1. First off how do we want to handle the demotion or elevation of permissions,groups rather. Say an admin goes to just an editor or an editor goes to admin, currently there will be no change on Roller.
2. If user has permissions for the application but is not part of a group, currently it gives editor roles; does that work? If not we need to make a that change.
3. Old users can continue to use thier Roller accounts, if the user is a user of the Roller application in Crowd they will authenticate through Crowd. This is as long as the two accounts have the same
user name. Once authenticated through Crowd, Roller Authentication will not work. So if Crowd goes down and all users are in Crowd then no one will be able to enter the site. Recommendation is to have
at least one admin user that doesn't have an account in Crowd, this way there will always be a way in.
4. If the crowd.properties file is not on the classpath then we never use crowd to authenticate, however if you have users that were authenticated through crowd then they will not be able to login.
5. If the user exists in Crowd and has permissions to access Roller and Roller doesn't contain this user account then a new user will be registered automatically; if no groups are setup then the user
will have editor role, if the user is part of a group that contains the string "admin" or "ADMIN" then that user will be given Admin rights.
6. Here is an example crowd.properties file, currently we get the file every time there is a need for it; so that resource will be continually accessed. If this is problem, which I can understand I can
create a singleton that will hanlde the crowd.properties file and only load it once. This means if any changes are made to the file we have to restart the application.
#end required fields
#this setting allows the use of https, defaults to false; not present we will use plain socket.
You can add this file the same way you add the roller-custom.properties. TimeZone and Locale are not required, but standard format.
7. These are the settings that need to be set in the roller-custom.properties to enable the use of Crowd Authentication:
- Crowd Auth, need these settings to be enabled
If these are not set Crowd authentication will not work correctly. The AutoProvision is what makes this all work, the users from Crowd and not in Roller will be saved to Rollers db the first time the log in. The reason this is needed
is so that permissions can be written for Roller. Will still need to add some code to ensure when users get promoted or demoted, those changes make it to the Roller DB.
Please see attached files as they contain these changes and are in sync with Trunk, as of today. We can extend this functionality but here is working starting point.