Hi Jan,I've taken a very quick look at the AuthenticationManager you've added. It looks to me (based on this very non-thorough glance) that the main effect is to move some of the auth setup code out of WebXmlConfiguration and make it more accessible to programatic setup. For instance instead of having to know to use a BasicServerAuthentication you just need to know the string "BASIC". Is this more or less correct?
I like the idea of making it easier to configure authentication like this, but I think there might be a more flexible and less intrusive way. IIUC the runtime authentication behavior still works through the ServerAuthentication interface, and the added methods on AuthenticationManager are only used for setup. If someone wanted to implement their own ServerAuthentication these extra methods wouldn't really provide any extra value.
What if we had something like a DefaultAuthenticationFactory that you set up with the security handler and called configure(String authMethod, String loginPage, String errorPage, String realm) on and it constructed the appropriate [Basic|Digest|Form| ClientCert]ServerAuthentication and set it in the security handler? We'd need something similar for the jaspi approach.
To me this would seem to separate the configuration and runtime aspects nicely while still providing the advantages of simpler configuration of the default auth methods.
I haven't looked at your jaspi code yet.... jaspi configuration is a bit convoluted IMNSHO and I actually suspect anyone using a jaspi module may want to set it up directly in code rather than dealing with a whole jaspi provider (which I wrote for geronimo but not jetty specifically) I'll look at this in a bit.
Moving the login services seems like a very good idea :-) thanks david jencks On Nov 25, 2008, at 8:53 AM, Jan Bartel wrote:
Hi David, I've made some changes to attempt to make jaspi vs non-jaspi authentication pluggable. I've checked the changes in, as I thought it is easier to see the code than talk about it. In a nutshell, I've introduced an AuthenticationManager that is used by a SecurityHandler to carry out all authentication, and which delegates to either a non-jaspi or jaspi implementation. The ConstraintSecurityHandler uses a DefaultAuthenticationManager(non-jaspi) by default, but one can plug in the JaspiAuthenticationManageras an alternative. The WebXmlConfiguration sets up information from the web.xml such as the auth method and login/error pages on the AuthenticationManager,but no longer sets up the various auth modules such as Basic, Form, Cert etc. That is now done by the AuthenticationManager instance instead when it is started, based on the auth information passed into it by the WebXmlConfiguration(or programmatically of course).I've allowed for the JaspiAuthenticationManager to plugin a jaspi auth module, so that potentially we can plug in 3rd party jaspi auth modules. The question is, is the pluggability at the right level? That is, I've allowed a ServerAuth instance to be set on the JaspiAuthenticationManager, but the JaspiServerAuthentication class expects a ServerAuthContext instead (which all of the FormAuth, BasicAuth etc classes implement) - would a 3rd party jaspi module be likely to implement that interface? Should we be allowing for plugging in some other class entirely?BTW I changed around a couple of packages, most notably the HashLoginService and JDBCLoginService I moved out of org.mortbay.jetty.security.jaspi.modules and intoorg.mortbay.jetty.security, as AFAICT they are not jaspi specific.I noticed along the way that the SSO stuff isn't really hooked up. Difficult to see how to shoe-horn that into the new structure. Perhaps its time to ditch itand allow for integration with "real" SSO implementations instead?The jaspi branch builds and tests without error, but I'm just chasing down anerror when running the test webapp:Failed startup of context [EMAIL PROTECTED]/,/home/janb/src/ jetty-jaspi/webapps/test} java.lang.IllegalArgumentException: Attempt to use undeclared role: content-administrator, known roles: []And the same for the test-jaas webapp:Failed startup of context [EMAIL PROTECTED]/test-jaas,file:/home/ janb/src/jetty-jaspi/webapps/test-jaas/} java.lang.IllegalArgumentException: Attempt to use undeclared role: roleA, known roles: []Looks like something amiss with the role merging, perhaps.Have a look at what I've committed, and please let me know what you think. I'm all ears ifyou've got any suggestions or a better way. cheers Jan Jan Bartel wrote:David, [snip]Lemme see ... as far as the brackets go, I have an eclipse codestyle that I can apply to each file, but the rigorous naming of