Wiki

Workflow features

General

	Version 5	Version 4
Variant	main - en	main - en
Document Name	Workflow features	Workflow features
Creation time	12/3/08 8:56:35 AM	11/5/08 9:32:31 AM
Created by	Karel Vervaeke	Karel Vervaeke
State:	publish	publish

Changes to parts

Part "Content" has changed

	Version 5	Version 4
Mime type	text/xml	text/xml
File name
Size (bytes)	2865	2746

Content changes

<html>

<body>

<h3>Status updates</h3>

<ul>

<li>Branch created here:

http://svn.cocoondev.org/viewsvn/branches/<del>BRANCH_WORKFLOW_MULTIVALUE</del>/

(based on trunk rev 4792).</li>

</ul>

<p class="note">the branch was later renamed to BRANCH_2_3_RC1</p>

</blockquote>

<ul>

http://svn.cocoondev.org/viewsvn/branches/BRANCH_WORKFLOW_MULTIVALUE/ (based on

trunk rev 4792)</li>

<li>First iteration checked in: multi-value string variables can be persisted

and loaded. The wiki correctly renders multi-value string fields.</li>

</ul>

<h3>Next steps</h3>

<ul>

<li>Querying</li>

<li>Allow other datatypes than "string" be multi-valued</li>

</ul>

<h2>Multi-valued variables</h2>

<p>Currently, the concept of multi-value variables only exists in Daisy document

fields. We would like to enhance the Daisy's workflow component with the same

feature</p>

<p>Suggested daisy-process-meta.xml syntax:</p>

...

</variables>

...

</workflowMeta>

<strong>(alternative:)</strong>

<p>Suggested task-update api usage:</p>

<pre>// No api change needed here: TaskupdateData.setVariable(String name, Object value) -> just let the value be an array

taskUpdateData.setVariable("my-mv-string", new String[] { "foo", "bar" });</pre>

<p>In taskupdate.xml this would become:</p>

<pre><strong>alternative 1:</strong>

<variable name="my-mv-string" multiValue="true"> // needed to specify to distinct between a string and a multi-value-string variable with one element

</variable>

<strong>alternative 2:</strong>

<multi>

</multi>

</variable></pre>

<p>Work involved:</p>

<ul>

<li>repository</li>

<ul>

<li>persistence: hibernate fields</li>

</ul>

<ul>

<li>querying:</li>

<ul>

<li>Support querying multivalue fields</li>

<li>possibly: new operators: hasAll, hasNone, hasExactly, hasAny</li>

</ul>

<ul>

<ul>

<li>cforms styling for the multivalue fields</li>

</ul>

<h2>Custom form templates</h2>

<p>On the wiki, allow workflow developers to customize way the forms are

rendered on the wiki.<br/>

This would be done by adding a custom wftask_to_cform_template.xsl to the

wiki-data dir, which will override the built-in one.</p>

<h2>Disable "reassign" task</h2>

<p>Currently it is always possible to reassign a task to someone else. There

should be a possibility to disable this feature.<br/>

Suggested syntax:<br/>

(in daisy-process-meta.xml)</p>

</body>

</html>

Changes to links

No changes detected

Changes to fields

No changes detected

Show diff

Workflow features

Status updates

Branch created here: http://svn.cocoondev.org/viewsvn/branches/~~BRANCH_WORKFLOW_MULTIVALUE~~/ (based on trunk rev 4792).

the branch was later renamed to BRANCH_2_3_RC1

First iteration checked in: multi-value string variables can be persisted and loaded. The wiki correctly renders multi-value string fields.

Next steps

Querying
Allow other datatypes than "string" be multi-valued

Multi-valued variables

Currently, the concept of multi-value variables only exists in Daisy document fields. We would like to enhance the Daisy's workflow component with the same feature

Suggested daisy-process-meta.xml syntax:

<workflowMeta xmlns="http://outerx.org/daisy/1.0#workflowmeta">
 ...
  <variables>
    <variable name="my-mv-string" type="string" multiValue="true" scope="..."/>
  </variables>
  ...
</workflowMeta>

(alternative:)
    <variable name="my-mv-string" type="multi-string" scope="..."/>

Suggested task-update api usage:

// No api change needed here: TaskupdateData.setVariable(String name, Object value) -> just let the value be an array
taskUpdateData.setVariable("my-mv-string", new String[] { "foo", "bar" });

In taskupdate.xml this would become:

alternative 1:
<variable name="my-mv-string" multiValue="true"> // needed to specify to distinct between a string and a multi-value-string variable with one element
  <string>foo</string>
  <string>bar</string>
</variable>

alternative 2:
<variable name="my-mv-string">
  <multi>
    <string>foo</string>
    <string>bar</string>
  </multi>
</variable>

Work involved:

repository

persistence: hibernate fields

querying:

Support querying multivalue fields
possibly: new operators: hasAll, hasNone, hasExactly, hasAny

wiki

cforms styling for the multivalue fields

Custom form templates

On the wiki, allow workflow developers to customize way the forms are rendered on the wiki.
This would be done by adding a custom wftask_to_cform_template.xsl to the wiki-data dir, which will override the built-in one.

