5 Replies Latest reply on Jul 30, 2007 2:45 PM by Luc Boudreau

    Portal Authentication with Acegi

    Anette Engel Newbie

      I have managed to use Acegi Security for Authentication:

      Portal Authentication with Acegi

      To use Acegi Security for authentication open the login-config.xml in JBOSS_HOME\server\default\deploy\jboss-portal.sar\config. Change the flag of org.jboss.portal.identity.auth.IdentityLoginModule to "sufficient" and add a new login-module configuration using the org.acegisecurity.adapters.jboss.JbossAcegiLoginModule Login Module.

      <application-policy name="portal">
        <authentication>
          <!-- portal's own user store; "sufficient": a success here ends the login
               without consulting the Acegi module below -->
          <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
            <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
            <module-option name="additionalRole">Authenticated</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
          </login-module>

          <!-- Acegi adapter; "required": consulted when the portal store does not
               authenticate the user, and must then succeed -->
          <login-module code="org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" flag="required">
            <!-- Spring context file, looked up relative to WEB-INF (see below) -->
            <module-option name="appContextLocation">acegisecurity.xml</module-option>
            <!-- shared secret used by the adapter to sign the authentication tokens it hands back -->
            <module-option name="key">my_password</module-option>
          </login-module>
        </authentication>
      </application-policy>

      The value in the "appContextLocation" is the name of the Acegi security configuration file, e.g. acegisecurity.xml in the example. Copy the Acegi security configuration file to the directory:

      JBOSS_HOME\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF

      The Acegi configuration file contains the Spring context definition including all the authentication manager beans (for more information consult the Acegi Security documentation). For portal authentication it is sufficient to define the authentication manager.


      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

      <beans>

        <!-- the bean the JbossAcegiLoginModule asks to authenticate the JAAS credentials -->
        <bean id="authenticationManager"
              class="org.acegisecurity.providers.ProviderManager">
          <property name="providers">
            <list>
              <ref bean="daoAuthenticationProvider" />
            </list>
          </property>
        </bean>

        <!-- no passwordEncoder is set, so passwords are compared in plaintext -->
        <bean id="daoAuthenticationProvider"
              class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
          <property name="userDetailsService" ref="userDetailsService" />
        </bean>

        <!-- in-memory user store; one user per line: username=password,ROLE1,ROLE2[,enabled|disabled] -->
        <bean id="userDetailsService"
              class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
          <property name="userMap">
            <value>
              myadmin=myadmin,Admin,Authenticated,
              myuser=mysuser,User,Authenticated
            </value>
          </property>
        </bean>

      </beans>

      Another approach is to use Spring singleton capabilities; for more information see: http://sun.calstatela.edu/~cysun/documentation/acegi/acegi.html#ca-jboss

      My next step will be to use Acegi Security within Portlets. Has anyone experience with this?

      Best Regards,

      Anette


        • 1. Re: Portal Authentication with Acegi
          Antoine Herzog Master

          Thanks a lot !
          I have just started looking at Acegi.
          That was my first question...

          For using it in portlets:

          What could be done is: try to inject the principal coming from Acegi into the portlet.
          For this: find where this is done in the portal management of portlets (which service or interceptor is doing this).

          Maybe look at the JMX service for the locale interceptor:
          name="portal:service=Interceptor,type=Server,name=Locale"
          The way it works is similar, and if I remember, there is a security service in the same stack of interceptors.
          That should be the place.

          But still, it would be only the principal, so you won't get all the features from Acegi...

          So direct access of the Acegi SecurityContextHolder, from within the portlet code, should be better.

          From what I have seen in the Acegi doc (very well done), you access the Acegi authentication context through a singleton class (SecurityContextHolder), that is ThreadLocal.

          As SecurityContextHolder is a ThreadLocal singleton, I guess there is something more to do, to have the same singleton for all the portlets. The one that was built during the authentication process (not a new one from the portlet instance thread).

          So the thing would be to have this SecurityContextHolder stored in the session, or in a JMX service that gives it for each active session...

          Thing to look at: what classloader/thread is making the instance of SecurityContextHolder?... and see how to get it from there, for any portlet.

          hope it helps...

          • 3. Re: Portal Authentication with Acegi
            Syed H Newbie

            Hi,

            The information was really useful and I have configured my JBoss portal to use Acegi Login Module.

            I am currently working on bringing up SSO with Alfresco and JBoss portal using CAS.

            I have integrated Alfresco with CAS.

            Do you have any idea about integrating the Acegi module with CAS ?

            If so, please share your ideas.

            Thanks..

            • 4. Re: Portal Authentication with Acegi
              Luc Boudreau Newbie


              "SyedH" wrote:

              The information was really useful and I have configured my JBoss portal to use Acegi Login Module.


              Can you provide more details on this? I'm trying to do exactly that and ran into a couple of nagging bugs. Please post more details here or contact me via email at lucboudreau at gmail.

              thanks

              • 5. Re: Portal Authentication with Acegi
                Luc Boudreau Newbie

                Okay, I was able to make it work. There is one thing not mentioned anywhere and it's crucial to do it before it can work. You have to activate the SynchronizingLoginModule in login-config.xml.

                <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
                  <module-option name="synchronizeIdentity">true</module-option>
                  <module-option name="synchronizeRoles">true</module-option>
                  <module-option name="additionalRole">Authenticated</module-option>
                  <module-option name="defaultAssignedRole">User</module-option>
                  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
                  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
                  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
                  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
                </login-module>
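The two login-config.xml fragments in this thread (Anette's IdentityLoginModule "sufficient" followed by JbossAcegiLoginModule "required", and Luc's additional SynchronizingLoginModule "optional") are evaluated by the JAAS LoginContext rules, which decide which modules actually run and when a login succeeds. The following is an added example, not code from the thread, JBoss Portal or Acegi: it reads the users from a userMap string in the same format as the thread's acegisecurity.xml, replaces the real login modules with constructed stand-ins (PORTAL_DB, identity_login, acegi_login, synchronizing_login are all assumptions), and applies the JAAS flag semantics to the stacks. The placement of the SynchronizingLoginModule after the Acegi module is also an assumption.

```python
"""Added example: JAAS login-stack evaluation for the login-config.xml stacks in this thread.
Not code from the thread, JBoss Portal or Acegi; the login modules are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# userMap text in the thread's InMemoryDaoImpl format: username=password,ROLE1,ROLE2[,enabled|disabled]
USER_MAP = """
myadmin=myadmin,Admin,Authenticated,
myuser=mysuser,User,Authenticated
"""


@dataclass
class UserEntry:
    password: str
    roles: List[str] = field(default_factory=list)
    enabled: bool = True


def parse_user_map(text: str) -> Dict[str, UserEntry]:
    """First token after '=' is the password, 'enabled'/'disabled' sets the flag,
    every other token is a role. Empty tokens (e.g. a trailing comma) are skipped here."""
    users: Dict[str, UserEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, attrs = line.partition("=")
        tokens = [t.strip() for t in attrs.split(",")]
        entry = UserEntry(password=tokens[0])
        for tok in tokens[1:]:
            if not tok:
                continue
            if tok.lower() == "enabled":
                entry.enabled = True
            elif tok.lower() == "disabled":
                entry.enabled = False
            else:
                entry.roles.append(tok)
        users[name.strip()] = entry
    return users


# Result of one LoginModule.login(): "success", "fail" (LoginException) or "ignore" (returned false).
LoginFn = Callable[[str, str], str]


@dataclass(frozen=True)
class ModuleEntry:
    name: str
    flag: str  # required | requisite | sufficient | optional
    login: LoginFn


def run_login_stack(stack: List[ModuleEntry], user: str, password: str) -> Tuple[bool, List[str], str]:
    """Apply the JAAS LoginContext rules. Returns (authenticated, modules invoked, reason)."""
    first_required_error = None
    first_error = None
    success = False
    invoked: List[str] = []
    for m in stack:
        invoked.append(m.name)
        outcome = m.login(user, password)
        if outcome == "success":
            # A sufficient success ends the login phase unless a required/requisite module already failed.
            if m.flag == "sufficient" and first_required_error is None:
                return True, invoked, f"{m.name}: sufficient success, later modules skipped"
            success = True
        elif outcome == "fail":
            if m.flag == "requisite":
                return False, invoked, f"{m.name}: requisite failure, stack aborted"
            if m.flag == "required":
                first_required_error = first_required_error or f"{m.name}: required failure"
            else:
                first_error = first_error or f"{m.name}: {m.flag} failure"
        # "ignore": nothing is recorded for this module
    if first_required_error:
        return False, invoked, first_required_error
    if not success:
        return False, invoked, first_error or "all modules ignored"
    return True, invoked, "success"


# Constructed stand-ins for the real modules; they never touch JBoss or Acegi.
PORTAL_DB = {"admin": "admin"}           # constructed: users known to the portal's own IdentityLoginModule
ACEGI_USERS = parse_user_map(USER_MAP)   # users from the thread's userMap


def identity_login(user: str, pw: str) -> str:
    return "success" if PORTAL_DB.get(user) == pw else "fail"


def acegi_login(user: str, pw: str) -> str:
    # DaoAuthenticationProvider with no passwordEncoder configured compares the plaintext password.
    u = ACEGI_USERS.get(user)
    return "success" if u and u.enabled and u.password == pw else "fail"


def synchronizing_login(user: str, pw: str) -> str:
    # Constructed: models the SynchronizingLoginModule, which copies an already-authenticated
    # identity into the portal store; as an optional module it never decides the outcome.
    return "success"


# Anette's stack: portal store first (sufficient), Acegi required.
ANETTE_STACK = [ModuleEntry("IdentityLoginModule", "sufficient", identity_login),
                ModuleEntry("JbossAcegiLoginModule", "required", acegi_login)]
# Luc's addition, assumed to sit after the Acegi module.
LUC_STACK = ANETTE_STACK + [ModuleEntry("SynchronizingLoginModule", "optional", synchronizing_login)]

if __name__ == "__main__":
    for stack, user, pw in [(ANETTE_STACK, "admin", "admin"), (ANETTE_STACK, "myuser", "mysuser"),
                            (LUC_STACK, "myuser", "mysuser"), (LUC_STACK, "myuser", "wrong")]:
        print(user, run_login_stack(stack, user, pw))
```

Two things the run makes visible: a user the portal store already knows never reaches Acegi at all, because the "sufficient" IdentityLoginModule returns first, so the portal's own password for that account keeps working regardless of what Acegi would say; and a user only Acegi knows is accepted solely on the "required" Acegi result, with the "optional" SynchronizingLoginModule running afterwards without being able to turn a failure into a success.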