Hi,

Yes, the documentation is a bit too light. But you guessed it right: we need to have a keystore for encryption.

The saml.identityProviderMetadataPath can point to a local resource or to a remote one, using the right prefix: resource:, file: or a URL (by default, it is a file path). This must be documented though.

With Okta, I used the defined URL (Single Sign On URL = Recipient URL = Destination URL) for the serviceProviderEntityId, but I think it may depend on the IdP as well. Reading the spec, it must be a URI, but I'm not sure if the SP metadata should really be available on this URL. For Okta, it doesn't matter.

According to your SAML configuration, the SP metadata will be generated somewhere and this somewhere can be defined via the serviceProviderMetadataPath parameter. You generally need to update your metadata to the IdP (not required for Okta though). Both the SP and IdP must know each other.

When writing the documentation, I went fast on these parameters with the feeling they were regular ones, but indeed, the description in the Knox manual is not enough. This is somehow a bit normal as the real documentation for SAML is on the SAML wiki: https://github.com/pac4j/pac4j/wiki/Clients#details-for-saml-support

So I propose to keep the Knox documentation mostly "as is", but add links to the pac4j wiki (where I could more easily make updates). All pac4j integrations need this documentation so it's better to centralize it, from my point of view.

What do you think?

Thanks.
Best regards,
Jérôme

2016-01-13 19:37 GMT+01:00 larry mccay <[email protected]>:

> Hi Jérôme -
>
> I'm trying to configure the pac4j provider for an okta "application" that I created.
> The following (from KNOX-642 docs patch) isn't quite enough to make it clear to me how to go about doing so:
>
> +saml.keystorePassword | Password of the keystore (storepass)
> +saml.privateKeyPassword | Password for the private key (keypass)
> +saml.keystorePath | Path of the keystore
> +saml.identityProviderMetadataPath | Path of the identity
> provider metadata
> +saml.maximumAuthenticationLifetime | Maximum lifetime for
> authentication
> +saml.serviceProviderEntityId | Identifier of the service
> provider
> +saml.serviceProviderMetadataPath | Path of the service provider
> metadata
>
> I assume that I can use the gateway.jks keystore and the gateway-identity keypair to do the request signing and that that information is what is needed for the first 3 params. Unfortunately, I don't see any use of gateway services to get the master secret therefore it needs to be in clear text here. This won't work - but may not be a show stopper for committing to master as long as we follow up with a fix.
>
> Can saml.identityProviderMetadataPath point to a remote location or does it have to be local to the SP application? This would likely require it to be on the local filesystem, provisioned by the contributor into the generated web app or in some central location via NFS or something like that.
>
> The okta application that I created is called KnoxSSO - is that the value for saml.serviceProviderEntityId?
>
> The saml.serviceProviderMetadataPath has the same questions as the metadata for the IDP. In addition, is there a sample metadata file that we can provide for the use of pac4j with KnoxSSO?
>
> I think that getting this working and clean (no clear text passwords) will make a great feature and blog for featuring pac4j provider and the 0.8.0 release. So, let's try and iron this out clearly.
>
> I would really like to get this working and committed in the next couple days to free us up for follow up items.
> In particular we need time to figure out whether the identity assertion providers that we currently have will suffice for an apache release that is featuring this new functionality.
>
> I will also add the above comments/questions to the JIRA for visibility.
>
> thanks,
>
> --larry
>
> On Fri, Jan 8, 2016 at 12:40 PM, larry mccay <[email protected]> wrote:
>
> > Jérôme -
> >
> > My testing of OpenID Connect is blocked.
> > Can you see the comments in KNOX-641?
> >
> > thanks,
> >
> > --larry
> >
> > On Wed, Jan 6, 2016 at 2:30 PM, larry mccay <[email protected]> wrote:
> >
> >> Jérôme -
> >>
> >> Please see the comments on KNOX-641.
