Re: tapestry-security and sso
Vangel,

thank you so much for your clean explanation and the online example you offer... I'll take all this into account,

cheers!

Nicolás.-

On Thu, Aug 11, 2011 at 10:27 PM, Vangel V. Ajanovski wrote:

> Of course comments are welcome by anyone, especially regarding how to
> better the solution security-wise.
Re: tapestry-security and sso
Sorry for late answer - we use CAS at our institution and I found it is very easy to front Tapestry with CAS even from scratch. Some 2-3 years ago I found a tutorial on the web how to do that with help of Spring Security (previously named Acegi), but later I learned a bit how to do it from scratch because I don't want Spring wasting more resources.

Basically there exists a ready to use CAS SSO filter that you include in the project and configure (let's say via dependency in pom.xml and config in web.xml) so that it will be called before a set of pages that you need to protect.

So, how does it work? The filter will check for tickets and if you are logged in it will pass you to the page, otherwise it will redirect to the CAS login address. In your application you just check the REMOTE_USER variable which will be set to the username of the logged in user. This is set by the CAS filter and will only be set if someone is logged in. Very simple.

Check here for examples from our students information system (enrollment, grades, courses): http://develop.ii.edu.mk/projects/isii/browser/trunk

Especially check for CAS references in:

pom.xml
web.xml
mk.edu.ii.isii.upisi.model.UserInfo

UserInfo is a sessionstate object that we keep around in the session that holds who is logged in and what role, etc.

Of course since CAS is only for authentication (login logout), we implemented some access control by checking the logged in user in the database and using annotations (ex. @AdministratorPage) placed on page classes for various roles. The access controller only allows access if the page is accessed by a username that has the appropriate role. For this check:

mk.edu.ii.isii.upisi.model.UserInfo
mk.edu.ii.isii.upisi.services.AccessController
mk.edu.ii.isii.upisi.annotations...

Of course comments are welcome by anyone, especially regarding how to better the solution security-wise.
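The role check described in the message above, sketched as an added example that is not part of the original post or of the ISII code base: it denies by default when REMOTE_USER is absent and keeps authorization separate from the CAS login. The `AccessControlExample` class, the `Role` enum, the page classes, the user names and the in-memory role table (standing in for the database lookup) are all assumptions made for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import java.util.Set;

public class AccessControlExample {
    enum Role { STUDENT, ADMINISTRATOR }

    // Hypothetical marker annotation, modelled on the @AdministratorPage named in the message.
    @Retention(RetentionPolicy.RUNTIME) // must be RUNTIME or reflection cannot see it
    @Target(ElementType.TYPE)
    @interface AdministratorPage {}

    // Constructed page classes: one restricted, one open to any logged-in user.
    @AdministratorPage static class ManageGrades {}
    static class CourseList {}

    // Constructed stand-in for the database lookup of a user's roles.
    static final Map<String, Set<Role>> ROLES = Map.of(
        "alice", Set.of(Role.ADMINISTRATOR),
        "bob", Set.of(Role.STUDENT));

    // remoteUser is what HttpServletRequest.getRemoteUser() returns once the CAS filter has run.
    static boolean mayAccess(String remoteUser, Class<?> page) {
        // No authenticated user: fail closed, e.g. for a page outside the filter's URL mapping.
        if (remoteUser == null || remoteUser.isEmpty()) return false;
        // CAS only authenticates; a user it accepts may still be unknown to this application.
        Set<Role> roles = ROLES.get(remoteUser);
        if (roles == null) return false;
        if (page.isAnnotationPresent(AdministratorPage.class)) {
            return roles.contains(Role.ADMINISTRATOR);
        }
        return true;
    }

    public static void main(String[] args) {
        String[] users = { "alice", "bob", "carol", null };
        for (String user : users) {
            for (Class<?> page : new Class<?>[] { ManageGrades.class, CourseList.class }) {
                System.out.printf("%-8s %-13s %s%n", user, page.getSimpleName(),
                    mayAccess(user, page) ? "allow" : "deny");
            }
        }
    }
}
```

The null branch matters because REMOTE_USER is only populated for requests that actually passed through the CAS filter, so the check should not assume every page URL is covered by the filter mapping in web.xml.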
Re: tapestry-security and sso
Thanks Clément, will take it into account when implementing SSO (although that would be in some time from here)

cheers all and thanks again!

Nicolás.-

2011/7/22 Clément OUDOT

> 2011/7/22 Nicolas Barrera :
> > Hi,
> >
> > just wondered... (nothing concrete)
> >
> > about a tapestry app implementing single sign-on...
> >
> > does tapestry-security integrate with a CAS server? (I'm thinking about
> > that because I've never used shiro although I could start using it, no
> > problem. But I come from acegi where it integrated with CAS for
> > single-sign-on)
> >
> > perhaps single sign on would be better implemented any other way rather than
> > a cas server...,
> >
> > I've heard about tynamo federated-accounts using OAuth but I really don't
> > know if that would fill the gaps of a requirement that I got which is, to
> > build a couple of (tapestry) web apps and that they should
> > perform as in single sign on scenario..., like once logged on an app I could
> > access the other without logging in again.
> >
> > I would appreciate any advice or insight you may have on this...
> >
> > cheers and thanks
> >
>
> Hello Nicolas,
>
> we use LemonLDAP::NG (http://lemonldap-ng.org) as WebSSO solution (to
> be fully transparent, I am developer of this solution).
>
> You can see how to use it in T5 with the LinShare project:
> http://www.linpki.org/projects/linshare/wiki/HttpHeaderSSOEN
>
> Hope it helps,
>
> Clément.
Re: tapestry-security and sso
2011/7/22 Nicolas Barrera :

> Hi,
>
> just wondered... (nothing concrete)
>
> about a tapestry app implementing single sign-on...
>
> does tapestry-security integrate with a CAS server? (I'm thinking about
> that because I've never used shiro although I could start using it, no
> problem. But I come from acegi where it integrated with CAS for
> single-sign-on)
>
> perhaps single sign on would be better implemented any other way rather than
> a cas server...,
>
> I've heard about tynamo federated-accounts using OAuth but I really don't
> know if that would fill the gaps of a requirement that I got which is, to
> build a couple of (tapestry) web apps and that they should
> perform as in single sign on scenario..., like once logged on an app I could
> access the other without logging in again.
>
> I would appreciate any advice or insight you may have on this...
>
> cheers and thanks
>

Hello Nicolas,

we use LemonLDAP::NG (http://lemonldap-ng.org) as WebSSO solution (to be fully transparent, I am developer of this solution).

You can see how to use it in T5 with the LinShare project: http://www.linpki.org/projects/linshare/wiki/HttpHeaderSSOEN

Hope it helps,

Clément.
Re: tapestry-security and sso
Hi,

Thanks Kalle for your response...

On Fri, Jul 22, 2011 at 12:39 PM, Kalle Korhonen wrote:

> Well, there are plenty of single-sign-on solutions but if you have a
> CAS server that's what you need to use.
>

In fact, we ain't got nothing implemented yet and I could choose among different solutions, and I mentioned CAS because it was the only thing I knew from a years ago when I had a look at this subject... perhaps somebody rises up here telling me "don't use cas because X, try this newer, more practical solution"... I would be glad to investigate about any recommendations anyone could give :)

well thanks again for your answer about shiro's status,

cheers!

Nicolás.-

On Fri, Jul 22, 2011 at 12:39 PM, Kalle Korhonen wrote:

> On Fri, Jul 22, 2011 at 7:11 AM, Nicolas Barrera wrote:
> > about a tapestry app implementing single sign-on...
> > does tapestry-security integrate with a CAS server? (I'm thinking about
> > that because I've never used shiro although I could start using it, no
> > problem. But I come from acegi where it integrated with CAS for
> > single-sign-on)
>
> There's a not-yet-integrated CAS patch in shiro trunk.
> Tapestry-security would gain CAS integration once Shiro 1.2 is
> released and integrated into tapestry-security (I don't expect much
> work there).
>
> > perhaps single sign on would be better implemented any other way rather than
> > a cas server...,
>
> Well, there are plenty of single-sign-on solutions but if you have a
> CAS server that's what you need to use.
>
> > I've heard about tynamo federated-accounts using OAuth but I really don't
> > know if that would fill the gaps of a requirement that I got which is, to
> > build a couple of (tapestry) web apps and that they should
> > perform as in single sign on scenario..., like once logged on an app I could
> > access the other without logging in again.
>
> OAuth, OpenID might work but then you'd need to roll a different
> authentication server. Amber server
> (http://incubator.apache.org/amber/) is a possibility for an OAuth
> server.
>
> Kalle
Re: tapestry-security and sso
On Fri, Jul 22, 2011 at 7:11 AM, Nicolas Barrera wrote:

> about a tapestry app implementing single sign-on...
> does tapestry-security integrate with a CAS server? (I'm thinking about
> that because I've never used shiro although I could start using it, no
> problem. But I come from acegi where it integrated with CAS for
> single-sign-on)

There's a not-yet-integrated CAS patch in shiro trunk. Tapestry-security would gain CAS integration once Shiro 1.2 is released and integrated into tapestry-security (I don't expect much work there).

> perhaps single sign on would be better implemented any other way rather than
> a cas server...,

Well, there are plenty of single-sign-on solutions but if you have a CAS server that's what you need to use.

> I've heard about tynamo federated-accounts using OAuth but I really don't
> know if that would fill the gaps of a requirement that I got which is, to
> build a couple of (tapestry) web apps and that they should
> perform as in single sign on scenario..., like once logged on an app I could
> access the other without logging in again.

OAuth, OpenID might work but then you'd need to roll a different authentication server. Amber server (http://incubator.apache.org/amber/) is a possibility for an OAuth server.

Kalle
tapestry-security and sso
Hi,

just wondered... (nothing concrete)

about a tapestry app implementing single sign-on...

does tapestry-security integrate with a CAS server? (I'm thinking about that because I've never used shiro although I could start using it, no problem. But I come from acegi where it integrated with CAS for single-sign-on)

perhaps single sign on would be better implemented any other way rather than a cas server...,

I've heard about tynamo federated-accounts using OAuth but I really don't know if that would fill the gaps of a requirement that I got which is, to build a couple of (tapestry) web apps and that they should perform as in single sign on scenario..., like once logged on an app I could access the other without logging in again.

I would appreciate any advice or insight you may have on this...

cheers and thanks

Nicolás.-