tomee-dev mailing list archives

From Roberto Cortez <>
Subject Re: Java EE Security API for EE 8
Date Thu, 27 Dec 2018 23:53:25 GMT

I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it
sounds, since it requires some conversation chat across requests. I thought about wrapping
all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately,
it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects
to be able to use it. I’m not sure if it would be worth it. I ended up following the spec
suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication
when possible.

PR updated: <>


> On 26 Dec 2018, at 22:11, Roberto Cortez <> wrote:
> Hi folks,
> I’ve updated the PR with new changes:
> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI
> class to keep track of the mapping between the authentication mechanism and the servlet that
> should be checked. When a Servlet is executed the mapping is checked and if there is an associated
> AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed.
> This required an HttpMessageContext to pass information around, plus store some state to make
> decisions on things to do, including the CallbackHandler to pass in additional Callbacks to
> create the Principal and Groups
> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom)
> Any feedback, always welcomed :)
> Cheers,
> Roberto
>> On 19 Dec 2018, at 10:00, Bruno Baptista <> wrote:
>> TomEE Security works for me.
>> Bruno Baptista
>> On 19/12/18 00:20, Roberto Cortez wrote:
>>> Hi folks,
>>> Work is progressing.
>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve
>>> tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the
>>> other Jakarta dependent projects, some not in central yet, so I couldn’t even build the
>>> At the moment, I’ve added the structure to register a JASPIC provider to serve
>>> as a bridge to the Security implementation code. With a CDI extension, we can register the
>>> required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>> I’ve also written a default IdentityStoreHandler to validate user credentials
>>> and retrieve user groups. This is just going through the container registered IdentityStores
>>> and using the spec rules to identify the credentials.
>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy
>>> idea for a name, feel free to suggest it :)
>>> Cheers,
>>> Roberto
>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <>
>>>> Hi folks,
>>>> I’ve now created a PR to push the work:
>>>> <>
>>>> It is still in the early stages. I’ve just spent a good amount of time
>>>> trying to understand the spec. The idea here is that with a ServerAuthModule we could verify
>>>> each of the spec authentication mechanisms that will be implemented with a CDI Bean and use
>>>> a CDI Extension to create the bean depending on the annotation you use.
>>>> Cheers,
>>>> Roberto
>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <>
>>>>> Hi folks,
>>>>> I’ve created <>
>>>>> to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation,
>>>>> and until we have it we cannot even say we are EE 8 compatible.
>>>>> I plan to start working on this. If anyone wants to collaborate with
>>>>> me, let me know.
>>>>> Cheers,
>>>>> Roberto
