1 Reply Latest reply on May 7, 2005 6:00 AM by Viet

    how do you work around the Slide security framework?

    mazz Master

      How did you guys work around issues when dealing with Slide's security implementation? [apologies up front - this is probably a question for the slide users list, but since I'm integrating the JBoss Portal CMS and you've probably already came across things like this, I'll take alittle liberty here]

      For example, I have a JAAS login module configured - I go to a database to get authentication/authorization information (i.e. users and roles are obtained via JAAS). However, for some reason, Slide still wants me to put the role and user information in the Domain.xml configuration.

      <!-- why is this required here? JAAS defines the users -->
      <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/john" />
      ...
      <objectnode
       classname="org.apache.slide.structure.SubjectNode"
       uri="/roles/webdav">
      <!-- why do I need this? the webdav role is detected by JAAS -->
      <revision>
       <property name="group-member-set">
       [CDATA[<D:href xmlns:D='DAV:'>/users/john</D:href>]]
       </property>
      </revision>
      </objectnode>
      


      If I comment out the "revision" element and below, I get a 403 "Forbidden" error (even though JAAS says I have the webdav role, it sees this in the DB). But if I uncomment that and configure it as above, it works fine. Slide wants me to confirm JAAS in this /roles/webdav "group-member-set" property! It also is forcing me to declare the /user/john user node - even though JAAS sees this user in the DB as well.

      I suppose I can add my user and the roles to Slide via WebDAV, but that's a bit of a pain having to maintain two security databases - the true database that JAAS looks at and the Slide "database" which is simply a CDATA string in the "group-member-set" property that contains the names of all the users in that role and the /user nodes as well.

      Seems to defeat JAAS to me - I was wondering how JBoss Portal handles role-based authorization and what it does wrt this Slide issue?