6 Replies Latest reply on Nov 16, 2010 10:01 AM by Mahdi Rajabi

    GateIn and remote authenticator and authorizer

    Mahdi Rajabi Newbie

      Dear guys

       

      Hi,

       

      I'm new in GateIn, I'm looking for a way to configure the GateIn Authenticator to use My PortLet users. the users specifications are defiend in remote server, so i have to make a web service call for authentication. now i'm looking for a way to write a module or use an already existing module to do my bussiness(make a service call).(Kind of SSO without using of solution exists like LDAP, JOSSO, OSSO or CAS)

       

      Is there any solution ?????

       

      Regards

        • 1. Re: GateIn and remote authenticator and authorizer
          Mahdi Rajabi Newbie

          I think i can use PicketLink IDM and write my own implementation for IdentityStore ... i'm trying to do so ... if that's not right way solving problem please notify me. is there any one who has a similar experiaces ????

          • 2. Re: GateIn and remote authenticator and authorizer
            Mahdi Rajabi Newbie

            I was thinking  no one would offer me solution and thats up to me to do my best

            PickletIDM is my only way, it seems......

            • 3. Re: GateIn and remote authenticator and authorizer
              Amao Xu Newbie

              Try to specify your question, if you want a valuable answer. You are asking a solution, which is firstly hard to explain in few words, second depends highly on the requirement of application.

               

              And to be frankly, people helps to solve the concrete problem here, but not supply the whole solution. You may need to keep it in your mind.

               

              ======================

              For your question, you have authentication service, you want use it to replace the original one from picketlink project.

              Then you need try to find out the authentication process in gatein, which component is relevant in this process. choose which component should be rewrite to redirect the authentication process to your web services.

               

              It is hard decision, and depends highly on the requirement and circumstance of your applications landscape.

              And what is your plan for authorization, do you want also use authorization from picketlink or you also have independent authorization service?

               

              in class ShareStateLoginModule.java in GateIn project.

               

              there is code:

              /*================================

              String username = (String)sharedState.get("javax.security.auth.login.name");
                       String password = (String)sharedState.get("javax.security.auth.login.password");
                       if (username == null || password == null)
                          return false;


                       Authenticator authenticator = (Authenticator)getContainer().getComponentInstanceOfType(Authenticator.class);

               

                       if (authenticator == null)
                          throw new LoginException("No Authenticator component found, check your configuration");

               

                       Credential[] credentials =
                          new Credential[]{new UsernameCredential(username), new PasswordCredential(password)};

               

               

                       String userId = authenticator.validateUser(credentials);

                       Identity identity = authenticator.createIdentity(userId);

              =====================================*/

               

              which i believe is the authentication action for login.

              It can be the start point for you to redesign your authentication:  Either rewrite here or rewrite the class Authenticator, or the class it uses.

               

              IDM.pdf is a general relationship between different classes from different package in gateIn. It may not be 100% correct and precise.

              I hope it can help you to understand the work principle of IDM in gatein.

              • 4. Re: GateIn and remote authenticator and authorizer
                Mahdi Rajabi Newbie

                Dear Amoa Xu

                 

                Thank for response. If I be true, I can't change the architecture of software. I'm gonna transfer my web application as a prtlet in GateIn. so, the Application has it's own security services for authentication and authorization- central service as a module and brings web services. i'm looking for a solution to change GateIn security or login center to use my own services, of course i will do it by attaching my module, not by changing gate in Code. i don't have time to do such time-consuming job, the dead line is on the way ... .

                 

                In fact i just want to change the repository of Users and theire access to some web services and not more.... . othere actions is note better that gateIn is offred.

                 

                the over writing of the class that you offered is very nice, but there is a question. does it handle the users access and sessions?

                 

                thanks a lot

                • 5. Re: GateIn and remote authenticator and authorizer
                  Amao Xu Newbie

                  First of all, users access and session is another service from Picketlink. It defines who have write to access which portlet. ( in portal level).

                  It may be implemented as IdentitySessionImp.java, see the IDM.pdf you may need find it by yourself.

                   

                  Second, if you want implement your application as independent service in gatein, without code change, then you mean you write independent session control for login logout, and access control for your application instead of change the code from gatein.

                  In this way, you need to remember, this application also follows the security policy of gatein. If this application has own security services, it works only inside this portlet.

                   

                  In this way, there are actually two levels for authentication.

                  1. User can login in the portal Gatein. After that, he will be authorized to be able to see your portlet or not. And user uses Username from repository of Picketlink.

                  2. User can login in your portlet. After that, he will be authorized by you to be able to access your services in this portlet, or other you implemented portlet. And user uses Username from your "personal" repository.

                   

                   

                  As my opinion, to cover your requirement,  either you try to connect pinketlink to your repository for authentication, and following the authorization policy of gatein to redesign the process and access for your web application.

                   

                  or

                   

                  you try to write your web application as independent portlet in gatein. However in this way, i don't way what kind of other services can you still use from gatein.

                   

                  And in fact, change the repository of users and their access to web application (Web service has another meaning! ) is BIG change. It represents almost all tasks of Picketlink. If you have time, my suggestion is read the documents about it.

                  • 6. Re: GateIn and remote authenticator and authorizer
                    Mahdi Rajabi Newbie

                    Dear Amao xu

                     

                    Your answer helps me as much as possible. know i'm sure what i get from IDM.pdf in correct and this paragraphs whould be a good solution :

                     

                    as you say :

                     

                    "you try to write your web application as independent portlet in gatein.  However in this way, i don't way what kind of other services can you  still use from gatein."

                     

                    "....It represents almost all tasks of Picketlink"

                     

                    Thanks a lot...

                     

                    I will announce my future experiance here