
Key: BCMS-116
Type: Improvement
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Savvas Triantafyllou
Reporter: Savvas Triantafyllou
Votes: 0
Watchers: 0
BetaCMS

Improve RepositoryService by allowing users to login without providing their password

Created: 08/Nov/09 06:59 PM   Updated: 10/Nov/09 01:38 PM
Component/s: betacms-repository, betacms-repository-api, betacms-repository-model, security
Affects Version/s: 2.1.0.CR1
Fix Version/s: 2.1.0.CR2

Time Tracking:
Not Specified

File Attachments: 1. XML File betacms-repositories-configuration-entry-template.xml (0.7 kB)



Description
BetaCMS must offer the possibility to a user to be able to login to a repository by providing her user name without the need to provide her password as well. This function will ease the development of applications which need to login to a repository in order to perform several operations under a specific user without the need to maintain her credentials.

If this functionality is supported then login methods which require javax.security.auth.Subject and not user's password should be obsolete.

Comments
Savvas Triantafyllou added a comment - 08/Nov/09 07:11 PM
BetaCMS content developers are able to build BetaCMS clients which can login to a repository by providing the user's name and a predefined secret key, but not the user's password.

This secret key is defined by the BetaCMS administrator in the betacms-repositories-configuration.xml file, which is located in the JBOSS_HOME/server/default/conf directory.

RepositoryService interface contains new methods

String login(String repositoryId, String username, String key, String permanentKey)
String login(String repositoryId, String username, String key)

which serve this functionality.

Parameter permanentKey is used to request a permanent authentication token, that is, the user session never expires.

In order for the login to be successful, the following XML excerpt must be added to the BetaCMS configuration file

<secretUserKeyList>
<administratorSecretKey userid="SYSTEM" key="secretAdminKey"/>
<secretUserKey userid="username" key="secretTestKey"/>
</secretUserKeyList>

inside security element as shown in the attachment.

The XML element 'administratorSecretKey' is obligatory as well; its use will be explained in future comments.

Savvas Triantafyllou added a comment - 08/Nov/09 07:13 PM
Enhance issue description

Savvas Triantafyllou added a comment - 08/Nov/09 07:30 PM
On top of the above methods, the following methods have been built

String loginAsAdministrator(String repositoryId, String key);
String loginAsAdministrator(String repositoryId, String key, String permanentKey);

String loginAsAnonymous(String repositoryId);
String loginAsAnonymous(String repositoryId, String permanentKey);

These extra methods allow applications, mostly, to login to a repository either as Administrators or as Anonymous users and use BetaCMS services without the need to store any credentials at all.

As you may have noticed, these login methods do not even require user names! The repository identifier and, in some cases, a predefined key is all that an application should provide.

Login methods which provide access as an Administrator find the administrator user name inside the BetaCMS configuration file, in element administratorSecretKey, and if the provided key matches the predefined key, login is successful. By default, the administrator user is SYSTEM and during installation you will be prompted to supply the predefined key. Of course, at any time, content developers who have access to the configuration file can change the administrator user name and/or the predefined key accordingly.

Login methods which provide access as the Anonymous user do not even require a predefined key! This is acceptable since the Anonymous user is assigned ROLE_CMS_EXTERNAL_VIEWER in BetaCMS and therefore has read-only access to published content only.

In both cases, when login is successful, logged in users carry all assigned roles and from that point on, they can access BetaCMS services respectively.

This is the main difference with the obsolete but not deprecated login methods which required a javax.security.auth.Subject instead of a password. That way, a client could provide the preferred roles, bypassing the roles assigned to the user by the BetaCMS administrator. These methods are not deprecated, but their use is limited to the local API, that is, only local clients (clients which run inside the same JVM as the BetaCMS server) have the ability to login to a repository by providing a user name and user roles.



Gregory Chomatas added a comment - 10/Nov/09 01:38 PM
The XML excerpt for the admin and user secret keys should be added between the <security> </security> tags inside the BetaCMS repositories configuration file, like the following example:

<?xml version="1.0" encoding="UTF-8" ?>
<ns:betacmsRepositories
        xmlns:ns="http://www.betaconceptframework.org/schema/betacms/betacmsRepositories"
        serverURL="http://localhost:8080">
        
        <betacmsRepository
                id="myrepo"
                jcr-repository-jndi-name="java:jcr/myrepo"
                betacms-db-jndi-name="java:jdbc/myrepo"
                serverAliasURL="http://localhost:8080">

                <localization>
                        <localizedLabel locale="en">My Repository</localizedLabel>
                </localization>
                <security>
                        <permanentUserKeyList>
                                <permanentUserKey userid="anonymous,SYSTEM" key="myPermanentUserKey"/>
                        </permanentUserKeyList>

                        <secretUserKeyList>
                                <administratorSecretKey userid="SYSTEM" key="adminSecretKey"/>
                                <secretUserKey userid="testuser" key="testUserSecretKey"/>
                        </secretUserKeyList>
                </security>
         </betacmsRepository>

</ns:betacmsRepositories>
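The two comments above (the 08/Nov/09 07:11 PM comment introducing secretUserKeyList and the 10/Nov/09 comment with the full configuration entry) describe a lookup: the secret key in the configuration file stands in for the user's password, and administratorSecretKey supplies both the administrator's user name and key. The following is an added example written for this page, not BetaCMS code. It parses the security block from the configuration above, implements the lookup the comments describe for login(repositoryId, username, key) and loginAsAdministrator(repositoryId, key) with a constant-time key comparison, and audits the entry for settings a reviewer would flag. The Python function names, the dict returned on a successful login, the MIN_KEY_LENGTH threshold and the sample configuration are assumptions; the real RepositoryService returns a session token whose format this issue does not document.

```python
"""Key-based login lookup and an audit of the <security> block from this issue.

Added example, not BetaCMS code. Function names, the success return value and
the audit threshold are assumptions made for illustration.
"""
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: the entry posted in this issue (namespace prefix on the root only).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<ns:betacmsRepositories
    xmlns:ns="http://www.betaconceptframework.org/schema/betacms/betacmsRepositories"
    serverURL="http://localhost:8080">
  <betacmsRepository id="myrepo" jcr-repository-jndi-name="java:jcr/myrepo"
      betacms-db-jndi-name="java:jdbc/myrepo" serverAliasURL="http://localhost:8080">
    <localization><localizedLabel locale="en">My Repository</localizedLabel></localization>
    <security>
      <permanentUserKeyList>
        <permanentUserKey userid="anonymous,SYSTEM" key="myPermanentUserKey"/>
      </permanentUserKeyList>
      <secretUserKeyList>
        <administratorSecretKey userid="SYSTEM" key="adminSecretKey"/>
        <secretUserKey userid="testuser" key="testUserSecretKey"/>
      </secretUserKeyList>
    </security>
  </betacmsRepository>
</ns:betacmsRepositories>
"""

MIN_KEY_LENGTH = 16  # assumed audit threshold, not a BetaCMS requirement


def load_security(xml_text):
    """Map repository id -> {"admin": (userid, key) or None,
    "users": {userid: key}, "permanent": set of userids that may request
    never-expiring sessions}."""
    root = ET.fromstring(xml_text)
    repos = {}
    for repo in root.iter("betacmsRepository"):
        sec = repo.find("security")
        if sec is None:
            continue
        admin = sec.find("secretUserKeyList/administratorSecretKey")
        users = {e.get("userid"): e.get("key")
                 for e in sec.findall("secretUserKeyList/secretUserKey")}
        permanent = set()
        for e in sec.findall("permanentUserKeyList/permanentUserKey"):
            permanent.update(u.strip() for u in e.get("userid", "").split(",") if u.strip())
        repos[repo.get("id")] = {
            "admin": (admin.get("userid"), admin.get("key")) if admin is not None else None,
            "users": users,
            "permanent": permanent,
        }
    return repos


def _session(userid):
    # Stand-in for the session token RepositoryService returns (format assumed).
    return {"user": userid, "token": secrets.token_hex(16)}


def login(config, repository_id, username, key):
    """Counterpart of login(repositoryId, username, key): only an explicit
    secretUserKey entry for that user name can authenticate it."""
    repo = config.get(repository_id)
    if repo is None:
        return None
    expected = repo["users"].get(username)
    if expected is None:
        return None  # no per-user key: never fall back to the administrator key
    if not hmac.compare_digest(expected.encode(), key.encode()):
        return None  # constant-time compare; a plain == leaks prefix matches
    return _session(username)


def login_as_administrator(config, repository_id, key):
    """Counterpart of loginAsAdministrator(repositoryId, key): the user name
    comes from administratorSecretKey, which the comments say is obligatory."""
    repo = config.get(repository_id)
    if repo is None or repo["admin"] is None:
        return None
    admin_user, admin_key = repo["admin"]
    if not hmac.compare_digest(admin_key.encode(), key.encode()):
        return None
    return _session(admin_user)


def audit(config):
    """Settings a reviewer would flag; returns a list of (repo_id, message)."""
    findings = []
    for repo_id, sec in config.items():
        if sec["admin"] is None:
            findings.append((repo_id, "administratorSecretKey missing; loginAsAdministrator cannot work"))
        else:
            admin_user, admin_key = sec["admin"]
            if len(admin_key) < MIN_KEY_LENGTH:
                findings.append((repo_id, f"administrator key for {admin_user} is shorter than {MIN_KEY_LENGTH} chars"))
            if admin_user in sec["permanent"]:
                findings.append((repo_id, f"{admin_user} may request permanent sessions; an admin token would never expire"))
        for user, key in sec["users"].items():
            if len(key) < MIN_KEY_LENGTH:
                findings.append((repo_id, f"secret key for {user} is shorter than {MIN_KEY_LENGTH} chars"))
    return findings


if __name__ == "__main__":
    cfg = load_security(SAMPLE_CONFIG)
    print(login(cfg, "myrepo", "testuser", "testUserSecretKey"))
    print(login_as_administrator(cfg, "myrepo", "adminSecretKey"))
    for repo_id, msg in audit(cfg):
        print(f"[{repo_id}] {msg}")
```

Two points the lookup makes explicit: a user name with no secretUserKey entry cannot be logged in with the administrator key (login never falls through to administratorSecretKey), and the key is compared in constant time because, as the comments note, it replaces the user's password and therefore has to be protected like one. Run against the sample entry, the audit reports that the administrator key is short and that SYSTEM is listed in permanentUserKeyList, which would let a compromised administrator token live forever.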