9 Replies Latest reply on Jun 28, 2010 4:20 AM by bdaw

    Implementing IdentityStore


      We are currently trying to integrate GateIn portal with our own Role/Group framework. We store our roles and groups in the corporate entitlement framework. Therefore, we cannot just plug in the IDM LDAP or Hibernate IdentityStore. Can someone point us to the right direction or documentation/examples on how to  implement the customized IdentityStore, so that we can retrieve the group and role information from our framework, and feed in the information upon logging in to GateIn? Thank you.

        • 1. Re: Implementing IdentityStore

          I'm afraid that we don't have any dedicated examples or documentation for IdentityStore implementation yet. For now you need to jump in into sources and use existing LDAP and Hibernate implementations as an example. I think that existing testsuite could be easily extended to test such custom implementation as API tests are quite generic. You can limit capabilities of your implementation by using metadata layer describing IdentityStore features. Role of FallbackIdentityStoreRepository is to operate with such stores that doesn't expose all features and fallback other operations to Hibernate store. I can advise you if you have any specific questions.

          • 2. Re: Implementing IdentityStore

            Thank you Blesslaw very much for replying. Yes, the next step I was going to do is to decompile the LDAPIdentityStoreImpl, since there seem to be no place to download source code, to find out what methods need to be implemented. Can you explain a little bit on what you meant by "using metadata layer describing IdentityStore 'features'"? You meant I don't need to implement all the methods for all the attributes of user/group/role, and ,they will be defauled to the default store?

            • 3. Re: Implementing IdentityStore

              Hej, you are talking about an Open Source project here. Are you really want to decompile opensource libraries? I bet there are more interesting things to do






              Please take a look at FeaturesDescription interface in the SPI and read ReferenceGuide. Then I'll be happy to anwser your questions

              • 4. Re: Implementing IdentityStore

                Thank you for pointing to the source and the documentation. I successfully used the LDAP implementation as the base and changed some methods to integrate our own implementation. From the documentation, it states LDAP does not support role relationship which I can understand. With my test code to try to associate the user and group with role, I am getting this error "Role management not supported by underlying configuration identity stores". My question is how do I make my implementation to support role relationship? The sentence in the document "..IdentifyObjectRelationship has a IdentityObjectRelationshipName which is simple mapping of RoleType used in API..." seems to be the key. How and where do I create this IdentityObjectRelationshipName to support the Role as the supported relationship type? I did added in the XML under the supported-relationship-types with JBOSS_IDENTITY_ROLE, but that didn't seem to have any impacts.

                • 5. Re: Implementing IdentityStore

                  I thought by implementing the set of xxxRelationshipName/Properties methods, the role manager would be supported. However, it did not work. By looking at the source where the stacktrace throwing error and found that it looks like it's getSupportedFeatures() in the identity store repository. So, how do I set isNamedRelationshipSupported() to true?

                  • 6. Re: Implementing IdentityStore

                    Just implement getSupportedFeatures() in your IdentityStore impl to return proper metadata information about store capabilities. FallbackIdentityStoreRepository should return value that match configured stores capabilities. WrapperIdentityStoreRepository will just transparently pass all method calls to the store below. You can also look at the HibernateIdentityStoreImpl as it implements all features.

                    • 7. Re: Implementing IdentityStore

                      Finally got a better understanding by looking at the method calls of the HibernateIdentityStoreImpl. We also have login module bridge to use our company's authentication. So, we successfully login and got the session token with the user name. In the IdentityStoreImpl.bootstrap(), I tried to just create IdentityObject for with the login user name as USRE type IdentityObject, and "users" as platform type IdentityObject. Then createRelationship for the login user name and the "users" IdentityObjects for both JBOSS_IDENTITY_ROLE and MEMBERSHIP relationships. Also, we added <security-constraint> in web.xml for /private/* to use the <auth-constraint><role-name>users</role-name></auth-constriaint>.


                      So, if I have /private in the URL, I got challenged with my company's authentication. Then after I login, I see the user name is used to create an IdentityObject, and, relationships are also created with the "users" object. Still, I am getting this "HTTP 403 access to this resource has been denied " error. What else is missing? Is there any other role or group memberships need to be created for the logged in user? Thanks.

                      • 8. Re: Implementing IdentityStore

                        Further more, I put some debug statements in the Hibernate implementation and found that with the Hibernate implementation, the resolveRelationships() is called with the login name to get the relationships for this user. However, with our login module and the IdentityStore implementation, the resolvedRelationships() is not called after login. This would explain why I am getting the access denied error. Any idea why the method is not called to retrieve the membership information for my login user? In our login module, we created the exoplatform Identity with the user name, and then set it to shareState.

                        • 9. Re: Implementing IdentityStore

                          Honestly it is hard to tell without looking into code and configuration. I would suggest some remote debugging session going thru JAAS, GateIn OrganizationService and PickeLinkIDM to find out what is happening here...


                          You could also try to hit the problem from different angle


                          http://community.jboss.org/wiki/GateInIdentityandSecurityFAQ - Q3)


                          You can find some suggestions about implementing RolesExtractor. Also some kind of workaround would be a LoginModule implementation that would authenticate via your custom database and synchronize into default GateIn storage.