Disable "reassign" task

Currently it is always possible to reassign a task to someone else. There should be a possibility to disable this feature.
Suggested syntax:
(in daisy-process-meta.xml)

<options allowReassign="false"/>

Creating a multi role authentication scheme

Show document

General

	Version 5	Version 4
Variant	main - en	main - en
Document Name	Creating a multi role authentication scheme	Creating a multi role authentication scheme
Creation time	11/30/08 10:40:40 PM	11/15/08 2:30:35 PM
Created by	Andreas Deininger	Tim McDonald
State:	publish	publish

Changes to parts

Part "Content" has changed

	Version 5	Version 4
Mime type	text/xml	text/xml
File name
Size (bytes)	19950	19950

Content changes

<html>

<body>

<p>This step by step instruction explains how to extend the Daisy CMS with your

own authentication scheme that fits your needs.</p>

<p><strong>Assumption</strong>: You already set up daisy on a windows system and

everything's working great. Your also doing the codeing and compiling on a

separate system (a mac) because you too lazy to install the dev tool on the

windows server...</p>

windows sever...</p>

<p><strong>Task</strong>: You would like new daisy users to be allocated a given

role when they first logon. The system admin chaps would ideally like the group

the user belongs to on a windows network to dictate this role allocation.</p>

<p class="note">This solution is useful where there are a number of different

users who need to see different resources on the same server (ie. student and

staff at a university).</p>

<h2>Step 1: Checking out the sources</h2>

<p>Download the daisy sources daisy-x.x.x.tar.gz of the latest stable (or

milestone) release at the

<a href="http://svn.cocoondev.org/dist/daisy/">download area</a> (or

<a href="http://cocoondev.org/daisydocs-1_3/152.html">check out</a> the latest

<a href="http://cocoondev.org/daisydocs-1_3/152.html">check out</a> the lastest

version from SVN, whatever you prefer). Extract the tarball into a directory on

your local machine (although you do not have to create that environment

variable, I will refer to that directory as DAISY_SRC during the rest ot this

tutorial):</p>

<pre>$ tar xvzf daisy-x.x.x.tar.gz</pre>

<h2>Step 2: Copy the sources of the Ntlm-authentication</h2>

<p>Descend to the dircectory $DAISY_SRC/services/ and make a copy of the

directory ntlm-auth, which contains the sources for the Ntlm authentication

scheme. We take these sources as starting point and we will modify them to fit

our needs.</p>

<pre>$ cp -R ntlm-auth/ ntlm-group-auth</pre>

<h2>Step 3: Create the java classes for authentication</h2>

<h3>Step 3a: Rename the existing sourcefiles for AuthenticationFactory and

AuthenticationScheme</h3>

<p>Descend into the directory

$DAISY_SRC/services/ssh-auth/src/java/org/outerj/daisy/authentication/impl<br/>

Rename the both existing sourcefiles for the AuthenticationFactory and the

AuthenticationScheme</p>

<pre>$ mv NtlmAuthenticationFactory.java NtlmGroupAuthenticationFactory.java

$ mv NtlmAuthenticationScheme.java NtlmGroupAuthenticationScheme.java</pre>

<h3>Step 3b: Edit NTLMGroupAuthenticationFactory.java</h3>

<p>In your favourite editor or IDE, edit the source file for the NTLM Group

Authentication Factory and change it to:</p>

<pre>package org.outerj.daisy.authentication.impl;

import org.apache.avalon.framework.configuration.Configuration;

import org.apache.avalon.framework.configuration.ConfigurationException;

import org.outerj.daisy.authentication.spi.*;

import org.outerj.daisy.plugin.PluginRegistry;

import javax.annotation.PreDestroy;

import java.util.Map;

import java.util.HashMap;

/**

* Constructs and registers NtlmGroupAuthenticationSchemes with the UserAuthenticator.

public class NtlmGroupAuthenticationFactory {

private PluginRegistry pluginRegistry;

private Map<String, AuthenticationScheme> schemes = new HashMap<String, AuthenticationScheme>();

public NtlmGroupAuthenticationFactory(Configuration configuration, PluginRegistry pluginRegistry) throws Exception {

this.pluginRegistry = pluginRegistry;

this.configure(configuration);

registerSchemes();

}

@PreDestroy

public void destroy() {

unregisterSchemes();

}

private void registerSchemes() throws Exception {

for (Map.Entry<String, AuthenticationScheme> entry : schemes.entrySet()) {

pluginRegistry.addPlugin(AuthenticationScheme.class, entry.getKey(), entry.getValue());

}

private void unregisterSchemes() {

for (Map.Entry<String, AuthenticationScheme> entry : schemes.entrySet()) {

pluginRegistry.removePlugin(AuthenticationScheme.class, entry.getKey(), entry.getValue());

}

private void configure(Configuration configuration) throws ConfigurationException {

Configuration[] schemeConfs = configuration.getChildren("scheme");

for (Configuration schemeConf : schemeConfs) {

String name = schemeConf.getAttribute("name");