data membersBTW, the code needs to be reformatted to jetty standard conventions (http://docs.codehaus.org/display/JETTY/Jetty+Coding+Standards) orhmm.... I thought I'd done pretty well imitating the code style. Do yougregw will have conniptions ;)have some way to fix it automatically?with leading _ or __ would have to be done manually.aha.... I can fix that, probably tomorrow. The brackets might be tougher for me.I've reformatted and checked in classes in jetty and jetty-security packages.Correct me if I'm wrong, but the constraint preprocessing behaviour isseparablefrom the jaspi authentication, so we could make that common between aConstraintSecurityHandler that invoked non-jaspi authentication and another ConstraintSecurityHandler that invoked jaspi authentication?The authentication (jaspi or ServerAuthentication) and authorization(constraints or jacc or....??) are completely separable, but I would not try to guarantee that the behavior of the legacy constraint security handler would be unchanged if we combined the constraints up front. Ifyou guys are willing to risk that the legacy behavior will change or analyze it carefully enough so you're sure it won't, combining theconstraints up front would really simplify the code. I don't understandhow the legacy code works well enough to be comfortable claiming anything about it.Well, I think the existing "legacy" code is a bit difficult to understand,which is why I think it is clearer to go with your new structure that does the preprocessing.In terms of pluggability, I think so far I'm still leaning towards adefault of current jetty authentication impl, with pluggability of the jaspi impl (probably via plugging in a JaspiConstraintSecurityHandler).not sure what you mean here.... if you don't want to use theServerAuthentication, RunAsToken, and UserIdentity abstractions it may be difficult to switch back and forth. If you mean you want to use the [Basic|Digest|Form|ClientCert]ServerAuthentication implementations for the known auth methods rather than the jaspi modules, I wholeheartedlyagree.What gregw has been discussing with me is the possibility to retain the existing jetty-7 authorization code, making judicious changes as necessary in order to permit a jaspi-flavoured implementation to be plugged in bychoice. The new jaspi stuff could be debugged, profiled and generally kicked around a bit more until we could be comfortable that its atleast as correct and performant (in the sense of least object creationper request, lazy auth all in the right places etc) so that it could then move to being the default authorization impl. Hence, a couple of emails ago I was starting to sketch out some ideas of how we could achieve that, but the code base has moved onsomewhat since then, so I'm not sure how applicable those nascent ideasstill are until I get a better grip on the changes. cheers JanBTW, thanks for putting so much work into the security refactoring!np! david jencksJanthanks! david jenckscheers Jan David Jencks wrote:Hi Jan,I rewrote the standard auth methods as ServerAuthentication classes on the plane ride home. I implemented Lazy and Caching (in session and SSO) as wrappers. Seems to compile but I haven't tried the tck yet.I'm not sure if I've put in all the necessary stuff e.g. timeouts?? but I think this is a lot more plausible than the pure jaspi implementations. thanks david jencks On Nov 3, 2008, at 9:13 AM, David Jencks wrote:Hi Jan,I'm about to hop on a plane so will respond in more detail later.I share your concerns about efficiency of the jaspi model, which is why I tried to put another hopefully efficient layer of interfaces in between the AbstractSecurityHandler and the jaspi auth modules. Iwashoping that we could simply implement the known auth methods (FORM, BASIC,...) in terms of the ServerAuthentication interface directly and retain all possible efficiencies. Not having done it yet I mighthave missed some important points :-) I'll think some more about your comments and get back to you. thanks david jencks On Nov 3, 2008, at 1:56 AM, Jan Bartel wrote:Hi David, Having pored over the jaspi spec a few more times, and then having looked more closely at the code, I'm in a position to give some more detailed comments. Firstly, I like the cleaner distinction in functionality made with the UserIdentity and LoginService as compared with the previous UserPrincipal and UserRealm. I alsolike very much the refactoring of Abstract/ ConstraintSecurityHandlermethods. Here's the place where your antennae should sense a "but" coming :) But ... I have some reservations about the efficiency of the Jaspi Way. In particular, every request for which there