jBoss Portal & Acegi

[assamese]

Folks...new to this forum, so, pardon my ignorance.

I am trying to understand the acegi authentication model & how it fits into the jBoss Portal framework. Our company wants to use jBoss Portal as the front-end to expose several underlying applications. (all of these apps are J2EE, some are spring, most are not)

So, I am wondering if I can somehow
- configure jBoss Portal to use acegi for macro-level authentication (and tie-in acegi with our existing SSO server)

- transfer the autheticated context to the underlying apps

- then tweak the underlying apps to use acegi to manage authorization in a finer granular level.

Am I on the right path ? Am I missing something ? Thanks in advance.

Sanjay

[assamese]

From: John Lewis <jlewis_at_arcanumintl_dot_com>
To: Sanjay Das <assamese_at_hotmail_dot_com>
Subject: Re: Acegi question
Date: Thu, 18 Aug 2005 20:56:52 -0700

Okay -- that gives me a better understanding.

What will determine if your approach will work or not is just which pieces of Acegi that Alfresco is using. The portlet support I put together does not support voters and does not support object-level ACLs. It only supports the basic role-level authentication.

How, here is a different question -- why not just configure Acegi in Alfredo to use CAS directly? There is good support for using CAS with Acegi and this would bypass the portal issues altogether.


Sanjay Das wrote:

John: thanks for your response.
perhaps, I should paint a clearer picture:

1. Alfresco is a jBoss based web-app.
2. Alfresco uses Acegi
3. Alfresco does NOT use jBoss authentication.
4. we can definitely configure jBoss as a CAS-Client
5. CAS integration with jBoss will automatically rope in Alfresco under the SSO umbrella
6. So, then, we need for Alfresco to bypass it's underlying Acegi based authentication

My question is: Do you think of this as a sensible approach ? Do see any holes in it ?

Thanks again - Sanjay


From: John Lewis <jlewis_at_arcanumintl_dot_com>
To: Sanjay Das <assamese_at_hotmail_dot_com>
Subject: Re: Acegi question
Date: Thu, 18 Aug 2005 13:09:51 -0700

Sanjay,

This is pretty different from the work I have done with integrating Acegi w/ JSR-168.

I don't know much about Alfresco, so it's hard for me to speak about it in any specific way. If Alfresco runs in jBoss Portal, does it use the portal authentication or something else? If it is using the Portal authentication, then the real question is can you integrate jBoss Portal w/ CAS. I know that uPortal has a way to integrate w/ CAS, but I don't know about jBoss Portal.

Sorry I couldn't be more helpful.

John


Sanjay Das wrote:


I am trying to integrate AlFresco (alfresco.org) into our jBoss environment. Alfresco uses acegi and it uses jBoss-portal as it's front-end.

Our existing jBoss apps use CAS for SSO. So, I figured that if I can point Acegi Security Provider (being used by Alfresco) to jBoss-protal's security-provider; this way, I will essentially force AlFresco to use CAS for authentication.

I wanted to run this by you & make sure that theoritically, I am doing the right thing ....
Thanks in advance.

Sanjay

[assamese]

John: to answer your question: why not just configure Acegi in Alfresco to use CAS directly?

We do not want AlFresco (or, for that matter, any of our web-apps) to directly involve itself (or be aware of) the underlying SSO infrastructure (which, in our case, happens to be CAS).

We want to SSO-enable jBoss at a host level & have all other underlying web-apps (hosted by jBoss) to automatically fall in line. Normally, if the underlying web-apps are J2EE security compliant, then we can achieve this simply by tweaking their web.xml files. However, AlFresco follows the Acegi model, so, I do not know how I can make AlFresco aware of the security imposed by jBoss....am I making any sense ?

Sanjay

[johnalewis]

Well, one way or another, you are going to be tweaking the Acegi configuration of Alfresco, right? Since there is already very good support for Acegi to use CAS, I'm not sure why you wouldn't implement that. I understand your general philosophy, but in this case configuring Alfresco to use CAS seems like the path of least resistance.

Again, the portlet integration that we build for Acegi only provides a subset of Acegi functionality. If Alfresco is using Voters or ACLs, then what we built is not sufficient. No matter what, you would be building some amount of code to achieve this.

If Alfresco is designed to run in a portal server and to use Acegi, what are they using for authentication now?