String description = schemeConf.getAttribute("description");

String domainControllerAddress = schemeConf.getChild("domainControllerAddress").getValue();

String domain = schemeConf.getChild("domain").getValue();

String file1 = schemeConf.getChild("fileLocation1").getValue();

String file2 = schemeConf.getChild("fileLocation2").getValue();

Configuration subUserCreator1 = schemeConf.getChild("subUserCreator1");

UserCreator userCreator1 = UserCreatorFactory.createUser(subUserCreator1, name);

Configuration subUserCreator2 = schemeConf.getChild("subUserCreator2");

UserCreator userCreator2 = UserCreatorFactory.createUser(subUserCreator2, name);

AuthenticationScheme scheme = new NtlmGroupAuthenticationScheme(name, description, domainControllerAddress, domain, file1, userCreator1, file2, userCreator2);

Configuration cacheConf = schemeConf.getChild("cache");

if (cacheConf.getAttributeAsBoolean("enabled")) {

int maxCacheSize = cacheConf.getAttributeAsInteger("maxCacheSize", 3000);

long maxCacheDuration = cacheConf.getAttributeAsLong("maxCacheDuration", 30 * 60 * 1000); // default: half an hour

scheme = new CachingAuthenticationScheme(scheme, maxCacheDuration, maxCacheSize);

}

if (schemes.containsKey(name))

throw new ConfigurationException("Duplicate authentication scheme name: " + name);

schemes.put(name, scheme);

}

}</pre>

<p>Note that this authentication factory reads in the configuration for two

files and userCreators which are then passed to the authentication scheme.</p>

<h3>Step 3c: Edit NTLMGroupAuthenticationScheme.java</h3>

<p>In your favourite editor or IDE, edit the source file for the NTLM Group

Authentication Scheme and change it to:</p>

<pre>package org.outerj.daisy.authentication.impl;

import org.outerj.daisy.authentication.spi.AuthenticationScheme;

import org.outerj.daisy.authentication.spi.AuthenticationException;

import org.outerj.daisy.authentication.spi.UserCreator;

import org.outerj.daisy.repository.Credentials;

import org.outerj.daisy.repository.user.User;

import org.outerj.daisy.repository.user.UserManager;

import jcifs.smb.SmbException;

import jcifs.smb.SmbAuthException;

import jcifs.smb.SmbSession;

import jcifs.smb.NtlmPasswordAuthentication;

import jcifs.smb.*;

import jcifs.UniAddress;

import java.net.UnknownHostException;

import java.net.MalformedURLException;

public class NtlmGroupAuthenticationScheme implements AuthenticationScheme {

private final String name;

private final String description;

private final String domainControllerAddress;

private final String domain;

private final String file1;

private final UserCreator userCreator1;

private final String file2;

private final UserCreator userCreator2;

public NtlmGroupAuthenticationScheme(String name, String description, String domainControllerAddress, String domain, String file1, UserCreator userCreator1, String file2, UserCreator userCreator2) {

this.name = name;

this.description = description;

this.domainControllerAddress = domainControllerAddress;

this.domain = domain;

this.file1 = file1;

this.userCreator1 = userCreator1;

this.file2 = file2;

this.userCreator2 = userCreator2;

}

public String getName() {

return name;

}

public String getDescription() {

return description;

}

public boolean check(Credentials credentials) throws AuthenticationException {

if ( check1(credentials) ) {

return true;

}

if ( check2(credentials) ) {

return true;

}

return false;

}

public boolean check1(Credentials credentials) throws AuthenticationException {

UniAddress mydomaincontroller;

try {

mydomaincontroller = UniAddress.getByName(domainControllerAddress);

} catch (UnknownHostException e) {

throw new AuthenticationException("Error authenticating using NTLM.", e);

}

NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(domain, credentials.getLogin(), credentials.getPassword());

jcifs.Config.registerSmbURLHandler();

SmbFile smbf;

try {

smbf = new SmbFile(file1, mycreds);

} catch( MalformedURLException seed ) {

// NETWORK PROBLEMS?

throw new AuthenticationException("Can't find the file specified", seed);

}

try {

return smbf.exists();

} catch( SmbAuthException sae ) {

// AUTHENTICATION FAILURE

return false;

} catch( SmbException se ) {

// NETWORK PROBLEMS?

throw new AuthenticationException("Error authenticating using NTLM.", se);

}

public boolean check2(Credentials credentials) throws AuthenticationException {

UniAddress mydomaincontroller;

try {

mydomaincontroller = UniAddress.getByName(domainControllerAddress);

} catch (UnknownHostException e) {

throw new AuthenticationException("Error authenticating using NTLM.", e);

}

NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(domain, credentials.getLogin(), credentials.getPassword());

jcifs.Config.registerSmbURLHandler();

SmbFile smbf;

try {

smbf = new SmbFile(file2, mycreds);

} catch( MalformedURLException seed ) {

// NETWORK PROBLEMS?

throw new AuthenticationException("Can't find the file specified", seed);

