Created in: 2006-04-09 17:12:40
Author: martin
Last updated: 2006-04-09 17:12:40
As you probably know, jLibrary uses its own security infrastructure. So, when you open jLibrary you have groups, users, and roles. The jLibrary security system is very flexible. You can add restrictions over those groups and users, you can add users to groups, you can add groups and users to roles, etc. This lets jLibrary offer users good control over their data.
But of course, though this is a flexible system, the reality is that your company probably wants to leverage its current infrastructure. Most companies have their own systems like LDAP registries, user databases, etc., and it would be really great if jLibrary were able to talk to these third-party security systems. The good news is that jLibrary is in fact able to talk to them. :)
jLibrary uses JAAS to perform the login to security systems. Note that by default, jLibrary comes configured with a very weak security system. So, even though only jLibrary users will be able to log in through the jLibrary client, the fact is that everybody will be able to log in on the simple web browser and on the WebDAV view. If this is a big problem for you, you should disable those server views in the web.xml configuration file.
Fortunately, you can use any JAAS login module to perform the login to your system. You can find information about how to configure jLibrary to use an external login module at this link. So, you can use your application server's login modules to log in through your LDAP registry, or create a custom login module to log in through your company's user database, etc.
OK, so half of the problem is already solved. But what about users, groups and roles? Even though you can already use an external system to log in, you would probably like to have all your system users, groups and roles in your jLibrary Users, Groups and Roles views. The good news is that this can be done thanks to the jLibrary security synchronization feature. The bad news is that this comes at a price: you will have to do some coding yourself. If you download the jLibrary server sources, you will find a synchronization sample in the org.jlibrary.core.jcr.security.test package. I will briefly follow that sample in this document.
jLibrary defines an abstract class that does all the synchronization stuff: org.jlibrary.core.jcr.security.SynchronizerTemplate. This class defines three abstract methods:
/**
 * Returns users from the third party authorization system that should be
 * synchronized.
 *
 * If an user does not exist then it will be created. If an user already
 * exist then its data, if available, will be updated.
 *
 * @return User[] Array with all the users that must be synchronized
 *
 * @throws SecurityException If the users cannot be obtained
 */
public abstract User[] getUsersToSynchronize() throws SecurityException;

/**
 * Returns roles from the third party authorization system that should be
 * synchronized.
 *
 * If a role does not exist then it will be created. If a role already
 * exist then its data, if available, will be updated.
 *
 * @return Rol[] Array with all the roles that must be synchronized
 *
 * @throws SecurityException If the roles cannot be obtained
 */
public abstract Rol[] getRolesToSynchronize() throws SecurityException;

/**
 * Returns groups from the third party authorization system that should be
 * synchronized.
 *
 * If a group does not exist then it will be created. If a group already
 * exist then its data, if available, will be updated.
 *
 * @return Group[] Array with all the groups that must be synchronized
 *
 * @throws SecurityException If the groups cannot be obtained
 */
public abstract Group[] getGroupsToSynchronize() throws SecurityException;
As you have probably guessed from the method names, you only have to extend this class and provide an implementation for these methods. Once you have your own synchronizer class, you only have to run the jLibrary utility class org.jlibrary.core.jcr.security.CommandLineSynchronizerRunner and jLibrary will perform all the synchronization for you. Let's see the example.
The example synchronizer uses two property files that contain the different groups and users. The example does not synchronize roles, as that isn't really very useful. This is the example synchronizer source code:
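import java.io.InputStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import org.jlibrary.core.jcr.security.SynchronizerTemplate;
// The remaining types (User, Group, Rol, SecurityException, ResourceLoader,
// StringUtils) come from the jLibrary sources and their libraries; their
// packages are not shown on this page.

public class PropertiesTestSynchronizer extends SynchronizerTemplate {

    public User[] getUsersToSynchronize() throws SecurityException {
        List users = new ArrayList();
        InputStream stream = null;
        try {
            Properties userProperties = new Properties();
            stream = ResourceLoader.getResourceAsStream(
                    "org/jlibrary/core/jcr/security/test/users.xml");
            userProperties.loadFromXML(stream);
            Iterator it = userProperties.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // Each value is a record: name,firstName,lastName,email,admin
                String value = (String) entry.getValue();
                String[] attributes = StringUtils.split(value, ",");
                User user = new User();
                user.setName(attributes[0]);
                user.setFirstName(attributes[1]);
                user.setLastName(attributes[2]);
                user.setEmail(attributes[3]);
                // The admin flag is taken as-is from the file, so whoever can
                // edit users.xml decides who becomes a jLibrary administrator.
                user.setAdmin(Boolean.valueOf(attributes[4]).booleanValue());
                users.add(user);
            }
        } catch (Exception e) {
            // Missing file, malformed XML and short records all end up here
            e.printStackTrace();
            throw new SecurityException(e);
        } finally {
            closeQuietly(stream);
        }
        return (User[]) users.toArray(new User[]{});
    }

    public Rol[] getRolesToSynchronize() throws SecurityException {
        // No extra roles defined
        return new Rol[]{};
    }

    public Group[] getGroupsToSynchronize() throws SecurityException {
        List groups = new ArrayList();
        InputStream stream = null;
        try {
            Properties groupProperties = new Properties();
            stream = ResourceLoader.getResourceAsStream(
                    "org/jlibrary/core/jcr/security/test/groups.xml");
            groupProperties.loadFromXML(stream);
            Iterator it = groupProperties.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // Each value is a record: name,description
                String value = (String) entry.getValue();
                String[] attributes = StringUtils.split(value, ",");
                Group group = new Group();
                group.setName(attributes[0]);
                group.setDescription(attributes[1]);
                groups.add(group);
            }
        } catch (Exception e) {
            e.printStackTrace();
            throw new SecurityException(e);
        } finally {
            closeQuietly(stream);
        }
        return (Group[]) groups.toArray(new Group[]{});
    }

    // Closes the stream even when loading or parsing failed
    private static void closeQuietly(InputStream stream) {
        if (stream != null) {
            try {
                stream.close();
            } catch (Exception ignored) {
                // Nothing useful can be done if closing a read stream fails
            }
        }
    }
}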
As you can see, the example is extremely easy. You only have to look up your users and groups and return them. The base synchronizer does all the work for you. It shouldn't be very hard to replace these methods with ones that load the users from an LDAP registry or from a custom database.
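The mapping step that an LDAP-backed replacement for getUsersToSynchronize() would need, as an added example that is not part of the jLibrary sources. The nested User class is a stand-in for jLibrary's User, and the attribute names (uid, givenName, sn, mail, memberOf) and the admin group DN are assumptions about the directory.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;

public class LdapUserMapping {
    // Stand-in for jLibrary's User so this compiles alone; fields mirror the setters used above.
    static class User { String name, firstName, lastName, email; boolean admin; }

    // Assumed DN of the directory group whose members become jLibrary administrators.
    static final String ADMIN_GROUP_DN = "cn=jlibrary-admins,ou=groups,dc=example,dc=com";

    // First value of an attribute, or "" when the entry does not carry it.
    static String first(Attributes entry, String id) throws NamingException {
        Attribute a = entry.get(id);
        return (a == null || a.size() == 0) ? "" : String.valueOf(a.get(0)).trim();
    }

    // Maps one LDAP entry to a user; returns null for entries without a usable uid.
    static User toUser(Attributes entry) throws NamingException {
        String uid = first(entry, "uid");
        if (uid.isEmpty()) return null;
        User u = new User();
        u.name = uid;
        u.firstName = first(entry, "givenName");
        u.lastName = first(entry, "sn");
        u.email = first(entry, "mail");
        // Admin only through membership of the admin group, never a free-text flag.
        LdapName adminGroup = new LdapName(ADMIN_GROUP_DN);
        Attribute groups = entry.get("memberOf");
        for (int i = 0; groups != null && i < groups.size(); i++) {
            if (adminGroup.equals(new LdapName(String.valueOf(groups.get(i))))) u.admin = true;
        }
        return u;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed entries; in a synchronizer they would come from a DirContext search.
        Attributes alice = new BasicAttributes(true);
        alice.put("uid", "alice"); alice.put("givenName", "Alice"); alice.put("sn", "Doe");
        alice.put("mail", "alice@example.com"); alice.put("memberOf", ADMIN_GROUP_DN);
        Attributes bob = new BasicAttributes(true);
        bob.put("uid", "bob"); bob.put("sn", "Roe"); // no givenName, mail or memberOf
        Attributes noUid = new BasicAttributes(true);
        noUid.put("mail", "orphan@example.com"); // skipped: no uid
        List<User> users = new ArrayList<User>();
        for (Attributes e : new Attributes[] { alice, bob, noUid }) {
            User u = toUser(e);
            if (u != null) users.add(u);
        }
        for (User u : users) System.out.println(u.name + " <" + u.email + "> admin=" + u.admin);
    }
}
```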
As I said previously, once you have your own synchronizer, you only have to invoke the command line synchronizer utility. You have to provide several parameters to the utility to get it working. You can see the parameters in the application help message:
Usage: CommandLineSynchronization synchronization-class-name jlibrary-workspace
    -> user password repositories-home config-file
Where:
    synchronization-class: Synchronizer to execute
    jlibrary-workspace: jLibrary workspace to synchronize
    user: Name of an user with administrative rights on the workspace
    password: Password for the given user
    repositories-home: Location of the directory in which the jLibrary repository is stored
    config-file: Repository.xml configuration file path
Example:
    CommandLineSynchronization my.company.ldap.LDAPSynchronizer myWorkspace admin changeme
    -> c:\temp\repositories c:\temp\conf\repository.xml
And that's all. As you can see, you don't have to do a lot of work or coding to get your data synchronized. So, have a good integration!!