> >>
> >> thanks,
> >>
> >> --larry
> >>
> >> On Wed, Jan 6, 2016 at 11:24 AM, Kevin Minder <[email protected]> wrote:
> >>
> >>> I can certainly appreciate the issue of including external resources in automated tests. Nothing has driven me more crazy over the years. The flip side of this of course is not finding out about a breakage until someone is willing to go through the manual testing which will typically happen just before a release. Also the implication is that these testing procedures must be very well documented so that they can continue to be run once any of us are no longer active in the project.
> >>>
> >>> On 1/6/16, 2:12 AM, "Jérôme LELEU" <[email protected]> wrote:
> >>>
> >>> >Hi,
> >>> >
> >>> >Yes, you can hit the CAS server at Heroku. Notice it's a Heroku free server so it needs to be re-activated first (it takes a couple of seconds). So for a UI test, you should first hit it, wait 30 seconds and then perform the test.
> >>> >
> >>> >Just my 2 cents:
> >>> >Using automated UI tests was my first strategy for pac4j but I finally gave up because public providers change very often, at least enough to make the maintenance tests a nightmare.
> >>> >Currently, I'm using manual tests (the same for all demos), it takes me around 5 minutes to play them all by hand (for a demo) and I launched manually the UI tests I have for every major pac4j release. Just to say UI tests are not that easy. For a CAS server, it's fairly feasible as the CAS server and protocol change rarely.
> >>> >That's why for Knox, I did some compromise with a simulated web test (based on the basic auth). See:
> >>> >
> >>> > https://github.com/apache/knox/pull/2/files#diff-d0c880ca71b310dbe57975c577535e97R47
> >>> >
> >>> >Thanks.
> >>> >Best regards,
> >>> >Jérôme
> >>> >
> >>> >2016-01-05 21:20 GMT+01:00 Kevin Minder <[email protected]>:
> >>> >
> >>> >> From my perspective it would be ideal if there were some automatable functional tests for this. I’m not advocating that these be something included in “mvn clean install” as that is running too long as it is. Given that I don’t have as much context as Larry, I have some questions about what this would take. Let's say we had permission to hit https://casserverpac4j.herokuapp.com/login as part of some low frequency automated tests (e.g. Once nightly). What static credentials and other test automation infrastructure would need to be implemented in support of this? I understand that the test suite would require at a minimum
> >>> >> 1) a test driver
> >>> >> 2) a protected mock UI and
> >>> >> 3) an appropriately configured Knox
> >>> >> 4) a profile enabled maven module
> >>> >> 5) an Apache jenkins job
> >>> >> but I’m sure I’m missing other things. I’m certainly willing to help setup the skeleton infrastructure (e.g. test driver, mock UI, maven module, jenkins job)
> >>> >>
> >>> >> On 1/5/16, 2:54 PM, "larry mccay" <[email protected]> wrote:
> >>> >>
> >>> >> >Okay, very good.
> >>> >> >I've used TestShib for the picketlink provider - thanks for the pointers!
> >>> >> >
> >>> >> >On Tue, Jan 5, 2016 at 1:38 PM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >
> >>> >> >> The online CAS server (https://casserverpac4j.herokuapp.com/login) uses the CAS protocol. SAML support can be tested using some online IdP like Okta, TestShib, OpenFeide, Ssocircle...
> >>> >> >>
> >>> >> >> 2016-01-05 17:32 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >>
> >>> >> >> > Great - thanks for that pointer!
> >>> >> >> >
> >>> >> >> > I will take a look at that and help drive the release related testing.
> >>> >> >> > Merge testing will be gated on CAS server (is this SAML or CAS protocol?) and testBasicAuth.
> >>> >> >> >
> >>> >> >> > On Tue, Jan 5, 2016 at 10:52 AM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >> >
> >>> >> >> > > Hi,
> >>> >> >> > >
> >>> >> >> > > Glad to hear back from you!