}

try {

return smbf.exists();

} catch( SmbAuthException sae ) {

// AUTHENTICATION FAILURE

return false;

} catch( SmbException se ) {

// NETWORK PROBLEMS?

throw new AuthenticationException("Error authenticating using NTLM.", se);

}

public void clearCaches() {

// do nothing

}

public User createUser(Credentials crendentials, UserManager userManager) throws AuthenticationException {

if (userCreator1 != null) {

if (check1(crendentials)) {

User aUser = userCreator1.create(crendentials.getLogin(), userManager);

return aUser;

}

if (userCreator2 != null) {

if (check2(crendentials)) {

User aUser = userCreator2.create(crendentials.getLogin(), userManager);

return aUser;

}

return null;

}

</pre>

<p>The jcifs library which daisy uses to perform NTLM authentication does not

provide a simple method for checking if a user belongs to a certain windows

group. However, by using the SmbFile() method for the jcifs library we can see

if a user with a siven set of creidentials can access a file on a windows share.

As a windows server can restrict access using groups this provides a cunning

workaround.</p>

<p>The location of the file and other parameters are read from a the

configuration file myconfig.xml, which we will create later on. This information

is used inside the constructor of a new instance of our SSHAuthenticationScheme,

which we created above.</p>

<p>You'll notice this section of code contains a number of fairly similar

methods [i.e. check1() and check2()]. The methods which Daisy itself uses [i.e.

check() and createUser()] calls these in order to perform the authentication at

the two different levels .</p>

<p class="note">I'm sure there a more elegent way of doing this....</p>

<h2>Step 4: Building the authentication scheme</h2>

<h3>Step 4a: Compiling and packing your classes</h3>

<p>I compile the files on my mac something like this:</p>

<p class="note">Use the method of your choice to compile the code (Ant, Maven,

your IDE, ...). When using the command below, we hope you know enough about this

that everything should be on one line. For Windows, replace $DAISY_HOME with

%DAISY_HOME% and the colons with semicolons)</p>

<pre>javac -classpath

~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-repository-api-2.2.jar:

~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-repository-server-spi-2.2.jar:

~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-pluginregistry-api-2.2.jar:

~/Documents/intranet/daisy-2.2/lib/avalon-framework/jars/avalon-framework-api-4.3.jar:

~/Documents/intranet/daisy-2.2/lib/jcifs/jars/jcifs-1.1.11.jar:

~/Documents/intranet/daisy-2.2/lib/javax.annotation/jars/jsr250-api-1.0.jar:

~/Documents/intranet/daisy-2.2/lib/javax.servlet/jars/servlet-api-2.4.jar:

~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationScheme.class

~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationFactory.java

~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationScheme.java

jar cvf ntlm-group-auth.jar *</pre>

<p>I run this command from the directory shown below:</p>

<pre>~/Documents/intranet/ntlm-group-auth/src/</pre>

<h3>Step 4b: Copying the jar-file into place</h3>

<p>Copy the newly created jar file both into the lib directory of your daisy

binary distribution ($DAISY_HOME/lib). Copy the file

daisy-auth-ssh-<version>.jar into the directory daisy/jars/.</p>

<pre>$ cp target/daisy-auth-ssh-<version>.jar $DAISY_HOME/lib/daisy/jars/</pre>

<p class="note">If you don't want to create a binary distribution of daisy it

might be sufficient to copy the jar-file to the $DAISY_HOME/lib directory only.

</p>

<p class="warn">Details from this point on are a little sketchy, need to check

the info on a different PC.</p>

<h2>Step 5: Registering and configuring the new component</h2>

<h3>Step 5a: Registering the new component</h3>

<p>Edit the file $DAISY_HOME/repository-server/conf/block.xml. Inside the

container named authentication, include your newly created scheme. The element

<container> of block.xml now should look like (adapt the versions of your

jar files for ntlm and ssh authentication!):</p>

<source>authenticator</source>

</service>

<source>authenticator</source>

</service>

</services>

</configuration>

</component>

</configuration>

</component>

</container></pre>

<h3>Step 5b: Configuring the new component</h3>

<p>Inside the directory $DAISY_HOME/repository-server/conf/ you will find a file

myconfig.xml.template. Copy this file into the directory conf/ inside your

repository and rename it to myconfig.xml</p>

<pre>$ cp $DAISY_HOME/repository-server/conf/myconfig.xml.template /path/to/your/repository/conf/myconfig.xml</pre>

<p>Edit the newly created file myconfig.xml. Add a target in order to configure

your authentication scheme, inside that target, fill in the IP or host name of

your SSH-server. Also, in order to enable automatically creation of user

accounts once the user logs in to daisy for the first time, define our newly

created scheme as authentification scheme for user creation as shown below:</p>

<target path="..."

...

