
Clearspace 2.0 made several improvements to the internal security mechanisms within the product that serve to streamline and standardize the way authentication, authorization and auditing occur within the application. Following on Dolan's blog about Spring in Clearspace 2.0, this post will cover the Acegi-related changes for 2.0 security.

 

Motivation

There were several motivations for using Acegi Security in Clearspace 2.0:

  • Reuse of standard, community reviewed code - At the time of writing, Acegi is planned to be incorporated into Spring proper in the near future. Particularly with security-related code, community review is essential to producing a more robust end result.

  • Removal of unnecessary, Jive-specific code - There really wasn't a need for us to manage our own authentication framework, authorization framework, X509 handling, etc. when Acegi has already made available a solid implementation. Additionally, Acegi gives us out of the box AuthenticationProvider and Filter implementations for things that previously we had to roll from scratch such as SiteMinder integration or X509 authentication. Acegi's implementations will still require some customization, largely due to the way we perform authorization, but the jive-managed code can be substantially reduced.

  • Community - As with Spring, Acegi has a healthy community that we can leverage, both through shared code as well as by contributing back to the project.

  • Flexibility - Acegi is well written and tends to give us extension points where we need them. For example, we needed to support existing LDAP configurations from Clearspace 1.x installations. This required us to inject custom LDAP search properties into the Acegi BindAuthenticator which was easily done through the setUserSearch method on the authenticator.

  • Leverage Existing Enterprise Competencies - Acegi and Spring are fairly well known in Java enterprise development. Existing skill sets around Acegi will translate to SSO implementations with Clearspace 2.0 as opposed to the 1.x model which required a customer's developers to learn an entirely new security model.

 

Implementation

Authentication

The Clearspace 2.0 authentication model follows standard Acegi authentication, defining a Spring-managed FilterChainProxy bean in web.xml which then delegates to URL-mapped filter chains. These chains manage various security-related concerns including session expiration, authentication cookie management, password encoding, user profile loading and federated identity features of Clearspace. One notable change is the move to a stronger password hash using a SHA-256 hash of a salted password. Additionally, the amount of Jive-specific LDAP code has been dramatically reduced, delegating instead to Acegi's LDAP lookup and bind implementation.

 

Authorization

Clearspace 2.0 authorization has not changed substantially from 1.x, with the exception that contextual information about a user is now accessed via the Acegi SecurityContext rather than explicitly passed through the application as AuthToken objects. This change focused the APIs on business concerns and moved security concerns to more of a cross-cutting realm, a change we're leveraging in 2.1 to make authorization driven by annotation rather than proxied objects. The hope for 2.1 is that this will greatly reduce the amount of authorization code while improving security.

 

Auditing

Acegi fundamentally feeds into the new auditing features of Clearspace 2.0. Based on contextual authentication information accessed by Acegi's SecurityContext, the auditing functionality logs operations performed by the effective user performing an action in the system.

 

Customization

 

Customization of authentication and authorization has several extension mechanisms in Clearspace 2.0, and the required APIs have been simplified. The older AuthFactory class has been removed, and implementing Jive-specific interfaces is no longer required to customize the authentication mechanism. The goal for 2.0 authentication customization has shifted to a more modular, composition- and inversion-of-control-driven approach. This better aligns with the Spring-standard Acegi approach and focuses customization on Spring-managed filters and/or AuthenticationProvider implementations. The Clearspace 2.0 documentation has more information on creating new authentication customizations or migrating 1.x authentication customizations.
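A sketch of the AuthenticationProvider style of customization described above, combined with a salted SHA-256 check. This is an added example, not Jive's or Acegi's own code. The class name, the `ROLE_MACHINE` authority, the in-memory account map and the salt-then-password hashing order are assumptions, and it expects the Acegi Security 1.0.x jar on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

// Hypothetical provider: verifies a salted SHA-256 hash for a small set of accounts.
public class MachineAccountAuthenticationProvider implements AuthenticationProvider {
    // Constructed storage layout: username -> { salt, SHA-256(salt || password) }.
    private final Map<String, byte[][]> accounts;

    public MachineAccountAuthenticationProvider(Map<String, byte[][]> accounts) {
        this.accounts = accounts;
    }

    // One SHA-256 pass, as the post names; far cheaper to brute-force offline than a slow KDF.
    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new AuthenticationServiceException("SHA-256 unavailable", e);
        }
    }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        byte[][] stored = accounts.get(auth.getName());
        Object presented = auth.getCredentials();
        // Unknown user, missing password and wrong password all raise the same exception.
        // MessageDigest.isEqual compares the two digests in constant time.
        if (stored == null || presented == null
                || !MessageDigest.isEqual(stored[1], hash(stored[0], presented.toString()))) {
            throw new BadCredentialsException("Bad credentials");
        }
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_MACHINE") };
        // The three-argument constructor yields an authenticated token; the password is not retained.
        return new UsernamePasswordAuthenticationToken(auth.getName(), null, roles);
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```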

 

 

 

 

 

The hope for these changes is that they will improve, standardize and simplify security as it exists in Clearspace. Let us know your feedback!

 

 

dawn

New Plugin: Member Map

Posted by dawn Mar 26, 2008

Jim Tremlett just released Member Map, a new plugin for Clearspace based on Google Maps.

 

The Member Map plugin builds on the Google Map plugin developed by Jay Allen. The plugin displays the location of members of a community based on their addresses. The plugin employs Google's Map API for both the display of the map as well as the geocoding of addresses. As such, the address may be as general as a zip code or state, or as specific as a full address including street address.

 

dawn

Prototype in Clearspace 2.0

Posted by dawn Mar 25, 2008

In this video, Clearspace developer Nick Hill talks about how Prototype, Scriptaculous and other JavaScript technologies are used within Clearspace 2.0. This was originally presented as an internal Jive training to get our developers up to speed on some of the newer technologies used in Clearspace 2.0, and we wanted to share it with other people doing Clearspace development. If you want to learn more about the Clearspace 2.0 beta, you can visit the beta area on Jivespace.

 

The pdf file with the complete slides from the presentation is attached below.

 

 

 

You can watch a larger Flash version or download the Quicktime Movie version (Caution: 179MB file)

For those of you who are fans of Spring, or those who are just plain curious, I'd like to briefly go over the parts of the framework we used in the latest release of Clearspace.  One of our goals for the new release was to take advantage of the power the framework offered where it made sense to us, and in the end it turned out Spring and Clearspace are a good fit for each other.

 

Core Context and Struts: The JiveContext now extends the Spring ApplicationContext.  Everything registered with the context is a Spring bean.  Struts actions and interceptors are autowired using these bean definitions.  Writing Actions just got a whole lot simpler.

 

Data Access: We changed a lot of our code to use Spring's JdbcTemplate and SimpleJdbcTemplate.  This has the advantage of making our DAO code much simpler and less error prone, as well as quicker to write.  Some classes ended up half the size after this effort.  We used annotation-based transactions, wired in using Spring's AspectJ support via the AnnotationTransactionAspect.  This allowed us to quickly add transactional coverage of far more DAO methods than before, and more easily make methods transactional in future development.  Finally we used Spring's LDAPTemplate in several places to simplify directory access code.

 

Security: We're using Acegi (Spring Security) for authentication.  This allows the possibility to authenticate against more than one data store.  For example, you could have one account that authenticates against LDAP, and a separate machine account that authenticates against a database.  It also provides a well documented, peer-reviewed framework to use as a platform for developing custom authentication solutions.  We are investigating using Acegi more fully for authorization in future releases.

 

Tasks: We worked hard to externalize timed tasks so that they each have bean definitions.  This gives greater insight into what is being fired, why, and where.  It also makes it much easier to control when a task is firing, or turn it off completely for testing purposes.

 

Plugins: We allow plugins to add their own Spring bean definitions to the context, so that Plugin actions and interceptors can be autowired as expected.  This is done via the plugin's "spring.xml" file.

 

Web Services and AJAX: Apache CXF is now used to expose SOAP and REST style web services.  It relies heavily on Spring for its configuration.  We are also using Spring for DWR configuration, via the Spring 2.0 DWR namespace.

 

Customizations: As part of the new release we also parse any XML file in the <jive home>/etc directory with the expectation that it's a Spring configuration file.  Developers can use this to extend or override bean definitions in the core application context.

 

In the end, we found Spring very helpful to simplifying our codebase and providing a point of cohesion.  We look forward to using it even more fully as we continue to develop Clearspace, and as the Spring framework itself evolves.

Following up on Nick's post from yesterday, there is now a public sandbox for the 2.0 beta. The beta sandbox is set up with Clearspace, not Clearspace X, but you can check out all of the new features that are in both products in the sandbox. You can register as a new user in the sandbox, but please be aware that the instance and data will be taken offline in early April with the general release of 2.0.

 

The best place to contribute is in the Clearspace Beta space. Thanks again for all your questions, comments, and feedback over the past few weeks!

nick

Clearspace 2.0 Public Beta 4

Posted by nick Employee Mar 18, 2008

The fourth update to the public beta has just been released. Thanks to all your activity in the community the past few weeks, we have resolved over 200 issues since the first public beta. We encourage all of you using a previous version of the beta to download the latest and let us know what you think.

 

Same as before, the best place to contribute is in the Clearspace Beta space. You can download the new beta releases from your Jive Software website account where you find other releases.

 

Documentation for the new beta release is available here and includes upgrade information.

 

Thanks again for all your questions, comments, and feedback over the past few weeks!

I took the best 6 minutes out of a presentation that Fred Brock of Jive Software delivered to our engineering teams to teach all of us about the best ways to develop widgets for Clearspace 2.0. This is a must-see for anyone wanting to write widgets for Clearspace 2.0! I've also attached a PDF version of the slides from Fred's presentation.

 

 

 

Or you can download the Quicktime movie (Caution: ~85MB file)

Clearspace 2.0 Public Beta

Posted by greg2 Mar 11, 2008

We're very excited to announce the release of the public beta of Clearspace and Clearspace X 2.0 today. We'll announce further details with the full release of 2.0, but this beta includes new features like:

 

  • Projects, intended to help groups of people coordinate with each other toward a common goal on a particular target date.

  • An end-user personalizable and administrator customizable home page.

  • Organizational chart views allowing people to better understand organizational relationships and leverage existing information maintained in LDAP or Active Directory.

  • Enhanced integration with Openfire 3.5, including easier setup, full integration of users and groups, shared authentication, auditing of administrative actions in both Clearspace/Clearspace X and Openfire, and the same administrative look and feel in Clearspace.

  • Great improvements to the rich text editor.

  • On the technical side there is an improved plugin framework, Spring support and an upgrade to Struts 2.0

 

We would love to get your feedback on the beta. The best place to contribute is in the Clearspace Beta space. You can download the beta releases from your Jive Software website account where you find other releases.

 

Documentation for the beta release is available here and includes upgrade information

 

In the coming weeks we will also be hosting a beta Clearspace instance so that you can try out the new release without installing a copy locally. We will post more details when that instance is ready.

Hello Jivespace! We here at Jive are reaching out to collect feedback on how companies are using wikis to collaborate on a large scale. We often hear stories from users who have moved to Clearspace.

 

But, you have a unique perspective on wikis as developers: technical details of the back-end installation and maintenance, troubleshooting, supporting end-users, and the myriad of other facets that come with administering wikis in a large organization. Do any of these questions sound familiar...

 

  • Did your company use wiki technology before using Clearspace?

  • Did you maintain multiple wikis? How were they connected?

  • Did you outgrow a wiki solution? What were the technical limitations?

  • Were you looking for a stand-alone wiki, or a more comprehensive solution?

  • What was the biggest hurdle faced by your end-users?

 

 

Wikis are great tools. But, when do you need more than a wiki? We'd love to hear your wiki stories from the trenches of IT.

 

 

(As a thank-you, we'll send out a Jivespace t-shirt to those who can provide some good stories on wiki usage in the enterprise!)

 

 
