On 02/06/14 14:45, Jesse Eichar wrote:
On Thu, Feb 6, 2014 at 2:17 PM, Landry Breuil <breuil@anonymised.com
<mailto:breuil@anonymised.com>> wrote:
On 02/06/14 14:11, Jesse Eichar wrote:
Yes i also thought about this, but it's a bit awkward if
you want to
have multiple values for the given new field. Say, user a
could be in
groups g1 and g2, being able to write to workspaces g1* and
g2* - that's
doable if you have a mapping on groups (and then, an
additional table,
like the existing user groups) but not really possible with
a single
field (or you cheat and concatenate values in a single
field having
'g1,g2' value - which is a bit gross IMO)
I was talking about a Java object field, which could be a
collection.
It would be read direct from LDAP, it doesn't ahve to be in
the database.
Right, but in that case, how would you populate it without being
tied to a ldap ?
In Spring-security the code that loads users is a strategy and is
configured in the config-security***.xml files.
You would change the existing LDAP code that loads the users to populate
your new field/collection in User.
By default the field in the User object will be empty and you can add
some default behaviour if it is empty (or you can provide some defaults
for the field).
Then in the future if there is a system where the Geoserver and
Geonetwork authorithies are loaded from a Non-LDAP source (eg database,
github account, google account, whatever). The future developer will
slot in his implementation code for the User loading code.
That means the LDAP dependency stays at the User loading site and does
not spread itself further into the code base creating a tighter link to
LDAP.
Does that make sense?
Currently the LDAP strategy is set by including config-security-ldap.xml
in the config-security.xml file.
AbstractLDAPUserDetailsContextMapper has much of the common code for
doing the LDAP access but there are a couple utility classes and subclasses.
I see more or less how all that stuff works, so to summarize for you it'd be:
- add a new mapping in config-security-overrides.properties to map a new ldap attr to a new user field/collection, defaulting to empty
- modify one (or create a new?) of the ldapUserContextMapper (here i use the one with profile search) in config-security-ldap.xml to load that field into one of the attributes of the ContextMapper class
- store that information in a new field in the user database table (or cheat and reuse an existing one, in my case that would map to organisation)
- use it in the geopublisher code to know in which geoserver workspace the user can write
But then, how do you handle multiple values in the database table, how do you store them in a single ldap attr, and how does a java Collection helps here ? there has to be some serialization at some point..
Or, to handle multiple values, it has to be a new table mapping uids to geoserver workspaces, like it's done for geonetwork groups.
Since i'm going to probably move the geoserver node configuration to a new database table, that would be 'simple' to map uids to geoserver node ids..
--
Landry Breuil
Mouton a 5 pattes du CRAIG