Versions Compared

...

So that it can stand alone without an external user repository, Roller stores
user and role information in its own database tables.

...

Those tables are represented in Roller by the User and UserRole objects, simple
POJO objects stored by Roller's ORM based UserManager.

...

For sites that have an external user repository or user permissions system,
this is a problem. Some would like user information such as email address, locale,
timezone, full name, etc. pulled from an external system. Some would like
users' roles to be pulled from an external system. Some would like both.

...

Reduce the User class down to just two fields, id and username. Everything
else goes into a new UserProfile class. UserProfiles can be stored externally,
so Roller should obtain them through a new User Repository API.

...

Roller uses a framework called Acegi to handle authentication and authorization.
Instead of relying on the authentication and authorization features built into
the container on which Roller runs, Roller relies on Acegi.

When Acegi is authenticating a user it pulls username, password and role
information from the RollerUserDetailsService, which in turn fetches that
information from the User and UserRole objects via UserManager.

Acegi is implemented as a Servlet Filter, which intercepts each request and
decides if the user is authenticated, needs to login first, etc. Acegi takes
care of routing the user to the login page and back to the original page that
the user requested. Acegi wraps the ServletRequest so that it can return the
right value when request.getUserPrincipal() is called by the application.

...

Using Acegi makes Roller installation painless in standalone situations, but
some Acegi skills are required to reconfigure Roller to authenticate against
an LDAP system. And the only SSO system that Acegi supports out of the box is
Yale CAS. And some folks would like to disable Acegi to take advantage of the
authentication and authorization services that are built into containers now,
e.g. the SSO support that's built into WebSphere, GlassFish, etc.

...

Make it possible to turn off Acegi by modifying web.xml and to extend the
Roller application class RollerContext to init without Acegi. Moving forward,
we should not introduce further dependencies on Acegi in Roller.

...

Because Roller uses the ORM system to load a User's Roles, the roles must come
from the database. And because Roles are part of the User, some sort of join
must happen to load each User object with Roles.

...

Instead of relying on ORM supported role methods in the user object, Roller
front-end code should call the user manager:

...

And instead of calling role-related methods on the user object, Roller code
should use either request.isUserInRole() or the isUserInRole() method provided
by the UserManager.

Our UserManager implementation will in turn call the User Repository API.

...

Roller will include a User Repository API that stores data in the Roller
database. Other implementations can be plugged in via DI.
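The following sketch illustrates the shape of the split proposed above (a two-field User, a separate UserProfile, a pluggable repository behind UserManager.isUserInRole()). It is an added example, not Roller's code; the UserRepository interface, its method names and the InMemoryUserRepository stand-in for the database-backed implementation are assumptions.

```java
// Illustrative sketch of the proposed design, not Roller's actual classes.
// UserRepository, its methods and InMemoryUserRepository are assumed names.
import java.util.*;

// The proposal reduces User to two fields; everything else lives in UserProfile.
record User(String id, String username) {}
record UserProfile(String userId, String emailAddress, String fullName,
                   Locale locale, TimeZone timeZone) {}

// The pluggable boundary: a site supplies an LDAP- or SSO-backed implementation via DI.
interface UserRepository {
    Optional<User> findByUsername(String username);
    Optional<UserProfile> profileFor(User user);
    Set<String> rolesFor(User user);
}

// Map-backed default standing in for the implementation that uses Roller's own tables.
final class InMemoryUserRepository implements UserRepository {
    private final Map<String, User> users = new HashMap<>();
    private final Map<String, UserProfile> profiles = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();

    void add(User u, UserProfile p, String... roleNames) {
        users.put(u.username(), u);
        profiles.put(u.id(), p);
        roles.put(u.id(), new HashSet<>(Arrays.asList(roleNames)));
    }
    public Optional<User> findByUsername(String n) { return Optional.ofNullable(users.get(n)); }
    public Optional<UserProfile> profileFor(User u) { return Optional.ofNullable(profiles.get(u.id())); }
    public Set<String> rolesFor(User u) { return roles.getOrDefault(u.id(), Set.of()); }
}

// UserManager no longer reads roles off the User object; it asks the repository.
// An unknown username yields no User, and therefore no roles (deny by default).
final class UserManager {
    private final UserRepository repo;
    UserManager(UserRepository repo) { this.repo = repo; }

    boolean isUserInRole(String username, String role) {
        return repo.findByUsername(username)
                   .map(u -> repo.rolesFor(u).contains(role))
                   .orElse(false);
    }
}

public class Demo {
    public static void main(String[] args) {
        InMemoryUserRepository repo = new InMemoryUserRepository();  // constructed sample data
        repo.add(new User("u1", "alice"),
                 new UserProfile("u1", "alice@example.org", "Alice", Locale.US,
                                 TimeZone.getTimeZone("UTC")), "editor");
        UserManager mgr = new UserManager(repo);
        System.out.println(mgr.isUserInRole("alice", "editor"));
        System.out.println(mgr.isUserInRole("alice", "admin"));
        System.out.println(mgr.isUserInRole("mallory", "editor"));
    }
}
```

Swapping InMemoryUserRepository for an implementation that talks to LDAP or the container's identity store is the only change a site would make; front-end code keeps calling isUserInRole().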

...