[CDO] Setting Security : Authentication & Access control (Setting custom authentication & node access control in a CDO server)
| [CDO] Setting Security : Authentication & Access control [message #1005629] |
Sun, 27 January 2013 13:35  |
Jean Rebillat Messages: 10 Registered: December 2010 |
Junior Member |
Hi.
I work for a big French company, in a Research & Technology service. I want to convince a project leader to switch from JCR Jackrabbit toward EMF/CDO.
There are two particular points on which I must be sure of myself when presenting the solution : authentication with logins and access control on resources, using our own algorithms.
I have searched the web for a week, trying to understand how to do this in CDO.
I first tried to start the server with the XML configuration file, but at first I did not understand the way to add custom factories.
I switched to hand-written server code, with almost the same results : it works until I want to add custom elements.
Falling back to XML configuration, I found this link : https://bugs.eclipse.org/bugs/show_bug.cgi?id=302775
that works to add custom user management concerning authentication.
My questions so far are :
- Is the link above still up-to-date to add a user authentication mechanism ?
- Is there described somewhere the same mechanism for resource access control ?
- Is there a better way to do all that ?
Thanks.
| Re: [CDO] Setting Security : Authentication & Access control [message #1005657 is a reply to message #1005629] |
Mon, 28 January 2013 00:19   |
Eike Stepper Messages: 5154 Registered: July 2009 |
Senior Member |
On 27.01.2013 19:35, Jean Rebillat wrote:
> Hi.
> I work for a big French company, in a Research & Technology service. I want to convince a project leader to
> switch from JCR Jackrabbit toward EMF/CDO.
> There are two particular points on which I must be sure of myself when presenting the solution : authentication with
> logins and access control on resources, using our own algorithms.
>
> I have searched the web for a week, trying to understand how to do this in CDO.
> I first tried to start the server with the XML configuration file, but at first I did not understand the way to add
> custom factories.
IFactories can be added to IPluginContainer.INSTANCE programmatically or via contribution to the extension point
org.eclipse.net4j.util.factories.
> I switched to hand-written server code, with almost the same results : it works until I want to add custom elements.
Can you give an example of what exactly you tried and how it failed?
> Falling back to XML configuration, I found this link : https://bugs.eclipse.org/bugs/show_bug.cgi?id=302775
> that works to add custom user management concerning authentication.
You may want to examine the newer ISecurityManager:
380629: Design a default Security model
https://bugs.eclipse.org/bugs/show_bug.cgi?id=380629
Here's a diagram of the underlying Security model:
https://bugs.eclipse.org/bugs/attachment.cgi?id=221070
SecurityManager.java can serve as an example on how to use the low level hooks of an IRepository, in case you want to
plug in your own mechanism:
InternalSessionManager sessionManager = repository.getSessionManager();
sessionManager.setAuthenticator(authenticator);
sessionManager.setPermissionManager(permissionManager);
repository.addHandler(writeAccessHandler);
The security manager is comparatively new. I strongly recommend trying it out in the CDO 4.2 stream!
> My questions so far are :
> - Is the link above still up-to-date to add a user authentication mechanism ?
Yes, but it doesn't cover authorization.
> - Is there described somewhere the same mechanism for resource access control ?
See above.
> - Is there a better way to do all that ?
The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.
Cheers
/Eike
----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper
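An added example, not part of the original thread and not CDO's own code: a custom authenticator of the kind that could be handed to `sessionManager.setAuthenticator(...)` in the reply above, for a site that wants to check logins with its own algorithm. It assumes the Net4j 4.2 `org.eclipse.net4j.util.security.IAuthenticator` interface with the single method `authenticate(String userID, char[] password)`; the class name `Pbkdf2Authenticator`, the `addUser` helper and the iteration count are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.eclipse.net4j.util.security.IAuthenticator;

/** Hypothetical authenticator: checks logins against salted PBKDF2 hashes held in memory. */
public class Pbkdf2Authenticator implements IAuthenticator
{
  private static final int ITERATIONS = 210_000; // constructed work factor, tune for your hardware
  private static final int KEY_BITS = 256;
  // userID -> { salt, expected hash }; a real deployment would load this from its own user store
  private final Map<String, byte[][]> users = new ConcurrentHashMap<String, byte[][]>();

  public void addUser(String userID, byte[] salt, char[] password)
  {
    users.put(userID, new byte[][] { salt.clone(), hash(password, salt) });
  }

  // Assumed IAuthenticator signature (Net4j 4.2); a failed login is signalled by SecurityException
  public void authenticate(String userID, char[] password) throws SecurityException
  {
    byte[][] entry = userID == null ? null : users.get(userID);
    // Hash for unknown users too, so response time does not reveal which logins exist
    byte[] salt = entry != null ? entry[0] : new byte[16];
    byte[] actual = hash(password, salt);
    // MessageDigest.isEqual compares in constant time
    if (entry == null || !MessageDigest.isEqual(entry[1], actual))
    {
      throw new SecurityException("Access denied"); // same message for both failure cases
    }
  }

  private static byte[] hash(char[] password, byte[] salt)
  {
    try
    {
      PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    catch (GeneralSecurityException ex)
    {
      throw new SecurityException(ex);
    }
  }
}
```

An instance would be registered with the `sessionManager.setAuthenticator(...)` call shown in the reply above; authorization still needs the permission manager and write access handler hooks listed there.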
| Re: [CDO] Setting Security : Authentication & Access control [message #1005791 is a reply to message #1005657] |
Mon, 28 January 2013 13:30   |
Jean Rebillat Messages: 10 Registered: December 2010 |
Junior Member |
Eike Stepper wrote on Mon, 28 January 2013 00:19
> The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.
That is what I thought, but putting it in a real project is not that easy for me. The examples are always mixing client and server parts, and refer to things like RepositoryConfig.PROP_TEST_SECURITY_MANAGER that is only part of the example packages.
Using the Factories and the XML file is pretty easy, once I know which extension point to use.
My test base server code - just an aggregation of elements from the examples, to be properly written later - that works is :
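    import java.util.HashMap;
    import java.util.Map;

    import org.eclipse.emf.cdo.security.SecurityPackage;
    import org.eclipse.emf.cdo.server.CDOServerBrowser;
    import org.eclipse.emf.cdo.server.CDOServerUtil;
    import org.eclipse.emf.cdo.server.IRepository;
    import org.eclipse.emf.cdo.server.IStore;
    import org.eclipse.emf.cdo.server.db.CDODBUtil;
    import org.eclipse.emf.cdo.server.db.mapping.IMappingStrategy;
    import org.eclipse.emf.cdo.server.net4j.CDONet4jServerUtil;
    import org.eclipse.emf.cdo.spi.server.InternalRepository;
    import org.eclipse.net4j.Net4jUtil;
    import org.eclipse.net4j.db.DBUtil;
    import org.eclipse.net4j.db.IDBAdapter;
    import org.eclipse.net4j.db.IDBConnectionProvider;
    import org.eclipse.net4j.db.mysql.MYSQLAdapter;
    import org.eclipse.net4j.tcp.TCPUtil;
    import org.eclipse.net4j.util.container.IPluginContainer;
    import org.eclipse.net4j.util.lifecycle.LifecycleUtil;
    import org.eclipse.net4j.util.om.OMPlatform;
    import org.eclipse.net4j.util.om.log.PrintLogHandler;
    import org.eclipse.net4j.util.om.trace.PrintTraceHandler;

    import com.mysql.jdbc.jdbc2.optional.MysqlDataSource;

    public class Server
    {
      public static void main(String[] args) throws Exception
      {
        OMPlatform.INSTANCE.setDebugging(false);
        OMPlatform.INSTANCE.addTraceHandler(PrintTraceHandler.CONSOLE);
        OMPlatform.INSTANCE.addLogHandler(PrintLogHandler.CONSOLE);

        Net4jUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the Net4j kernel
        TCPUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the TCP support
        CDONet4jServerUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the CDO server

        String name = "alantea";
        IStore store = createStore(name);
        Map<String, String> properties = createProperties(name);

        // Create the repository and register it with the container
        IRepository repository = CDOServerUtil.createRepository(name, store, properties);
        CDOServerUtil.addRepository(IPluginContainer.INSTANCE, repository);
        repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);

        // Open the TCP acceptor on all interfaces, port 2036
        Net4jUtil.getAcceptor(IPluginContainer.INSTANCE, "tcp", "0.0.0.0:2036");

        // Start the CDO server browser for this repository
        Map<String, InternalRepository> maprepo = new HashMap<String, InternalRepository>();
        maprepo.put("test", (InternalRepository) repository);
        CDOServerBrowser br = new CDOServerBrowser(maprepo);
        br.activate();
        final String port = OMPlatform.INSTANCE.getProperty("org.eclipse.emf.cdo.server.browser.port");
        System.out.println("port : " + port + " " + br.getPort());

        // Keep running until something is typed on standard input
        while (System.in.available() == 0)
        {
          Thread.sleep(100);
        }

        LifecycleUtil.deactivate(repository);
        LifecycleUtil.deactivate(IPluginContainer.INSTANCE);
      }

      private static IStore createStore(String name)
      {
        try
        {
          Class.forName("com.mysql.jdbc.jdbc2.optional.MysqlDataSource");
        }
        catch (ClassNotFoundException e)
        {
          // TODO Auto-generated catch block
          e.printStackTrace();
        }

        // MySQL data source for the CDO store (test credentials)
        MysqlDataSource dts = new MysqlDataSource();
        dts.setDatabaseName("cdo1");
        dts.setCreateDatabaseIfNotExist(true);
        dts.setServerName("localhost");
        dts.setUser("cdo1");
        dts.setPassword("cdo1");

        IMappingStrategy mappingStrategy = CDODBUtil.createHorizontalMappingStrategy(true, true);
        IDBAdapter dbAdapter = new MYSQLAdapter();
        IDBConnectionProvider dbConnectionProvider = DBUtil.createConnectionProvider(dts);
        return CDODBUtil.createStore(mappingStrategy, dbAdapter, dbConnectionProvider);
      }

      private static Map<String, String> createProperties(String name)
      {
        Map<String, String> props = new HashMap<String, String>();
        props.put(IRepository.Props.OVERRIDE_UUID, name);
        props.put(IRepository.Props.SUPPORTING_AUDITS, "true");
        props.put(IRepository.Props.SUPPORTING_BRANCHES, "true");
        return props;
      }
    }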
I do not see - using the examples - where to add a SecurityManager in it.
| Re: [CDO] Setting Security : Authentication & Access control [message #1005795 is a reply to message #1005773] |
Mon, 28 January 2013 13:39   |
Jean Rebillat Messages: 10 Registered: December 2010 |
Junior Member |
Erdal Karaca wrote on Mon, 28 January 2013 11:49
> It would be interesting to know why you want to switch from JCR/Jackrabbit to EMF/CDO.
> I have heard from people doing the opposite
JCR has its good points, I understand people willing to use it. We have used it for a few years, with the CRX-Day wrapper. We have left Day to raw Jackrabbit because the licences were much too expensive for the benefit it was giving us. But Jackrabbit is terribly slow.
The point in switching from JCR to EMF/CDO is to avoid having to maintain the 10 000 lines of code to manage the model elements. I have seen Eike's conferences in Stuttgart and he convinced me that EMF was a terrific advantage for a tool using a data model. Then, using CDO as storage was straightforward. And the test we made on small amount (50 000) objects shows that CDO was a lot quicker than JCR for the way we are using it.
Note that another project in my company is using CDO, with timelines and history - but no user management...
[Updated on: Mon, 28 January 2013 13:42]
| Re: [CDO] Setting Security : Authentication & Access control [message #1005797 is a reply to message #1005791] |
Mon, 28 January 2013 14:00   |
Eike Stepper Messages: 5154 Registered: July 2009 |
Senior Member |
On 28.01.2013 19:30, Jean Rebillat wrote:
> Eike Stepper wrote on Mon, 28 January 2013 00:19
>> The security manager is the best way we ship. Additional requirements can be implemented with the low level hooks.
>
>
> That is what I thought, but putting it in a real project is not that easy for me. The examples are always mixing
> client and server parts, and refer to things like RepositoryConfig.PROP_TEST_SECURITY_MANAGER that is only part of
> the example packages.
That is correct if you replace "example" with "test" :P
> Using the Factories and the XML file is pretty easy, once I know which extension point to use.
>
> My test base server code - just an aggregation of elements from the examples, to be properly written later - that
> works is :
> public class Server
> {
> public static void main(String[] args) throws Exception
> {
> OMPlatform.INSTANCE.setDebugging(false);
> OMPlatform.INSTANCE.addTraceHandler(PrintTraceHandler.CONSOLE);
> OMPlatform.INSTANCE.addLogHandler(PrintLogHandler.CONSOLE);
>
> Net4jUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the Net4j kernel
> TCPUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the TCP support
> CDONet4jServerUtil.prepareContainer(IPluginContainer.INSTANCE); // Prepare the CDO server
>
> String name = "alantea";
> IStore store = createStore(name);
> Map<String, String> properties = createProperties(name);
>
> IRepository repository = CDOServerUtil.createRepository(name, store, properties);
> CDOServerUtil.addRepository(IPluginContainer.INSTANCE, repository);
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
>
>
> Net4jUtil.getAcceptor(IPluginContainer.INSTANCE, "tcp", "0.0.0.0:2036");
> Map<String, InternalRepository> maprepo = new HashMap<String, InternalRepository>();
> maprepo.put("test", (InternalRepository) repository);
> CDOServerBrowser br = new CDOServerBrowser(maprepo);
> br.activate();
> final String port = OMPlatform.INSTANCE.getProperty("org.eclipse.emf.cdo.server.browser.port");
> System.out.println("port : "+port+ " "+ br.getPort());
> while (System.in.available() == 0)
> {
> Thread.sleep(100);
> }
>
> LifecycleUtil.deactivate(repository);
> LifecycleUtil.deactivate(IPluginContainer.INSTANCE);
> }
>
> private static IStore createStore(String name)
> {
> try
> {
> Class.forName("com.mysql.jdbc.jdbc2.optional.MysqlDataSource");
> }
> catch (ClassNotFoundException e)
> {
> // TODO Auto-generated catch block
> e.printStackTrace();
> }
> MysqlDataSource dts = new MysqlDataSource();
> dts.setDatabaseName("cdo1");
> dts.setCreateDatabaseIfNotExist(true);
> dts.setServerName("localhost");
> dts.setUser("cdo1");
> dts.setPassword("cdo1");
> IMappingStrategy mappingStrategy = CDODBUtil.createHorizontalMappingStrategy(true, true);
> IDBAdapter dbAdapter = new MYSQLAdapter();
> IDBConnectionProvider dbConnectionProvider = DBUtil.createConnectionProvider(dts);
> return CDODBUtil.createStore(mappingStrategy, dbAdapter, dbConnectionProvider);
> }
>
> private static Map<String, String> createProperties(String name)
> {
> Map<String, String> props = new HashMap<String, String>();
> props.put(IRepository.Props.OVERRIDE_UUID, name);
> props.put(IRepository.Props.SUPPORTING_AUDITS, "true");
> props.put(IRepository.Props.SUPPORTING_BRANCHES, "true");
> return props;
> }
> }
>
> I do not see - using the examples - where to add a SecurityManager in it.
Please try this *before* you activate the repository:
ISecurityManager securityManager = SecurityManagerUtil.createSecurityManager("/security", getServerContainer());
securityManager.setRepository(repository);
LifecycleUtil.activate(securityManager);
Cheers
/Eike
| Re: [CDO] Setting Security : Authentication & Access control [message #1006300 is a reply to message #1006146] |
Wed, 30 January 2013 13:01   |
Jean Rebillat Messages: 10 Registered: December 2010 |
Junior Member |
I have a strange problem with the above code.
It works fine when the database already exists and is populated with Security tables.
I tried it on another computer, with an empty database, and it did not work as expected.
In fact, to initialize a database, the order of the calls shall be :
InternalSecurityManager securityManager = (InternalSecurityManager) SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
securityManager.setRepository((InternalRepository) repository);
LifecycleUtil.activate(securityManager);
repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
but when restarting the server on an existing database, it must be :
repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
InternalSecurityManager securityManager = (InternalSecurityManager) SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
securityManager.setRepository((InternalRepository) repository);
LifecycleUtil.activate(securityManager);
Using the second pattern on an empty database leads to :
org.eclipse.net4j.db.DBException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'cdo1.Realm' doesn't exist
Strangely, using first pattern on a populated database does the same.
I must have missed something.
Or else, is there a way to know if a database exists before opening it ?
| Re: [CDO] Setting Security : Authentication & Access control [message #1006364 is a reply to message #1006300] |
Wed, 30 January 2013 23:51   |
Eike Stepper Messages: 5154 Registered: July 2009 |
Senior Member |
On 30.01.2013 19:01, Jean Rebillat wrote:
> I have a strange problem with the above code.
> It works fine when the database already exists and is populated with Security tables.
> I tried it on another computer, with an empty database, and it did not work as expected.
>
> In fact, to initialize a database, the order of the calls shall be :
> InternalSecurityManager securityManager = (InternalSecurityManager)
> SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
> securityManager.setRepository((InternalRepository) repository);
> LifecycleUtil.activate(securityManager);
>
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
You shouldn't need this call at all. I wonder, though, whether in standalone mode (no extension registry) we should
place this in the security manager:
static
{
SecurityPackage.eINSTANCE.getClass(); // Initialize package in standalone mode
}
Can you please try if this block solves your problem when placed in your main class?
Cheers
/Eike
>
> but when restarting the server on an existing database, it must be :
> repository.getPackageRegistry().putEPackage(SecurityPackage.eINSTANCE);
>
> InternalSecurityManager securityManager = (InternalSecurityManager)
> SecurityManagerUtil.createSecurityManager("/security", IPluginContainer.INSTANCE);
> securityManager.setRepository((InternalRepository) repository);
> LifecycleUtil.activate(securityManager);
>
> Using the second pattern on an empty database leads to :
> org.eclipse.net4j.db.DBException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'cdo1.Realm'
> doesn't exist
>
> Strangely, using first pattern on a populated database does the same.
> I must have missed something.
> Or else, is there a way to know if a database exists before opening it ?