</target>

... many more targets

<authenticationSchemeForUserCreation>ntlmgroup1</authenticationSchemeForUserCreation>

</configuration>

</target>

... many more targets

<!-- Notes:

- the name of a scheme should not be daisy, no two schemes can have the same name

- the autoCreateUser element is optional

-->

<fileLocation1>afilelocation</fileLocation1>

<fileLocation2>afilelocation</fileLocation2>

<roles>

</roles>

</autoCreateUser>

<test>astring</test>

</subUserCreator1>

<roles>

</roles>

</autoCreateUser>

</subUserCreator2>

</scheme>

</configuration>

</target>

</targets></pre>

<h2>Step 6: Running and testing the new scheme</h2>

<p>Now we are ready to test our new scheme! Restart the repository server and

the daisy wiki.<br/>

Try to log on to daisy with any username/password combination which should have

permissions to access one of the files at either FileLocation1 or FileLocation2.

</p>

<p>Log in should be successfull, you should be logged on with the role defined

in the myconfig.xml configuration file. Login as an administrator, invoke the

user administration. In the user list, an account should exist with the username

you just logged on as. Also, if you create a new user or edit an existing user,

in the drop-down box for the authentication scheme, you now should have the

choice between the daisy built in scheme and the scheme we newly created.</p>

<p>It's worth noting a couple of points:</p>

<ul>

<li>if a user can access both files at FileLocation1 and FileLocation2 they

don't get both sets of roles</li>

<li>the roles associated with FileLocation1 and subUserCreator1 are checked

before FileLocation2 and subUserCreator1</li>

</ul>

<p>Best of luck getting it to work. A working example is provided

<p class="warn">Java's not my strong point; I'd never coded in it before tying

this. I'm sure that there's a better way of structuring this code, possibly

involving passing arrays of FileLocations and subUserCreators from the

authentication factory to the authentication scheme. <em>Please leave some

hints. :)</em></p>

</body>

</html>

Changes to links

Removed links

Author: Tim McDonald
mailto:t_mcdonald@meng.ucl.ac.uk

Added links

Author: Andreas Deininger
mailto:andreas@deininger.net

Changes to fields

No changes detected

Show diff

Creating a multi role authentication scheme

This step by step instruction explains how to extend the Daisy CMS with your own authentication scheme that fits your needs.

Assumption: You already set up daisy on a windows system and everything's working great. Your also doing the codeing and compiling on a separate system (a mac) because you too lazy to install the dev tool on the windows server...

Task: You would like new daisy users to be allocated a given role when they first logon. The system admin chaps would ideally like the group the user belongs to on a windows network to dictate this role allocation.

This solution is useful where there are a number of different users who need to see different resources on the same server (ie. student and staff at a university).

Step 1: Checking out the sources

Download the daisy sources daisy-x.x.x.tar.gz of the latest stable (or milestone) release at the download area (or check out the latest version from SVN, whatever you prefer). Extract the tarball into a directory on your local machine (although you do not have to create that environment variable, I will refer to that directory as DAISY_SRC during the rest ot this tutorial):

$ tar xvzf daisy-x.x.x.tar.gz

Step 2: Copy the sources of the Ntlm-authentication

Descend to the dircectory $DAISY_SRC/services/ and make a copy of the directory ntlm-auth, which contains the sources for the Ntlm authentication scheme. We take these sources as starting point and we will modify them to fit our needs.

$ cp -R ntlm-auth/ ntlm-group-auth

Step 3: Create the java classes for authentication

Step 3a: Rename the existing sourcefiles for AuthenticationFactory and AuthenticationScheme

Descend into the directory $DAISY_SRC/services/ssh-auth/src/java/org/outerj/daisy/authentication/impl
Rename the both existing sourcefiles for the AuthenticationFactory and the AuthenticationScheme

$ mv NtlmAuthenticationFactory.java NtlmGroupAuthenticationFactory.java
$ mv NtlmAuthenticationScheme.java NtlmGroupAuthenticationScheme.java

Step 3b: Edit NTLMGroupAuthenticationFactory.java

In your favourite editor or IDE, edit the source file for the NTLM Group Authentication Factory and change it to:

package org.outerj.daisy.authentication.impl;

import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.ConfigurationException;
import org.outerj.daisy.authentication.spi.*;
import org.outerj.daisy.plugin.PluginRegistry;

import javax.annotation.PreDestroy;
import java.util.Map;
import java.util.HashMap;

/**
 * Constructs and registers NtlmGroupAuthenticationSchemes with the UserAuthenticator.
 *
 */
public class NtlmGroupAuthenticationFactory  {
    private PluginRegistry pluginRegistry;
    private Map<String, AuthenticationScheme> schemes = new HashMap<String, AuthenticationScheme>();

    public NtlmGroupAuthenticationFactory(Configuration configuration, PluginRegistry pluginRegistry) throws Exception {
        this.pluginRegistry = pluginRegistry;
        this.configure(configuration);
        registerSchemes();
    }

