Using active directory and Presto repository together

qedgenx

Hi all,

How can I use Active Directory user authentication and internal Presto roles together?

Currently I'm using Active Directory authentication (user and password), and it works fine.

My new requirement is to use different roles for different mashlets so users can display only the mashlets assigned to them, but without using Active Directory as a role store for Presto: this is a corporate directory and Presto is not a world-wide app yet. :)

I already created new users by typing them into users.properties inside Presto, and I can authenticate new users read from this file and from AD, but I'm always using the Presto_Administrator role, so my new users log in, display all mashlets, etc. I need them also controlled by roles.

One test I'm thinking of is to disconnect Active Directory, then create users and roles inside the admin console, then configure AD again and check whether the new roles are still valid. I don't know how, since HSQL is not read when another repository is configured, but I'll try :).

Is there a role archive like users.properties? Any ideas?

Thank you

apolenur

It might be possible to use the internal repository and AD together, but it does not seem that this is what you want ideally.

Correct me if I am wrong, but it seems that you want to authenticate to AD, but assign roles which are specific to Presto and which don't exist in AD.

We have seen this requirement before. It is possible to implement a plugin for AD authentication which would allow you to return any roles you want based on what is stored in AD or not in AD (proprietary config file, DB etc.).

Basically you extend the existing class and override two methods:

1. getGrantedAuthorities returns the list of roles for the user who is logged in.

2. listAllRoles should return all possible roles. This list is shown in UIs and used to assign roles to Services.

Here is a schematic implementation to give you an idea:

import java.util.LinkedList;
import java.util.List;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.InitialDirContextFactory;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
// DefaultLdapAuthoritiesPopulator is Presto's LDAP populator (the one that also exposes
// listAllRoles); import it from the package used by your Presto version.

public class CustomLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {

    public CustomLdapAuthoritiesPopulator(InitialDirContextFactory initialDirContextFactory, String groupSearchBase) {
        super(initialDirContextFactory, groupSearchBase);
    }

    // Roles of the user who just logged in: what AD group membership gave (keep or drop as you
    // prefer), plus the Presto-only roles you look up in your own store (config file, DB, ...)
    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails) {
        GrantedAuthority[] adAuths = super.getGrantedAuthorities(userDetails);
        List resultAuths = new LinkedList();
        for (int i = 0; i < adAuths.length; i++) {
            resultAuths.add(adAuths[i]);
        }
        GrantedAuthority newAuth = new GrantedAuthorityImpl("MyRole");
        resultAuths.add(newAuth);
        return (GrantedAuthority[]) resultAuths.toArray(new GrantedAuthority[resultAuths.size()]);
    }

    // All roles the admin UI can offer for assignment to services: AD roles plus Presto-only roles
    public String[] listAllRoles() {
        String[] allAdRoles = super.listAllRoles();
        String[] customRoles = new String[] {"myRole1", "myRole2"};
        String[] allRoles = new String[allAdRoles.length + customRoles.length];
        System.arraycopy(allAdRoles, 0, allRoles, 0, allAdRoles.length);
        System.arraycopy(customRoles, 0, allRoles, allAdRoles.length, customRoles.length);
        return allRoles;
    }
}

You drop this class into presto/WEB-INF/classes and modify the XML config file to "tell Presto" to use your class instead of the default.

Note, it will not work on vanilla 2.7, but only on the "jumbo patch" which was issued after 2.7 was released.

Please let us know if the approach I described will work for your situation and we will figure out the best way to proceed.

Hope this helps, Alexi
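As an added example (not code from Presto or from Alexi's post), here is a file-backed version of the plugin described above: AD still authenticates, and the Presto-only roles come from a properties file that Presto owns, which is one answer to the "role archive like users.properties" question. It assumes the same Presto DefaultLdapAuthoritiesPopulator base class and Acegi 1.0 types as the post, and a hypothetical WEB-INF/classes/presto-roles.properties with lines such as "all.roles=Presto_User,Presto_Designer" and "user.gabriel=Presto_User,Presto_Designer" (role names are made up).

```java
// Added example, not Presto's code. Assumes Presto's DefaultLdapAuthoritiesPopulator base class
// (import it from your Presto package) and Acegi 1.0 types. Reads a hypothetical
// WEB-INF/classes/presto-roles.properties with keys "all.roles" and "user.<login>" (comma-separated).
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashSet;
import java.util.Properties;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.InitialDirContextFactory;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
public class FileRolesLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    private final Properties roles = new Properties();
    public FileRolesLdapAuthoritiesPopulator(InitialDirContextFactory ctx, String groupSearchBase) {
        super(ctx, groupSearchBase);
        // Loaded once at startup; a missing or unreadable file grants no extra roles (fail closed)
        InputStream in = getClass().getResourceAsStream("/presto-roles.properties");
        if (in != null) {
            try { roles.load(in); } catch (IOException e) { roles.clear(); }
            finally { try { in.close(); } catch (IOException ignored) { } }
        }
    }
    // AD authenticates the user; roles are the AD groups (if any) plus the file entry for that user
    public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails) {
        Set result = new LinkedHashSet();
        GrantedAuthority[] adAuths = super.getGrantedAuthorities(userDetails);
        for (int i = 0; adAuths != null && i < adAuths.length; i++) result.add(adAuths[i]);
        // AD logins are case-insensitive, so normalise the key before the lookup
        String[] extra = split(roles.getProperty("user." + userDetails.getUsername().toLowerCase()));
        for (int i = 0; i < extra.length; i++) result.add(new GrantedAuthorityImpl(extra[i]));
        return (GrantedAuthority[]) result.toArray(new GrantedAuthority[result.size()]);
    }
    // Roles the admin UI offers for assignment to services/mashlets: AD roles plus the file's all.roles
    public String[] listAllRoles() {
        Set all = new LinkedHashSet();
        String[] adRoles = super.listAllRoles();
        for (int i = 0; adRoles != null && i < adRoles.length; i++) all.add(adRoles[i]);
        String[] fileRoles = split(roles.getProperty("all.roles"));
        for (int i = 0; i < fileRoles.length; i++) all.add(fileRoles[i]);
        return (String[]) all.toArray(new String[all.size()]);
    }
    private static String[] split(String csv) {
        if (csv == null || csv.trim().length() == 0) return new String[0];
        String[] parts = csv.split(",");
        for (int i = 0; i < parts.length; i++) parts[i] = parts[i].trim();
        return parts;
    }
}
```

Whoever can edit that file assigns roles, so restrict write access on it to the account that administers Presto.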

qedgenx

Hi Alexi,

Thanks for your answer; it's correct, I'm looking for this kind of solution. I'm configuring this in Presto and will let you know the results.

The question is how to know whether we're using the plain or the patched version of Presto?

Config file means refactoring applicationContext-security, right, which is the IoC from Spring? OK, I'll try it, if that's correct.

best,
Gabriel