tomcat-dev mailing list archives

From Fjodor Vershinin <fjo...@vershinin.net>
Subject Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x
Date Wed, 10 Jun 2015 12:34:10 GMT
Hi, guys!
This week's goal is to replace the current valve-based authentication with a
JASPIC-based mechanism. It is what I am currently working on.
From my research, Geronimo's implementation is also based on Tomcat's
valves, and it's pretty straightforward how to integrate SecurityValve into
Tomcat's codebase. However, I am not sure whether that is the correct way. Do
you have better ideas? And what about code backward compatibility for Geronimo:
should the code be ported back, or can a new Geronimo release use our
implementation? We are implementing JASPIC 1.1, and there will be quite a
lot of changes anyway. Also, Geronimo uses the OSGi framework in their code,
which must be dropped, because Tomcat is not OSGi based.
As for JASPIC configuration, I am curious where we want to hold the
configuration files. Different vendors use special XML files, for example
geronimo-web.xml, for configuring realms and other security stuff. Do we
need something like tomcat-web.xml?
And what about JACC support? Geronimo uses JACC for authorization config;
what about Tomcat?

Thanks,
Fjodor

2015-05-04 16:49 GMT+03:00 Arjan Tijms <arjan.tijms@gmail.com>:

> Hi,
>
> Great news!
>
> Do you have any definite start date for the actual coding already?
>
> A short while ago I did a very small and simple implementation of the
> Servlet BASIC auth mechanism using JASPIC, which is one of the 4 mechanisms
> required by Servlet.
>
> See:
>
> https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/authmodules/BasicAuthModule.java
>
> Calling out to the "identity store" is however not standardised yet (the
> example code simply uses CDI) and has to be done in a Tomcat specific way.
>
> Kind regards,
> Arjan Tijms
>
>
> On Monday, May 4, 2015, Fjodor Vershinin [via Tomcat] <
> ml-node+s10n5034072h8@n6.nabble.com> wrote:
>
> > Good news, everyone!
> > I am happy to announce that our project has been accepted to participate
> > in GSoC. Now it's the community binding period, so I need to introduce
> > myself to other developers.
> > Some brief information about me: My name is Fjodor Vershinin, I am a 2nd
> > grade computer science student from Estonia. One of my hobbies is writing
> > OSS software, mainly in Java and Python. I hope to finish the JASPIC
> > implementation during this summer and make Tomcat better ;)
> > Fjodor.
> >
> >
> > 2015-03-04 11:09 GMT+02:00 Fjodor Vershinin <[hidden email]>:
> >
> > > Hello!
> > > It looks like ASF has been selected for GSoC 2015 and I am interested in
> > > pushing this project forward. So, in the meantime I'll start writing a
> > > proposal and hope this project will be selected to participate in the
> > > GSoC program.
> > > Best regards,
> > > Fjodor.
> > >
> > > 2015-02-10 22:44 GMT+02:00 Arjan Tijms <[hidden email]>:
> > >
> > >> Hi,
> > >>
> > >> On Tue, Feb 10, 2015 at 8:34 PM, Mark Thomas-2 [via Tomcat]
> > >> <[hidden email]> wrote:
> > >> > If you do look at JBoss keep in mind it is GPL licensed and we need to
> > >> > be very careful that we don't end up with GPL'd code in Tomcat.
> > >>
> > >> That's absolutely true. The code there should not be copied in any
> > >> way. It's only useful as an example of how a Tomcat Valve can
> > >> integrate with something like JASPIC. As for the JASPIC code there, it
> > >> wouldn't make sense to copy it anyway, since A) it's JBoss specific
> > >> (builds up JBoss principal, calls JBoss security service, etc) and B)
> > >> there are various issues with it (it looks like JBoss pretty much
> > >> rewrote everything from scratch for Undertow, which is completely
> > >> different).
> > >>
> > >> > Personally, I'd look much more closely at Geronimo.
> > >>
> > >> You're right, and since that one is Apache licensed one can even copy
> > >> from it if needed.
> > >>
> > >> > Keep in mind that part of the goal is to replace the existing
> > >> > authenticators with JASPIC modules. (As suggested on the Servlet EG
> > >> > list.)
> > >>
> > >> It's good to have that as part of the goal indeed. Such auth modules
> > >> could even be implemented by a separate (group) of students if needed,
> > >> as they would not necessarily depend on the JASPIC implementation for
> > >> Tomcat. As long as that one is not finished they could test it on any
> > >> existing JASPIC implementation (e.g. the RI, GlassFish).
> > >>
> > >> > I think we all know that feeling - hence why I suggested it for GSoC.
> > >>
> > >> Yeah, I get that, thanks! It's still something that I'd really love to
> > >> do, but with the work for the startup zeef.com, open source projects
> > >> OmniFaces and OmniSecurity, the work for the JSF EG and perhaps soon
> > >> for the security EG, there is not always much time left. I had this on
> > >> my sketchy todo list for ~end of this month, but I'll see what happens
> > >> with the GSoC project now ;)
> > >>
> > >> Kind regards,
> > >> Arjan
> > >>
> > >>
> > >>
> > >>
> > >> >
> > >> > Mark



-- 
Thanks,
Fjodor