    @PreDestroy
    public void destroy() {
        unregisterSchemes();
    }

    private void registerSchemes() throws Exception {
        for (Map.Entry<String, AuthenticationScheme> entry : schemes.entrySet()) {
            pluginRegistry.addPlugin(AuthenticationScheme.class, entry.getKey(), entry.getValue());
        }
    }

    private void unregisterSchemes() {
        for (Map.Entry<String, AuthenticationScheme> entry : schemes.entrySet()) {
            pluginRegistry.removePlugin(AuthenticationScheme.class, entry.getKey(), entry.getValue());
        }
    }

    private void configure(Configuration configuration) throws ConfigurationException {
        Configuration[] schemeConfs = configuration.getChildren("scheme");
        for (Configuration schemeConf : schemeConfs) {
            String name = schemeConf.getAttribute("name");
            String description = schemeConf.getAttribute("description");
            String domainControllerAddress = schemeConf.getChild("domainControllerAddress").getValue();
            String domain = schemeConf.getChild("domain").getValue();
			
			String file1 = schemeConf.getChild("fileLocation1").getValue();
			String file2 = schemeConf.getChild("fileLocation2").getValue();
			
			Configuration subUserCreator1 = schemeConf.getChild("subUserCreator1");
			UserCreator userCreator1 = UserCreatorFactory.createUser(subUserCreator1, name);
			
			
			Configuration subUserCreator2 = schemeConf.getChild("subUserCreator2");			
			UserCreator userCreator2 = UserCreatorFactory.createUser(subUserCreator2, name);

		
			AuthenticationScheme scheme = new NtlmGroupAuthenticationScheme(name, description, domainControllerAddress, domain, file1, userCreator1, file2, userCreator2);
			Configuration cacheConf = schemeConf.getChild("cache");
			if (cacheConf.getAttributeAsBoolean("enabled")) {
				int maxCacheSize = cacheConf.getAttributeAsInteger("maxCacheSize", 3000);
				long maxCacheDuration = cacheConf.getAttributeAsLong("maxCacheDuration", 30 * 60 * 1000); // default: half an hour
				scheme = new CachingAuthenticationScheme(scheme, maxCacheDuration, maxCacheSize);
			}

			if (schemes.containsKey(name))
				throw new ConfigurationException("Duplicate authentication scheme name: " + name);
			
			schemes.put(name, scheme);
				

            
        }
    }
}

Note that this authentication factory reads in the configuration for two files and userCreators which are then passed to the authentication scheme.

Step 3c: Edit NTLMGroupAuthenticationScheme.java

In your favourite editor or IDE, edit the source file for the NTLM Group Authentication Scheme and change it to:

package org.outerj.daisy.authentication.impl;

import org.outerj.daisy.authentication.spi.AuthenticationScheme;
import org.outerj.daisy.authentication.spi.AuthenticationException;
import org.outerj.daisy.authentication.spi.UserCreator;
import org.outerj.daisy.repository.Credentials;
import org.outerj.daisy.repository.user.User;
import org.outerj.daisy.repository.user.UserManager;
import jcifs.smb.SmbException;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbSession;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.*;
import jcifs.UniAddress;

import java.net.UnknownHostException;
import java.net.MalformedURLException;

public class NtlmGroupAuthenticationScheme implements AuthenticationScheme {
    private final String name;
    private final String description;
    private final String domainControllerAddress;
    private final String domain;
	private final String file1;
    private final UserCreator userCreator1;
	private final String file2;
    private final UserCreator userCreator2;

    public NtlmGroupAuthenticationScheme(String name, String description, String domainControllerAddress, String domain, String file1, UserCreator userCreator1, String file2, UserCreator userCreator2) {
        this.name = name;
        this.description = description;
        this.domainControllerAddress = domainControllerAddress;
        this.domain = domain;
		this.file1 = file1;
		this.userCreator1 = userCreator1;
		this.file2 = file2;
        this.userCreator2 = userCreator2;
    }

    public String getName() {
        return name;
    }

    public String getDescription() {
        return description;
    }

    public boolean check(Credentials credentials) throws AuthenticationException {
		if ( check1(credentials) ) {
			return true;
		}
		if ( check2(credentials) ) {
			return true;
		}			
		return false;
    }

    public boolean check1(Credentials credentials) throws AuthenticationException {
        UniAddress mydomaincontroller;
        try {
            mydomaincontroller = UniAddress.getByName(domainControllerAddress);
        } catch (UnknownHostException e) {
            throw new AuthenticationException("Error authenticating using NTLM.", e);
        }
        NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(domain, credentials.getLogin(), credentials.getPassword());		
		jcifs.Config.registerSmbURLHandler();
		SmbFile smbf;
		try {
			smbf = new SmbFile(file1, mycreds);

		}	catch( MalformedURLException seed ) {
            // NETWORK PROBLEMS?
            throw new AuthenticationException("Can't find the file specified", seed);
        }

        try {			
            return smbf.exists();	
        } catch( SmbAuthException sae ) {
            // AUTHENTICATION FAILURE
            return false;
        } catch( SmbException se ) {
            // NETWORK PROBLEMS?
            throw new AuthenticationException("Error authenticating using NTLM.", se);
        }
    }

    public boolean check2(Credentials credentials) throws AuthenticationException {
        UniAddress mydomaincontroller;
        try {
            mydomaincontroller = UniAddress.getByName(domainControllerAddress);
        } catch (UnknownHostException e) {
            throw new AuthenticationException("Error authenticating using NTLM.", e);
        }
        NtlmPasswordAuthentication mycreds = new NtlmPasswordAuthentication(domain, credentials.getLogin(), credentials.getPassword());
		
		jcifs.Config.registerSmbURLHandler();
		