is a role restriction will result in the user being fully reauthenticated. I understand that even this is an optimization and departure from the jaspi spec, which requires validateRequest to be called on each and every request, unless you know apriori that there is an exclusion constraint for the resource of the request. BTW the lazy authentication when there are no role constraints is another good optimization. As there is going to be more authenticating going on as compared with the previous situation, my next reservation takes on more significance, and that is the amount of object creation required to satisfy the convoluted jaspi callback design. Finally, IIUC the FormAuthenticator will call session.setAttribute(__J_AUTHENTICATED, form_cred) every time authentication is done (see line 365 of FormAuthenticator). In a clustered environment that would be undesirable. It seems to me that although we could tweak things a bit, to make them more efficient, we'd be getting ever farther away from the spec which does not seem to have efficiency as a design goal. Do you agree, or do you have some optimizations in mind? I'm wondering whether we could give the user the choice of security implmentation, but making both jetty "default" security AND jaspi security pluggable alternatives? I've had a brief poke around and I don't think it would take that much to achieve, but at this stage its a thought experiment without code to show. The ideas I've been tossing around to make it pluggable areto modify some of the interfaces of UserIdentity and LoginServiceand introduce a SecurityManager class to orchestrate things a little: UserIdentity ------------ Principal getUserPrincipal() String getAuthMethod() boolean isUserInRole(String role) setRunAsRole(RunAsToken) setServletHandler(ServletHandler) UserRealm (was LoginService) --------- UserIdentity authenticate (String user, Object credential) boolean reauthenticate (UserIdentity) SecurityManager -------------- UserIdentity authenticate (Request, Response) DefaultSecurityManager //implements SecurityManager ---------------------- JaspiSecurityManager //implements SecurityManager -------------------- AbstractSecurityHandler ---------------------- + setSecurityManager (SecurityManager)The AbstractSecurityHandler would be pretty much unchanged as itis now, except for the addition of a setter and getter for a SecurityManager instance, and the invocation of that manager where it currently invokes JaspiServerAuthentication.validateRequest(...) (around line 169). The DefaultSecurityManager implementation would call the authenticator (Basic, Form, Credential etc) directly, much as the ConstraintSecurityHandler did in the pre-jaspi version.The JaspiSecurityManager implementation would be equivalent to theJaspiServerAuthentication class functionality.Perhaps the biggest change would be to the LoginService, which I'venamed back to UserRealm, simply because its behaviour is more authentication related, rather than strictly login related. No problem though to keep the name LoginService if preferred. The authenticate() method returns a UserIdentity object, instead of ultimately setting a LoginCallbackinstance on the Subject (via the ServletCallbackHandler). I don't see that as a major problem - the ServletCallbackHandler could set the UserIdentity object on the Subject instead. Note that in a jaspiimplementation, I expect that reauthenticate would never be called, or if it was, it would call authenticate() instead. The other issue is the Form, Basic, Digest etc AuthModules.I think we'd need another set for the default jetty implementationthat had no jaspi-style interfaces in it. I think though that they should be able to share a majority of code - avoiding duplication would be highly desirable.From the user's perspective, it would be simple to configure jaspi:WebAppContext webApp = ...; webApp.getSecurityHandler().setSecurityManager(new JaspiSecurityManager());I'm sure I haven't considered all aspects of pluggability. I'll try and get some time to turn the thoughts into code, which are a) moreeasily comprehended and b) will show up any areas I've neglected. cheers Jan David Jencks wrote:Yup, that's wrong.... should be fixed now hoping to read your messages carefully before replying in the future, thanks david jencks On Oct 31, 2008, at 12:42 AM, Jan Bartel wrote:Hi David, No, I'm referring to this code:ConstraintSecurityHandler.checkUserDataPermissions line 235 and259. It is doing a redirect there to get the request to come in again onthe right connector (either the confidential or integral port asappropriate). cheers Jan David Jencks wrote:On Oct 30, 2008, at 10:54 PM, Jan Bartel