9 Replies Latest reply on Feb 13, 2008 8:14 PM by rammy1984

    Using alternative source for JBoss Portal authentication

    engela

      I quite like to use the JBoss Portal, but have to use an LDAP Server for authentication and retrieving the roles of a user. I have read through the Wiki Entry:

      http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingAnLDAPSourceForPortalAuthentication

      Some of the portlets need fine-grained access rights and I am considering using Acegi security for this. Since I am quite new to all of this I thought I would start simple. Instead of adding a new login-module using the org.jboss.security.auth.spi.LdapExtLoginModule as described in the above Wiki, I added a new login-module using org.jboss.security.auth.spi.UsersRolesLoginModule and set the flag of org.jboss.portal.identity.auth.IdentityLoginModule to "sufficient". So my new login.config.xml in JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/ looks like:


      <!-- For the JCR CMS -->
      <application-policy name="cms">
         <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/>
      </application-policy>

      <application-policy name="portal">
         <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
         </login-module>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">props/portal-users.properties</module-option>
            <module-option name="rolesProperties">props/portal-roles.properties</module-option>
         </login-module>
      </application-policy>


      I added the portal-users.properties and portal-roles.properties to the correct location.

      portal-users.properties:

      # A sample users.properties file for use with the UsersRolesLoginModule
      first=first
      second=second

      portal-roles.properties

      first=Administrators,Admin
      second=Users,User

      When logging in as first or second user I get the error message: HTTP Status 403 - Access to the requested resource has been denied

      Questions:
      - Is it possible to integrate an alternative LoginModule, e.g. UsersRolesLoginModule or org.jboss.security.auth.spi.LdapExtLoginModule, to define authentication and the roles of the users?
      - Has anyone successfully integrated an external LDAP Directory server which also supplies the roles of the user?
      - Has anyone successfully integrated AcegiSecurity for authentication and retrieving the roles of a user e.g. by using the LoginModule: org.acegisecurity.adapters.jboss.JbossAcegiLoginModule? How do I configure the login-module.xml?

      I have just read through a similar Forum Entry:

      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=103606

      Do I have to synchronize all users in my LDAP directory with the portal database in order to define the role of users? I don't think it is a practical option for us to maintain two systems in which we hold user information.

      Thanks,

      Anette

        • 1. Re: Using alternative source for JBoss Portal authentication
          bdaw

          It will work if you make:

          
          first=Administrators,Admin,Authenticated
          second=Users,User,Authenticated

          "Authenticated" is the role used to secure the portal servlet. Look into jboss-portal.sar\portal-server.war\WEB-INF\web.xml

          Yes, with such a configuration you need to synchronize user accounts into the portal database if you want to enable personalization for them inside the portal. This is going to be better supported in JBP 2.6. For 2.6 we also introduced something called SynchronizingLoginModule that can be placed after any other LoginModule in the authentication chain. When a user is authenticated successfully, it will be synchronized into the portal DB. There is also a version integrated with LdapLoginModule. It shouldn be trivial to port it for 2.4.
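
A pre-deployment check for the 403 described above, as an added example that is not part of the original thread: it lists users in a UsersRolesLoginModule roles file who hold none of the roles an `<auth-constraint>` in web.xml requires. The web.xml fragment is constructed for illustration (the real one is in portal-server.war), the function names are hypothetical, and only plain `user=role1,role2` lines as posted in the question are handled.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: one constraint requiring the role named in the reply above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/auth/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Roles file as posted in the question, before "Authenticated" was added.
ROLES_PROPERTIES = "first=Administrators,Admin\nsecond=Users,User\n"

def _local(tag):
    """Strip an XML namespace so namespaced descriptors also match."""
    return tag.rsplit("}", 1)[-1]

def required_roles(web_xml):
    """Union of role names inside every <auth-constraint> (URL patterns are ignored)."""
    roles = set()
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "auth-constraint":
            roles |= {c.text.strip() for c in el
                      if _local(c.tag) == "role-name" and c.text}
    return roles

def parse_roles(props):
    """Parse plain user=role1,role2 lines; comments and blank lines are skipped."""
    users = {}
    for line in props.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        user, _, roles = line.partition("=")
        users[user.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return users

def denied_users(web_xml, props):
    """Users the login module accepts but the servlet constraint rejects with 403."""
    needed = required_roles(web_xml)
    if not needed:          # no constraint found: nothing to report
        return []
    return sorted(u for u, r in parse_roles(props).items() if not r & needed)

if __name__ == "__main__":
    print("403 for:", denied_users(WEB_XML, ROLES_PROPERTIES))
```

Role names are compared case-sensitively, so a misspelled role in the properties file is reported the same way as a missing one.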

          • 2. Re: Using alternative source for JBoss Portal authentication
            engela

            Thanks a lot for your help. I added the role "Authenticated" and everything is working fine.

            Personalization is not important to my application. The security aspect is what I am really interested in, i.e. to be able to configure which pages and portlets a user can access depending on their roles. It seems that as long as I set up the roles in the portal database I can use a UsersRoleLoginModule for authentication and the roles a user has. (I hope this works for the LDAPExtLoginModule as well.) The roles will be fixed and I am happy to set them up in the portal database. Synchronizing user data with the Portal database is not an option for various reasons.

            Best Regards,

            Anette

            • 3. Re: Using alternative source for JBoss Portal authentication
              antoine_h

              Did you find out about configuring Acegi Security:


              - Has anyone successfully integrated AcegiSecurity for authentication and retrieving the roles of a user e.g. by using the LoginModule: org.acegisecurity.adapters.jboss.JbossAcegiLoginModule? How do I configure the login-module.xml?


              Is it a good / easy / reliable solution?

              thanks,

              • 4. Re: Using alternative source for JBoss Portal authentication
                engela


                I haven't had the time to try to integrate my portal with Acegi yet. If I can figure out how, I will post it here.

                Best Regards,

                Anette

                • 5. Re: Using alternative source for JBoss Portal authentication
                  bdaw

                   

                  "engela" wrote:

                  I haven't had the time to try to integrate my portal with Acegi yet. If I can figure out how, I will post it here.


                  If you figure out could you create a wiki page for it?
                  http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossPortal

                  Many people asked about Acegi and it's easier to find information in the wiki than in the forums. Your contribution is highly welcome! :)

                  • 6. Re: Using alternative source for JBoss Portal authentication
                    engela

                    I came across some documentation about the org.acegisecurity.adapters.jboss.JbossAcegiLoginModule which may be used to integrate Acegi in JBoss Portal. I haven't yet had the time to test it but here is the link.

                    http://sun.calstatela.edu/~cysun/documentation/acegi/acegi.html#ca-jboss

                    Regards,

                    Anette

                    • 7. Re: Using alternative source for JBoss Portal authentication
                      engela

                      For anyone following this thread: I have finally managed to authenticate using Acegi Security. For information see:

                      http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4028742#4028742

                      Regards,

                      Anette

                      • 8. Re: Using alternative source for JBoss Portal authentication
                        lucboudreau

                        I was able to use ACEGI as an alternative. I can't post any specific code or details because we're using a custom extension to the CAS specification, but a simple Google search will tell you enough to do this.

                        • 9. Re: Using alternative source for JBoss Portal authentication
                          rammy1984

                          Hi, I am using the portal server 2.6.3GA and I am trying to configure the server so that the user is authenticated against the LDAP server, for which I am using the OpenDS server.

                          I went through the JBoss docs. I want to know how to get the users from LDAP using the JBoss API provided for this.

                          I am new to this environment, so please bear with this naive question.

                          P.S.: I am actually using Spring AOP to intercept the service calls and wanted to authenticate the user against the LDAP.

                          I want to know how to do this programmatically. Any suggestions for this?