		SmbFile smbf;
		
		try {
			smbf = new SmbFile(file2, mycreds);
		}	catch( MalformedURLException seed ) {
            // NETWORK PROBLEMS?
            throw new AuthenticationException("Can't find the file specified", seed);
        }

        try {
									
			return smbf.exists();
			
        } catch( SmbAuthException sae ) {
            // AUTHENTICATION FAILURE
            return false;
        } catch( SmbException se ) {
            // NETWORK PROBLEMS?
            throw new AuthenticationException("Error authenticating using NTLM.", se);
        }
    }

    public void clearCaches() {
        // do nothing
    }

    public User createUser(Credentials crendentials, UserManager userManager) throws AuthenticationException {
        if (userCreator1 != null) {
		if (check1(crendentials)) {
				User aUser = userCreator1.create(crendentials.getLogin(), userManager);
				return aUser;				
			}
        }
		if (userCreator2 != null) {
			if (check2(crendentials)) {
				User aUser = userCreator2.create(crendentials.getLogin(), userManager);
				return aUser;					
			}
        }
        return null;
    }
}

The jcifs library which daisy uses to perform NTLM authentication does not provide a simple method for checking if a user belongs to a certain windows group. However, by using the SmbFile() method for the jcifs library we can see if a user with a siven set of creidentials can access a file on a windows share. As a windows server can restrict access using groups this provides a cunning workaround.

The location of the file and other parameters are read from a the configuration file myconfig.xml, which we will create later on. This information is used inside the constructor of a new instance of our SSHAuthenticationScheme, which we created above.

You'll notice this section of code contains a number of fairly similar methods [i.e. check1() and check2()]. The methods which Daisy itself uses [i.e. check() and createUser()] calls these in order to perform the authentication at the two different levels .

I'm sure there a more elegent way of doing this....

Step 4: Building the authentication scheme

Step 4a: Compiling and packing your classes

I compile the files on my mac something like this:

Use the method of your choice to compile the code (Ant, Maven, your IDE, ...). When using the command below, we hope you know enough about this that everything should be on one line. For Windows, replace $DAISY_HOME with %DAISY_HOME% and the colons with semicolons)

javac -classpath 
   ~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-repository-api-2.2.jar:
   ~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-repository-server-spi-2.2.jar:
   ~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-pluginregistry-api-2.2.jar:
   ~/Documents/intranet/daisy-2.2/lib/daisy/jars/daisy-pluginregistry-api-2.2.jar:
   ~/Documents/intranet/daisy-2.2/lib/avalon-framework/jars/avalon-framework-api-4.3.jar:
   ~/Documents/intranet/daisy-2.2/lib/jcifs/jars/jcifs-1.1.11.jar:
   ~/Documents/intranet/daisy-2.2/lib/javax.annotation/jars/jsr250-api-1.0.jar:
   ~/Documents/intranet/daisy-2.2/lib/javax.servlet/jars/servlet-api-2.4.jar:
   ~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationScheme.class 
   ~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationFactory.java 
   ~/Documents/intranet/ntlm-group-auth/src/org/outerj/daisy/authentication/impl/NtlmGroupAuthenticationScheme.java

jar cvf ntlm-group-auth.jar *

I run this command from the directory shown below:

~/Documents/intranet/ntlm-group-auth/src/

Step 4b: Copying the jar-file into place

Copy the newly created jar file both into the lib directory of your daisy binary distribution ($DAISY_HOME/lib). Copy the file daisy-auth-ssh-<version>.jar into the directory daisy/jars/.

$ cp target/daisy-auth-ssh-<version>.jar $DAISY_HOME/lib/daisy/jars/

If you don't want to create a binary distribution of daisy it might be sufficient to copy the jar-file to the $DAISY_HOME/lib directory only.

Details from this point on are a little sketchy, need to check the info on a different PC.

Step 5: Registering and configuring the new component

Step 5a: Registering the new component

Edit the file $DAISY_HOME/repository-server/conf/block.xml. Inside the container named authentication, include your newly created scheme. The element <container> of block.xml now should look like (adapt the versions of your jar files for ntlm and ssh authentication!):

<container name="authentication">
  <services>
    <service type="org.outerj.daisy.authentication.UserAuthenticator">
      <source>authenticator</source>
    </service>
    <service type="org.outerj.daisy.authentication.AuthenticationSchemeRegistrar">
      <source>authenticator</source>
    </service>
  </services>

  <component name="authenticator" class="org.outerj.daisy.authentication.impl.UserAuthenticatorImpl"/>

  <component name="daisy-native" class="org.outerj.daisy.authentication.impl.DaisyAuthenticationFactory">
    <configuration>
      <cache enabled="true" maxCacheSize="3000" maxCacheDuration="1800000"/>
    </configuration>
  </component>