wrote:Hi David,I'll reply to your reply in a later posting. For now, I justnoticed something odd in the ConstraintSecurityHandler. If checkUserDataPermissions()notices the request was received on the wrong connector (ie onhttp instead ofhttps) and does a redirect, the AbstractSecurityHandler.handle()method goesahead and subjects the request to JASPI authentication. It seemsto me that at that point we want to stop processing the request altogether. It willbe the redirected request that we're interested in processingfurther(either doing the auth or doing a redirect to a login form).I think you are referring to this code? if (!checkUserDataPermissions(pathInContext, base_request, base_response, constraintInfo)) { if (!base_request.isHandled()) {response.sendError(Response.SC_FORBIDDEN);base_request.setHandled(true); } return; }I think there's something odd here, but IIUC something other thanwhat you see. This is not proposing a redirect, it is plainly denying the request.I've been worrying about this because it prevents redirectinghttprequests to the equivalent https requests. Until recently Ididn'tthink it was possible to do this redirect using jacc permissionsbut I think there is a solution....If the actual request is denied and is http we could create a newrequest with the url converted to https and checkUserDataPermissions onit.... if that check succeeds we can redirect to the more secureurl. This is somewhat analogous to the way we determine if authentication is mandatory, namely by doing a web resource permission check with the unauthenticated user. I might also have missed what you are looking at... thanks david jenckscheers Jan David Jencks wrote:Hi Jan, On Oct 29, 2008, at 7:37 PM, Jan Bartel wrote:Hi David,I'm still snatching time to tiptoe further around the jaspibranch. A couple of thoughts to run by you:1. UserIdentity and LoginService classnames. These are quasianalogousto UserPrincipal and UserRealm (although the behaviour hasbeen refactored).I'm wondering whether it might not be a good idea to retainthe old classnames, just so it might be easier for jetty users/developers to ease into understanding the new security structures?I'm not sure that keeping the old names would help anyone understand thenew code, I rather think it would be confusing. I'd reallyrather notcall UserIdentity a Principal since it isn't a Principal anddepending on the security handler implementation can contain rather differentthings. The main point of introducing it was that in jettyintegrations(Geronimo and from distant memory JBoss) the UserPrincipal wasridiculously overloaded to contain incredible amounts of non-principalinformation associated with the user's identity. I think thatinstead it makes sense to have an object that supplies the UserPrincipal, pluswhatever else the security system needs. I don't have strongobjectionto calling the LoginService UserRealm but I think its goingto be confusing and less informative since it doesn't have the non-login-service methods any more.1a. Actually thinking about this, it will probably be quiteMaybe. I think the new interfaces are a lot clearer and more descriptive for embedding jetty that the old ones. I couldimportant forJetty users to be able to make a smooth transition over to ajaspi-basedimplementation. Do you think we can retain a UserRealm and aUserPrincipal with all their methods intact, but just "blend in" the jaspi-ness withsome extra methods and some changed implementations of theexisting apis?look into writing adapters from UserIdentity to UserPrincipal and LoginService to UserRealm but I'm not entirely sure it will work. In particular I'm notat all sure the non login-service methods on UserRealm couldplausibly be called.2. We allow a UserRealm to be explicitly set on a WebAppContext (well, strictly speaking itsWebAppContext .getSecurityHandler().setUserRealm(UserRealm)).I couldn't see specific support for that, only getting a list of LoginServices from the Server instance. Should be easy enough to put in though?I'm not sure how my code is different, except the LoginService is finaland set in the constructor of ServletCallbackHandler, aroundline 1042of WebXmlConfiguration. I don't recall changing this codemuch...I could misunderstand the DefaultCallbackHandler but I think3. With the JAAS stuff, which has its own set of callbacks ituses to obtain info, we used a DefaultCallbackHandler to plug inthe right info, such as credentials, passwords, usernames and also extra request parameters from the login. I notice you'reusingan anonymous CallbackHandler instead to pass into the JAASLoginContext.Is it possible to use the DefaultCallbackHandler instead? Itsupports