> >>> >> >> > >
> >>> >> >> > > The core pac4j project is fully tested by unit tests (and some integration tests I run for major version), then all pac4j implementations are each tested by the appropriate demo: j2e-pac4j-demo tests j2e-pac4j, spring-webmvc-pac4j-demo tests spring-webmvc-pac4j, etc.
> >>> >> >> > >
> >>> >> >> > > So if you take a look at: https://github.com/pac4j/j2e-pac4j-demo/blob/master/src/main/java/org/pac4j/demo/j2e/config/DemoConfigFactory.java#L27 (for example), you have all the required information to test.
> >>> >> >> > >
> >>> >> >> > > I can do that on my own, but it can be good for the Knox community to start working / testing the pac4j support. It's up to you.
> >>> >> >> > >
> >>> >> >> > > Thanks.
> >>> >> >> > > Best regards,
> >>> >> >> > > Jérôme
> >>> >> >> > >
> >>> >> >> > > 2016-01-05 16:11 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >> > >
> >>> >> >> > > > Hello Jérôme -
> >>> >> >> > > >
> >>> >> >> > > > Happy New Year!
> >>> >> >> > > >
> >>> >> >> > > > I am going to start reviewing your updates today, hopefully.
> >>> >> >> > > > I was thinking that we need to start discussions on what the key usecases are and how to go about testing them.
> >>> >> >> > > > We can certainly test the testBasicAuth and against the hosted CAS server but what about FB, openid, OAuth, etc?
> >>> >> >> > > >
> >>> >> >> > > > I'm not sure that FB would be a key feature but OpenID Connect and OAuth would be - as is SAML.
> >>> >> >> > > > I think CAS buys us SAML testing - assuming that the configuration of the hosted server is actually a SAML 2 instance.
> >>> >> >> > > >
> >>> >> >> > > > What about the others?
> >>> >> >> > > >
> >>> >> >> > > > I don't know that we need to be able to test them all before merge but some sort of manual verification would be great.
> >>> >> >> > > > We would need to be able to test them before the next release which would be featuring the pac4j functionality.
> >>> >> >> > > >
> >>> >> >> > > > Maybe you can describe how you go about testing such things for the pac4j project itself?
> >>> >> >> > > >
> >>> >> >> > > > thanks,
> >>> >> >> > > >
> >>> >> >> > > > --larry
> >>> >> >> > > >
> >>> >> >> > > > On Tue, Jan 5, 2016 at 9:55 AM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >> > > >
> >>> >> >> > > > > Hi,
> >>> >> >> > > > >
> >>> >> >> > > > > Happy new year!
> >>> >> >> > > > >
> >>> >> >> > > > > A few days ago, I updated my patch of the pac4j gateway provider according to all comments on https://issues.apache.org/jira/browse/KNOX-641 as well as the documentation on KNOX-642.
> >>> >> >> > > > >
> >>> >> >> > > > > Is everything ok for the merge?
> >>> >> >> > > > >
> >>> >> >> > > > > Thanks.
> >>> >> >> > > > > Best regards,
> >>> >> >> > > > > Jérôme
> >>> >> >> > > > >
> >>> >> >> > > > > 2015-12-14 15:28 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >> > > > >
> >>> >> >> > > > > > Hi Jérôme -
> >>> >> >> > > > > >
> >>> >> >> > > > > > Not sure if you saw but I added review comments to KNOX-641.
> >>> >> >> > > > > >
> >>> >> >> > > > > > I think that we need to determine whether we want the testBasicAuth in the provider itself.
> >>> >> >> > > > > >
> >>> >> >> > > > > > Let's follow up on the JIRA.
> >>> >> >> > > > > >
> >>> >> >> > > > > > thanks,
> >>> >> >> > > > > >
> >>> >> >> > > > > > --larry
> >>> >> >> > > > > >
> >>> >> >> > > > > > On Fri, Dec 11, 2015 at 8:44 AM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >> > > > > >
> >>> >> >> > > > > > > Hi,
> >>> >> >> > > > > > >
> >>> >> >> > > > > > > No problem. It can go into a version 0.8.0 if needed.
