-
Notifications
You must be signed in to change notification settings - Fork 6
Authentication
When a user accesses the repository, he or she should usually authenticate himself or herself. In some cases (for public pages) you may want to skip the authentication and let the user browse the public part of the repository as an anonymous user.
Details on how the authentication is done are managed by the authentication service.
By default, ECR provides authentication support based on JAAS. A generic JAAS login module is provided. When invoked this module will call the service implementing org.eclipse.ecr.runtime.api.login.Authenticator to do the actual authentication.
Usually this interface should be implemented by a service that manages users and groups and provides an
public Principal authenticate(String name, String password)
method for doing the authentication.
The default implementation provided by ECR is a simple user manager that stores user and group definitions on the file system using the extension point mechanism.
In production servers, you will want to replace this implementation using more advanced ones (like LDAP or database storage for users). ECR will provide in the future a full user manager service (providing LDAP and database connection).
Before accessing the repository (i.e. opening a session) you always need to login if the login was not already done. And to logout when the session is no more needed.
When executing in a servlet context you can use the authentication filter provided by ECR and let the filter automatically handle the login for you.
When running your code in other contexts like background jobs you must login before opening a session and logout in a try / finally block.
Usually when running code in a servlet you may want to login using the submitted user information - we will call this an user login. When running background jobs you usually want to use an unrestricted login since your code is not running in an user context and may need all privileges when accessing a document. We will call this kind of authentication: system login.
If you want to expose content without doing a login (for public pages - in anonymous mode) you can create a special "anonymous" user with restreint privileges and automatically do the authentication in the name of that user.
To perform a system-login you can invoke:
LoginContext lc = Framework.login();
try {
... here we are in an authenticated context
} finally {
if (lc != null) lc.logout();
}
To perform an user-login you can invoke:
LoginContext lc = Framework.login("username", "password");
try {
... here we are in an authenticated context
} finally {
if (lc != null) lc.logout();
}
The Framework.login method is a shortcut to new LoginContext("moduleName", subject, handler).login();
As any configuration in ECR, the login module is defined using a contribution to an extension point. Here it is:
<extension target="org.eclipse.ecr.runtime.LoginComponent" point="domains">
<domain name="nuxeo-system-login">
<login-module code="org.eclipse.ecr.runtime.api.login.SystemLoginModule" flag="required"/>
<login-module code="org.eclipse.ecr.core.api.local.ClientLoginModule" flag="required">
<option name="password-stacking">true</option>
<option name="multi-threaded">true</option>
</login-module>
</domain>
<domain name="nuxeo-client-login">
<login-module code="org.eclipse.ecr.runtime.api.login.AuthenticationLoginModule"
flag="required">
</login-module>
<login-module code="org.eclipse.ecr.core.api.local.ClientLoginModule" flag="required">
<option name="password-stacking">true</option>
<option name="restore-login-identity">true</option>
<option name="multi-threaded">true</option>
</login-module>
</domain>
</extension>
This defines two security domains (i.e. login module chains): the first named nuxeo-system-login is used to create unrestricted system logins (the code doing this will have unrestricted access to the repository) - and the second named nuxeo-client-login is used to create real user logins (given an username and a password).
The nuxe-client-login uses the org.eclipse.ecr.auth.SimpleLoginModule for doing the authentication. This one, as we explained above, will look up the service implementing org.eclipse.ecr.runtime.api.login.Authenticator interface to do the actual authentication.
Users in ECR are represented using org.eclipse.ecr.core.api.NuxeoPrincipal objects (which extends the Java Principal interface). Groups are represented using org.eclipse.ecr.core.api.NuxeoGroup objects.
A NuxeoPrincipal provides the following informations:
- a name - the user name which will be used in document ACLs to reference an user
- a password
- a first name
- a last name
- a company field
- an email field
- a list of roles
- a set of groups to which the user is member
When implementing a custom NuxeoPrincipal object, you can add any other additional field you need.
A NuxeoGroup object provides the following information:
- a name - which can be used in document ACLs to reference the group.
- a list of principals it contains
- a list of member groups
- a list of parent groups
When implementing a custom NuxeoGroup object you can add any other additional field you need.
If you don't need other extra fields for your principals and groups, then you can use the default implementations provided by ECR:
org.eclipse.ecr.core.api.impl.UserPrincipal and org.eclipse.ecr.core.api.impl.NuxeoGroupImpl
As explained above, ECR provides a simple user manager implementation which you may want to replace with your own implementation.
Here are instructions on how to do this.
-
remove the
org.eclipse.ecr.authbundle which provides the default user manager implementation. -
implement the
Authenticatorto provide an authentication method against your own user/group storage. -
Expose the
Authenticatorservice implementation as a service. For this add a service entry in your XML component descriptor - see Services:<service> <provide interface="org.eclipse.ecr.runtime.api.login.Authenticator" /> </service> -
Add your new plugin to ECR.
Now, every time the user login login module will be invoked, your authenticator will be used.
Next: go to the Content Automation section to learn about this high level API to automate the work with the content repository and the services it provides.