a couple more callback types that some LoginModule implementations may depend on.that theextensions to a user-password callback handler all involveextracting credentials from the request. In the jaspi architecture this is the function of the auth module, not the password validation service. Alogin module that fishes directly in the request ought to berefactoredinto a plain login module that just validates the credentialsand anauth module that extracts the credentials from the message.Despite allthe weirdness in jaspi I think this is a good idea and worthenforcing.I guess someone who really really wanted to preserve theirlogin modulecould write a subclass of LoginCallback that dealt with request parameters, and a JAASLoginService subclass. This would bemade easier by factoring out the CallbackHandler creation in JAASLoginService into a protected method. Looks like I left out some exception handling there too :-( I'd rather not encourage this however.This is an embedding thing also. It's pretty unclear what4. Minor thing - is there a lot of value in the RunAsTokenmarker interface as opposed to just having a String? The roles and role mappings are themselves just Strings, so I was wondering what the utility is?run-as isactually supposed to mean and how things like supplying theidentity fora web service client or other remote call is supposed to work.(If the web service is supposed to be called as the user, rather than the server's identity, and you are in a run-as role, what credentials does this run-as-role identity supply????) In Geronimo we represent therun-as role by a Subject obtained by logging into a securityrealm. So,the geronimo run-as token has this Subject in it. We mightwant tostore a UserIdentity there instead..... anyway I don't think constraining the representation of the run-as identity is wise.BTW remember that the current auth modules implementingBASIC/DIGEST/FORM auth are more or less temporary until wemore or lessagree on the main interfaces, at which time I plan to rewritethem in more jetty-friendly form (also after apachecon :-) Many thanks! david jencksbest regards Jan David Jencks wrote:On Oct 16, 2008, at 11:59 PM, Jan Bartel wrote:Hi David, Firstly, let me genuflect in recognition of your extraordinary efforts for a) reading the spec b) being able to make heads or tails of it c) coming up with an implementation based on it!:-Dsee org.mortbay.jetty.plus.jaas in modules/plus/jetty- plusI'm surpressing the urge to have a bit of rant at yet another jcp specthat is at the same time heavy on the verbiage and light oncomprehensibility. Your email was way more informative than what 29 people managed to produce in the spec.Anyway, looking at the code in the jetty-7-jaspi branch,and I admitthat so far I've only just had a cursory nosey around, wherewould we integrate the JAAS side of things? Implement a JAASLoginService?Not sure if it is ideal, it's pretty much a simple modification of the former JAASUserRealmI'll have a deeper look at the code and get back to you withmoreinformed comments. This mail is to re-assure you that yourpost hasn't fallen into the void and that we are looking forward to integrating this into jetty-7 trunk!The main thing to remember might be that the current implementations ofbuilt-in security (FORM, BASIC, DIGEST etc) are in jaspi"modules" only until we agree on the jetty api at which point I was thinking to convertthem back into more jetty specific code. Of course if youdecide you really like jaspi.... :-)Several parts of the jaspi spec look to me as if they areJan PS I love this code-comment in ServletCallbackHandler:* Idiot class required by jaspi stupidity @#*($)#@&^) [EMAIL PROTECTED]&*$@sort of stuckon at the end when someone realized it was incomplete, andthe heavy useof CallbackHandler for two way communication between thejaspi modules and the container strikes me as one such point. thanks david jencks:) David Jencks wrote:Greg and Jan were kind enough to create a branch for me toplay around with a JASPI (Java Authentication Service Provider Interface)integration with jetty and its getting to a point where I'mwilling to talk about it. Code is at https://svn.codehaus.org/jetty/jetty/branches/jetty-7-jaspiJASPI attempts to provide a uniform framework for messagingsystems, both client and server side, to plug in message authentication. On theclient you can add auth info to a request and validate authinfo on aresponse. On the server you can validate auth info on arequest and add auth info to a response. The auth code can conduct arbitrary messageexchanges to negotiate what info is needed and transmit theinfo. I've been working on the server side auth