SEC-477: [patch] Acegi adapter for WebSphere 6.x #738

Closed
spring-issuemaster opened this Issue Apr 27, 2007 · 8 comments

@spring-issuemaster

Stephane Manciot (Migrated from SEC-477) said:

I propose a contribution for Spring Acegi so as to integrate a WebSphere adapter

@spring-issuemaster

Ben Alex said:

Thank you for your contribution.

We would like to add this feature to our 2.0 release. However, I noticed you have added a new JAR dependency that contains an IBM JAR. I presume this JAR is not released under an open source license compatible with Apache License, 2.0.

If the above is correct, would you kindly resubmit the patch in a manner that does not require a compile-time dependency on this JAR. My recommendation would be to use reflection to invoke the required methods, such that at runtime the user will ensure the JAR is in the classpath and thereby the reflective invocations will succeed. Whilst I can easily refactor your patch to do this, I do not have a WebSphere environment in which to test it.

Thanks once again for your work on this issue.

@spring-issuemaster

Stephane Manciot said:

You’re welcome :)
I will resubmit the patch as soon as possible (I hope before the 15th of December)

@spring-issuemaster

Stephane Manciot said:

This is the version without dependencies on WebSphere-specific libraries.

@spring-issuemaster

Ruud Senden said:

To me this looks like another instance of a pre-authenticated authentication provider, although in its current form it isn’t actually implemented as an Acegi authentication provider.

Would it make sense to rewrite this as a real authentication provider, possibly based on the pre-authenticated authentication provider that I proposed (see http://jira.springframework.org/browse/SEC-576)? It will be basically the same as the J2EE authentication provider, but instead retrieves the Acegi granted authorities using the WebSphere UserRegistry.

I think this would make this proposal more flexible and more in line with other Acegi authentication providers.

@spring-issuemaster

Ruud Senden said:

Spring Security integration for WebSphere security, based on the Spring Security pre-authenticated authentication provider. This code is based on a Spring Security SVN checkout done on 2008-03-14, so it already uses, for example, the new (Mutable)GrantedAuthoritiesContainer.

This code includes some non-WebSphere-related extensions to the Spring Security AuthenticationDetails* classes and interfaces. These are also separately available in SEC-716.

@spring-issuemaster

Stephane Manciot said:

Thanks a lot. I will shortly have a look at it.

@spring-issuemaster

Luke Taylor said:

I’ve committed the pre-authenticated implementation code. If there are no objections to this I’ll close the issue.

@spring-issuemaster

Peter Gathua said:

Thanks to Ruud and Stephane this is very helpful!!
I am testing your code and ran into a peculiar issue in a WebSphere 6.1.0.19 server configured with ADS SSO. When I get the groups for a user, I get the entire DN, not just the group names, from Active Directory Server, which is my user registry. I added some system out statements to see what is happening, and this is what I see:
[12/30/08 12:21:26:718 EST] 00000022 SystemOut O PreAuthenticated WebSphere principal: wasadmin
[12/30/08 12:21:26:734 EST] 00000022 SystemOut O Groups for user wasadmin: [CN=supervisor,OU=vsp,dc=xfdomain,dc=local, CN=vso,OU=vsp,dc=xfdomain,dc=local]WebSphere groups [{CN=supervisor,OU=vsp,dc=xfdomain,dc=local,CN=vso,OU=vsp,dc=xfdomain,dc=local}] mapped to Granted Authorities: [{ROLE_CN=SUPERVISOR,OU=VSP,DC=XFDOMAIN,DC=LOCAL,ROLE_CN=VSO,OU=VSP,DC=XFDOMAIN,DC=LOCAL}]

My question is whether there is a way to make WebSphere return only the CN value, or do you think I have misconfigured the server?
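
One way to handle the group DNs shown in the log above on the application side, as an added example that is not part of this thread or of the Spring Security code base: parse each DN, accept only groups under an expected base DN, and build the role name from the leaf CN. `GroupDnRoleMapper` and the trusted base value are assumptions made for illustration; the first two sample DNs are taken from the log, the third is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: GroupDnRoleMapper is a hypothetical class, not part of
// Spring Security or WebSphere.
public class GroupDnRoleMapper {
    private final LdapName trustedBase; // only groups under this base become roles

    public GroupDnRoleMapper(String trustedBaseDn) throws InvalidNameException {
        this.trustedBase = new LdapName(trustedBaseDn);
    }

    /** Maps registry group entries to role names, dropping entries it cannot trust. */
    public List<String> toRoles(List<String> groups) {
        List<String> roles = new ArrayList<>();
        for (String group : groups) {
            LdapName dn;
            try {
                dn = new LdapName(group);
            } catch (InvalidNameException e) {
                continue; // not a DN: skip rather than guess at a role name
            }
            // LdapName indexes RDNs right to left, so the base DN is a prefix.
            if (dn.size() <= trustedBase.size() || !dn.startsWith(trustedBase)) {
                continue; // same CN in another OU must not collapse into this role
            }
            Rdn leaf = dn.getRdn(dn.size() - 1);
            if ("CN".equalsIgnoreCase(leaf.getType()) && leaf.getValue() instanceof String) {
                roles.add("ROLE_" + ((String) leaf.getValue()).toUpperCase(Locale.ROOT));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        GroupDnRoleMapper mapper = new GroupDnRoleMapper("OU=vsp,dc=xfdomain,dc=local");
        List<String> groups = List.of(
            "CN=supervisor,OU=vsp,dc=xfdomain,dc=local",          // from the log above
            "CN=vso,OU=vsp,dc=xfdomain,dc=local",                 // from the log above
            "CN=supervisor,OU=contractors,dc=xfdomain,dc=local"); // constructed
        System.out.println(mapper.toRoles(groups));
    }
}
```

Checking the base DN before taking the CN matters because stripping the DN down to its CN alone would give two groups with the same CN in different OUs the same granted authority.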

@spring-issuemaster spring-issuemaster added this to the 2.0.0 RC1 milestone Feb 5, 2016