Is it possible ot have multiple authentication strategies in single instance of plone?

Is there a way to say this folder should use one authentication plugin but another folder should use a different authentication plugin?   How is this usually done for restricted content?
I have one set of internal users who do content editing but then other users are customers who are granted access to white papers, downloads etc.
How is this typically done?  I'm looking for a best practices suggestion.
Thanks!

Plone uses a *central* authentication service which is pluggable and flexible enough to handle that usecase but not as you described it. Assign dedicated roles to users coming from a particular user source and grant the related permission on per folder basis. The 'Sharing' tab is your friend..

-aj

prb75 wrote:

Is there a way to say this folder should use one authentication plugin but another folder should use a different authentication plugin?   How is this usually done for restricted content?
I have one set of internal users who do content editing but then other users are customers who are granted access to white papers, downloads etc.
How is this typically done?  I'm looking for a best practices suggestion.
Thanks!

OK the picture is getting a little clearer.  How would I go about altering the *central* authentication service to pre-determine the user's role based on what content they are trying to access?

ajung wrote:

Plone uses a *central* authentication service which is pluggable and flexible enough to handle that usecase but not as you described it. Assign dedicated roles to users coming from a particular user source and grant the related permission on per folder basis. The 'Sharing' tab is your friend..

-aj

prb75 wrote:

Is there a way to say this folder should use one authentication plugin but another folder should use a different authentication plugin?   How is this usually done for restricted content?
I have one set of internal users who do content editing but then other users are customers who are granted access to white papers, downloads etc.
How is this typically done?  I'm looking for a best practices suggestion.
Thanks!

prb75 wrote:

OK the picture is getting a little clearer.  How would I go about altering the *central* authentication service to pre-determine the user's role based on what content they are trying to access?

It sounds like what you'll want to do is set up different groups and assign your users to those groups. Then you can use the sharing tab and assign the groups different roles there.

So on Folder 1, you would assign Group A editor rights on the sharing tab; Group B would then get view rights on the sharing tab for the same folder.

Does that make sense?

prb75 wrote at 2009-11-3 13:36 -0800:
>Is there a way to say this folder should use one authentication plugin but
>another folder should use a different authentication plugin?

This is in principle possible but not supported by the stock plugins.

Many (but not all) plugins (e.g. the extraction plugins) get the
request as a parameter. Such a plugin can look into the request to find
out which object is accessed and change behaviour based on this
information.

The solution proposed by Andreas may, however, be more straight forward.



--
Dieter

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users

I think I can work around the problem by having multiple authentication plugins and then using the sharing capabilities of Plone.
The real crux of the problem I have now is that once I activate NTLM authentication, then the standard plone form authentication doesn't work.  It's as if these different mechanism can't coexist.
Is there a way to order the sequence of the PAS plugins so that it tries NTLM first but then fails over to try native Plone authentication?

Dieter Maurer wrote:

prb75 wrote at 2009-11-3 13:36 -0800:
>Is there a way to say this folder should use one authentication plugin but
>another folder should use a different authentication plugin?

This is in principle possible but not supported by the stock plugins.

Many (but not all) plugins (e.g. the extraction plugins) get the
request as a parameter. Such a plugin can look into the request to find
out which object is accessed and change behaviour based on this
information.

The solution proposed by Andreas may, however, be more straight forward.



--
Dieter

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Plone-Users mailing list
Plone-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/plone-users

prb75 wrote at 2009-11-6 06:35 -0800:
>
>I think I can work around the problem by having multiple authentication
>plugins and then using the sharing capabilities of Plone.
>The real crux of the problem I have now is that once I activate NTLM
>authentication, then the standard plone form authentication doesn't work.
>It's as if these different mechanism can't coexist.
>Is there a way to order the sequence of the PAS plugins so that it tries
>NTLM first but then fails over to try native Plone authentication?

I expect that your problem comes from the "challenge" plugin.
PlonePAS has complex logic to control the plugin which should challenge.
I fear that I have not yet fully understood this logic. Thus, help
from a PlonePAS expert may be necessary.

>From what I understand so far:

  PlonePAS selects a list of candidate challenge plugins based on the request
  protocol. This is to separate e.g. normal (browser)
  access from WebDAV access.
  It then activates the challenge plugins in turn. If such a plugin
  call returns "True", PlonePAS expects that it has challenged
  and stops calling further challenge plugins, otherwise, it
  continues.

Thus, your NTLM challenge plugin may need to recognize situations
in which it cannot authenticate and then give the standard challenge
a chance to get called.



--
Dieter

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users