Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0
    • Component/s: User Management
    • Labels:
      None
    1. rol-1733-v5.zip
      2.61 MB
      David Johnson
    2. rol-1733-v4.zip
      2.56 MB
      David Johnson

      Activity

      Glen Mazza added a comment -

      Closed issues related to Roller 5.0 release.

      David Johnson added a comment -

      URL: http://svn.apache.org/viewvc?rev=826926&view=rev
      Log: Apparently, OpenID4Java has a hard dependency on Apache Xerces. Bummer.

      Added Xerces back and things work again.

      David Johnson added a comment -

      Regression caused by upgrade to latest Spring. On attempting to login via OpenID I get this:

      Oct 18, 2009 1:47:56 PM org.apache.catalina.core.StandardWrapperValve invoke
      SEVERE: Servlet.service() for servlet default threw exception
      java.lang.ClassNotFoundException: org.apache.xerces.parsers.DOMParser
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:399)

      I will investigate.

      David Johnson added a comment -

      Implemented and now in Roller trunk

      Anil Gangolli added a comment -

      Screenshots posted on cwiki showed minor grammatical errors in the paragraph below "How will you be authenticated" for the hybrid version. This can be corrected after the initial commit. Haven't had a chance to review the code yet.

      David Johnson added a comment -

      Attached rol-1733-v5.zip, which is designed to be extracted into the trunk directory of Roller; it contains the files below. After you extract, apply the patch.

      rol-1733-v5.patch
      tools/spring-2.5/spring-security-taglibs-2.0.3.jar
      tools/spring-2.5/spring-security-core-2.0.3.jar
      tools/spring-2.5/spring-security-openid-2.0.3.jar
      tools/spring-2.5/spring-security-acl-2.0.3.jar
      tools/lib/openxri-syntax.jar
      tools/lib/dom3-xercesImpl.jar
      tools/lib/java-openid-sxip.jar
      tools/lib/ehcache-1.4.1.jar
      tools/lib/nekohtml.jar
      tools/lib/apache-xml-security.jar
      tools/lib/dom3-xml-apis.jar
      tools/lib/openxri-client.jar

      David Johnson added a comment -

      Uploading Tatyana's v4 patch and all required jars as one ZIP file bundle. Soon I will upload a v5 patch that (I contend) is ready for commit to trunk.

      David Johnson added a comment -

      Continuing my previous comment, I've fixed the remaining four issues. I'm ignoring the "After initial login, when you return to login page somehow the username field is being populated with your OpenID URL" issue, because I believe it is caused by the browser. I'll post a new patch and a bundle of supporting jars tomorrow eve.

      Here are the four remaining (on my list) issues I fixed:

      3) Problem: Requires Spring Security 2.1, which is not due out for a long time
      See this - http://jira.springframework.org/browse/SEC-935

      Solution: We only need 2.1 for the OpenID registration extension stuff,
      which can pre-populate the new user registration form. So for now we can
      use Spring Security 2.0.3 (the latest) and comment out the registration stuff
      in Register.java and CustomOpenIDAuthenticationProcessingFilter.java.

      4) Locale/TZ should be populated by browser or server information and should
      not default to Albanian/ACT.

      Solution: populate the profile with locale from browser and timezone from
      the server as defaults.

      5) Configuration does not allow enough options for OpenID.

      Solution: make it possible to support these three configurations:

      • OpenID disabled: completely turn off OpenID
      • OpenID hybrid: allow username/password and OpenID logins
      • OpenID only: allow login via OpenID only.

      6) Problem: Login and Registration pages do not explain the OpenID field.

      Solution: add text to explain the login situation, which will differ
      depending on the OpenID configuration. Also, rearranged and grouped the
      fields on the new user registration page to better explain the situation.

      David Johnson added a comment -

      I've been reviewing Tatyana's latest patch. It works, but it needs some work before it can be committed to trunk. Here are the problems/issues found and my proposed solutions for some. The ones with numbers are fixed in my workspace. Once I work through these issues I'll create a new patch and try to get consensus to commit it.

      1) Problem: Requires modified version of Spring Security XSD file which won't
      be available until Spring Security 2.0.4 is due out. The 2.0.1 schema files
      did not have OPENID_PROCESSING_FILTER.
      See this - http://jira.springframework.org/browse/SEC-927

      Solution: Use the file src/META-INF/spring.schemas to override
      the XSD included in the Spring Security jar with the one in
      web/WEB-INF/classes/spring-security-2.0.1-openidfix.xsd.

      2) Problem: URL with "/" at end vs. those without
      Solution: always strip trailing slash before storing or comparing OpenID URLs

      *) Problem: Requires Spring Security 2.1, which is not due out for a long time
      See this - http://jira.springframework.org/browse/SEC-935

      Solution: We only need to wait for the Attribute Exchange stuff, which can
      pre-populate the new user registration form. So for now we can use Spring
      Security 2.0.3 (the latest) and comment out the attribute exchange code.

      *) Problem: Login page does not explain the OpenID user name field.

      Solution: add text to explain that user can login with either
      username/password OR OpenID. Also, add OpenID icon to OpenID field.

      *) Problem: Login page. After initial login, when you return to login page somehow
      the username field is being populated with your OpenID URL, which should
      go in the OpenID username field.

      Solution: UNKNOWN. Could be caused by the browser?

      *) Problem: User attributes are stashed in hashtable in UserManager interface.

      Solution: UNKNOWN. Store in session instead?

      *) Problem: New user registration, if you choose to register using your OpenID
      then you should not have to enter a password.

      Solution: UNKNOWN. Allow both password and OpenID?

      *) Locale/TZ should be populated by browser or server information and should
      not default to Albanian/ACT.

      Solution: UNKNOWN, but probably an easy fix.

      *) Configuration does not allow enough options for OpenID. I would like to make
      it possible to support these three configurations:

      • OpenID disabled: completely turn off OpenID
      • OpenID hybrid: allow username/password and OpenID logins
      • OpenID only: allow login via OpenID only.
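
The trailing-slash rule and the three OpenID configurations from the review comment above, sketched in Java as an added example; this is not code from the Roller patch, and the names OpenIdLoginPolicy, Mode, Credential, allows, normalize and sameIdentity are hypothetical. It goes slightly beyond the comment by also lower-casing the scheme and host and dropping any fragment, so that stored and presented identifiers compare equal only when they name the same URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Added illustration, not Roller code; all names here are hypothetical. */
public class OpenIdLoginPolicy {

    /** The three configurations listed in the comment. */
    public enum Mode { DISABLED, HYBRID, ONLY }

    /** Which kind of credential a login attempt presents. */
    public enum Credential { PASSWORD, OPENID }

    /** Decide server-side whether a login attempt is permitted in this mode. */
    public static boolean allows(Mode mode, Credential credential) {
        switch (mode) {
            case DISABLED: return credential == Credential.PASSWORD;
            case HYBRID:   return true;
            case ONLY:     return credential == Credential.OPENID;
            default:       return false; // fail closed on an unknown mode
        }
    }

    /** Canonical form used both when storing and when comparing OpenID URLs. */
    public static String normalize(String claimed) {
        if (claimed == null) {
            throw new IllegalArgumentException("missing OpenID URL");
        }
        URI uri;
        try {
            uri = new URI(claimed.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a URL: " + claimed, e);
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null || uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("unsupported OpenID URL: " + claimed);
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        // The rule from the comment: strip trailing slashes before storing or comparing.
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        while (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        StringBuilder out = new StringBuilder(scheme).append("://")
                .append(host.toLowerCase(Locale.ROOT)); // host is case-insensitive
        if (uri.getPort() != -1) {
            out.append(':').append(uri.getPort());
        }
        out.append(path); // path stays case-sensitive
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        return out.toString(); // fragment intentionally dropped
    }

    /** Compare a stored identifier with the one presented at login. */
    public static boolean sameIdentity(String stored, String presented) {
        return normalize(stored).equals(normalize(presented));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        String stored = normalize("http://example.org/roller/");
        System.out.println(stored);
        System.out.println(sameIdentity(stored, "HTTP://Example.org/roller"));
        System.out.println(sameIdentity(stored, "http://example.org/Roller"));
        System.out.println(allows(Mode.ONLY, Credential.PASSWORD));
        System.out.println(allows(Mode.HYBRID, Credential.OPENID));
    }
}
```

Calling normalize at both write time and lookup time keeps the two sides consistent; checking allows in the server-side login handler, not just in the login page, keeps a disabled method from being reachable by a direct request.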
      Tatyana Tokareva added a comment -

      I've added the spring security openID package patch, which allows simple registration extension

      Tatyana Tokareva added a comment -

      To check progress on the official library you can refer to http://jira.springframework.org/browse/SEC-935
      The existing official patch actually doesn't work at all (that's what Luke Taylor is talking about), so I had to make a library by myself.
      The official library release date is still unknown (it was planned to include it in the spring-security 2.0.4, but now the release moved to the 2.1)
      I will also upload my library's source code.

      David Johnson added a comment -

      Thanks for the v4 patch and jars Tatyana. I've got your code working now.

      Where did you download the jar "spring-security-openid-2.0.2-regext.jar"?

      Do you know when the final version of that jar and the new Spring Security XSD files will finally be released?

      - Dave

      Tatyana Tokareva added a comment -

      As subversion diff cannot include binary files, I've attached all the necessary libraries

      Tatyana Tokareva added a comment -

      should be placed in the tools\spring-2.5 directory

      Tatyana Tokareva added a comment -

      should be placed in the tools\lib directory

      Tatyana Tokareva added a comment -

      should be placed in the tools\lib directory

      Tatyana Tokareva added a comment -

      should be placed in the tools\lib directory

      David Johnson added a comment -

      Here are some initial comments on this patch and the GSoC submission in general:

      • Patch does not include the new Spring XSDs required to run code
        (I had to download them myself and add them to the build)
      • Patch does not include jars required to run code
        (I downloaded them myself from various locations and I'm not certain they are the correct ones)
      • Project proposal was never updated to match what is implemented in the patch
        (it still references the OpenID specific methods that no longer exist)
      • No documentation has been provided, though documentation was specified in the plan
      • Even after adding the required XSD and jars, patch does not work. When I attempt to login via OpenID, I am never directed to my OpenID provider's login page and when the Roller login page appears I get a "Wrong username and password combination" error and my OpenID URL appears in the Username field instead of the OpenID URL field. Also, this error appears in the logs:

      ERROR 2008-08-19 11:25:56,973 OpenIDAuthenticationProcessingFilter:determineFailureUrl -
      Unable to consume claimedIdentity http://rollerweblogger.org/roller
      org.springframework.security.ui.openid.OpenIDConsumerException: Error processing ConumerManager authentication
      at org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:115)
      at org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter.determineFailureUrl(OpenIDAuthenticationProcessingFilter.java:111)
      at org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter.unsuccessfulAuthentication(OpenIDAuthenticationProcessingFilter.java:189)
      at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:253)
      at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      ...
      Caused by: org.openid4java.message.MessageException: 769:
      Realm verification failed for: http://macsnoopdave:8080/roller/roller_j_openid_security_check
      at org.openid4java.message.AuthRequest.validate(AuthRequest.java:358)
      at org.openid4java.message.AuthRequest.createAuthRequest(AuthRequest.java:101)
      at org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:1000)
      at org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:937)
      at org.springframework.security.ui.openid.consumers.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:112)
      ... 35 more

      (I was able to login with an earlier version of the patch, so this appears to be a regression)

      David Johnson added a comment -

      I'm evaluating the patch now for GSoC final evaluation week and will report back ASAP.

      Thanks,

      - Dave

      Tatyana Tokareva added a comment -

      I've attached a new patch, which allows roller to support OpenID login and registration using simple registration extension.

      Note if you are gonna use the patch you'll need to change the schema file reference in the security.xml and download a new spring-security-openid-2.0.2-regext.jar library, attached to the issue.

      Tatyana Tokareva added a comment -

      Below are comments on what has been changed and added in the second version of the patch.

      I've managed to make openid url an editable option for user.
      I've also taken the comments on the previous patch into account and made some changes in the code.

      When a new user logs in via an OpenID URL, after successful login on the provider's website he is redirected to the registration page (I had to specify exception mappings in the security.xml to make it work). I want to prefill fields on this page with data retrieved from the OpenID provider with the help of the Simple Registration Extension.
      It is not supported officially in the spring security library yet, so I had to make it myself.
      By now they've created a patch in response to my issue ( jira http://jira.springframework.org/browse/SEC-935 ) and I've switched to the official version, but I had to change the code a little bit to make the library work. User attributes are saved in the OpenIDAuthenticationToken as a User object and its method getPrincipal() returns this object.
      Right now I'm trying to find a way to retrieve this object in the Register action to prefill fields.
      Could someone suggest the right approach?

      I also had to put some openid-specific code into the RollerSession - I can't make up my mind right now how to get rid of it.
      Also maybe it will be better to put user attributes in some kind of properties file.

      Note if you are gonna use the patch you'll need to change the schema file reference in the security.xml
      ( http://jira.springframework.org/browse/SEC-927 )

      David Johnson added a comment -

      Here are some comments on the 1st patch (July 8, 2008)

      • createdb.vm
        • New table should be named roller_userattibute to match Roller conventions
        • Also need to add table to 400-to-410-migration.vm script
      • build.xml / properties.xmlf
        • Put new OpenID jars in directory tools/openid4java
      • JPAUserManagerImpl
        • Adding logic to getUserByUserName() does not seem like the right approach.
          How about getUserWithAttributeValue(String attrName, String attrValue)?
        • No need for new query "User.getById" – that's what getUserById() does
      • Login.jsp
        • Need to add I18N strings to WEB-INF/classes/ApplicationResources.properties
      • User.java
        • It's not clear that we need to add a user attributes array here

      Tatyana Tokareva added a comment -

      OpenID support using built-in Spring Security 2.0 OpenID login system


        People

        • Assignee: David Johnson
        • Reporter: David Johnson
        • Votes: 1
        • Watchers: 2