Announcement Announcement Module
Collapse
No announcement yet.
WebSphere for Authentication and Acegi for Authorization ? Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • WebSphere for Authentication and Acegi for Authorization ?

    Hello,

    I suppose I have a slightly unique situation in regards to my security implementation. Bear in mind I am a complete newbie to J2EE, Spring and Acegi so if I mess up terminology or am completely wrong in a certain sense let me know but be nice

    So I am developing security architecture for a J2EE web app running on WebSphere Portal Server 5.1. We are currently using Spring as a middle tier IoC framework, JSF for the presentation tier, and WebSphere managed security against an IBM Tivoli Directory Server (LDAP). Id like to use Acegi in our architecture as it provides many advantages over the container managed WebSphere security. Most importantly it would allow my architecture team to push new security configurations to developers via source code control without having to reconfigure WebSphere instances (which you need to do if you use WebSpheres security). Also the declarative approach to fine grained security would also make the lives of developers MUCH easier. If life were only this easy..

    Im not entirely sure why but I am told that we must use WebSphere security for authentication and that we can use Acegi for authorization. To me this can either translate as using JaasAuthenticationProvider or AuthByAdapterProvider. Im not sure which one would provide the WebSphere container managed authentication and allow Acegi to handle authorization policies.

    If I need to use AuthByAdapterProvider then I must ask if anyone has written a Web Sphere adapter. If not than I would like to be pointed to a reference explaining how to write a container adapter. Clearly this reference would need to explain the hooks into a container that Acegi needs and the hooks into Acegi that the container would need. Just reading the provided adapters I checked out of CVS gave me little frame of reference towards a solution.

    I am also wondering if I will run into any bumps in the road with JSF and Acegi or Acegi and WebSphere Portal Filters (Our porlets are written using JSR168 Standard)

    Thanks for the help.

    DanHorowitzNYC

  • #2
    Hi!

    I have almost the same situation. To be more specific; Our application will recieve a user id and user role from a 3rd party security solution (IBM Tivoli Access Manager/WebSeal in this case) where the authentication is done. So we will do the authorization based on the user role using Acegi Security. I'm totally new to Acegi but see that we need to create our Authentication implementation using some kind of Provider.

    My question is; Do we need to create our own Provider or does Acegi have some kind of support for authorization when the authentication is already taken care of?

    Thanks for all help!

    -jh

    Comment


    • #3
      [quote="My question is; Do we need to create our own Provider or does Acegi have some kind of support for authorization when the authentication is already taken care of?[/quote]

      Most of the time you'll need to write a Filter which can obtain the username and roles from a trusted source - probably a HttpServletRequest attribute. This approach is exemplified in HttpRequestIntegrationFilter.

      Sometimes the trusted source might only offer a username, and you have to populate the GrantedAuthority[]s yourself. This is exemplified in X509ProcessingFilter.

      To write a container adapter, basically you are implementing your container's stock-standard realm interface. Thus the container will authenticate the user via standard container managed authentication. Importantly, instead of returning a java.security.Principal to the container you should return net.sf.acegisecurity.Authentication (which is a subclass of Principal). That way the Authentication contains the GrantedAuthority[]s as well.

      Comment


      • #4
        Acegi with Tam

        Ben,

        Is it possible to post an example for this solution? We are planning to integrate our JAAS authentication with Acegi. It would be good, if we have an example as a reference. Thanks

        Comment


        • #5
          Also interested

          I'm also interested... Can you please post some impl details here?
          I'll do the same, if I can progress on this topic.

          Comment


          • #6
            Hi,

            This is possible but not for the faint of heart.

            1. You need WebSphere 6.1.0.13 (or higher) or 6.0.2.21 (or higher).
            2. You need this custom property set to TRUE on all application servers that will be serving spring-security applications (google this for details).
            com.ibm.ws.webcontainer.invokefilterscompatibility =true
            3. You must use Spring-Security 2.0M2 (or higher).

            Once this is in place the included preauth sample will work.

            Regards,

            Brett

            Comment


            • #7
              I unfortunately use WAS 5.1...

              Comment


              • #8
                You might be okay with that, the 6.x requirement was so that the filter compatibility issue didn't cause problems. This was a bug they 'introduced' in WebSphere 6.0.2.x. I don't believe (but can't confirm) the filter compatibility issue exists in 5.1

                Your best bet is to try the sample preauth application included with spring-security 2.0M2 and see if it works. If it does then you'll be fine.

                Regards,

                Brett

                Comment


                • #9
                  There is also a preauth patch customized for websphere

                  http://jira.springframework.org/browse/SEC-477

                  Comment

                  Working...
                  X