Spring Security / SEC-477

[patch] Acegi adapter for WebSphere 6.x

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0 RC1
    • Component/s: Core
    • Labels:
      None

      Description

      I propose a contribution for Spring Acegi so as to integrate a WebSphere adapter

        Activity

        Ben Alex added a comment -

        Thank you for your contribution.

        We would like to add this feature to our 2.0 release. However, I noticed you have added a new JAR dependency that contains an IBM JAR. I presume this JAR is not released under an open source license compatible with Apache License, 2.0.

        If the above is correct, would you kindly resubmit the patch in a manner that does not require a compile-time dependency on this JAR. My recommendation would be to use reflection to invoke the required methods, such that at runtime the user will ensure the JAR is in the classpath and thereby the reflective invocations will succeed. Whilst I can easily refactor your patch to do this, I do not have a WebSphere environment in which to test it.

        Thanks once again for your work on this issue.
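
The reflective approach recommended in the comment above, sketched as an added example (not the code attached to this issue): the WebSphere class is resolved by name at runtime, and a missing class is treated as "no authenticated caller" so the lookup fails closed. The helper name `WebSphereSubjectLookup` is hypothetical, and the use of `com.ibm.websphere.security.auth.WSSubject.getCallerSubject()` is an assumption about which WebSphere call is needed, since the thread does not name the methods involved.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.security.auth.Subject;

// Hypothetical helper (added example), not the code attached to this issue.
public final class WebSphereSubjectLookup {
    // Resolved by name at runtime, so no IBM JAR is needed to compile this class.
    private static final String WS_SUBJECT = "com.ibm.websphere.security.auth.WSSubject";

    private WebSphereSubjectLookup() {
    }

    /** Returns the container-authenticated Subject, or null when none is available. */
    public static Subject callerSubject() {
        try {
            Class<?> wsSubject = Class.forName(WS_SUBJECT);
            Method getCallerSubject = wsSubject.getMethod("getCallerSubject");
            Object result = getCallerSubject.invoke(null); // static method, no receiver
            return (result instanceof Subject) ? (Subject) result : null;
        } catch (ClassNotFoundException | NoSuchMethodException e) {
            // Not on WebSphere, or an incompatible runtime: report "no caller"
            // so the request stays unauthenticated instead of being trusted.
            return null;
        } catch (InvocationTargetException e) {
            // The WebSphere call itself threw: surface its cause, do not swallow it.
            throw new IllegalStateException("WSSubject.getCallerSubject failed", e.getCause());
        } catch (IllegalAccessException e) {
            throw new IllegalStateException("WSSubject.getCallerSubject not accessible", e);
        }
    }

    public static void main(String[] args) {
        Subject subject = callerSubject();
        System.out.println(subject == null ? "no WebSphere caller subject" : "caller subject present");
    }
}
```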

        Stephane Manciot added a comment -

        You're welcome.
        I will resubmit the patch as soon as possible (I hope before the 15th of December).

        Stephane Manciot added a comment -

        This is the version without dependencies on WebSphere-specific libraries.

        Ruud Senden added a comment -

        To me this looks like another instance of a pre-authenticated authentication provider, although in its current form it isn't actually implemented as an Acegi authentication provider.

        Would it make sense to rewrite this as a real authentication provider, possibly based on the pre-authenticated authentication provider that I proposed (see http://jira.springframework.org/browse/SEC-576)? It will be basically the same as the J2EE authentication provider, but instead retrieves the Acegi granted authorities using the WebSphere UserRegistry.

        I think this would make this proposal more flexible and more in line with other Acegi authentication providers.

        Ruud Senden added a comment -

        Spring Security integration for WebSphere security, based on the Spring Security pre-authenticated authentication provider. This code is based on a Spring Security SVN checkout done on 2008-03-14, so it already uses, for example, the new (Mutable)GrantedAuthoritiesContainer.

        This code includes some non-WebSphere-related extensions to the Spring Security AuthenticationDetails* classes and interfaces. These are also separately available in SEC-716.

        Stephane Manciot added a comment -

        Thanks a lot. I will shortly have a look at it.

        Luke Taylor added a comment -

        I've committed the preauthenticated implementation code. If there are no objections to this I'll close the issue.

        Peter Gathua added a comment -

        Thanks to Ruud and Stephane, this is very helpful!!
        I am testing your code and ran into a peculiar issue. In WebSphere 6.1.0.19 server configured with ADS SSO. When I get the groups for user I get the entire DN, not just the group names, from Active Directory Server, which is my user registry. I added some system out statements to see what is happening, and this is what I see:

        [12/30/08 12:21:26:718 EST] 00000022 SystemOut O PreAuthenticated WebSphere principal: wasadmin
        [12/30/08 12:21:26:734 EST] 00000022 SystemOut O Groups for user wasadmin: [CN=supervisor,OU=vsp,dc=xfdomain,dc=local, CN=vso,OU=vsp,dc=xfdomain,dc=local]
        WebSphere groups [ {CN=supervisor,OU=vsp,dc=xfdomain,dc=local,CN=vso,OU=vsp,dc=xfdomain,dc=local} ] mapped to Granted Authorities: [ {ROLE_CN=SUPERVISOR,OU=VSP,DC=XFDOMAIN,DC=LOCAL,ROLE_CN=VSO,OU=VSP,DC=XFDOMAIN,DC=LOCAL} ]

        My question is whether there is a way to make WebSphere return only the cn value, or do you think I have misconfigured the server?


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Stephane Manciot
          • Votes:
            4
            Watchers:
            6