> >>> >> >> > > > > > > The truth is that there is only one change outside the new pac4j module, so I think risks are extremely limited.
> >>> >> >> > > > > > >
> >>> >> >> > > > > > > Just let me know.
> >>> >> >> > > > > > >
> >>> >> >> > > > > > > Thanks.
> >>> >> >> > > > > > > Best regards,
> >>> >> >> > > > > > > Jérôme
> >>> >> >> > > > > > >
> >>> >> >> > > > > > > 2015-12-11 14:23 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >> > > > > > >
> >>> >> >> > > > > > > > Hi Jérôme -
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > I have unfortunately not had a chance to pull, review and test it yet and have intended to do that today.
> >>> >> >> > > > > > > > I apologize for the delay.
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > I was actually thinking that this would go into a follow up release that we would try and get done rapidly after the 0.7.0 release but we can discuss the target and its chances of destabilizing 0.7.0.
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > I believe that it is rather self-contained with only a few changes to external modules.
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > Opening the JIRAs is perfect and I was going to do that once I started the review.
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > Let's continue review comments and collaboration on those JIRAs.
> >>> >> >> > > > > > > > I will add you to the contributors list so that we can assign them to you.
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > Thank you for your contributions and your patience, Jérôme!
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > --larry
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > On Fri, Dec 11, 2015 at 3:00 AM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >> > > > > > > >
> >>> >> >> > > > > > > > > Hi,
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > I didn't get any new feedback on the pull request so I assume everything is ok from your point of view.
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > I released pac4j v1.8.1 and j2e-pac4j v1.2.1 so I updated the pull request to use them and successfully re-tested everything.
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > I opened KNOX-641 and submitted the corresponding patch.
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > I also wrote the documentation, opened KNOX-642 and submitted the corresponding patch (just to let you know that it doesn't work out of the box in Windows, I had to replace mvn.bat by mvn.cmd to make ant work).
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > Even if the branch 0.7.0 has already been created, I assumed this new pac4j provider will go into this version 0.7.0 (dependency on the 0.7.0-SNAPSHOT parent version).
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > Just let me know if everything is ok and when it's going to be merged.
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > Thanks.
> >>> >> >> > > > > > > > > Best regards,
> >>> >> >> > > > > > > > > Jérôme
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > 2015-12-04 14:20 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >> > > > > > > > >
> >>> >> >> > > > > > > > > > That ability to configure multiple mechanisms based on clientName is really interesting for Knox.
> >>> >> >> > > > > > > > > > Currently, we require separate topologies per authentication mechanism.
> >>> >> >> > > > > > > > > > The ability to configure them all in one is really great.
> >>> >> >> > > > > > > > > >
> >>> >> >> > > > > > > > > > We would need to think through the best way to provide the clientName parameter.
> >>> >> >> > > > > > > > > > Since this is targeting KnoxSSO it can actually be added to the providerURL used to redirect from the participating application.
> >>> >> >> > > > > > > > > > Regardless of the authentication mechanism used each application will still get the same JWT based cookie.
> >>> >> >> > > > > > > > > >
> >>> >> >> > > > > > > > > > I think that should work really nicely.
> >>> >> >> > > > > > > > > >
> >>> >> >> > > > > > > > > > On Fri, Dec 4, 2015 at 7:17 AM, larry mccay <[email protected]> wrote:
> >>> >> >> > > > > > > > > >
> >>> >> >> > > > > > > > > > > Excellent, Jérôme.
> >>> >> >> > > > > > > > > > > Thanks!
