From: Peter C. <Pet...@me...> - 2006-07-01 22:26:07

> From: Sean Mehan
> Of course, that depends on PC to a large extent. Any idea when he
> gets back?

Monday, although I'm slowly catching up on email before that when I can. There appear to be a number of fires to fight when I get back into the office.

- Peter

From: Selwyn L. <sel...@ph...> - 2006-06-30 10:02:57

Sounds like he is consuming moodle web services in a Java WS client

Adam Marshall wrote:

>In message <44A...@ou...> wl...@ma... writes:
>
>>http://moodle.org/mod/forum/discuss.php?d=44079
>>
>>Interesting read. People are hitting problems because moodle error
>>messages are HTML...
>>
>>--
>>  -- Matthew Buckett, VLE Developer
>>  -- Learning Technologies Group, Oxford University Computing Services
>>  -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
>
>What do you make of "Rudi's" posting:
>
>"So, have far have this SOAP project going?
>
>I have been asked to build Java application that will do a lot of moodle's
>functionality. Rather than building the application from scratch, I think I will
>just use what Moodle has provide us, and scale from there.
>Since I'm using Java, I'll need Moodle to be exposed as a web service. So I'd be
>happy to help you completing this project.
>
>Rudi"
>
>is he writing moodle in Java?
>
>adam
>--
>Dr AC Marshall (Bodington developer) OUCS, 13, Banbury Rd. Oxford. OX2 6NN
>  Cheese of the month: Smoked Wensleydale
>
>Using Tomcat but need to do more? Need to support web services, security?
>Get stuff done quickly with pre-integrated technology to make your job easier
>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>_______________________________________________
>Bodington-developers mailing list
>Bod...@li...
>https://lists.sourceforge.net/lists/listinfo/bodington-developers

--
Selwyn Lloyd
Phosphorix
Open Source Systems for Lifelong Learning
tel: 07979240124
irc://irc.ionode.org
support channel: #ionode
support email: de...@ph...
web: http://www.phosphorix.co.uk
forum: http://forum.ionetwork.ac.uk

From: Alistair Y. <ali...@sm...> - 2006-06-30 09:59:33

> is he writing moodle in Java?
no coz of this:
> I'll need Moodle to be exposed as a web service
whatever that means

Sounds like he's doing for moodle what we're doing for tetra, i.e. Service-ify the moodle "tools"? and use a new framework to tie them together. He's wrapping Moodle in Java.

Analogy:
The Guanxi IdP does what Bod does - it authenticates you against the bod database. However, it doesn't:
> building the application from scratch
instead, it:
> use what Moodle has provide
s/Moodle/Bod
i.e. it loads the bod authenticator as a "service" and uses it to auth you.

Sounds like he's doing the same sort of thing for Moodle.

Alistair

On 30 Jun 2006, at 10:49, Adam Marshall wrote:

> In message <44A...@ou...> wl-
> te...@ma... writes:
>> http://moodle.org/mod/forum/discuss.php?d=44079
>>
>> Interesting read. People are hitting problems because moodle error
>> messages are HTML...
>>
>> --
>>   -- Matthew Buckett, VLE Developer
>>   -- Learning Technologies Group, Oxford University Computing Services
>>   -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
>
> What do you make of "Rudi's" posting:
>
> "So, have far have this SOAP project going?
>
> I have been asked to build Java application that will do a lot of moodle's
> functionality. Rather than building the application from scratch, I think I will
> just use what Moodle has provide us, and scale from there.
> Since I'm using Java, I'll need Moodle to be exposed as a web service. So I'd be
> happy to help you completing this project.
>
> Rudi"
>
> is he writing moodle in Java?
>
> adam
> --
> Dr AC Marshall (Bodington developer) OUCS, 13, Banbury Rd. Oxford. OX2 6NN
>   Cheese of the month: Smoked Wensleydale

From: Adam M. <ada...@co...> - 2006-06-30 09:49:19

In message <44A...@ou...> wl...@ma... writes:
> http://moodle.org/mod/forum/discuss.php?d=44079
>
> Interesting read. People are hitting problems because moodle error
> messages are HTML...
>
> --
>   -- Matthew Buckett, VLE Developer
>   -- Learning Technologies Group, Oxford University Computing Services
>   -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

What do you make of "Rudi's" posting:

"So, have far have this SOAP project going?

I have been asked to build Java application that will do a lot of moodle's functionality. Rather than building the application from scratch, I think I will just use what Moodle has provide us, and scale from there.
Since I'm using Java, I'll need Moodle to be exposed as a web service. So I'd be happy to help you completing this project.

Rudi"

is he writing moodle in Java?

adam
--
Dr AC Marshall (Bodington developer) OUCS, 13, Banbury Rd. Oxford. OX2 6NN
  Cheese of the month: Smoked Wensleydale

From: Sean M. <se...@sm...> - 2006-06-29 17:54:45

I don't think sakai folks want to come to an ent sig. bod, maybe, but let's discuss the merits of joining with sakai as tetra before we get bunches of sakai folks to a boring but necc bod dev meeting?

s

On 28 Jun 2006, at 15:39, Selwyn Lloyd wrote:

> I'm happy either way for those watching the enterprise sig list also, i
> think it would be good to combine meetings and invite Sakai folks.
>
> Adam Marshall wrote:
>
>> Can I just draw everybody's attention to the date & location dev meet:
>>
>> 17 oct in Exeter [Selwyn's shed (or equivalent!)]
>>
>> See http://bodington.org/wiki/index.php?title=DevMeet17Oct06
>
> --
> Selwyn Lloyd
> Phosphorix
> Open Source Systems for Lifelong Learning
> tel: 07979240124
> irc://irc.ionode.org
> support channel: #ionode
> support email: de...@ph...
> web: http://www.phosphorix.co.uk
> forum: http://forum.ionetwork.ac.uk

From: Colin T. <col...@ou...> - 2006-06-29 17:10:08

Dunno anything about it (apart from messages from Tomcat that it can't be found) but is it worth looking at the Apache Tomcat Native library:

"INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found"...

Colin

M Thomas wrote:
> Already done Jon... ;o)
>
> Thanks guys, was just checking... but it seems you're all in agreement
> that tomcat performs well with out too much config!
>
> M.
>
> On 28/06/06, Jon Maber <jo...@te...> wrote:
>
>>Atif Suleman wrote:
>>
>>>>Anyway, in the general scheme of things, one is far more likely to
>>>>encounter performance problems with the database rather than the servlet
>>>>container (if we're talking about bodington here!).
>>>>
>>>>I presume you're running on JDK 1.5, anyway, the combination with that
>>>>should mean that things are running faster than Tomcat 5.0 + J2SDK
>>>>v1.4.2 anyway.
>>>>
>>>>Other than that, I don't have any particular tips. I don't think it's
>>>>generally regarded as a slouch in the performance department.
>>>>
>>>>Alexis
>>>
>>>yep.
>>
>>Most obvious tip - use JAVA_OPTS environment variable to set the size of
>>the JVM heap to much bigger than the default, including the option to
>>set the initial heap to the maximum too.
>>
>>Jon

--
____________________________________
Colin Tatham
VLE Team
Oxford University Computing Services
http://www.oucs.ox.ac.uk/ltg/vle/
http://bodington.org

From: Atif S. <BM...@bm...> - 2006-06-29 16:59:10

Alistair Young wrote:

>I think whole site is a no no for us. Our users would go radio rental!
>
>Also, there's no way to login as sysadmin with the whole site approach. As
>we've seen, being a member of the sysadmins group is not the same as being
>the sysadmin user.
>
>How do the bio lot get in as sysadmin?

sysadmin uses the /opensite/* url which is not protected by the guard.

>>>do you have a spare room up at Oxford where I lock up bio
>>>department users???
>>
>>can offer a cave on the Isle of Eigg!

Cool. Expect a load of users to be coming to the cave on the Isle of Eigg!

Thanks. :-)

From: Sean M. <se...@sm...> - 2006-06-29 16:53:11

This needs to be written up somewhere (wiki, readme.txt in sp dir on code) that this is a feature/limitation of 2.8 implementation so that anyone pulling it down can figure out what is happening.

Atif, do you want to take a stab at writing it up on the wiki?

thanks,

s

On 29 Jun 2006, at 17:49, Atif Suleman wrote:

>>> The single url protection does have drawbacks.............
>>
>> Apart from having to have the user select the authentication mode, any
>> others?
>
> In my original design I wanted to use the single url protection approach
> but the users at leeds bio department did not want to have the burden of
> selecting the authentication mode. To meet the leeds bio department
> requirement I implemented the entire bodington protection method. O:-)
>
> Thanks for the feedback.
>
> Ta
> Atif.
>
> p.s. do you have a spare room up at Oxford where I lock up bio
> department users???

From: Alistair Y. <ali...@sm...> - 2006-06-29 16:52:07

I think whole site is a no no for us. Our users would go radio rental!

Also, there's no way to login as sysadmin with the whole site approach. As we've seen, being a member of the sysadmins group is not the same as being the sysadmin user.

How do the bio lot get in as sysadmin?

> do you have a spare room up at Oxford where I lock up bio
> department users???

can offer a cave on the Isle of Eigg!

--
Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye
Scotland

>>> The single url protection does have drawbacks.............
>>
>> Apart from having to have the user select the authentication mode, any
>> others?
>
> In my original design I wanted to use the single url protection approach
> but the users at leeds bio department did not want to have the burden of
> selecting the authentication mode. To meet the leeds bio department
> requirement I implemented the entire bodington protection method. O:-)
>
> Thanks for the feedback.
>
> Ta
> Atif.
>
> p.s. do you have a spare room up at Oxford where I lock up bio
> department users???

From: Atif S. <BM...@bm...> - 2006-06-29 16:45:38

>>The single url protection does have drawbacks.............
>
>Apart from having to have the user select the authentication mode, any
>others?

In my original design I wanted to use the single url protection approach but the users at leeds bio department did not want to have the burden of selecting the authentication mode. To meet the leeds bio department requirement I implemented the entire bodington protection method. O:-)

Thanks for the feedback.

Ta
Atif.

p.s. do you have a spare room up at Oxford where I lock up bio department users???

From: Alistair Y. <ali...@sm...> - 2006-06-29 16:42:16

The Guard only protects what you tell it to protect. As there's no support in bod for parallel auth it has to protect the whole site.

However, you could use bod's normal auth trap to throw the user to the normal login page and take the Athens route of offering a different login link on the page:

External user login: www.dev.clan.uhi.ac.uk/site/shibblogin

and get the Guard to protect that url alone.

I call this method a Shunnel (terrible name I know!). Could have named it a Gwunnel (Guanxi Tunnel, sounds sort of Cornish). Anyway, it means a Shibboleth Funnel. mvnForum has one. It's an area to send users who want to auth via shibb. All the shibb functionality in an application is concentrated in the shunnel (grimace).

Ever seen Wallace and Gromit? A shunnel is the scene in the Wrong Trousers where the machines dress Wallace. The analogy is Wallace is the user and the machines are the shunnel. They provide all necessary bits 'n bobs for the user to enter bod via shibb. Once they're past the shunnel (ouch) they're just a normal bod user.

All that site/shibblogin does is redirect you to the page you originally requested. It's a switch you must flick to get into bod and you prove your ability to flick the switch by the attributes the Guard presents on your behalf.

Local users just login as normal, ignoring the "external users login" link.

So, shunnel++ for me - anyone got a better name?

--
Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye
Scotland

> Atif Suleman wrote:
>> Matthew Buckett wrote:
>>
>>> Ok, but this isn't a very good solution as you end up saying
>>>
>>> "To read my notes on this go to
>>> http://bodington/opensite/building/floor/ if you are a member of Leeds
>>> or someone else with an account on bodington or if you are a member of
>>> the Leeds Shibb federation go to http://bodington/site/building/floor/
>>
>> Indeed.
>>
>> Getting past the sp guard to do parallel auth (i.e. internal) is gone be
>> a miracle.
>>
>> The problem is the sp guard is protecting the entire bodington i.e.
>> /site/*
>>
>> I could protect a single page in bodington for example
>> /site/bs_template_sp_login.html THEN we can do parallel auth (i.e.
>> internal)
>>
>> The reason why we could do parallel auth is that the guard would be
>> protecting the following url:
>> * /site/bs_template_sp_login.html
>>
>> The guard would allow all urls under /site/* through but NOT
>> /site/bs_template_sp_login.html
>
> This is how we do WebAuth.
>
>> The single url protection does have drawbacks.............
>
> Apart from having to have the user select the authentication mode, any
> others?
>
> --
>   -- Matthew Buckett, VLE Developer
>   -- Learning Technologies Group, Oxford University Computing Services
>   -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Matthew B. <mat...@ou...> - 2006-06-29 16:17:09

Atif Suleman wrote:
> Matthew Buckett wrote:
>
>> Ok, but this isn't a very good solution as you end up saying
>>
>> "To read my notes on this go to
>> http://bodington/opensite/building/floor/ if you are a member of Leeds
>> or someone else with an account on bodington or if you are a member of
>> the Leeds Shibb federation go to http://bodington/site/building/floor/
>
> Indeed.
>
> Getting past the sp guard to do parallel auth (i.e. internal) is gone be
> a miracle.
>
> The problem is the sp guard is protecting the entire bodington i.e. /site/*
>
> I could protect a single page in bodington for example
> /site/bs_template_sp_login.html THEN we can do parallel auth (i.e.
> internal)
>
> The reason why we could do parallel auth is that the guard would be
> protecting the following url:
> * /site/bs_template_sp_login.html
>
> The guard would allow all urls under /site/* through but NOT
> /site/bs_template_sp_login.html

This is how we do WebAuth.

> The single url protection does have drawbacks.............

Apart from having to have the user select the authentication mode, any others?

--
  -- Matthew Buckett, VLE Developer
  -- Learning Technologies Group, Oxford University Computing Services
  -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Atif S. <BM...@bm...> - 2006-06-29 16:12:18

Matthew Buckett wrote:

>Ok, but this isn't a very good solution as you end up saying
>
>"To read my notes on this go to
>http://bodington/opensite/building/floor/ if you are a member of Leeds
>or someone else with an account on bodington or if you are a member of
>the Leeds Shibb federation go to http://bodington/site/building/floor/

Indeed.

Getting past the sp guard to do parallel auth (i.e. internal) is gone be a miracle.

The problem is the sp guard is protecting the entire bodington i.e. /site/*

I could protect a single page in bodington for example /site/bs_template_sp_login.html THEN we can do parallel auth (i.e. internal)

The reason why we could do parallel auth is that the guard would be protecting the following url:
* /site/bs_template_sp_login.html

The guard would allow all urls under /site/* through but NOT /site/bs_template_sp_login.html

The single url protection does have drawbacks.............

I would add this feature for 2.10 i.e. allow the deployers to decide if single url protection will be used OR entire bodington protection (i.e. /site/* url)

For 2.8 it's going to entire bodington protection (i.e. /site/* url) because at moment I am neck deep in socket work until August 4th

Ta
Atif.

From: Matthew B. <mat...@ou...> - 2006-06-29 15:18:10

Atif Suleman wrote:
>> Is it possible to set it up to allow both shibb and another
>> authentication mechanism to work at the same time?
>>
>> The reason I asked was we currently have 3 authentication methods
>> (anonymous, internal and WebAuth) here at Oxford.
>
> The problem is the SP guard because it protects the entire bodington
> i.e. : /site/*
>
> The solution we using at leeds bio department is to have:
> * SP guard protect the url /site/* , so we can do sp auth
> * And have a another url /opensite/* to do the INTERNAL, X509, BASIC auth.
>
> INTERNAL auth is the login page in bodington.
>
> The following urls are mapped onto the same servlet i.e.
> org.bodington.servlet.BuildingServlet:
> * /site/*
> * /opensite/*

Ok, but this isn't a very good solution as you end up saying

"To read my notes on this go to http://bodington/opensite/building/floor/ if you are a member of Leeds or someone else with an account on bodington or if you are a member of the Leeds Shibb federation go to http://bodington/site/building/floor/

> p.s. sorry the email is bit long.

NXT tym transl8 it 2 somTIN Ls ;-) - http://www.transl8it.com/cgi-win/index.pl?convertPL

--
  -- Matthew Buckett, VLE Developer
  -- Learning Technologies Group, Oxford University Computing Services
  -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Atif S. <BM...@bm...> - 2006-06-29 15:00:42

Alistair Young wrote:

>Atif, any chance you can exempt "sysadmin" from the shibb auth? The
>LDAPAuthenticator does this. It uses local auth for the "sysadmin" user.
>
>Would exempting sysadmin user be ok for 2.8 and maybe think about
>allowing parallel auths for 2.10?

Hopefully my previous email should have cleared up these questions.

Ta
Atif.

From: Atif S. <BM...@bm...> - 2006-06-29 14:55:53

>3) Are groups created on the fly?
>
>Come to think of it, 3) is daft question. Of course they aren't. No
>point creating a new group as it won't have access to anything. So
>the mapper refers to existing groups in the bod sp. Answered my
>question!

Groups are not created on the fly. Yes the mapper refers to the existing groups in the bod sp.

>2) If the concept of sysadmin doesn't translate between bods then
>we'll need a local auth option.

The concept of sysadmin translates between bods. This is how it translates:

Let's say user sys...@ww... comes along with following group attributes:
* sysadmins
* allusers
* campus.test

Let's say you have the policy file www.dev.clan.uhi.ac.uk.xml setup with the following content:

    <bodington>
      <groups-mapper-policy>
        <group>
          <idp-group>sysadmins</idp-group>
          <map-to>sysadmins</map-to>
        </group>
        <group>
          <idp-group>campus.test</idp-group>
          <map-to>campus.work</map-to>
        </group>
      </groups-mapper-policy>
    </bodington>

User sys...@ww... will be added to the following existing groups in the bod sp because of the above POLICY file:
* sysadmins
* campus.work
* allusers
* campus.allusers

This above method of sysadmin translation between bods has the following advantages:
* More control, i.e. you decide which user from particular idp gets added to the sysadmin group.

For example you could have user sys...@le... come along with following group attributes:
* sysadmins
* allusers

Let's say you have the policy file leeds.ac.uk.xml setup with the following content:

    <bodington>
      <groups-mapper-policy>
        <group>
          <idp-group>campus.test</idp-group>
          <map-to>campus.work</map-to>
        </group>
      </groups-mapper-policy>
    </bodington>

User sys...@le... will be added to the following existing groups in the bod sp because of the above POLICY file:
* allusers
* campus.allusers

>1) How did it know to put sys...@ww... into the
>Bod1 sysadmins group when my mapper file was called dev.clan.uhi.ac.uk?

Are sure sys...@ww... was added to the Bod1 sysadmins group when my mapper file was called dev.clan.uhi.ac.uk.xml?

If the username attribute is sys...@ww... THEN it would look for the mapper file: www.dev.clan.uhi.ac.uk.xml

I can't seem to replicate this behaviour you have described. ???????

>>> Is it possible to set it up to allow both shibb and another
>>> authentication mechanism to work at the same time?
>
>The reason I asked was we currently have 3 authentication methods
>(anonymous, internal and WebAuth) here at Oxford.

The problem is the SP guard because it protects the entire bodington i.e. : /site/*

The solution we using at leeds bio department is to have:
* SP guard protect the url /site/* , so we can do sp auth
* And have a another url /opensite/* to do the INTERNAL, X509, BASIC auth.

INTERNAL auth is the login page in bodington.

The following urls are mapped onto the same servlet i.e. org.bodington.servlet.BuildingServlet:
* /site/*
* /opensite/*

Ta
Atif.

p.s. sorry the email is bit long.

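The group-mapping behaviour described in the message above, as an added example that is not part of the original post and is not Bodington code. The function names, the sample usernames, the SP group list, the "defaults always granted" rule and the handling of a missing policy file are assumptions inferred from the two worked cases in the message.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy files, in the shape quoted in the message above.
POLICY_FILES = {
    "www.dev.clan.uhi.ac.uk.xml": """
<bodington>
  <groups-mapper-policy>
    <group><idp-group>sysadmins</idp-group><map-to>sysadmins</map-to></group>
    <group><idp-group>campus.test</idp-group><map-to>campus.work</map-to></group>
  </groups-mapper-policy>
</bodington>""",
    "leeds.ac.uk.xml": """
<bodington>
  <groups-mapper-policy>
    <group><idp-group>campus.test</idp-group><map-to>campus.work</map-to></group>
  </groups-mapper-policy>
</bodington>""",
}

# Assumption: both worked cases end with these two groups, so they are
# treated here as granted to every federated user.
DEFAULT_GROUPS = frozenset({"allusers", "campus.allusers"})

# Constructed list of groups that already exist on the SP. The message
# states that groups are never created on the fly.
SP_GROUPS = frozenset({"sysadmins", "allusers", "campus.allusers", "campus.work"})

# The policy file name is derived from an IdP-asserted attribute, so the
# scope is only accepted if it looks like a plain DNS name.
_SCOPE_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def policy_file_for(username):
    """Map 'user@scope' to the policy file name 'scope.xml'."""
    local, sep, scope = username.rpartition("@")
    scope = scope.lower()
    if not (sep and local and _SCOPE_RE.fullmatch(scope)):
        raise ValueError("unusable scope in username attribute: %r" % username)
    return scope + ".xml"


def load_policy(xml_text):
    """Return {idp-group: map-to} from a groups-mapper-policy document."""
    root = ET.fromstring(xml_text.strip())
    mapping = {}
    for group in root.findall("./groups-mapper-policy/group"):
        idp_group = (group.findtext("idp-group") or "").strip()
        target = (group.findtext("map-to") or "").strip()
        if idp_group and target:
            mapping[idp_group] = target
    return mapping


def resolve_groups(username, idp_groups, policy_files=POLICY_FILES,
                   sp_groups=SP_GROUPS):
    """Return the sorted SP groups a federated user ends up in.

    The policy acts as an allow-list: an IdP-asserted group that the SP's
    policy for that IdP does not map is dropped, including 'sysadmins'.
    """
    name = policy_file_for(username)
    # Assumption: an IdP without a policy file gets the default groups only.
    mapping = load_policy(policy_files[name]) if name in policy_files else {}
    granted = set(DEFAULT_GROUPS)
    for asserted in idp_groups:
        target = mapping.get(asserted)
        # Only map onto groups that already exist on the SP.
        if target is not None and target in sp_groups:
            granted.add(target)
    return sorted(granted)


if __name__ == "__main__":
    # Usernames are constructed; only the scopes come from the message.
    print(resolve_groups("user1@www.dev.clan.uhi.ac.uk",
                         ["sysadmins", "allusers", "campus.test"]))
    print(resolve_groups("user2@leeds.ac.uk", ["sysadmins", "allusers"]))
```
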
From: Matthew B. <mat...@ou...> - 2006-06-29 14:44:55

Alistair Young wrote:
> ok, I see now. So it's impossible to translate sysadmin between bods.
> Prolly a good idea anyway.

Yep as you don't know which group has sysadmin at the root of the site.

> Atif, any chance you can exempt "sysadmin" from the shibb auth? The
> LDAPAuthenticator does this. It uses local auth for the "sysadmin" user.

But how will the local sysadmin user get past the guard to authenticate to bod?

> Would exempting sysadmin user be ok for 2.8 and maybe think about
> allowing parallel auths for 2.10?

--
  -- Matthew Buckett, VLE Developer
  -- Learning Technologies Group, Oxford University Computing Services
  -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Alistair Y. <ali...@sm...> - 2006-06-29 14:33:52

ok, I see now. So it's impossible to translate sysadmin between bods. Prolly a good idea anyway.

Atif, any chance you can exempt "sysadmin" from the shibb auth? The LDAPAuthenticator does this. It uses local auth for the "sysadmin" user.

Would exempting sysadmin user be ok for 2.8 and maybe think about allowing parallel auths for 2.10?

Alistair

On 29 Jun 2006, at 15:17, Matthew Buckett wrote:

> Alistair Young wrote:
>> yep, you're correct. So the sysadmins group has the same rights as
>> the allusers group! What's it for then?
>
> Sysadmin has less rights than allusers. allusers has see and view
> at /site
>
>> Is it the case that the user "sysadmin" has rights to everything but
>> the sysadmins group is basically meaningless?
>
> Yep.
>
>> Logging in as "sysadmin" lets you see all resources but no-one
>> specifically granted access to the user who logs in as "sysadmin".
>> Being added to the sysadmins group gets you access to nothing that
>> isn't public.
>
> Yep. the sysadmin group is worthless until it is granted some
> permissions to a resource.
>
>> To get sysadmin access to a resource you have to be in that
>> resource's owners group. So is the user who logs in as "sysadmin" a
>> member of every group on the system? Create a new group and
>> "sysadmin" gets added automatically?
>
> No. Sysadmin is only a member of some owners groups and some of the
> special groups by default.
>
> To get sysadmin rights to a resource you have to have the sysadmin
> permission over that resource (sysadmin is automatically inherited even
> if inherit is unchecked).
>
> As an example you *COULD* grant the allusers group sysadmin rights to
> /site and then every user would have sysadmin rights to the whole site.
>
> --
>   -- Matthew Buckett, VLE Developer
>   -- Learning Technologies Group, Oxford University Computing Services
>   -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Matthew B. <mat...@ou...> - 2006-06-29 14:18:01

Alistair Young wrote:
> yep, you're correct. So the sysadmins group has the same rights as
> the allusers group! What's it for then?

Sysadmin has less rights than allusers. allusers has see and view at /site

> Is it the case that the user "sysadmin" has rights to everything but
> the sysadmins group is basically meaningless?

Yep.

> Logging in as "sysadmin" lets you see all resources but no-one
> specifically granted access to the user who logs in as "sysadmin".
> Being added to the sysadmins group gets you access to nothing that
> isn't public.

Yep. the sysadmin group is worthless until it is granted some permissions to a resource.

> To get sysadmin access to a resource you have to be in that
> resource's owners group. So is the user who logs in as "sysadmin" a
> member of every group on the system? Create a new group and
> "sysadmin" gets added automatically?

No. Sysadmin is only a member of some owners groups and some of the special groups by default.

To get sysadmin rights to a resource you have to have the sysadmin permission over that resource (sysadmin is automatically inherited even if inherit is unchecked).

As an example you *COULD* grant the allusers group sysadmin rights to /site and then every user would have sysadmin rights to the whole site.

--
  -- Matthew Buckett, VLE Developer
  -- Learning Technologies Group, Oxford University Computing Services
  -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Alistair Y. <ali...@sm...> - 2006-06-29 14:00:14

yep, you're correct. So the sysadmins group has the same rights as the allusers group! What's it for then?

Is it the case that the user "sysadmin" has rights to everything but the sysadmins group is basically meaningless?

Logging in as "sysadmin" lets you see all resources but no-one specifically granted access to the user who logs in as "sysadmin". Being added to the sysadmins group gets you access to nothing that isn't public.

To get sysadmin access to a resource you have to be in that resource's owners group. So is the user who logs in as "sysadmin" a member of every group on the system? Create a new group and "sysadmin" gets added automatically?

Am I missing something?

Alistair

On 29 Jun 2006, at 14:42, Matthew Buckett wrote:

> Alistair Young wrote:
>> ok, that's confusing now! The Group tool states:
>
> Yeah too many sysadmins, sysadmin group, sysadmin permission,
> sysadmin user.
>
>> sysadmins : System administrators for this web site
>>
>>> The group with all the power is the /site owners group
>>> which by default contains sysadmin
>
>> do you mean the sysadmin user or the sysadmins group? The Group tool
>> seems to state that adding someone to the sysadmins groups makes them a
>> sysadmin with all rights over the whole site.
>
> With the default database setup that is incorrect (and looking at the
> DemoSiteBuilder it seem that is the same). The sysadmin group has
> permissions on no extra resources.
>
>> So whether they end up in
>> the sysadmins group via the Group tool or the shibb auth shouldn't make
>> any difference. But it does for some reason.
>
> Sysadmin group has no extra permissions.
>
> I suspect that this may have changed because of Zones as you may have
> several sysadmins but not all of them have sysadmin rights to the whole
> site.
>
> --
>   -- Matthew Buckett, VLE Developer
>   -- Learning Technologies Group, Oxford University Computing Services
>   -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/

From: Matthew B. <mat...@ou...> - 2006-06-29 13:42:32
|
Alistair Young wrote:
> ok, that's confusing now! The Group tool states:

Yeah too many sysadmins, sysadmin group, sysadmin permission, sysadmin user.

> sysadmins : System administrators for this web site
>
>> The group with all the power is the /site owners group
>> which by default contains sysadmin

> do you mean the sysadmin user or the sysadmins group? The Group tool
> seems to state that adding someone to the sysadmins group makes them a
> sysadmin with all rights over the whole site.

With the default database setup that is incorrect (and looking at the DemoSiteBuilder it seems that is the same). The sysadmin group has permissions on no extra resources.

> So whether they end up in
> the sysadmins group via the Group tool or the shibb auth shouldn't make
> any difference. But it does for some reason.

Sysadmin group has no extra permissions.

I suspect that this may have changed because of Zones as you may have several sysadmins but not all of them have sysadmin rights to the whole site.

--
-- Matthew Buckett, VLE Developer
-- Learning Technologies Group, Oxford University Computing Services
-- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
|
From: Alistair Y. <ali...@sm...> - 2006-06-29 13:32:18
|
ok, that's confusing now! The Group tool states:

sysadmins : System administrators for this web site

> The group with all the power is the /site owners group
> which by default contains sysadmin

do you mean the sysadmin user or the sysadmins group? The Group tool seems to state that adding someone to the sysadmins group makes them a sysadmin with all rights over the whole site. So whether they end up in the sysadmins group via the Group tool or the shibb auth shouldn't make any difference. But it does for some reason.

Alistair

On 29 Jun 2006, at 14:27, Matthew Buckett wrote:

> Alistair Young wrote:
>> Interesting question and the answer I suspect depends on the answer
>> to this one:
>>
>> I logged in to Bod1 using Bod2 as an IdP. I logged in as sysadmin on
>> Bod2's IdP and got into Bod1 using the shibb authenticator but wasn't
>> made a sysadmin. I was put into the sysadmins group as
>> sys...@ww....
>
> The sysadmin group doesn't get any extra rights in a standard Bod
> install I think. The group with all the power is the /site owners
> group which by default contains sysadmin and has sysadmin permission.
>
> If you grant the sysadmin group sysadmin permission to the /site
> resource this should work.
>
>>> Is it possible to set it up to allow both shibb and another
>>> authentication mechanism to work at the same time?
>
> The reason I asked was we currently have 3 authentication methods
> (anonymous, internal and WebAuth) here at Oxford.
|
From: Matthew B. <mat...@ou...> - 2006-06-29 13:27:10
|
Alistair Young wrote:
> Interesting question and the answer I suspect depends on the answer
> to this one:
>
> I logged in to Bod1 using Bod2 as an IdP. I logged in as sysadmin on
> Bod2's IdP and got into Bod1 using the shibb authenticator but wasn't
> made a sysadmin. I was put into the sysadmins group as
> sys...@ww....

The sysadmin group doesn't get any extra rights in a standard Bod install I think. The group with all the power is the /site owners group which by default contains sysadmin and has sysadmin permission.

If you grant the sysadmin group sysadmin permission to the /site resource this should work.

>> Is it possible to set it up to allow both shibb and another
>> authentication mechanism to work at the same time?

The reason I asked was we currently have 3 authentication methods (anonymous, internal and WebAuth) here at Oxford.

--
-- Matthew Buckett, VLE Developer
-- Learning Technologies Group, Oxford University Computing Services
-- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
|
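The permission model discussed in this thread, as an added example that is not Bodington code and not part of the original messages: a simplified model in which rights come only from grants on a resource to a group, so membership of a group named sysadmins confers nothing until that group is granted the sysadmin permission on /site. The user name `sysadmin@idp.example`, the `see` permission and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Site:
    """Assumed model: a group's name confers nothing; only ACL grants do."""
    members: dict = field(default_factory=dict)  # group -> set of user names
    acl: dict = field(default_factory=dict)      # resource -> {group: set of permissions}

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def grant(self, resource, group, perm):
        self.acl.setdefault(resource, {}).setdefault(group, set()).add(perm)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def permissions(self, user, resource):
        """Union of the permissions granted on `resource` to the user's groups."""
        entries = self.acl.get(resource, {})
        perms = set()
        for group in self.groups_of(user):
            perms |= entries.get(group, set())
        return perms

    def ungranted_groups(self):
        """Audit check: groups with members that appear in no ACL entry."""
        granted = {g for entries in self.acl.values() for g in entries}
        return sorted(g for g, users in self.members.items()
                      if users and g not in granted)


def default_site():
    """Constructed data mirroring the default setup described in the thread."""
    site = Site()
    federated = "sysadmin@idp.example"  # constructed name for the Shibboleth login
    for user in ("sysadmin", federated):
        site.add_member("allusers", user)
    site.grant("/site", "allusers", "see")              # public access
    site.add_member("/site owners", "sysadmin")         # local sysadmin user
    site.grant("/site", "/site owners", "sysadmin")     # where the power comes from
    site.add_member("sysadmins", federated)             # mapped by group name only
    return site
```

Calling `grant("/site", "sysadmins", "sysadmin")` on this model is the change suggested in the message above; until then `ungranted_groups()` reports `sysadmins` as a group whose membership has no effect.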
From: Alistair Y. <ali...@sm...> - 2006-06-29 13:11:40
|
Interesting question and the answer I suspect depends on the answer to this one:

I logged in to Bod1 using Bod2 as an IdP. I logged in as sysadmin on Bod2's IdP and got into Bod1 using the shibb authenticator but wasn't made a sysadmin. I was put into the sysadmins group as sys...@ww.... I also logged in as a student from Bod2 but the group mapping didn't result in a new group being created.

So some questions:

1) How did it know to put sys...@ww... into the Bod1 sysadmins group when my mapper file was called dev.clan.uhi.ac.uk?
2) If the concept of sysadmin doesn't translate between bods then we'll need a local auth option.
3) Are groups created on the fly?

Come to think of it, 3) is a daft question. Of course they aren't. No point creating a new group as it won't have access to anything. So the mapper refers to existing groups in the bod sp. Answered my question!

Nice work though Atif. The shibb login works a treat!

Alistair

On 29 Jun 2006, at 13:46, Matthew Buckett wrote:

> Atif Suleman wrote:
>> Alistair Young wrote:
>>
>>> can you explain how the sp works Atif? I've done all that now but
>>> how do I actually log in using shibboleth? Is there a special
>>> shibboleth login page in bod now?
>>
>> There is no special shibboleth login page. Because of the following
>> filter mapping in web.xml
>>
>> <filter-mapping>
>>   <filter-name>Guanxi Resource Guard</filter-name>
>>   <url-pattern>/site/*</url-pattern>
>> </filter-mapping>
>>
>> The entire bodington is protected.
>
> Is it possible to set it up to allow both shibb and another
> authentication mechanism to work at the same time?
|
From: Matthew B. <mat...@ou...> - 2006-06-29 12:46:26
|
Atif Suleman wrote:
> Alistair Young wrote:
>
>> can you explain how the sp works Atif? I've done all that now but how do I
>> actually log in using shibboleth? Is there a special shibboleth login page
>> in bod now?
>
> There is no special shibboleth login page. Because of the following
> filter mapping in web.xml
>
> <filter-mapping>
>   <filter-name>Guanxi Resource Guard</filter-name>
>   <url-pattern>/site/*</url-pattern>
> </filter-mapping>
>
> The entire bodington is protected.

Is it possible to set it up to allow both shibb and another authentication mechanism to work at the same time?

--
-- Matthew Buckett, VLE Developer
-- Learning Technologies Group, Oxford University Computing Services
-- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
|