roller-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Johnson (Commented) (JIRA)" <>
Subject [jira] [Commented] (ROL-1933) Crowd Login Authentication Roller Integration
Date Sat, 11 Feb 2012 15:37:59 GMT


Dave Johnson commented on ROL-1933:

This looks pretty good, code-wise, but I would like to see a couple of changes before I introduce
it into the Roller code-base:

1) There are a couple of e.printStackTrace() statements that should be replaced with log.debug()
or log.error() depending on what is appropriate.

2) Instead of introducing a new properties file, the Crowd properties should be added into and the normal Roller properties classes should be used to access them.
> Crowd Login Authentication Roller Integration
> ---------------------------------------------
>                 Key: ROL-1933
>                 URL:
>             Project: Roller
>          Issue Type: New Feature
>            Reporter: Nick Padilla
>            Assignee: Roller Unassigned
>              Labels: authentication, integration
>         Attachments: BasicUserAutoProvision.txt,,,, pox-xml.txt, security-xml.txt
>   Original Estimate: 1h
>  Remaining Estimate: 1h
> 1. First off how do we want to handle the demotion or elevation of permissions,groups
rather.  Say an admin goes to just an editor or an editor goes to admin, currently there will
be no change on Roller.
> 2. If user has permissions for the application but is not part of a group, currently
it gives editor roles; does that work? If not we need to make a that change.
> 3. Old users can continue to use thier Roller accounts, if the user is a user of the
Roller application in Crowd they will authenticate through Crowd. This is as long as the two
accounts have the same
> user name.  Once authenticated through Crowd, Roller Authentication will not work. So
if Crowd goes down and all users are in Crowd then no one will be able to enter the site.
 Recommendation is to have 
> at least one admin user that doesn't have an account in Crowd, this way there will always
be a way in.  
> 4. If the file is not on the classpath then we never use crowd to authenticate,
however if you have users that were authenticated through crowd then they will not be able
to login.  
> 5. If the user exists in Crowd and has permissions to access Roller and Roller doesn't
contain this user account then a new user will be registered automatically; if no groups are
setup then the user
> will have editor role, if the user is part of a group that contains the string "admin"
or "ADMIN" then that user will be given Admin rights. 
> 6. Here is an example file, currently we get the file every time there
is a need for it; so that resource will be continually accessed.  If this is problem, which
I can understand I can
> create a singleton that will hanlde the file and only load it once.
 This means if any changes are made to the file we have to restart the application.
> 		#required fields
> 		crowd.application.password=password
> 		crowd.port=8095
> 		crowd.context=crowd
> 		#end required fields
> 		#this setting allows the use of https, defaults to false; not present we will use plain
> 		crowd.useSecureConnection=false
> 		crowd.default.timezone=
> 		crowd.default.locale=
> You can add this file the same way you add the TimeZone and
Locale are not required, but standard format.
> 7. These are the settings that need to be set in the to enable
the use of Crowd Authentication:
> 		# Crowd Auth, need these settings to be enabled
> 		users.sso.enabled=true
> 		users.sso.autoProvision.enabled=true
> If these are not set Crowd authentication will not work correctly.  The AutoProvision
is what makes this all work, the users from Crowd and not in Roller will be saved to Rollers
db the first time the log in. The reason this is needed 
> is so that permissions can be written for Roller. Will still need to add some code to
ensure when users get promoted or demoted, those changes make it to the Roller DB.
> Please see attached files as they contain these changes and are in sync with Trunk, as
of today.  We can extend this functionality but here is working starting point.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message