> >>> >> >> > > > > > > > > > >
> >>> >> >> > > > > > > > > > > On Fri, Dec 4, 2015 at 2:40 AM, Jérôme LELEU <[email protected]> wrote:
> >>> >> >> > > > > > > > > > >
> >>> >> >> > > > > > > > > > >> Hi,
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> I will write how to configure the pac4j provider in the documentation, but I can already give you some insights.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> My main goal is always to respect the key design principles of pac4j whatever the environment / framework in which it is implemented.
> >>> >> >> > > > > > > > > > >> For Knox, I'm pretty happy with the use of the j2e-pac4j library, which means that almost all the pac4j features are available, especially both direct and indirect clients. So it can do what Shiro already does but also, as we agreed together, supports remote authentications.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> It is only limited by what you can currently configure. And even configuration is a pac4j feature as the CAS server has the same need. Everything happens in this class: https://github.com/pac4j/pac4j/blob/master/pac4j-config/src/main/java/org/pac4j/config/client/ConfigPropertiesFactory.java, which allows you to configure Facebook, Twitter, a CAS server, a SAML IdP or an OpenID Connect provider.
> >>> >> >> > > > > > > > > > >> All the provided parameters to the pac4j provider are put into a Map and the ConfigPropertiesFactory is built with this Map to return the built client (= authentication mechanism).
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> You have one more specific option for Knox as a basic authentication popup where the username must match the password, you can define that by:
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> <param>
> >>> >> >> > > > > > > > > > >>   <name>clientName</name>
> >>> >> >> > > > > > > > > > >>   <value>testBasicAuth</value>
> >>> >> >> > > > > > > > > > >> </param>
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> It's for testing only.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> For a CAS server:
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> <param>
> >>> >> >> > > > > > > > > > >>   <name>cas.loginUrl</name>
> >>> >> >> > > > > > > > > > >>   <value>https://casserverpac4j.herokuapp.com/login</value>
> >>> >> >> > > > > > > > > > >> </param>
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> Here are all the properties available for building clients (their meaning is obvious):
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> facebook.id
> >>> >> >> > > > > > > > > > >> facebook.secret
> >>> >> >> > > > > > > > > > >> facebook.scope
> >>> >> >> > > > > > > > > > >> facebook.fields
> >>> >> >> > > > > > > > > > >> twitter.id
> >>> >> >> > > > > > > > > > >> twitter.secret
> >>> >> >> > > > > > > > > > >> saml.keystorePassword
> >>> >> >> > > > > > > > > > >> saml.privateKeyPassword
> >>> >> >> > > > > > > > > > >> saml.keystorePath
> >>> >> >> > > > > > > > > > >> saml.identityProviderMetadataPath
> >>> >> >> > > > > > > > > > >> saml.maximumAuthenticationLifetime
> >>> >> >> > > > > > > > > > >> saml.serviceProviderEntityId
> >>> >> >> > > > > > > > > > >> saml.serviceProviderMetadataPath
> >>> >> >> > > > > > > > > > >> cas.loginUrl
> >>> >> >> > > > > > > > > > >> cas.protocol
> >>> >> >> > > > > > > > > > >> oidc.id
> >>> >> >> > > > > > > > > > >> oidc.secret
> >>> >> >> > > > > > > > > > >> oidc.discoveryUri
> >>> >> >> > > > > > > > > > >> oidc.customParamKey1
> >>> >> >> > > > > > > > > > >> oidc.customParamValue1
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> If you define multiple clients, the first one will be used for authentication, but you can explicitly choose the client you want to use via the clientName parameter, assuming you want to switch from client depending on environment for example.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> So if you want to add some new authentication mechanism, you must first check that it is available in pac4j (if it's not, it's another discussion, but generally, it is). Then, you'll need to upgrade the ConfigPropertiesFactory by submitting a new pull request to the pac4j project (I can do it myself, but I'm sure you could do that easily), finally wait for the new pac4j release and switch pac4j versions in Knox to benefit from the new feature.
