Investigate future Security framework options

Details

Type: Task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.2
Fix Version/s: Backlog
Component/s: Users/Security
Labels:
None

Number of attachments :
0

Description

This is just a stub ticket as we have been rumbling about replacing/improving our choice of security framework in 1.2

Ideally it should be very easy for administrators of Archiva to back auth onto a variety of systems - LDAP, Active Directory, Atlassian Crowd, OpenSSO, etc

Possible frameworks:

Redback (Current, could do with some love) - http://redback.codehaus.org
Spring-Security (was ACEGI) - http://static.springframework.org/spring-security/site/
JSecurity (new Apache Incubator project) - http://www.jsecurity.org/

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Emmanuel Venisse added a comment - 11/Jun/08 3:20 AM

LDAP support is very good now in Redback.
Maybe I'm wrong but I think AD connection is a standard LDAP connection.

Spring-security is the most powerful framework, it is alone to support LDAP, AD, Crowd, JOSSO (I don't think OpenSSO) and more (http://static.springframework.org/spring-security/site/reference/html/introduction.html)

As we already use Spring, I think spring-security would be the best option for users.

Show

Emmanuel Venisse added a comment - 11/Jun/08 3:20 AM LDAP support is very good now in Redback. Maybe I'm wrong but I think AD connection is a standard LDAP connection. Spring-security is the most powerful framework, it is alone to support LDAP, AD, Crowd, JOSSO (I don't think OpenSSO) and more ( http://static.springframework.org/spring-security/site/reference/html/introduction.html ) As we already use Spring, I think spring-security would be the best option for users.

Hide

Permalink

James William Dumay added a comment - 11/Jun/08 7:12 PM

One thing I would like to avoid is possibly requiring users to edit the spring configuration directly to get ldap going - is that possible with spring-security ?

Show

James William Dumay added a comment - 11/Jun/08 7:12 PM One thing I would like to avoid is possibly requiring users to edit the spring configuration directly to get ldap going - is that possible with spring-security ?

Hide

Permalink

Emmanuel Venisse added a comment - 12/Jun/08 3:23 AM

you want admin pages to manage connection, users, groups and roles, right?
I'm not sure it exist and I think it is specific to a project, but I'm sure all API are there. I'll must do it in few weeks for a customerFlex project.

Show

Emmanuel Venisse added a comment - 12/Jun/08 3:23 AM you want admin pages to manage connection, users, groups and roles, right? I'm not sure it exist and I think it is specific to a project, but I'm sure all API are there. I'll must do it in few weeks for a customerFlex project.

Hide

Permalink

Andreas Christoforides added a comment - 19/Jun/08 4:08 PM

I would also vote for Spring security. I personally wasn't even aware of the Redback project until I started looking into Archiva and Continuum. I believe that is probably the case for most Java developers not involved in the Apache community. On the other hand, Acegi/Spring security is what most Java developers are familiar with.

Show

Andreas Christoforides added a comment - 19/Jun/08 4:08 PM I would also vote for Spring security. I personally wasn't even aware of the Redback project until I started looking into Archiva and Continuum. I believe that is probably the case for most Java developers not involved in the Apache community. On the other hand, Acegi/Spring security is what most Java developers are familiar with.

Hide

Permalink

Wolfgang Strunk added a comment - 20/Jul/08 3:32 PM

Configuration of Spring security looks much simpler than redback configuration.
Although LDAP support is available for Redback, I still do have problems unless I use the latest SNAPSHOT of Redback ant put it into archiva WEBINF/lib. Only this version utilizes my security.properties file.

Show

Wolfgang Strunk added a comment - 20/Jul/08 3:32 PM Configuration of Spring security looks much simpler than redback configuration. Although LDAP support is available for Redback, I still do have problems unless I use the latest SNAPSHOT of Redback ant put it into archiva WEBINF/lib. Only this version utilizes my security.properties file.

Hide

Permalink

Maria Odea Ching added a comment - 20/Jul/08 8:59 PM

Btw, Archiva 1.1 already uses the latest released version of redback which contains the LDAP fixes so you won't need to copy the snapshot version to WEB-INF/lib.

Show

Maria Odea Ching added a comment - 20/Jul/08 8:59 PM Btw, Archiva 1.1 already uses the latest released version of redback which contains the LDAP fixes so you won't need to copy the snapshot version to WEB-INF/lib.

Hide

Permalink

Justin Koke added a comment - 18/Jun/09 8:18 PM

I would also really like to add my voice to this issue.

Security is hard to get right, and it usually scares me when I find 'yet another security framework'.

I didn't know about Redback until I found it in Archiva and I am astonished that it was chosen as an option for this project.

I would highly recommend moving away from Redback and use Spring Security.

Show

Justin Koke added a comment - 18/Jun/09 8:18 PM I would also really like to add my voice to this issue. Security is hard to get right, and it usually scares me when I find 'yet another security framework'. I didn't know about Redback until I found it in Archiva and I am astonished that it was chosen as an option for this project. I would highly recommend moving away from Redback and use Spring Security.

Hide

Permalink

Olivier Lamy added a comment - 27/Oct/11 4:58 PM

shiro (with a wrapper in redback) ?

Show

Olivier Lamy added a comment - 27/Oct/11 4:58 PM shiro (with a wrapper in redback) ?

People

Assignee:

Unassigned

Reporter:

James William Dumay

Vote (2)

Watch (3)

Dates

Created:

10/Jun/08 9:40 PM

Updated:

27/Oct/11 4:58 PM