tomcat-dev mailing list archives

From Arjan Tijms <arjan.ti...@gmail.com>
Subject Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x
Date Wed, 10 Jun 2015 15:34:59 GMT
Hi,

On Wed, Jun 10, 2015 at 3:09 PM, markt [via Tomcat] <
ml-node+s10n5035886h42@n6.nabble.com> wrote:

> A Valve is certainly a likely candidate since the current Authenticator
> implementations are all Valves. It really depends on whether access is
> required to Tomcat's internals. If you need access to the internals, a
> Valve is probably the way to go. If the Servlet API is sufficient then a
> Filter may be an option. Depending on exactly what the integration
> points are there may be other options.


Traditionally it has not been really possible to implement JASPIC via the
Servlet API.

A requirement of JASPIC is that a SAM is called before the Servlet chain is
invoked, which is by definition not possible (Filters are part of that
chain).

Even if you relax the rules a little, then you'd need to make sure that the
Filter that's calling the SAM is absolutely guaranteed to be the very
first, with no possible way that any other Filter could be placed before it.

Then, via the standard Servlet API you cannot really establish the
authenticated identity. You can fake it a little by wrapping
HttpServletRequest and returning your own values for things like
isUserInRole, but you'd also have to process auth-constraints defined in
web.xml and @WebServlet annotations, which is quite hard to do from a
filter (you'd be duplicating the web.xml parsing and annotation scanning
from the Servlet container).

Also, a SAM should be called when HttpServletRequest.authenticate and
HttpServletRequest.logout is called from a Filter or Servlet.

Typically the best thing is that whatever kind of code the Servlet
container is already using to implement the standard authentication
mechanisms BASIC, FORM, etc is also used to implement JASPIC. I have to
double check, but if I'm not mistaken this is what most containers are
indeed doing.



> Is the configuration always going to be per web application (in which
> case context.xml is a likely candidate) or can it be per Host or per
> Engine (which suggests server.xml)?


There are two options in JASPIC:

1. Per web application.

Programmatically (from within the application) this is done by passing an
"appContextID" to the JASPIC factory that is used for registration. This
appContextID is computed as follows:

// Per-application JASPIC context id: virtual host name, a space, then the context path
String getAppContextID(ServletContext context) {
    return context.getVirtualServerName() + " " + context.getContextPath();
}

2. Globally for the entire container (all applications running on it).

Programmatically this is done by passing a null to the JASPIC factory.
Doing this from an application is maybe rare, but with it you could
theoretically "deploy" an authentication module to a server by deploying a
war that only contains the SAM and the registration code.



> Are there any 'standard'
> configuration files defined by JASPIC?
>

Nope. I more or less happened to mention this in my reply to Fjodor, but
there is not a single standard configuration file. The only standardized
way is by using the AuthConfigFactory.

Kind regards,
Arjan Tijms

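An added example, written for this archive page and not code from the thread, from Tomcat or from OmniSecurity: a ServletContextListener that computes the appContextID exactly as in the reply above and registers a provider with the AuthConfigFactory, either per application or, by passing null, for the whole container. It assumes the Servlet 3.1 API (getVirtualServerName) and the JSR 196 API on the classpath; the provider class DenyByDefaultProvider is hypothetical and is the smallest complete SAM: requests to constrained resources are refused with 401, unconstrained ones pass through with an unauthenticated caller.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ClientAuthConfig;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical listener (example only): registers a JASPIC provider when the application starts. */
@WebListener
public class JaspicRegistrationListener implements ServletContextListener {

    /** Message layer name of the Servlet profile, as defined by JSR 196. */
    private static final String LAYER = "HttpServlet";
    private String registrationId;

    /** Per-application context id, computed as described in the thread (needs Servlet 3.1). */
    static String getAppContextID(ServletContext context) {
        return context.getVirtualServerName() + " " + context.getContextPath();
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        String appContext = getAppContextID(sce.getServletContext());
        // Pass null instead of appContext to register for every application on the container.
        registrationId = AuthConfigFactory.getFactory().registerConfigProvider(
                new DenyByDefaultProvider(), LAYER, appContext, "Example provider for " + appContext);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // The factory outlives the application: drop the registration on undeploy.
        if (registrationId != null) {
            AuthConfigFactory.getFactory().removeRegistration(registrationId);
        }
    }

    /** Hypothetical provider that serves as its own ServerAuthConfig and ServerAuthContext. */
    static final class DenyByDefaultProvider implements AuthConfigProvider, ServerAuthConfig, ServerAuthContext {
        private CallbackHandler handler;   // container-supplied, used to establish the caller
        private String appContext;

        // AuthConfigProvider
        @Override
        public ServerAuthConfig getServerAuthConfig(String layer, String appContext, CallbackHandler handler) {
            this.handler = handler;
            this.appContext = appContext;
            return this;
        }
        @Override
        public ClientAuthConfig getClientAuthConfig(String layer, String appContext, CallbackHandler handler) {
            return null;                   // the client side is not used by the Servlet profile
        }
        @Override public void refresh() { }

        // ServerAuthConfig
        @Override public ServerAuthContext getAuthContext(String id, Subject serviceSubject, Map props) { return this; }
        @Override public String getMessageLayer() { return LAYER; }
        @Override public String getAppContext() { return appContext; }
        @Override public String getAuthContextID(MessageInfo mi) { return String.valueOf(isMandatory(mi)); }
        @Override public boolean isProtected() { return false; }

        // ServerAuthContext: the SAM itself, invoked by the container before the filter chain
        @Override
        public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject, Subject serviceSubject)
                throws AuthException {
            if (isMandatory(mi)) {
                // A web.xml or @ServletSecurity constraint applies and no credential was verified: refuse.
                ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            try {
                // Unconstrained resource: tell the container the caller is unauthenticated.
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            } catch (Exception e) {
                throw (AuthException) new AuthException(e.getMessage()).initCause(e);
            }
            return AuthStatus.SUCCESS;
        }
        @Override public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
        @Override public void cleanSubject(MessageInfo mi, Subject subject) {
            if (subject != null) subject.getPrincipals().clear();   // HttpServletRequest.logout() path
        }

        /** The container sets this key to "true" when an auth-constraint covers the request. */
        static boolean isMandatory(MessageInfo mi) {
            return Boolean.parseBoolean(String.valueOf(
                    mi.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        }
    }
}
```

A war containing only this listener and a provider is the "deploy an authentication module to a server" case from point 2 once null is passed as the appContext; the contextDestroyed branch matters because the factory is container-wide and a registration does not disappear with the application that made it.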



>
> > And what about JACC support? Geronimo uses JACC for authorization
> config,
> > what about Tomcat?
>
> Tomcat currently uses Realms. It was not intended to implement JACC as
> part of the GSoC project. If the project goes well and the JASPIC work
> is completed early, taking a look at JACC would be a useful thing to do.
>
> Mark
>
>
> >
> > Thanks,
> > Fjodor
> >
> > 2015-05-04 16:49 GMT+03:00 Arjan Tijms <[hidden email]>:
> >
> >> Hi,
> >>
> >> Great news!
> >>
> >> Do you have any definite start date for the actual coding already?
> >>
> >> A short while ago I did a very small and simple implementation of the
> >> Servlet BASIC auth mechanism using JASPIC, which is one of the 4
> >> mechanisms required by Servlet.
> >>
> >> See:
> >>
> >>
> https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/authmodules/BasicAuthModule.java
> >>
> >> Calling out to the "identity store" is however not standardised yet (the
> >> example code simply uses CDI) and has to be done in a Tomcat specific way.
> >>
> >> Kind regards,
> >> Arjan Tijms
> >>
> >>
> >> On Monday, May 4, 2015, Fjodor Vershinin [via Tomcat] <[hidden email]>
> >> wrote:
> >>
> >>> Good news, everyone!
> >>> I am happy to announce that our project has been accepted to
> >>> participate in GSoC. Now it's community binding period, so I need to
> >>> introduce myself to other developers.
> >>> Some brief information about me: My name is Fjodor Vershinin, I am a
> >>> 2nd grade computer science student from Estonia. One of my hobbies is
> >>> writing OSS software, mainly in Java and Python. I hope to finish JASPIC
> >>> implementation during this summer and make Tomcat better ;)
> >>> Fjodor.
> >>>
> >>>
> >>> 2015-03-04 11:09 GMT+02:00 Fjodor Vershinin <[hidden email]>:
> >>>
> >>>> Hello!
> >>>> It looks like ASF has been selected for GSOC 2015 and I am interested
> >>>> in pushing this project forward. So, in the meantime I'll start writing
> >>>> a proposal and hope this project will be selected to participate in the
> >>>> GSoC program.
> >>>> Best regards,
> >>>> Fjodor.
> >>>>
> >>>> 2015-02-10 22:44 GMT+02:00 Arjan Tijms <[hidden email]>:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> On Tue, Feb 10, 2015 at 8:34 PM, Mark Thomas-2 [via Tomcat]
> >>>>> <[hidden email]> wrote:
> >>>>>> If you do look at JBoss keep in mind it is GPL licensed and we need
> >>>>>> to be very careful that we don't end up with GPL'd code in Tomcat.
> >>>>>
> >>>>> That's absolutely true. The code there shouldn't be copied in any
> >>>>> way. It's only useful as an example of how a Tomcat Valve can
> >>>>> integrate with something like JASPIC. As for the JASPIC code there, it
> >>>>> wouldn't make sense to copy it anyway, since A) it's JBoss specific
> >>>>> (builds up JBoss principal, calls JBoss security service, etc) and B)
> >>>>> there are various issues with it (it looks like JBoss pretty much
> >>>>> rewrote everything from scratch for Undertow, which is completely
> >>>>> different).
> >>>>>
> >>>>>> Personally, I'd look more much more closely at Geronimo.
> >>>>>
> >>>>> You're right, and since that one is Apache licensed one can even copy
> >>>>> from it if needed.
> >>>>>
> >>>>>> Keep in mind that part of the goal is to replace the existing
> >>>>>> authenticators with JASPIC modules. (As suggested on the Servlet EG
> >>>>>> list.)
> >>>>>
> >>>>> It's good to have that as part of the goal indeed. Such auth modules
> >>>>> could even be implemented by a separate (group of) students if needed,
> >>>>> as they would not necessarily depend on the JASPIC implementation for
> >>>>> Tomcat. As long as that one is not finished they could test it on any
> >>>>> existing JASPIC implementation (e.g. the RI, GlassFish).
> >>>>>
> >>>>>> I think we all know that feeling - hence why I suggested it for
> >>>>>> GSoC.
> >>>>>
> >>>>> Yeah, I get that, thanks! It's still something that I'd really love to
> >>>>> do, but with the work for the startup zeef.com, open source projects
> >>>>> OmniFaces and OmniSecurity, the work for the JSF EG and perhaps soon
> >>>>> for the security EG, there is not always much time left. I had this on
> >>>>> my sketchy todo list for ~end of this month, but I'll see what happens
> >>>>> with the GSoC project now ;)
> >>>>>
> >>>>> Kind regards,
> >>>>> Arjan
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> Mark
> >>>>>>




--
View this message in context: http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5035890.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.