> >>> >> >> > > > > > > > > > >> The good thing is that if someone related to the CAS server does the same thing for CAS (in pac4j), you will automatically get it when you'll upgrade pac4j.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> To go even further, replacing LDAP Shiro authentication is just a matter of making pac4j LDAP authentication available via configuration parameters.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> I hope it was clear enough.
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> Thanks.
> >>> >> >> > > > > > > > > > >> Best regards,
> >>> >> >> > > > > > > > > > >> Jérôme
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> 2015-12-03 20:45 GMT+01:00 larry mccay <[email protected]>:
> >>> >> >> > > > > > > > > > >>
> >>> >> >> > > > > > > > > > >> > Excellent!
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > I will carve out some time to do code review.
> >>> >> >> > > > > > > > > > >> > We will need to get some insights into how to go about testing:
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > * is the CAS server going to be available for testing?
> >>> >> >> > > > > > > > > > >> > * what are the specific and generic/standard (if any) authentication mechanisms available - for instance:
> >>> >> >> > > > > > > > > > >> >   - Facebook, Google, LinkedIn and CAS are specifics
> >>> >> >> > > > > > > > > > >> >   - OAuth 2, OpenID Connect, SAML are generic/standards - that may be used for the above specifics...
> >>> >> >> > > > > > > > > > >> > * how do we test things other than CAS - in terms of getting credentials, configuration, etc
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > We could certainly do this in phases as well.
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > If you can enumerate the things that should work and provide some testing details for CAS or as many as possible and OpenID Connect then we can test the specific implementations that you provide and enable the testing of another OpenID Connect effort that is in the works in the community.
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > I'm not sure whether we want to commit contributions that are dependent on snapshots - we certainly can't release with any such dependencies.
> >>> >> >> > > > > > > > > > >> > I would hate to add a cleanup task to a release to make sure there are no snapshots in there.
> >>> >> >> > > > > > > > > > >> > We will probably wait until after the pac4j releases to commit.
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > I am really happy that this integration is happening and that it went rather smoothly.
> >>> >> >> > > > > > > > > > >> > These sorts of authentication protocols are complex and I think we lined up pretty well overall.
> >>> >> >> > > > > > > > > > >> >
> >>> >> >> > > > > > > > > > >> > Thanks for your work!
>
> On Thu, Dec 3, 2015 at 2:28 PM, Jérôme LELEU <[email protected]> wrote:
>
> Hi,
>
> I just sync'ed with master, cleaned dependencies and added missing Javadocs. Everything works correctly now. Many thanks.
>
> The pull request is ready for a full code review:
> https://github.com/apache/knox/pull/2
>
> I'll write the documentation after the pac4j releases (I hope next week).
>
> Thanks.
> Best regards,
> Jérôme
>
> 2015-12-02 19:18 GMT+01:00 larry mccay <[email protected]>:
>
> Fixed in https://issues.apache.org/jira/browse/KNOX-636 .
>
> On Wed, Dec 2, 2015 at 12:42 PM, larry mccay <[email protected]> wrote:
>
> Sure - I can file a JIRA and commit a fix.
>
> The secret generation should be done in one instance and replicated across others.
> This replication/management of the credential stores is outside of the scope of Knox itself as of now.
>
> Documentation is done in markdown and contributing details are available at:
> https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-DocumentationContributorWorkflow
>
> Which should give you a general idea.
>
> Find an example like: ./trunk/books/0.7.0/config_preauth_sso_provider.md
>
> For an example of typical content and format.
>
> Here is how that example renders:
> http://knox.apache.org/books/knox-0-7-0/user-guide.html#Preauthenticated+SSO+Provider
>
> You'll need to tie it into the rest of the book - just grep for where that filename is referenced.
> To test how it renders build the site with: "ant" and note the url to the 0.7.0 book.
