling-dev
>>> Cc:
>>> Subject: Re: How can I realize authentication in sling?
>>>
>>>> Hi,
>>>>
>>>> yanjie wrote:
>>>>> Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?
>>>>
>>>> Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository.
>>>>
>>>> This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support. Maybe others on the list are more knowledgeable in this respect...
>>>>
>>>> Regards
>>>> Felix
Re: How can I realize authentication in sling?
Hi Eric

Eric Norman wrote:
> Hi yanjie,
>
> For my own project, I've implemented some custom sling POST handlers (similar to the usermanager actions I contributed earlier) to add/modify/delete access control entries for users/groups using the early access JSR-283 access control support in jackrabbit 1.5. It seems to work well for my use cases, and I was planning on submitting a patch when I get some free time to clean it up a bit.
>
> If that is something you would be interested in using, I can try to submit a patch for consideration in the next few days.

Yes, please, thanks ;-)

Regards
Felix

> -Eric
>
> On Sun, Mar 1, 2009 at 7:16 PM, yanjie yanshaozhi...@gmail.com wrote:
>> Hi Felix:
>>
>> Glad to receive your answer. I think it's important for a content manager system to have authentication control. If there is no authentication control, user management will be less useful. I think the users of Sling really hope Sling can add the authentication function early.
>>
>> Waiting ... thanks.
>>
>> 2009-03-02
>> yanjie
>>
>> From: Felix Meschberger
>> Sent: 2009-02-28 05:03:18
>> To: sling-dev
>> Cc:
>> Subject: Re: How can I realize authentication in sling?
>>
>>> Hi,
>>>
>>> yanjie wrote:
>>>> Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?
>>>
>>> Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository.
>>>
>>> This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support. Maybe others on the list are more knowledgeable in this respect...
>>>
>>> Regards
>>> Felix
Re: How can I realize authentication in sling?
Hi Yanjie

From your first post, it seems you're really more interested in authorization than authentication, but both are handled (to different degrees) in Sling.

For authentication, you can configure one of the provided handlers (HTTP Basic or OpenID) to be active on one or more paths or host/path combinations. This takes care of extracting the credentials of the remote user from the request and providing them to Sling.

For user management, you can use the new SlingPostOperations to create/update users (or groups) associated with the above credentials. These are the Jackrabbit/repository-level identities that are needed in order to use the authorization features.

For authorization, you can use the AccessControlUtil class to add/remove/update ACLs on repository nodes, referring to the above users/groups.

This last part is from memory and may be incorrect :-): by default a fresh Jackrabbit 1.5 repository has 2 users (admin and anonymous), and 3 groups (administrators, UserAdmin, and GroupAdmin). There are no ACLs initially, though the admin user always has full permissions anyway. After you set an initial ACL, I think you will see a root-level ACL will be added explicitly giving the admin user full permissions (though *not* the administrators group!!!).

I believe the details of the above are covered elsewhere in the mailing archives - let me know if this doesn't resolve your questions.

Regards,
Rory

yanjie wrote:
> Hi Felix:
>
> Glad to receive your answer. I think it's important for a content manager system to have authentication control. If there is no authentication control, user management will be less useful. I think the users of Sling really hope Sling can add the authentication function early.
>
> Waiting ... thanks.
>
> 2009-03-02
> yanjie
>
> From: Felix Meschberger
> Sent: 2009-02-28 05:03:18
> To: sling-dev
> Cc:
> Subject: Re: How can I realize authentication in sling?
>
>> Hi,
>>
>> yanjie wrote:
>>> Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?
>>
>> Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository.
>>
>> This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support. Maybe others on the list are more knowledgeable in this respect...
>>
>> Regards
>> Felix

--
Rory Douglas | Senior Principal Consultant
Fax: +1-201-604-6428 | Mobile: +1-917-498-5344
Oracle North America Consulting
ORACLE United States | San Diego, CA
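The flow Alex describes above (credentials from an AuthenticationHandler go into Repository.login(); reads the user may not perform are invisible, and denied writes only fail at save()) and the ACL step Rory lists can be tried end to end with the standard JCR 2.0 access control API. The following is an added example, not code from the thread or from Sling; it assumes a repository that implements javax.jcr.security (e.g. a later Jackrabbit release, rather than the early-access JSR-283 packages of Jackrabbit 1.5 discussed here), a group named by the caller that already exists, and a Jackrabbit session for principal lookup.

```java
import java.security.Principal;
import javax.jcr.AccessDeniedException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;

public class AclDemo {
    /** Grant jcr:read on {@code path} to the existing group {@code groupName}; needs an admin session. */
    public static void grantRead(Session admin, String path, String groupName) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        // Principals are resolved through Jackrabbit's PrincipalManager, so the group must already exist
        Principal group = ((JackrabbitSession) admin).getPrincipalManager().getPrincipal(groupName);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        AccessControlList acl = null;
        // A node with no policy yet offers one via getApplicablePolicies(); a node that already
        // carries an ACL exposes it via getPolicies(). Check both before giving up.
        for (AccessControlPolicyIterator it = acm.getApplicablePolicies(path); acl == null && it.hasNext();) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (acl == null && p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("no ACL policy available at " + path);
        acl.addAccessControlEntry(group, read);
        acm.setPolicy(path, acl);
        admin.save(); // the ACL is stored at the node as content: it only takes effect after save()
    }

    /** Log in as a regular user and report how denied access surfaces through the JCR API. */
    public static String probe(Repository repo, String user, char[] pw, String path) throws RepositoryException {
        Session s = repo.login(new SimpleCredentials(user, pw)); // what Sling does with handler credentials
        try {
            // Without jcr:read the node is simply absent for this session (a 404, not a 403)
            if (!s.nodeExists(path)) return "not visible";
            s.getNode(path).setProperty("probe", true); // transient change; privileges are not checked yet
            try { s.save(); return "write allowed"; }
            catch (AccessDeniedException e) { s.refresh(false); return "write denied at save()"; }
        } finally { s.logout(); }
    }
}
```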
Re: Re: How can I realize authentication in sling?
Hi Felix:

Glad to receive your answer. I think it's important for a content manager system to have authentication control. If there is no authentication control, user management will be less useful. I think the users of Sling really hope Sling can add the authentication function early.

Waiting ... thanks.

2009-03-02
yanjie

From: Felix Meschberger
Sent: 2009-02-28 05:03:18
To: sling-dev
Cc:
Subject: Re: How can I realize authentication in sling?

> Hi,
>
> yanjie wrote:
>> Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?
>
> Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository.
>
> This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support. Maybe others on the list are more knowledgeable in this respect...
>
> Regards
> Felix
Re: How can I realize authentication in sling?
Hi,

yanjie wrote:
> Hi everyone: I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?

Sling employs the authentication and access control functionality of the underlying JCR repository (Jackrabbit by default). So you have to create users and groups in Jackrabbit (I have applied the SLING-875 patches by Eric Norman today to enable user/group management in Sling). In addition you have to set access control in the repository.

This is more problematic at the moment because Jackrabbit 1.5 embedded in Sling only contains partial support for JSR-283 (aka JCR 2.0) access control support. Maybe others on the list are more knowledgeable in this respect...

Regards
Felix
How can I realize authentication in sling?
Hi everyone:

I want to give a user some policy to handle a node (read or write or modify..), and other users don't have the policy. Or a group has the policy and the users in the group all have the authentication. How can I use Sling to realize it?

Thanks.

2009-02-26
yanjie