for jetty.The actual spec jaspi interfaces are not 100% ideal forhttp and don't allow stuff like lazy authentication for unsecured resources so I'vecome up with interfaces similar in spirit to the jaspiones.I've also tried to rework the implementation so it is morefriendly tointegration with other app servers with their own ideasabout securityframeworks such as geronimo and in particular make jaccimplementations easier. I expect these changes will also simplify integration with e.g.jboss and glassfish but I haven't seriously tried to verifythis. Currently all the authentication code (replacing the *Authenticatorclasses) is implemented in terms of jaspi but I plan tochange this soon to use the jetty specific interfaces directly.So.... lets follow a HttpServletRequest/Response pair onits voyage through the security system...... it arrives at AbstractSecurityHandler.handle. Thisis a templatemethod that runs through the following structure callingout to subclasses and the authentication system: 1. calls checkUserDataPermissions(pathInContext, base_request,base_response, constraintInfo). This checks the user dataconstraints,basically that the request arrived over the right kind ofconnection(http/https). Two obvious implementations of this are theexistingjetty constraint based implementation or one based on JACC.2. calls isAuthMandatory(base_request, base_response, constraintInfo) todetermine if the request actually needs authentication.If it does notwe can often delay authentication until a method relying onauth results is called (such as getUserPrincipal or isUserInRole). Again this can be implemented using constraints or JACC.3. packs the request, response, and authManditory into a JettyMessageInfo holder object which can also pass variousauth info in a map. 4. delegates the authentication to the jaspi-like ServerAuthResult authResult = serverAuthentication.validateRequest(messageInfo);assuming we are not doing lazy auth, this will extract thecredentials from the request (possibly conducing a multi-message exchange with the client to request the credentials) and validate them.Validation can use a LoginService possibly provided to the ServerAuthentication which could be JAAS, Hash, JDBC, etcetc.Lazy auth results in returning a lazy result that onlyattempts authentication when info is actually needed. In this case no message exchange with the client is possible. <<<<<<<<<<<<<<<<<<<<5. Assuming that authentication succeeded (this includesthe lazy case where the request would be allowed even without authentication), we wrap up the result in an identity delegate:UserIdentity userIdentity = newUserIdentity(authResult);base_request.setUserIdentity(userIdentity); The UserIdentity is the delegate for run-as role implementation andactually answering auth questions from the applicationprogram. Thisallows app servers to handle run-as roles however theywant. 6. Assuming authentication is mandatory, now that we know the user, we can find out if they are in the appropriate roles:checkWebResourcePermissions(pathInContext, base_request,base_response, constraintInfo, userIdentity) 7. On success, we can actually handle the request: getHandler().handle(pathInContext, messageInfo.getRequestMessage(), messageInfo.getResponseMessage(), dispatch);8. Assuming no exceptions were thrown, we can now securethe response (normally a no-op for http): serverAuthentication.secureResponse(messageInfo, authResult); ------------------------------------------- JASPI implementationsI wrote a fairly complete jaspi framework implementationfor geronimo(rather than the bits actually needed for http which Iwrote for jetty)and have a nearly-untested openid implementation. This(theoretically)lets you openid-enable your app by supplying an appropriatelogin page and useing the openid auth module. Theres also a glassfish implementation that I haven't looked at andsomeone wrote a SPNEGO auth module that works with it.http://spnego.ocean.net.au/ -------------------------------------------- How does this differ from what's there now?SecurityHandler: AbstractSecurityHandler now just has thebasicworkflow described about and delegates all actual work toeither subclasses (for authorization decisions and object creation) or theauthentication delegate. This makes it easy to plug inalternateimplementations such as a JACC implementation for an EEserver.Authentication results and run-as roles: Formerly thesewere either directly set in the request (possibly using lazy evaluation, with code again in Request) or stuffed into a Principal implementation via theUserRealm. This really overloaded the idea of a Principalfor no apparent reason and made integration