  <component name="ldap" class="org.outerj.daisy.authentication.impl.LdapAuthenticationFactory">
    <configuration>
      <!-- See myconfig.xml.template for an example configuration -->
    </configuration>
  </component>

  <include name="ntlm" id="daisy:daisy-auth-ntlm" version="1.4-dev"/>
  <include name="ssh" id="daisy:daisy-auth-ssh" version="1.4-dev"/>
  <include name="ntlm-group" id="daisy:daisy-auth-ssh" version="1.4-dev"/>

</container>

Step 5b: Configuring the new component

Inside the directory $DAISY_HOME/repository-server/conf/ you will find a file myconfig.xml.template. Copy this file into the directory conf/ inside your repository and rename it to myconfig.xml

$ cp $DAISY_HOME/repository-server/conf/myconfig.xml.template /path/to/your/repository/conf/myconfig.xml

Edit the newly created file myconfig.xml. Add a target in order to configure your authentication scheme, inside that target, fill in the IP or host name of your SSH-server. Also, in order to enable automatically creation of user accounts once the user logs in to daisy for the first time, define our newly created scheme as authentification scheme for user creation as shown below:

<targets>
  <target path="..."
    ...
  </target>

  ... many more targets

  <target path="/daisy/repository/authentication/authenticator">
    <configuration>
      <!-- Indicates which authentication scheme to use, if any, to automatically create new users. -->
      <authenticationSchemeForUserCreation>ntlmgroup1</authenticationSchemeForUserCreation>
    </configuration>
  </target>

  ... many more targets

  <target path="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
    <configuration>
       <!-- You can configure one or more NTLM-based authentication schemes here -->
          <!-- Notes:
                - the name of a scheme should not be daisy, no two schemes can have the same name
                - the autoCreateUser element is optional
          -->
          <scheme name="ntlmgroup1" description="Test NTLM Group config">
            <domainControllerAddress>127.0.0.1</domainControllerAddress>
            <domain>yum</domain>
            <cache enabled="true" maxCacheSize="3000" maxCacheDuration="1800000"/>
			<fileLocation1>afilelocation</fileLocation1>
			<fileLocation2>afilelocation</fileLocation2>
			<subUserCreator1>
			   <autoCreateUser>
				  <roles>
					<role>User</role>
				  </roles>
				  <defaultRole>User</defaultRole>
				  <updateableByUser>true</updateableByUser>
				</autoCreateUser>
				<test>astring</test>
                         </subUserCreator1>
			 <subUserCreator2>
			   <autoCreateUser>
				  <roles>
					<role>User</role>
				  </roles>
				  <defaultRole>User</defaultRole>
				  <updateableByUser>true</updateableByUser>
				</autoCreateUser>
                         </subUserCreator2>
	</scheme>
    </configuration>
  </target>
</targets>

Step 6: Running and testing the new scheme

Now we are ready to test our new scheme! Restart the repository server and the daisy wiki.
Try to log on to daisy with any username/password combination which should have permissions to access one of the files at either FileLocation1 or FileLocation2.

Log in should be successfull, you should be logged on with the role defined in the myconfig.xml configuration file. Login as an administrator, invoke the user administration. In the user list, an account should exist with the username you just logged on as. Also, if you create a new user or edit an existing user, in the drop-down box for the authentication scheme, you now should have the choice between the daisy built in scheme and the scheme we newly created.

It's worth noting a couple of points:

if a user can access both files at FileLocation1 and FileLocation2 they don't get both sets of roles
the roles associated with FileLocation1 and subUserCreator1 are checked before FileLocation2 and subUserCreator1

Best of luck getting it to work. A working example is provided here (application/octet-stream, 11.4 kB, info).

Java's not my strong point; I'd never coded in it before tying this. I'm sure that there's a better way of structuring this code, possibly involving passing arrays of FileLocations and subUserCreators from the authentication factory to the authentication scheme. Please leave some hints. :)

Wiki

Workflow features

General

Changes to parts

Part "Content" has changed

Changes to links

Changes to fields

Workflow features

Status updates

Next steps

Multi-valued variables

Custom form templates

Disable "reassign" task

Creating a multi role authentication scheme

General

Changes to parts

Part "Content" has changed

Changes to links

Removed links

Added links

Changes to fields

Creating a multi role authentication scheme

Step 1: Checking out the sources

Step 2: Copy the sources of the Ntlm-authentication

Step 3: Create the java classes for authentication

Step 3a: Rename the existing sourcefiles for AuthenticationFactory and AuthenticationScheme

Step 3b: Edit NTLMGroupAuthenticationFactory.java

Step 3c: Edit NTLMGroupAuthenticationScheme.java

Step 4: Building the authentication scheme

Step 4a: Compiling and packing your classes

Step 4b: Copying the jar-file into place

Step 5: Registering and configuring the new component

Step 5a: Registering the new component

Step 5b: Configuring the new component

Step 6: Running and testing the new scheme

Links