authentication with a security provider

authentication with a security provider

Adolfo Benedetti
Hi *,

 We are working on a site that has components that require
authentication. One of the features that our site will provide is to
allow users to register themselves directly on the site; some
of those users will be assigned to a group without access to the CMS.
- What are the good practices to achieve this with a Security
Provider (i.e. LDAP[2])? (Security Provider synchronization should be
triggered when the user is registered, etc.)
- In order to provide different search results to the authenticated
users, will the configuration in the "Repository Level
Authorization Integration"[1] be enough?

Hippo 7.6

Cheers,

Adolfo Benedetti
Software Engineer
http://www.Iprofs.nl

[1]https://wiki.onehippo.com/display/CMS7/HST-2+Authentication+and+Authorization+Support
[2]https://wiki.onehippo.com/display/CMS7/Repository+Authorization+and+Permissions

--
Adolfo Benedetti
_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html

Re: authentication with a security provider

Woonsan Ko-3
Hi Adolfo,

On 01/18/2012 04:08 AM, Adolfo Benedetti wrote:
> Hi *,
>
>  We are working on a site that has components that require
> authentication. One of the features that our site will provide is to
> allow users to register themselves directly on the site; some
> of those users will be assigned to a group without access to the CMS.
> - What are the good practices to achieve this with a Security
> Provider (i.e. LDAP[2])? (Security Provider synchronization should be
> triggered when the user is registered, etc.)

I think LDAP is good because the CMS can sync users with LDAP. [1]

And you can easily integrate with LDAP for a site application by
providing a custom AuthenticationProvider. [2]
Or you may simply take advantage of the HST Spring Security Support Forge
module. [3]

So, in your site applications, you may authenticate a user against the
external LDAP system directly without communicating with the repository.
And then you may have users use different JCR sessions. To do that, you
can override the "org.hippoecm.hst.core.request.ContextCredentialsProvider"
component:

  <!-- Default request context based credentials provider -->
  <bean id="org.hippoecm.hst.core.request.ContextCredentialsProvider"
        class="...">
     ...
  </bean>

For example, you return separate credentials for each group or role,
each mapped to a separate session pool. Then you can achieve
repository-based authorization.

[1]
https://wiki.onehippo.com/display/CMS7/Repository+Authorization+and+Permissions
[2]
https://wiki.onehippo.com/display/CMS7/HST-2+Authentication+and+Authorization+Support#HST-2AuthenticationandAuthorizationSupport-9.%28Optional%29HowtocustomizeAuthenticationProviderofHST2SecurityComponents
[3] http://hst-springsec.forge.onehippo.org/

> - In order to provide different search results to the authenticated
> users, will the configuration in the "Repository Level
> Authorization Integration"[1] be enough?

Yes, I think so.
But, HST-2 security, whether it is from the default or HST Spring
Security Support, does provide session-level user/roles determination,
while Hippo Repository Authorization provides more advanced options
based on "domain" (Each domain could have separate configurations).

Regards,

Woonsan

>
> Hippo 7.6
>
> Cheers,
>
> Adolfo Benedetti
> Software Engineer
> http://www.Iprofs.nl
>
> [1]https://wiki.onehippo.com/display/CMS7/HST-2+Authentication+and+Authorization+Support
> [2]https://wiki.onehippo.com/display/CMS7/Repository+Authorization+and+Permissions
>
> --
> Adolfo Benedetti
> _______________________________________________
> Hippo-cms7-user mailing list and forums
> http://www.onehippo.org/cms7/support/forums.html


--
[hidden email]     www.onehippo.com
Boston - 1 Broadway, Cambridge, MA 02142
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
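
The role-to-credentials mapping described in the reply above, as an added example that is not part of the original thread or of Hippo's own code. `RoleCredentialsResolver`, its method names and the sample account names are hypothetical, and the JCR API (`javax.jcr.SimpleCredentials`) is assumed to be on the classpath; a custom ContextCredentialsProvider would call `resolve()` with the roles of the authenticated request.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;

/** Hypothetical helper: picks the repository account (one per session pool) for a site user. */
public class RoleCredentialsResolver {

    // Insertion-ordered: the first mapped role that the user holds wins.
    private final Map<String, Credentials> byRole = new LinkedHashMap<>();
    private final Credentials fallback;

    /** fallback is the least-privileged site account, used when no role matches. */
    public RoleCredentialsResolver(Credentials fallback) {
        if (fallback == null) {
            throw new IllegalArgumentException("fallback credentials are required");
        }
        this.fallback = fallback;
    }

    /** Registers one repository account for a site role; the instance is created once and reused. */
    public RoleCredentialsResolver map(String role, String repoUser, char[] password) {
        byRole.put(role, new SimpleCredentials(repoUser, password));
        return this;
    }

    /** roles are those established by the site's own authentication, e.g. from LDAP groups. */
    public Credentials resolve(Set<String> roles) {
        if (roles != null) {
            for (Map.Entry<String, Credentials> entry : byRole.entrySet()) {
                if (roles.contains(entry.getKey())) {
                    return entry.getValue();
                }
            }
        }
        // Anonymous users and unmapped roles never get more than the fallback account.
        return fallback;
    }

    public static void main(String[] args) {
        // Constructed sample accounts; real passwords belong in configuration, not in source.
        RoleCredentialsResolver resolver = new RoleCredentialsResolver(
                new SimpleCredentials("site-anonymous", "changeit".toCharArray()))
            .map("premium", "site-premium", "changeit".toCharArray())
            .map("member", "site-member", "changeit".toCharArray());
        System.out.println(((SimpleCredentials) resolver.resolve(Set.of("member", "premium"))).getUserID());
        System.out.println(((SimpleCredentials) resolver.resolve(Set.of("unmapped"))).getUserID());
    }
}
```

What each account can read is decided by the repository's authorization configuration for that account, so none of the accounts mapped here should also carry CMS access.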
