[CDO] Setting Security : Authentication & Access control [message #1005629] Sun, 27 January 2013 13:35
Jean Rebillat
Hi.
I work for a big French company, in a Research & Technology service. I want to convince a project leader to switch from JCR Jackrabbit toward EMF/CDO.
There are two particular points on which I must be sure of myself when presenting the solution : authentication with logins and access control on resources, using our own algorithms.

I have searched the web for a week, trying to understand how to do this in CDO.
I first tried to start the server with the XML configuration file, but at first I did not understand the way to add custom factories.

I switched to hand-written server code, with almost the same results : it works until I want to add custom elements.

Falling back to XML configuration, I found this link : https://bugs.eclipse.org/bugs/show_bug.cgi?id=302775
that works to add custom user management concerning authentication.

My questions so far are :
- Is the link above still up-to-date to add a user authentication mechanism ?
- Is there described somewhere the same mechanism for resource access control ?
- Is there a better way to do all that ?

Thanks.
Re: [CDO] Setting Security : Authentication & Access control [message #1005657 is a reply to message #1005629] Mon, 28 January 2013 00:19
Eike Stepper
On 27.01.2013 19:35, Jean Rebillat wrote:
> Hi.
> I work for a big French company, in a Research & Technology service. I want to convince a project leader to
> switch from JCR Jackrabbit toward EMF/CDO.
> There are two particular points on which I must be sure of myself when presenting the solution : authentication with
> logins and access control on resources, using our own algorithms.
>
> I have searched the web for a week, trying to understand how to do this in CDO.
> I first tried to start the server with the XML configuration file, but at first I did not understand the way to add
> custom factories.
IFactories can be added to IPluginContainer.INSTANCE programmatically or via contribution to the extension point
org.eclipse.net4j.util.factories.

> I switched to hand-written server code, with almost the same results : it works until I want to add custom elements.
Can you give an example of what exactly you tried and how it failed?

> Falling back to XML configuration, I found this link : https://bugs.eclipse.org/bugs/show_bug.cgi?id=302775
> that works to add custom user management concerning authentication.
You may want to examine the newer ISecurityManager:

380629: Design a default Security model
https://bugs.eclipse.org/bugs/show_bug.cgi?id=380629

Here's a diagram of the underlying Security model:

https://bugs.eclipse.org/bugs/attachment.cgi?id=221070

SecurityManager.java can serve as an example on how to use the low level hooks of an IRepository, in case you want to
plug in your own mechanism:

InternalSessionManager sessionManager = repository.getSessionManager();
sessionManager.setAuthenticator(authenticator);
sessionManager.setPermissionManager(permissionManager);
repository.addHandler(writeAccessHandler);

The security manager is comparatively new. I strongly recommend trying it out in the CDO 4.2 stream!

> My questions so far are :
> - Is the link above still up-to-date to add a user authentication mechanism ?
Yes, but it doesn't cover authorization.

> - Is there described somewhere the same mechanism for resource access control ?
See above.

> - Is there a better way to do all that ?
The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
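As an added illustration of the low-level authenticator hook mentioned above (not code from the thread or from the CDO project), here is a custom authenticator that checks logins against salted PBKDF2 hashes and would be registered with `sessionManager.setAuthenticator(...)`. It assumes a Java 8+ runtime and that `IAuthenticator` is the single-method interface in `org.eclipse.net4j.util.security`; the class name `Pbkdf2Authenticator` and its `enroll` method are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumption: net4j's single-method interface, authenticate(String, char[]) throws SecurityException.
import org.eclipse.net4j.util.security.IAuthenticator;

/** Illustrative authenticator (not part of CDO): verifies logins against salted PBKDF2 hashes. */
public class Pbkdf2Authenticator implements IAuthenticator
{
  private static final int ITERATIONS = 210000; // constructed value, tune for your hardware
  private static final byte[] DUMMY_SALT = new byte[16];
  private static final char[] DUMMY_PASSWORD = { 'x' };

  // userID -> { salt, derived hash }; the clear-text password is never stored
  private final Map<String, byte[][]> users = new ConcurrentHashMap<String, byte[][]>();
  private final SecureRandom random = new SecureRandom();

  public void enroll(String userID, char[] password)
  {
    if (userID == null || password == null || password.length == 0)
    {
      throw new IllegalArgumentException("User ID and a non-empty password are required");
    }
    byte[] salt = new byte[16];
    random.nextBytes(salt);
    users.put(userID, new byte[][] { salt, derive(password, salt) });
  }

  /** Invoked for each login once registered on the session manager; throwing rejects the session. */
  public void authenticate(String userID, char[] password) throws SecurityException
  {
    boolean wellFormed = userID != null && password != null && password.length > 0;
    byte[][] record = wellFormed ? users.get(userID) : null;
    // Always run the derivation so timing does not reveal whether a user ID exists.
    byte[] candidate = derive(wellFormed ? password : DUMMY_PASSWORD, record != null ? record[0] : DUMMY_SALT);
    if (record == null || !MessageDigest.isEqual(candidate, record[1]))
    {
      throw new SecurityException("Access denied"); // same answer for unknown user and wrong password
    }
  }

  private static byte[] derive(char[] password, byte[] salt)
  {
    PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
    try
    {
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    catch (GeneralSecurityException ex)
    {
      throw new SecurityException("Password hashing unavailable: " + ex.getMessage());
    }
    finally
    {
      spec.clearPassword();
    }
  }
}
```

This covers authentication only; access control on resources still goes through the permission manager and write access handler hooks, or through the security manager.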
Re: [CDO] Setting Security : Authentication & Access control [message #1005773 is a reply to message #1005657] Mon, 28 January 2013 11:49
Erdal Karaca
It would be interesting to know why you want to switch from JCR/Jackrabbit to EMF/CDO.
I have heard from people doing the opposite :(

Anyways, you could use JCR as a backend for CDO. But that has to be developed first...
Re: [CDO] Setting Security : Authentication & Access control [message #1005791 is a reply to message #1005657] Mon, 28 January 2013 13:30
Jean Rebillat
Eike Stepper wrote on Mon, 28 January 2013 00:19

The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.


That is what I thought, but putting it in a real project is not that easy for me. The examples are always mixing client and server parts, and refer to things like RepositoryConfig.PROP_TEST_SECURITY_MANAGER that are only part of the example packages.

Using the Factories and the XML file is pretty easy, once I know which extension point to use.

My test base server code - just an aggregation of elements from the examples, to be properly written later - that works is :
public class Server
{
  public static void main(String[] args) throws Exception
  {
    OMPlatform.INSTANCE.setDebugging(false);
    OMPlatform.INSTANCE.addTraceHandler(PrintTraceHandler.CONSOLE);
    OMPlatform.INSTANCE.addLogHandler(PrintLogHandler.CONSOLE);

    Net4jUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the Net4j kernel
    TCPUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the TCP support
    CDONet4jServerUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the CDO server

    String name = "alantea";
    IStore store = createStore(name);
    Map<String, String> properties = createProperties(name);

    IRepository repository = CDOServerUtil.createRepository(name, store, properties);
    CDOServerUtil.addRepository(IPluginContainer.INSTANCE, repository);
    repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);


    Net4jUtil.getAcceptor(IPluginContainer.INSTANCE, "tcp", "0.0.0.0:2036");
    
    Map<String, InternalRepository> maprepo = new HashMap<String, InternalRepository>();
    maprepo.put("test", (InternalRepository) repository);
    CDOServerBrowser br = new CDOServerBrowser(maprepo);
    br.activate();
    final String port = OMPlatform.INSTANCE.getProperty("org.eclipse.emf.cdo.server.browser.port");
    System.out.println("port : "+port+ " "+ br.getPort());
    
    while (System.in.available() == 0)
    {
      Thread.sleep(100);
    }

    LifecycleUtil.deactivate(repository);
    LifecycleUtil.deactivate(IPluginContainer.INSTANCE);
  }

  private static IStore createStore(String name)
  {
    try
    {
      Class.forName("com.mysql.jdbc.jdbc2.optional.MysqlDataSource");
    }
    catch (ClassNotFoundException e)
    {
      // TODO Auto-generated catch block
      e.printStackTrace();
    }
    MysqlDataSource dts = new MysqlDataSource();
    dts.setDatabaseName("cdo1");
    dts.setCreateDatabaseIfNotExist(true);
    dts.setServerName("localhost");
    dts.setUser("cdo1");
    dts.setPassword("cdo1");
    IMappingStrategy mappingStrategy = CDODBUtil.createHorizontalMappingStrategy(true, true);
    IDBAdapter dbAdapter = new MYSQLAdapter();
    IDBConnectionProvider dbConnectionProvider = DBUtil.createConnectionProvider(dts);
    return CDODBUtil.createStore(mappingStrategy, dbAdapter, dbConnectionProvider);
  }

  private static Map<String, String> createProperties(String name)
  {
    Map<String, String> props = new HashMap<String, String>();
    props.put(IRepository.Props.OVERRIDE_UUID, name);
    props.put(IRepository.Props.SUPPORTING_AUDITS, "true");
    props.put(IRepository.Props.SUPPORTING_BRANCHES, "true");
    return props;
  }
}


I do not see - using the examples - where to add a SecurityManager in it.
Re: [CDO] Setting Security : Authentication & Access control [message #1005794 is a reply to message #1005773] Mon, 28 January 2013 13:34
Eike Stepper
On 28.01.2013 17:49, Erdal Karaca wrote:
> It would be interesting to know why you want to switch from JCR/Jackrabbit to EMF/CDO.
> I have heard from people doing the opposite :(
It would be interesting to know why those wanted to switch:P

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Setting Security : Authentication & Access control [message #1005795 is a reply to message #1005773] Mon, 28 January 2013 13:39
Jean Rebillat
Erdal Karaca wrote on Mon, 28 January 2013 11:49
It would be interesting to know why you want to switch from JCR/Jackrabbit to EMF/CDO.
I have heard from people doing the opposite :(


JCR has its good points, I understand people willing to use it. We have used it for a few years, with the CRX-Day wrapper. We have left Day to raw Jackrabbit because the licences were much too expensive for the benefit it was giving us. But Jackrabbit is terribly slow.

The point in switching from JCR to EMF/CDO is to avoid having to maintain the 10 000 lines of code to manage the model elements. I have seen Eike's conferences in Stuttgart and he convinced me that EMF was a terrific advantage for a tool using a data model. Then, using CDO as storage was straightforward. And the test we made on a small amount (50 000) of objects shows that CDO was a lot quicker than JCR for the way we are using it.

Note that another project in my company is using CDO, with timelines and history - but no user management...

[Updated on: Mon, 28 January 2013 13:42]


Re: [CDO] Setting Security : Authentication & Access control [message #1005797 is a reply to message #1005791] Mon, 28 January 2013 14:00
Eike Stepper
On 28.01.2013 19:30, Jean Rebillat wrote:
> Eike Stepper wrote on Mon, 28 January 2013 00:19
>> The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.
>
>
> That is what I thought, but putting it in a real project is not that easy for me. The examples are always mixing
> client and server parts, and refer to things like RepositoryConfig.PROP_TEST_SECURITY_MANAGER that are only part of
> the example packages.
That is correct if you replace "example" with "test" :P

> Using the Factories and the XML file is pretty easy, once I know which extension point to use.
>
> My test base server code - just an aggregation of elements from the examples, to be properly written later - that
> works is :
> public class Server
> {
> public static void main(String[] args) throws Exception
> {
> OMPlatform.INSTANCE.setDebugging(false);
> OMPlatform.INSTANCE.addTraceHandler(PrintTraceHandler.CONSOLE);
> OMPlatform.INSTANCE.addLogHandler(PrintLogHandler.CONSOLE);
>
> Net4jUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the Net4j kernel
> TCPUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the TCP support
> CDONet4jServerUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the CDO server
>
> String name = "alantea";
> IStore store = createStore(name);
> Map<String, String> properties = createProperties(name);
>
> IRepository repository = CDOServerUtil.createRepository(name, store, properties);
> CDOServerUtil.addRepository(IPluginContainer.INSTANCE, repository);
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
>
>
> Net4jUtil.getAcceptor(IPluginContainer.INSTANCE, "tcp", "0.0.0.0:2036");
> Map<String, InternalRepository> maprepo = new HashMap<String, InternalRepository>();
> maprepo.put("test", (InternalRepository) repository);
> CDOServerBrowser br = new CDOServerBrowser(maprepo);
> br.activate();
> final String port = OMPlatform.INSTANCE.getProperty("org.eclipse.emf.cdo.server.browser.port");
> System.out.println("port : "+port+ " "+ br.getPort());
> while (System.in.available() == 0)
> {
> Thread.sleep(100);
> }
>
> LifecycleUtil.deactivate(repository);
> LifecycleUtil.deactivate(IPluginContainer.INSTANCE);
> }
>
> private static IStore createStore(String name)
> {
> try
> {
> Class.forName("com.mysql.jdbc.jdbc2.optional.MysqlDataSource");
> }
> catch (ClassNotFoundException e)
> {
> // TODO Auto-generated catch block
> e.printStackTrace();
> }
> MysqlDataSource dts = new MysqlDataSource();
> dts.setDatabaseName("cdo1");
> dts.setCreateDatabaseIfNotExist(true);
> dts.setServerName("localhost");
> dts.setUser("cdo1");
> dts.setPassword("cdo1");
> IMappingStrategy mappingStrategy = CDODBUtil.createHorizontalMappingStrategy(true, true);
> IDBAdapter dbAdapter = new MYSQLAdapter();
> IDBConnectionProvider dbConnectionProvider = DBUtil.createConnectionProvider(dts);
> return CDODBUtil.createStore(mappingStrategy, dbAdapter, dbConnectionProvider);
> }
>
> private static Map<String, String> createProperties(String name)
> {
> Map<String, String> props = new HashMap<String, String>();
> props.put(IRepository.Props.OVERRIDE_UUID, name);
> props.put(IRepository.Props.SUPPORTING_AUDITS, "true");
> props.put(IRepository.Props.SUPPORTING_BRANCHES, "true");
> return props;
> }
> }
>
> I do not see - using the examples - where to add a SecurityManager in it.
Please try this *before* you activate the repository:

ISecurityManager securityManager = SecurityManagerUtil.createSecurityManager("/security", getServerContainer());
securityManager.setRepository(repository);
LifecycleUtil.activate(securityManager);

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
Re: [CDO] Setting Security : Authentication & Access control [message #1005801 is a reply to message #1005794] Mon, 28 January 2013 14:25
Erdal Karaca
I am not sure if they are happy now... maybe, just a short trip :)

Eike Stepper wrote on Mon, 28 January 2013 19:34
On 28.01.2013 17:49, Erdal Karaca wrote:
> It would be interesting to know why you want to switch from JCR/Jackrabbit to EMF/CDO.
> I have heard from people doing the opposite :(
It would be interesting to know why those wanted to switch:P

[CDO] [Resolved] Setting Security : Authentication & Access control [message #1006146 is a reply to message #1005801] Wed, 30 January 2013 03:48
Jean Rebillat
Thanks for the help.

For memory, I modified the code, just after creating and adding the repository, like this :

    repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
    InternalSecurityManager securityManager = (InternalSecurityManager) SecurityManagerUtil.createSecurityManager("/security",IPluginContainer.INSTANCE);
    securityManager.setRepository((InternalRepository) repository);
    LifecycleUtil.activate(securityManager);

    securityManager.addUser("jean", "aiplus");


With this, I am able to control the access.
Re: [CDO] Setting Security : Authentication & Access control [message #1006300 is a reply to message #1006146] Wed, 30 January 2013 13:01
Jean Rebillat
I have a strange problem with the above code.
It works fine, when the database already exists and is populated with Security tables.
I tried it on another computer, with an empty database, and it did not work as expected.

In fact, to initialize a database, the order of the calls shall be :
    InternalSecurityManager securityManager = (InternalSecurityManager) SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
    securityManager.setRepository((InternalRepository) repository);
    LifecycleUtil.activate(securityManager);

    repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);


but when restarting the server on an existing database, it must be :
    repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);

    InternalSecurityManager securityManager = (InternalSecurityManager) SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
    securityManager.setRepository((InternalRepository) repository);
    LifecycleUtil.activate(securityManager);


Using the second pattern on an empty database leads to :
org.eclipse.net4j.db.DBException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'cdo1.Realm' doesn't exist


Strangely, using first pattern on a populated database does the same.
I must have missed something.
Or else, is there a way to know if a database exists before opening it ?
Re: [CDO] Setting Security : Authentication & Access control [message #1006364 is a reply to message #1006300] Wed, 30 January 2013 23:51
Eike Stepper
On 30.01.2013 19:01, Jean Rebillat wrote:
> I have a strange problem with the above code.
> It works fine, when the database already exists and is populated with Security tables.
> I tried it on another computer, with an empty database, and it did not work as expected.
>
> In fact, to initialize a database, the order of the calls shall be :
> InternalSecurityManager securityManager = (InternalSecurityManager)
> SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
> securityManager.setRepository((InternalRepository) repository);
> LifecycleUtil.activate(securityManager);
>
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
You shouldn't need this call at all. I wonder, though, whether in standalone mode (no extension registry) we should
place this in the security manager:

static
{
SecurityPackage.eINSTANCE.getClass(); // Initialize package in standalone mode
}

Can you please try if this block solves your problem when placed in your main class?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


>
> but when restarting the server on an existing database, it must be :
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
>
> InternalSecurityManager securityManager = (InternalSecurityManager)
> SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
> securityManager.setRepository((InternalRepository) repository);
> LifecycleUtil.activate(securityManager);
>
> Using the second pattern on an empty database leads to :
> org.eclipse.net4j.db.DBException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'cdo1.Realm'
> doesn't exist
>
> Strangely, using first pattern on a populated database does the same.
> I must have missed something.
> Or else, is there a way to know if a database exists before opening it ?
Re: [CDO] Setting Security : Authentication & Access control [message #1006423 is a reply to message #1006364] Thu, 31 January 2013 05:31
Jean Rebillat
That's it !
It works fine.
I will open another post for the following questions.

Many thanks !
Re: [CDO] Setting Security : Authentication & Access control [message #1006460 is a reply to message #1006423] Thu, 31 January 2013 05:43
Eike Stepper
On 31.01.2013 11:31, Jean Rebillat wrote:
> That's it !
> It works fine.
Excellent. Please submit an enhancement request so that I can add that static initializer block to SecurityManager.java!

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper