hmm that's another need. Here is how I see things:
1) the LazyRealm manages the classloader stuff
2) another realm (DelegatorRealm?) does the same using bean matching (almost) signatures of realm using java types (java == not tomcat) and uses reflection to invoke the delegate
wdyt?

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*

2012/8/23 Enrico Olivelli <[email protected]>

> Because realmClass needs to be an implementation of
> org.apache.catalina.Realm
> and so in my app I will always need to add a compile time dep on tomcat in
> my app
> I would like not to have any compile time dep neither on Tomcat nor on
> OpenEJB/TomEE if possible
>
> On 23/08/2012 08:48, Romain Manni-Bucau wrote:
>
>> Why is there a dep? That's just xml
>>
>> On 23 August 2012 07:55, "Enrico Olivelli" <[email protected]> wrote:
>>
>>> Thank you
>>> Your impl is great!
>>>
>>> But with this LazyRealm the app needs to depend at compile time on the
>>> tomcat-catalina "realm" interface (even if it can be created with CDI, so I
>>> think that in this way devs can lookup EJBs)
>>> I think it should be more powerful to provide a Realm that could call
>>> directly one business method inside the app (as the EJB example or the EL
>>> example)
>>> the EL example is very powerful, because devs who use JSF often declare
>>> <commandButton action="#{usermanager.login(......)" >
>>>
>>> but I think that an EJB stub would be enough
>>>
>>> maybe it would be useful to let the app provide an implementation of JAAS
>>> LoginModule or some other "standard" way to authenticate the user (without
>>> deploying it in the container, that is sometimes out of the possibilities
>>> of the dev, IT rules!)
>>>
>>> another idea
>>> you can add a wrapper to the application "realm" in LazyRealm to adapt it
>>> to the Realm interface, I think the only useful method is
>>> authenticate(username,password) method as the example I sent, Tomcat
>>> wants it to return a Tomcat specific Principal impl that contains the
>>> roles list
>>>
>>> Thanks
>>> - Enrico
>>>
>>> On 22/08/2012 21:39, Romain Manni-Bucau wrote:
>>>
>>>> PS: the realm should be able to use cdi, simply add cdi="true" to the
>>>> realm definition (that's not the default)
>>>>
>>>> *Romain Manni-Bucau*
>>>> *Twitter: @rmannibucau*
>>>> *Blog: http://rmannibucau.wordpress.com*
>>>>
>>>> 2012/8/22 Romain Manni-Bucau <[email protected]>
>>>>
>>>>> already looked at it several times and the IDE was opened ;)
>>>>>
>>>>> *Romain Manni-Bucau*
>>>>> *Twitter: @rmannibucau*
>>>>> *Blog: http://rmannibucau.wordpress.com*
>>>>>
>>>>> 2012/8/22 Thiago Veronezi <[email protected]>
>>>>>
>>>>>> Dude, you are incredibly fast!!!
>>>>>> :O)
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 2:21 PM, Romain Manni-Bucau
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>>> https://issues.apache.org/jira/browse/TOMEE-400
>>>>>>>
>>>>>>> *Romain Manni-Bucau*
>>>>>>> *Twitter: @rmannibucau*
>>>>>>> *Blog: http://rmannibucau.wordpress.com*
>>>>>>>
>>>>>>> 2012/8/22 Enrico Olivelli <[email protected]>
>>>>>>>
>>>>>>>> On 22/08/2012 19:29, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>> hmm, the point is tomcat creates the realm before the app is
>>>>>>>>> started (== the webapp classloader is not available) so you have to
>>>>>>>>> put your realm in the container
>>>>>>>>
>>>>>>>> it is exactly the reason why I'm asking you to put this kind of
>>>>>>>> support in TomEE, because you cannot deploy a "Realm" implementation
>>>>>>>> directly in your own application
>>>>>>>> My trick is just to let the developer of the app bundle in its own
>>>>>>>> app the only "logic" that implements the real authentication, leaving
>>>>>>>> the container to "manage" security
>>>>>>>>
>>>>>>>> in order to lookup beans you have to make a JNDI lookup only for
>>>>>>>> every call to "authenticate", so the realm actually doesn't need to
>>>>>>>> have access to the application context before initialization
>>>>>>>>
>>>>>>>>> FYI you can use the tomee maven plugin:
>>>>>>>>>
>>>>>>>>> <plugin>
>>>>>>>>>   <groupId>org.apache.openejb.maven</groupId>
>>>>>>>>>   <artifactId>tomee-maven-plugin</artifactId>
>>>>>>>>>   <version>1.0.0-SNAPSHOT</version>
>>>>>>>>>   <configuration>
>>>>>>>>>     <libs>
>>>>>>>>>       <lib>examples:EJBRealm:1.0-SNAPSHOT</lib>
>>>>>>>>>     </libs>
>>>>>>>>>   </configuration>
>>>>>>>>> </plugin>
>>>>>>>>>
>>>>>>>>> I don't know if tomcat already has a kind of lazy realm instantiator
>>>>>>>>> but we could add one in tomee to manage such cases
>>>>>>>>>
>>>>>>>>> *Romain Manni-Bucau*
>>>>>>>>> *Twitter: @rmannibucau*
>>>>>>>>> *Blog: http://rmannibucau.wordpress.com*
>>>>>>>>>
>>>>>>>>> 2012/8/22 Thiago Veronezi <[email protected]>
>>>>>>>>>
>>>>>>>>>> Hmmmm... I like your idea!
>>>>>>>>>> I will try to implement something like that now.
>>>>>>>>>>
>>>>>>>>>> []s,
>>>>>>>>>> Thiago.
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 22, 2012 at 1:12 PM, Enrico Olivelli
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> This is not what I meant
>>>>>>>>>>> I'm attaching an example
>>>>>>>>>>>
>>>>>>>>>>> EJBRealm.zip is a simple Tomcat Realm that performs a JNDI lookup
>>>>>>>>>>> to get an application provided EJB and invokes a method to
>>>>>>>>>>> authenticate the user
>>>>>>>>>>>
>>>>>>>>>>> <Realm className="ejbrealm.EJBRealm"
>>>>>>>>>>>        beanname="java:global/localhost/MyAuth/AuthBean"
>>>>>>>>>>>        realmname="MyRealm" loginMethod="loginUser" />
>>>>>>>>>>>
>>>>>>>>>>> MyAuth.zip is an example webapp which uses it
>>>>>>>>>>>
>>>>>>>>>>> - Enrico
>>>>>>>>>>>
>>>>>>>>>>> On 22/08/2012 18:38, Romain Manni-Bucau wrote:
>>>>>>>>>>>
>>>>>>>>>>>> realms are typically managed by tomcat so tomcat packaging
>>>>>>>>>>>> should work
>>>>>>>>>>>> the link between realm and ejbcontext is done through a wrapper
>>>>>>>>>>>> realm called tomeerealm (added automatically on the snapshot) so
>>>>>>>>>>>> simply define the jaasrealm:
>>>>>>>>>>>> http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/src/main/tomee/conf/server.xml
>>>>>>>>>>>>
>>>>>>>>>>>> here is a sample:
>>>>>>>>>>>> http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/
>>>>>>>>>>>>
>>>>>>>>>>>> *Romain Manni-Bucau*
>>>>>>>>>>>> *Twitter: @rmannibucau*
>>>>>>>>>>>> *Blog: http://rmannibucau.wordpress.com*
>>>>>>>>>>>>
>>>>>>>>>>>> 2012/8/22 Enrico Olivelli <[email protected]>
>>>>>>>>>>>>
>>>>>>>>>>>>> I'd like
>>>>>>>>>>>>> to bundle my own "realm" implementation with my app, because I
>>>>>>>>>>>>> want to call an EJB method in order to authenticate users
>>>>>>>>>>>>> Tomcat comes with JDBCRealm which can be used to lookup
>>>>>>>>>>>>> username/password directly in the app DB bypassing application
>>>>>>>>>>>>> code
>>>>>>>>>>>>> and Tomcat does like to "bundle" a Realm implementation inside
>>>>>>>>>>>>> the app
>>>>>>>>>>>>> The only "issue" I see is the security context to use to access
>>>>>>>>>>>>> this "realm-EJB"
>>>>>>>>>>>>> Did I miss something ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Could you bundle a built-in Tomcat Realm that does the trick ?
>>>>>>>>>>>>> something like
>>>>>>>>>>>>> <Realm className="xxxx.EJBRealm"
>>>>>>>>>>>>>        beanLookup="java:comp/env/MyAuthBean"
>>>>>>>>>>>>>        authenticateMethod="authenticateUser" runAs="superuser" />
>>>>>>>>>>>>>
>>>>>>>>>>>>> or CDI-EL based
>>>>>>>>>>>>> assuming the presence of a @Named("authbean")
>>>>>>>>>>>>> <Realm className="xxxx.CDIRealm"
>>>>>>>>>>>>>        authenticateMethod="#{authbean.authenticateUser}"
>>>>>>>>>>>>>        runAs="superuser" />
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> Enrico
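
The DelegatorRealm idea from the top reply (match a method by plain Java types, invoke it by reflection), as an added sketch that is not part of the thread or of TomEE. The class names, the "return a list of roles, or null to deny" convention and the deny-on-any-error behaviour are assumptions, and the Tomcat Realm wiring is left out.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.List;

// Hypothetical sketch: none of these names come from TomEE or Tomcat.
public class DelegatorSketch {
    // What the container side needs back: a user name plus its roles.
    record SimplePrincipal(String name, List<String> roles) implements Principal {
        public String getName() { return name; }
    }

    // Constructed stand-in for the bean the webapp ships; it uses plain Java types only.
    public static class AppAuthBean {
        public List<String> loginUser(String user, String password) {
            return "alice".equals(user) && "s3cret".equals(password) ? List.of("user") : null;
        }
    }

    private final Object delegate;
    private final Method method;
    private final ClassLoader appLoader;

    DelegatorSketch(Object delegate, String methodName, ClassLoader appLoader) throws NoSuchMethodException {
        this.delegate = delegate;
        // getMethod returns public methods only and matches the exact parameter types,
        // so a misconfigured method name fails at setup time, not at login time.
        this.method = delegate.getClass().getMethod(methodName, String.class, String.class);
        if (!List.class.isAssignableFrom(method.getReturnType()))
            throw new IllegalArgumentException(methodName + " must return a List of roles");
        this.appLoader = appLoader;
    }

    Principal authenticate(String user, String password) {
        Thread t = Thread.currentThread();
        ClassLoader old = t.getContextClassLoader();
        t.setContextClassLoader(appLoader); // run the app code under the webapp loader
        try {
            Object roles = method.invoke(delegate, user, password);
            if (!(roles instanceof List<?> list)) return null; // null result: deny
            return new SimplePrincipal(user, list.stream().map(String::valueOf).toList());
        } catch (ReflectiveOperationException | RuntimeException e) {
            return null; // fail closed: an error in the delegate never authenticates
        } finally {
            t.setContextClassLoader(old); // always restore the container's loader
        }
    }

    public static void main(String[] args) throws Exception {
        DelegatorSketch realm = new DelegatorSketch(
                new AppAuthBean(), "loginUser", AppAuthBean.class.getClassLoader());
        System.out.println(realm.authenticate("alice", "s3cret"));
        System.out.println(realm.authenticate("alice", "wrong"));
    }
}
```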
