tomee-dev mailing list archives

From Roberto Cortez <radcor...@yahoo.com.INVALID>
Subject Re: Java EE Security API for EE 8
Date Wed, 09 Jan 2019 17:32:26 GMT
Hi,

I’ve merged the current state of the code.

In the meantime, I’ll write some documentation to help understand the implementation.

Cheers,
Roberto

> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdogdu@gmail.com> wrote:
> 
> Hello Roberto,
> Thank you for initiating this integration.
> Can you prepare a small piece of documentation (and also send it here) which
> helps contributors to understand the internals of your current commit?
> Regards.
> Gurkan
> 
> 
> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcortez@yahoo.com.invalid>
> wrote:
> 
>> Hi folks,
>> 
>> I think I’m now done with the FormAuthentication.
>> 
>> There are still things left to implement. At the moment, the code is part
>> of the project but is not part of the binary. I would like to merge the
>> current PR:
>> https://github.com/apache/tomee/pull/277
>> 
>> I think this will give a chance for the community to contribute some of
>> the missing pieces. I can make a list in JIRA.
>> 
>> So, if there are no strong opinions about merging this, I will be doing
>> this at the end of the day.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcortez@yahoo.com> wrote:
>>> 
>>> Thanks! I’ll have a look!
>>> 
>>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jencks@gmail.com> wrote:
>>>> 
>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty
>>>> (at eclipse). The code I’ve found at
>>>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>>>> includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any
>>>> details of how I modified tomcat’s auth setup: I might have made one that
>>>> was more adapted to JASPIC and the geronimo security framework than the
>>>> plain tomcat one. If this code is of any use to you, great, otherwise,
>>>> good luck!
>>>> 
>>>> many thanks
>>>> David Jencks
>>>> 
>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcortez@yahoo.com.INVALID> wrote:
>>>>> 
>>>>> Hi David,
>>>>> 
>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
>>>>> underneath the implementation, so your code might be a good fit. Can you
>>>>> point me to the sources so I can have a look?
>>>>> 
>>>>> Thank you!
>>>>> 
>>>>> Cheers,
>>>>> Roberto
>>>>> 
>>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jencks@gmail.com> wrote:
>>>>>> 
>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server
>>>>>> long ago. Although the JASPIC deployment model was somewhat
>>>>>> incomprehensibly bizarre, the conversation model was very nice. Depending
>>>>>> on what the EE 8 api is (I haven’t looked) the JASPIC implementation might
>>>>>> be a source for webserver-independent code for form authentication that
>>>>>> could be easily adapted.
>>>>>> 
>>>>>> David Jencks
>>>>>> 
>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcortez@yahoo.com.INVALID> wrote:
>>>>>>> 
>>>>>>> Update:
>>>>>>> 
>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism.
>>>>>>> It is not as easy as it sounds, since it requires some conversation chat
>>>>>>> across requests. I thought about wrapping all the logic and using the Tomcat
>>>>>>> FormAuthenticator, since it does exactly what we need. Unfortunately, it is
>>>>>>> too tied to the Tomcat code and it would require instantiating a lot of
>>>>>>> Tomcat objects to be able to use it. I’m not sure if it would be worth it.
>>>>>>> I ended up following the spec suggestion to use a CDI interceptor and I’m
>>>>>>> copying / reusing some pieces of the FormAuthentication when possible.
>>>>>>> 
>>>>>>> PR updated:
>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>> 
>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcortez@yahoo.com.INVALID> wrote:
>>>>>>>> 
>>>>>>>> Hi folks,
>>>>>>>> 
>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>> 
>>>>>>>> - I’ve implemented a CDI Extension to create
>>>>>>>> AuthenticationMechanism beans and a CDI class to keep track of the mapping
>>>>>>>> between the authentication mechanism and the servlet that should be
>>>>>>>> checked. When a Servlet is executed, the mapping is checked and if there is
>>>>>>>> an associated AuthenticationMechanism, we validate the request with the
>>>>>>>> associated type (Basic, Form, etc).
>>>>>>>> 
>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing
>>>>>>>> required to be executed. This required an HttpMessageContext to pass
>>>>>>>> information around, plus store some state to make decisions on things to
>>>>>>>> do, including the CallbackHandler to pass in additional Callbacks to create
>>>>>>>> the Principal and Groups.
>>>>>>>> 
>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that
>>>>>>>> reads user data from tomcat-users.xml
>>>>>>>> 
>>>>>>>> I’ll probably move to implement the missing
>>>>>>>> AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>> 
>>>>>>>> Any feedback, always welcomed :)
>>>>>>>> 
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>> 
>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <brunobat@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> TomEE Security works for me.
>>>>>>>>> 
>>>>>>>>> Bruno Baptista
>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>> Hi folks,
>>>>>>>>>> 
>>>>>>>>>> Work is progressing.
>>>>>>>>>> 
>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to
>>>>>>>>>> proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it
>>>>>>>>>> is full of dependencies to the other Jakarta dependent projects, some not
>>>>>>>>>> in central yet, so I couldn’t even build the project.
>>>>>>>>>> 
>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC
>>>>>>>>>> provider to serve as a bridge to the Security implementation code. With a
>>>>>>>>>> CDI extension, we can register the required AuthenticationMechanisms and
>>>>>>>>>> then look them up to delegate the authentication code.
>>>>>>>>>> 
>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user
>>>>>>>>>> credentials and retrieve user groups. This is just going through the
>>>>>>>>>> container registered IdentityStores and using the spec rules to identify
>>>>>>>>>> the credentials.
>>>>>>>>>> 
>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a
>>>>>>>>>> more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>> 
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>> 
>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcortez@yahoo.com.INVALID> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi folks,
>>>>>>>>>>> 
>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>> 
>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount
>>>>>>>>>>> of time trying to understand the spec. The idea here is that with a
>>>>>>>>>>> ServerAuthModule we could verify each of the spec authentication mechanisms
>>>>>>>>>>> that will be implemented with a CDI Bean and use a CDI Extension to create
>>>>>>>>>>> the bean depending on the annotation you use.
>>>>>>>>>>> 
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Roberto
>>>>>>>>>>> 
>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcortez@yahoo.com.INVALID> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>> 
>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365
>>>>>>>>>>>> to implement the Java EE
>>>>>>>>>>>> Security API that came up in EE 8. We are missing this spec implementation,
>>>>>>>>>>>> and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>> 
>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate
>>>>>>>>>>>> with me, let me know.
>>>>>>>>>>>> 
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>> 