into app servers slightlyconvoluted. This is replaced with a UserIdentity interfaceprovidingseparate access to the auth results (user principal) androle handling (isUserInRole, and run-as handling). Subclasses of AbstractSecurityHandler can provide their own implementations of thisinterface. These typically delegate to implementations of ServerAuthResult, which can handle lazy authentication ifnecessary.UserRealm IMO glues together a lot of unrelated functions,primarily therole handling code now in UserIdentity and the credentialvalidation nowin LoginService. Credential validation may not even beneeded by theserver (e.g. openid). If needed it's called from somethingthatextracts credentials from the request. Implementations aregoing to do something like look up the user in a file or table or delegate to JAAS.On the other hand the role handling is called by jettyor by the application and the implementation is done by the app server (jetty or e.g. geronimo). Aside from being related somehow to security, these are totally unrelated concerns. --------------------------------------------------How does ServerAuthentication and LoginService relate toJASPI?The JASPI interface similar to ServerAuthentication isServerAuthContext:void cleanSubject(MessageInfo messageInfo, Subject subject)throws AuthException;AuthStatus secureResponse(MessageInfo messageInfo, SubjectserviceSubject) throws AuthException;AuthStatus validateRequest(MessageInfo messageInfo, SubjectclientSubject, Subject serviceSubject) throws AuthException;The main difference is that ServerAuthentication packagesall the results into a ServerAuthResult object rather than modifying theclientSubject directly and hiding user principal and groupinfo in somecallback handers. This lets ServerAuthentication supportlazy auth. As far as configuration goes. you get a ServerAuthContext by calling awhole lotta methods on some other stuff. or.... you canjust create oneand stuff it into an adapter, JaspiServerAuthentication.Probably we want to implement the built in auth methods as direct ServerAuthentication implementations rather than the currentServerAuthModule implementations (a ServerAuthContext issupposed todelegate to one or more ServerAuthModules, which have thesame interface).LoginService is a pretty straightforward way of asking forpassword validation and getting some info back. JASPI has a peculiar IMO systembased on Callbacks. The container (jetty) supplies theauth context with a CallbackHandler that enables bi-directional communication. Callbacks providing services to the auth module: PasswordValidationCallback: this lets the auth module ask for password validation: this is the closest to LoginService. CertStoreCallback, PrivateKeyCallback, SecretKeyCallback, and TrustStoreCallback all let the auth module ask for certificateservices. AFAICT these are mostly for securing responsemessages, which is typically not done for http.Callbacks letting the auth module pass info to the server: CallerPrincipalCallback: supplies the caller principal sogetCallerPrincipal can return something.GroupPrincipalCallback supplies "groups" the user may bein. The meaning here is rather undefined but can be mapped to roles in some way,such as by assuming the groups and roles are the same.The use of callbacks here still seems rather weird to mebut may make more sense in the context of other messaging systems: jaspi is supposedto be applicable to all sorts of messaging, including ejbcalls, jms, web services, etc etc. I've put the caller principal and groups into the ServerAuthResult object where they can be accessed directly (although possibly determined lazily). -------------------------------------------------------------- Comments... Right now it looks to me as if form auth needs to be non-lazy since part of the message exchange involves a request to j_security_check which isnormally not a secured response. Trying to evaluate authfor thislazily doesn't work... you never get back to the originalrequest.I don't see how this implementation could be significantlysimplified orsped up.... I'm certainly willing to look at problems.I've been discussing JACC with Greg for a long time now.The only thingI can see that is possible with constraint implementationsthat is notpossible with jacc is redirecting an http request to the"equivalent"https request if a user data constraint is violated. I'mcurious aboutwhether this is something people want to do or usually setup. Many thanks, david jencks --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com--------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email-- Jan Bartel, Webtide LLC | [EMAIL PROTECTED] | http://www.webtide.com
