topic Re: making explorer2 more SSO friendly in Alfresco Archive

making explorer2 more SSO friendly

heymjo — Tue, 31 May 2011 12:38:50 GMT

Hi,I have created a patch that makes the explorer behave nicely when you place it behind an SSO. Typically when users are authenticated in-container to the web application then request.getUserPrincipal() will give you the current user principal. There is not much to it as you will see from the patch

Re: making explorer2 more SSO friendly

p4w3l — Tue, 31 May 2011 19:45:56 GMT

In my opinion Activiti should externalize identity service more radically. I understand the team wants to deliver complete working out-of-the-box "toy" and must provide own identity service. Unfortunately it is still badly designed: 1. nothing to do with container provided identity ( realms ); and even worse: 2. Pluggability is almost impossible for backends like LDAP. Why not follow something like in Tomcat realms?! Can be implemented also with SQL for having something out-of-the-box but also allow to use existing backends. Who today creates own identity service in every possible system in the company?! I observe and wait patiently for a possibility to connect Acitiviti to external identity backend but still eveluate it as impossible. It is easy to imagine identity backend that doesn't persist passwords today - only a hash. Current Activiti 5.5 version unfortunately needs password in IdentityServiceImpl and CheckPassword so it cannot be used with backends that don't provide passwords.

Re: making explorer2 more SSO friendly

ronald_van_kuij — Wed, 01 Jun 2011 00:00:43 GMT

1. nothing to do with container provided identity ( realms );

Simply because activity does not need to be be used in a container, so independence of that is needed

2. Pluggability is almost impossible for backends like LDAP.

Might be, feel free to write a decent indepth proposal (preferably in the form of java code) that takes everything into account, so not only solves your issue.

Who today creates own identity service in every possible system in the company?

Maybe you are one of the lucky few where someone else once decided on a one-size-fits-all solution for SSO etc… Many, many companies are not that advanced/progressive etc…

! I observe and wait patiently for a possibility to connect Acitiviti to external identity backend but still eveluate it as impossible

Shame on you… feels like complaying and doing nothing… hmmm gives me not so nice feelings..

Re: making explorer2 more SSO friendly

p4w3l — Wed, 01 Jun 2011 08:58:58 GMT

You really encouraged me to go Ron! It is my second ( third if I count jBPM ) to make Activiti work with LDAP and please then make following modification in the source code:

replace execute method in org.activiti.engine.impl.cmd.CheckPassword to the following:

  public Boolean execute(CommandContext commandContext) {
   return commandContext.getUserManager().checkPassword(user, password);
  }

this will delegate user/password check to org.activiti.engine.impl.persistence.entity.UserManager where please add one more method:

  public Boolean checkPassword( String user, String password ) {
   User user = findUserById( user );
    if ( (user!=null)
         && (password!=null)
         && (password.equals(user.getPassword()))
       ) {
      return true;
    }
    return false;   
  }

This will let us override the method in customised UserManager and implement different behaviour like i.e. verification with LDAP bind attempt instead of string compare.

Would you please create the patch for me or I have to learn all that development cycle stuff myself?

Re: making explorer2 more SSO friendly

ronald_van_kuij — Thu, 02 Jun 2011 10:33:27 GMT

Thanks, greate to called a motivator 🙂 I'll give it a go next week, but creating a real patch is not that hard. Just select both classes in you ide and in the context menu (right click) there must be something about team (eclipse) or something related (netbeans, intellij or whatever)

Oh and make sure all tests run green 😉

Besides that it is also a good idea to create a jira for this (and then attach the patch there) so it won't be forgotten. You may assign that issue to me.

Thanks

Re: making explorer2 more SSO friendly

ronald_van_kuij — Thu, 02 Jun 2011 21:36:09 GMT

Ouch, stupid me… The original post already contained a jira AND a patch…

Re: making explorer2 more SSO friendly

p4w3l — Mon, 06 Jun 2011 11:53:19 GMT

I have published my patch in http://jira.codehaus.org/browse/ACT-833

It doesn't change any existing functionality in Activiti only delegates login method from IdentityServiceImpl to UserManager. The second one is pluggable with activiti.cfg.xml and allows to customise login now

It is tested with 5.5 and 5.6 ( all test passed with "ant clean distro" ) and works for me.

Who accepts to incorporate it into next release?

Re: making explorer2 more SSO friendly

frederikherema1 — Mon, 06 Jun 2011 12:00:20 GMT

Last week, I did some refactoring of the Login mechanism of the Explore2 webapp, to allow pluggable authenticating:

- LoggedInUser is now interface
- LoginHandler can be plugged in using spring-contenxt.
- LoginHandler exposes authenticate(user, pwd) and authenticate() (for automatic authentication eg. existing session-data)

So the SSO patch you suggested can be easilly implemented by a LoginHandler. The other patch (moving check to UserManager) makes sense from a plugability perspective and will take this one on trunk this release.

Re: making explorer2 more SSO friendly

ronald_van_kuij — Mon, 06 Jun 2011 15:30:58 GMT

@frederik: Thanks 🙂

Re: making explorer2 more SSO friendly

heymjo — Tue, 07 Jun 2011 09:39:05 GMT

Great, thanks !