Weblog

published Nov 03, 2021, last modified Nov 04, 2021

Plone and Single Sign On

published Sep 19, 2007, last modified Sep 20, 2007

By Duco Dokter of Goldmund, Wildebeast & Wunderliebe at the Dutch Plone user day, 19 September 2007.


Existential matters

What is it? Authenticating once for multiple applications. One meta-session. There is also Web SSO, specifically for web applications.

Why would you want it? Users like it, even though it adds nothing essential. It is simply convenient. You do need fewer accounts, just as with OpenID, for example. The focus of the security policy is also central, so it is handy from a policy and administration point of view.

How does it work? There is one source that handles authentication. That source is trusted by other applications. A reliable protocol has been established for this relationship.

Plone and SSO

You can arrange for multiple Plone sites to share the same user data, so that logging in to one immediately authenticates you for the other. You can use Plone as a front end for other sites, for example by means of Atom or RSS feeds. You can have other (non-)web applications in the same sessions. Like others, Plone can also make use of LDAP, though we are not talking about that tonight.

CAS is an SSO server built at Yale University. It is an open protocol. Plone can talk to it by means of PlonePAS and CAS4PAS and optionally PloneCASLogin.

Session A

You visit (make an HTTP request to) Plone site A. You get a so-called challenge from CAS4PAS, which redirects you to the CAS server over HTTPS. There you log in. The CAS server sets a cookie and redirects you back to the callback service (that is, Plone site A) with a ticket. Plone site A then goes back to the CAS server itself with that ticket and asks whether the ticket is valid. If it checks out, the CAS server deletes the ticket, tells Plone site A that everything is in order and gives the netID, the user name of the person who has just logged in. Plone site A then gives a response to the user, with a Plone cookie.

Session B

You visit Plone site B. You choose the login link to the CAS server or are automatically redirected to the authentication. The CAS server recognizes the session based on your cookie. CAS therefore immediately sends back a ticket, without you having to fill in your user name and password. After that it goes the same way as in session A.
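The two sessions described above, as an added sketch that is not part of the original talk or of CAS4PAS: a toy in-memory CAS server and two stand-in Plone sites, with all class names, URLs and the jdoe account constructed for illustration. It also rejects a ticket presented for a different service than the one it was issued for, which the CAS protocol requires but the summary above does not spell out.

```python
import secrets
class CasServer:
    """Toy in-memory stand-in for a CAS server (not the real implementation)."""
    def __init__(self, users):
        self.users = users      # netID -> password, constructed sample data
        self.sessions = {}      # CAS cookie -> netID
        self.tickets = {}       # ticket -> (service URL, netID)

    def login(self, service, cookie=None, netid=None, password=None):
        """Browser side: credentials are needed only without a CAS session."""
        if cookie not in self.sessions:
            if password is None or self.users.get(netid) != password:
                raise PermissionError("login required")
            cookie = secrets.token_urlsafe(16)
            self.sessions[cookie] = netid
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (service, self.sessions[cookie])
        return cookie, ticket

    def validate(self, service, ticket):
        """Back channel from the site: the ticket is deleted on first use."""
        issued_for, netid = self.tickets.pop(ticket, (None, None))
        return netid if issued_for == service else None

class PloneSite:
    """Stand-in for a Plone site behind CAS4PAS (hypothetical names)."""
    def __init__(self, url, cas):
        self.url, self.cas = url, cas
        self.cookies = {}       # Plone cookie -> netID
    def callback(self, ticket):
        netid = self.cas.validate(self.url, ticket)
        if netid is None:
            raise PermissionError("invalid ticket")
        plone_cookie = secrets.token_urlsafe(16)
        self.cookies[plone_cookie] = netid
        return plone_cookie

def demo():
    cas = CasServer({"jdoe": "s3cret"})
    site_a = PloneSite("https://a.example.org", cas)
    site_b = PloneSite("https://b.example.org", cas)
    # Session A: no CAS cookie yet, so the user logs in at the CAS server.
    cas_cookie, ticket_a = cas.login(site_a.url, netid="jdoe", password="s3cret")
    cookie_a = site_a.callback(ticket_a)
    # Session B: the CAS cookie alone yields a ticket for site B.
    _, ticket_b = cas.login(site_b.url, cookie=cas_cookie)
    cookie_b = site_b.callback(ticket_b)
    replayed = cas.validate(site_a.url, ticket_a)  # None: already consumed
    return site_a.cookies[cookie_a], site_b.cookies[cookie_b], replayed
```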

For the back end, LDAP or SQL is often used.

Maurits van Rees, BICT

published Jul 19, 2007

I am now a Bachelor of ICT!

Today I got my diploma. I have finished my study of Informatics (specializing in Software Engineering) at the Rotterdam University. So I can now call myself Maurits van Rees, BICT (Bachelor of Information and Communication Technologies).

At the moment I am extremely happy, relieved, proud, joyful and very much in want of a short, well deserved, vacation. Tomorrow I am heading for a week to the Dutch New Wine Summer Conference.

Cheers!

Ing. Maurits van Rees

published Jul 19, 2007

I am now a graduated engineer!

Today I received my diploma. So I have completed my study of Informatics (specialization Software Engineering) at the Hogeschool Rotterdam. So I may call myself ing. Maurits van Rees. :-) Or, in English: Maurits van Rees, BICT (Bachelor of Information and Communication Technology).

So at the moment I am quite cheerful, proud, glad, relieved, ecstatic, happy and badly in need of a well-deserved vacation. Tomorrow I leave for a week for the New Wine summer conference.

Cheers!

Discovering GenericSetup

published Jun 25, 2007, last modified Jun 25, 2007

I looked at GenericSetup trunk recently and I discovered some things I was not yet aware of.

If you want to know more about the current state of the trunk of GenericSetup, this thread on the CMF list is a good start.

I had some things to say there too, including a patch.

Rob Miller gave me some helpful pointers, especially about import_various steps.

I learned some things from him and from rummaging around in the code myself.

Context

A GenericSetup handler gets passed a context when called. This context is not the Plone Site or some other content. It is a special GenericSetup context, as defined in GenericSetup/context.py. One of the things you can do with that context is passing it some text for its logger so you get some messages in your log files and in the GenericSetup log:

logger = context.getLogger('eXtremeManagement')
logger.info('eXtremeManagement_various step imported')

Various import steps

When you apply a GenericSetup profile (base or extension does not matter) all registered import steps are executed. So if you have an extension profile that only has a propertiestool.xml file, still all import steps (which can be a few dozen) are run. If all authors of those import steps have done their work correctly, all but one exit immediately as they realize they do not need to do anything.

I will quote Rob Miller here:

It is the responsibility of an import step's implementation to ensure that it is indeed appropriate to perform its actions during any given invocation of the step.

All of the XML-based import steps already do this; they check for the existence of a specific XML file, and if they find it they perform the action. If they do not find the file, no problem, they do nothing.

The so-called importVarious steps, i.e. any step that uses a plain old Python function as its handler (as opposed to building on the existing XML parsing infrastructure), must perform this check explicitly. You could restrict it to only running when the intended profile is the one being imported, or you could check for the existence of a specific file within the profile. I like the latter choice.

The summary in my own words: if you want to be a good CMF citizen, you had better make sure that the importVarious step of your profile (or any other import step you define yourself) is only executed when your profile is applied and not when the profile of some unrelated product is applied.

So, taking some pointers from how CMFPlone and CMFEditions do it, I fixed eXtremeManagement. I added a file profiles/default/extrememanagement_various.txt. This can remain empty but it is clearer to add a comment, like this:

The eXtremeManagement_various step is run if this file is present in
the profile.

Then I changed setuphandlers.py:

def importVarious(context):
    # Only run step if a flag file is present
    if context.readDataFile('extrememanagement_various.txt') is None:
        return

For reference, this is the profiles/default/import_steps.xml file that tells GenericSetup about this handler:



  
    
    
    
    Import steps that couldn't be mapped to other handlers.
  

So if you have a CMF/Plone product which defines its own import step (like import various, but it can be a totally different step), please make sure that this step only runs when your own profile is applied.
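To see the effect of the flag-file check, here is an added simulation that is not GenericSetup code or code from eXtremeManagement: FakeContext, apply_profile, unguardedVarious and the SomeProduct profile are hypothetical stand-ins, and only readDataFile and the flag file name come from the post. The flag file is left empty on purpose, which is why the check has to be `is None` and not a truthiness test.

```python
class FakeContext:
    """Stand-in for the GenericSetup import context (not the real class)."""
    def __init__(self, profile_name, files):
        self.profile_name = profile_name
        self.files = files      # filename -> text, constructed sample profile

    def readDataFile(self, filename):
        # As relied on in the post: None when the profile lacks the file.
        return self.files.get(filename)

ran = []  # records (step, profile) for every step that actually did work

def importVarious(context):
    # Guarded step: only acts when its flag file is in the applied profile.
    if context.readDataFile('extrememanagement_various.txt') is None:
        return
    ran.append(('eXtremeManagement_various', context.profile_name))

def unguardedVarious(context):
    # Hypothetical step from another product that forgot the check.
    ran.append(('other_various', context.profile_name))

def apply_profile(context, steps):
    # All registered import steps are called for every applied profile.
    for step in steps:
        step(context)

def demo():
    ran.clear()
    steps = [importVarious, unguardedVarious]
    xm = FakeContext('eXtremeManagement:default', {
        'extrememanagement_various.txt': '',   # empty flag file still counts
        'propertiestool.xml': '<object/>',
    })
    unrelated = FakeContext('SomeProduct:default', {
        'propertiestool.xml': '<object/>',
    })
    apply_profile(xm, steps)
    apply_profile(unrelated, steps)
    return list(ran)
```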

Upgrade profiles

GenericSetup now has support for profiles that you can use to upgrade a product, instead of applying the complete profile again. I only looked at the code and have not actually tried this. But this is absolutely something I want to use in eXtremeManagement too. So I will probably write about that later.

Report on eXtremeManagement

published Jun 21, 2007

I finished a report for school about work I did on eXtremeManagement at Zest Software the past months. Biggest parts: getting xm to run on Plone 3.0 and use Zope 3 technologies. Download the report or read the preface, abstract and conclusion.

I made a report (link to pdf) for school about the eXtremeManagement project management tool for Plone. Now I just need to finish two other classes and then I am done studying. Read on for the preface, conclusion and abstract.

Preface

This report describes my final assignment for my study Informatics at the Rotterdam Institute for Informatics Studies (RIVIO) of the Hogeschool Rotterdam. The assignment lasted from February till June 2007. It was carried out for web development company Zest Software in Hoogvliet, The Netherlands. I have been working there since November 2005. Previous reports for school of my work for Zest Software (including this report) can be found on my website.

The main subject of this report is eXtremeManagement. This is a project management tool for the open source content management system Plone. At Zest Software we use this tool on a daily basis to keep track of what our customers want and how much time we have worked for them.

This eXtremeManagement tool can use some updates, which is the goal of this assignment. The focus is on the underlying technology: using more and more features made available by newer versions of Plone and the Zope web development framework that Plone is built on. Also some user interface improvements will be made.

I thank Hans Manni from RIVIO for keeping me on track for finishing my study. I thank Aad van Raamt for being the second teacher next to Hans on the committee. I thank Jean-Paul and Esther Ladage for giving me the opportunity to work on eXtremeManagement for five months. I thank Reinout for the photo on the front page. I thank my colleagues from all over the world for their feedback, their own additions to eXtremeManagement and for making Zest Software a very nice team to work and have fun with.

Conclusion

eXtremeManagement has been given a thorough cleanup. It runs on the current Plone 3.0 beta. Where useful, Zope 3 technologies have been put to good use. Personally, I have learned a lot about these new software versions and I am sharing that knowledge on my weblog and in mailing lists. At Zest Software we are happily using the latest version of eXtremeManagement and are full of ideas for further improvement.

Some recommendations and further actions to take:

  • Release a new version of eXtremeManagement soon: it is ready.
  • Building on the foundation laid during this assignment, do more work on the user interface. There are lots of ideas floating around. See Future plans (Appendix A).
  • Once Plone 3.0 is officially out, copy the current subversion trunk to a maintenance branch and continue development for Plone 3.0 only on trunk.

In closing, I will say I had a great time with eXtremeManagement and its users and co-developers on the mailing list. eXtremeManagement is a rocking product, ready to handle the future.

Abstract

This report describes my final assignment for school, which is: improve the eXtremeManagement tool: a project management tool based on Extreme Programming principles and running on content management system Plone.

The Introduction (chapter 1) paints the landscape of this assignment. What is Zope? What is Plone? What is eXtremeManagement? How do they fit together?

I made some improvements to the User Interface (chapter 2). Most of the original ideas there were not implemented however, for various reasons, ranging from simple lack of time to fresh insights that invalidated the original plan. The focus of the assignment was shifted to improving the core, instead of the front door.

Plone 3.0 (chapter 3) tells the tale of getting eXtremeManagement ready to run on the new (still in beta status) version 3.0 of Plone. I did some standard fixes applicable to all third party Plone products. I also did some other changes that were found to be needed. Finally I added an improvement to core Plone to make this upgrade easier for other products.

With Zope 3 (chapter 4) we come to the heart of the matter. More than originally envisioned the focus needed to be put here. I added marker and functional interfaces. I created browser views to make a clearer Model-View-Controller distinction. I introduced annotations for keeping track of estimates and hours worked. All three work together to make a far cleaner version of eXtremeManagement than was there at the beginning of this assignment.

I draw the Conclusion (chapter 5) that eXtremeManagement is clean and future-proof and that I have learned a lot in this assignment.