>
> On Wed, Dec 2, 2015 at 12:12 PM, Jérôme LELEU <[email protected]> wrote:
>
> Hi,
>
> Why it doesn't work for pac4j while it works for others is a bit strange to me, but if you have the patch in front of your eyes, I'd rather prefer you to commit it. In all cases, I'll sync with the master.
>
> There was one question you didn't answer previously: is the password generated for the pac4j provider the same across all gateway instances? Because I expect to have the same value as I use it to encrypt / decrypt data.
>
> I will add the Javadoc. After that, you can review the pull request more completely.
>
> What do you expect for the documentation?
>
> Notice that pac4j dependencies are still snapshots, but they will be released in a week or two.
>
> Thanks.
> Best regards,
> Jérôme
>
> 2015-12-02 17:51 GMT+01:00 larry mccay <[email protected]>:
>
> Jérôme -
>
> If you would like to add that change as part of your patch or as a separately filed JIRA to fix a bug that would certainly be welcomed.
> Otherwise, I can do it.
>
> Let me know.
>
> thanks,
>
> --larry
>
> On Wed, Dec 2, 2015 at 11:44 AM, larry mccay <[email protected]> wrote:
>
> Okay - I had to add an override of getUserPrincipal() to the IdentityAsserterHttpServletRequestWrapper and return the member variable username and it works like a charm.
>
> Why I haven't seen this same behavior with other providers is a bit of a mystery but they must be adding other wrappers that handle it.
> This is quite cool, Jérôme!
>
> On Wed, Dec 2, 2015 at 10:41 AM, larry mccay <[email protected]> wrote:
>
> That was it - thanks!
>
> On Wed, Dec 2, 2015 at 10:20 AM, Jérôme LELEU <[email protected]> wrote:
>
> This is my exact command line: mvn -Prelease clean install -DskipTests
>
> You use an internal Maven repository to fetch dependencies from internet:
> http://nexus-private.hortonworks.com/nexus/content/groups/public/
>
> Does this repository have access to the remote Snapshots Sonatype repo?
>
> 2015-12-02 16:16 GMT+01:00 larry mccay <[email protected]>:
>
> hmmm - I used:
>
> mvn clean install -DskipTests=true -Prelease
>
> The repository entry is in there already.
> No worky.
>
> On Wed, Dec 2, 2015 at 10:12 AM, Jérôme LELEU <[email protected]> wrote:
>
> Hi,
>
> You need the j2e-pac4j dependencies as well as the pac4j-* dependencies, but you don't need to build them locally (hopefully).
>
> But you need a dependency on the Sonatype snapshots repository (where the snapshot versions are hosted), which is added for Maven in the root pom.xml:
>
> https://github.com/apache/knox/pull/2/files#diff-600376dffeb79835ede4a0b285078036R123
>
> If you use Ant for the build, there is maybe a glitch to find the Sonatype Maven repo.
>
> Thanks.
> Best regards,
> Jérôme
>
> 2015-12-02 16:06 GMT+01:00 larry mccay <[email protected]>:
>
> Oh - do I need to build j2e-pac4j locally in order to resolve the dependencies?
>
> [ERROR] Failed to execute goal on project gateway-provider-security-pac4j: Could not resolve dependencies for project org.apache.knox:gateway-provider-security-pac4j:jar:0.7.0-SNAPSHOT: The following artifacts could not be resolved: org.pac4j:j2e-pac4j:jar:1.2.1-SNAPSHOT, org.pac4j:pac4j-http:jar:1.8.1-SNAPSHOT, org.pac4j:pac4j-config:jar:1.8.1-SNAPSHOT: Could not find artifact org.pac4j:j2e-pac4j:jar:1.2.1-SNAPSHOT in public ( http://nexus-private.hortonworks.com/nexus/content/groups/public/ ) -> [Help 1]
>
> On Wed, Dec 2, 2015 at 10:05 AM, larry mccay <[email protected]> wrote:
>
> gateway-provider-security-pac4j doesn't build - do you have a pending change for your pom.xml or something?
