Thread: Acegi in portlets

  1. #1
    Join Date
    Dec 2004
    Location
    New York
    Posts
    30

    Default Acegi in portlets

    Hi All:

    Hope this isn't too far off topic. I am wondering if anyone has experience using the Liferay portlet container (www.liferay.com). In its newest version, the business tier is built using Spring (and optionally EJB), but JAAS is used for authentication. I would like to use Acegi ACL-based authorization within a portlet. I am assuming that once the principals are placed in the session on login, I can simply retrieve them and use Acegi authorization within the context of the individual portlet. Does this seem like a tenable approach?

    Any feedback much appreciated.

    Thanks!

    Dave

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Try using the container adapters included with Acegi Security, which will integrate with your container authentication system and ensure the Principal made available to web applications is actually Acegi Security's Authentication. This can thus be used with Acegi Security's ACL package.

  3. #3
    Join Date
    Dec 2004
    Location
    New York
    Posts
    30

    Default

    Thanks, Ben. I'll give it a try.

  4. #4
    Join Date
    Sep 2004
    Posts
    346

    Default recommended approach for impl independent security in portals

    What's the recommended approach for implementation-independent security in portals? In Sun One Portal there is a proprietary class called SSOTokenManager. How does that fit into Acegi?

  5. #5
    Join Date
    Sep 2004
    Location
    Arizona, USA
    Posts
    383

    Default Filters Don't Work w/ Portlets

    One of the biggest problems with using Acegi with Portlets is that the Filters in the portlet's webapp don't run. Since there is no servlet request, there is nothing to filter.

    I've built a custom PortalAuthenticationProvider, SecurityEnforcementInterceptor, and SessionIntegrationInterceptor for use with Spring Portlet MVC and with Acegi security. They are working very well for us at this point. What I have doesn't support ObjectDefinitionSource or AbstractSecurityInterceptor, so there is no support for Voters, but it does support Also it is currently based on 0.6.1, so it is a bit dated -- I am planning to update to 0.8.2 later this month.

    If you are interested in seeing these, I'll be happy to send them to you. Send me an email: jlewis at arcanumintl dot com.

    Ben, if you are interested in working on more mainstream support of portlets within Acegi, I would be really happy to help. I am one of the main people working on the Spring Portlet MVC framework and I've had a number of people ask about Acegi already.

  6. #6
    Join Date
    Sep 2004
    Posts
    346

    Default Perhaps...

    Perhaps... security belongs at the level of the portal, I have since realized... What might be more beneficial is to integrate Acegi with Jetspeed2, for instance.

  7. #7
    Join Date
    Sep 2004
    Location
    Arizona, USA
    Posts
    383

    Default Portal Security

    The problem we found is that the security framework offered by most portals was too coarse for our needs. We needed something very fine-grained, like we have with Acegi.

    We still use the portal for authentication, but we handle role-level authorization within our own app via Acegi.

  8. #8
    Join Date
    Sep 2004
    Posts
    346

    Default Can you give an example?

    Can you give an example? Where is it too coarse-grained?

  9. #9
    Join Date
    Sep 2004
    Location
    Arizona, USA
    Posts
    383

    Default Security Granularity

    In our commercial application, we need to manage access down to the object and even field level and manage what kind of access the user has to that object/field (i.e. create, read, update, delete). There are hundreds of these permissions. We then allow the organization to aggregate a set of these permissions into a user role and then assign multiple roles to a given user. None of the portals we looked at could manage this kind of detail.

    To further complicate things, we have some servlet-based content that is integrated into our portlet application (such as images) that also needs to be security controlled. By using Acegi, we can use the portal authentication to check authorization on the servlet side as well.
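
The permission model described in post #9 (CRUD permissions on objects and fields, bundled into roles, several roles per user), sketched as an added example. This is not the poster's code and does not use Acegi's API; all class, role and object names are hypothetical, and the user is assumed to be already authenticated by the portal.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;

public class FieldLevelAuthz {
    enum Action { CREATE, READ, UPDATE, DELETE }

    // One permission = one action on one object type, optionally narrowed to a field.
    // field == null means the permission covers the whole object, every field included.
    record Permission(String objectType, String field, Action action) {
        boolean covers(String type, String requestedField, Action requested) {
            return objectType.equals(type) && action == requested
                    && (field == null || field.equals(requestedField));
        }
    }

    // A role is an organization-defined bundle of permissions.
    record Role(String name, Set<Permission> permissions) {}

    // Deny by default: access is granted only if at least one of the user's
    // roles holds a permission covering the requested object/field/action.
    static boolean isAllowed(Collection<Role> roles, String type, String field, Action action) {
        for (Role role : roles) {
            for (Permission p : role.permissions()) {
                if (p.covers(type, field, action)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Role clerk = new Role("clerk", Set.of(
                new Permission("Invoice", null, Action.READ),
                new Permission("Invoice", "notes", Action.UPDATE)));
        Role approver = new Role("approver", Set.of(
                new Permission("Invoice", "status", Action.UPDATE)));
        // Identity comes from the portal login; the role set is looked up by the application.
        List<Role> userRoles = List.of(clerk, approver);

        System.out.println(isAllowed(userRoles, "Invoice", "amount", Action.READ));   // field read under an object-wide grant
        System.out.println(isAllowed(userRoles, "Invoice", "status", Action.UPDATE)); // field held only by the second role
        System.out.println(isAllowed(userRoles, "Invoice", "amount", Action.UPDATE)); // field that no role lists
        System.out.println(isAllowed(userRoles, "Invoice", null, Action.DELETE));     // action that no role lists
    }
}
```

The same `isAllowed` check can be called from both the portlet and the servlet side, which is the point the post makes about sharing one authorization decision across both entry paths.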

  10. #10
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Sounds like an interesting implementation. Is it something you could share with the community, or is it internal?
