Hi Ron, I saw the note on the Java EE 7 EG and haven't had the bandwidth to investigate and respond. Your note is fantastic, especially the code snippet.
You mention Facebook Connect, which is interesting. Is there a Facebook Connect JASPIC Provider? If so, where is the code for that? If you have links on where to get other providers, that helps too. My hesitation for immediately and blindly saying "yes" to its inclusion in the Web Profile is simply because Java EE is full of incomplete security APIs few people use and for which there are even fewer to no providers. I don't know if this describes JASPIC, but it has been out there for a major spec revision and it's not immediately clear if it has that "can't live without" quality I expect in a Web Profile spec. Cc'ing Markus as he was the one who brought it up on JavaEE 7. I suspect he might have some thoughts on what makes it a good candidate for the Web Profile. Certainly, we can support it in TomEE+ at some point. -David On Jan 30, 2013, at 4:03 PM, Ron Monzillo <[email protected]> wrote: > TomEE Experts, > > The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in support > of the portable integration > of new and/or custom authentication mechanisms in compatible Servlet > containers. > > The Profile is a required component of all Full Platform EE Web Containers, > and we are receiving requests > for the profile to become a required component of the EE web profile. To that > end, we are contacting > standalone and EE web profile Servlet containers to determine if there is > interest in adopting the profile. > > For those unfamiliar with JASPIC, the SPI is a general purpose facility that > applies the concepts of pluggable > authentication as defined by PAM and JAAS to the realm of message > authentication. The Servlet profile applies > the SPI to the realm of HttpServletRequest message authentication in the > context of servlet security constraint > processing. The SPI was defined to support complex challenge response > authentication protocols, and has > been shown to be an effective means to integrate portable implementations of > new internet authentication > mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible Servlet > containers. > > Does the TomEE community support the inclusion of the Servlet profile of JSR > 196 in the EE web Profile? > > thanks, > > Ron Monzillo > > ------ > More details: > > The requirements of the profile are spelled out in chapter 3 of the JASPIC > specification: > > http://download.oracle.com/otndocs/jcp/jaspic-1.0-mrel-eval-oth-JSpec/ > > and use of the SPI is described in high level terms in the javadoc: which can > be accessed at: > > http://docs.oracle.com/javaee/6/api/javax/security/auth/message/config/package-frame.html > > > Support for the profile by a servlet container mostly amounts to making a few > calls to the spi in the > context of the processing of servlet requests. The pattern is basically as > follows: > > // determine if a pluggable auth module is configured for the current > application > AuthConfigProvider provider = > AuthConfigFactory.getFactory().getConfigProvider("HttpServlet",appID,listener); > > if (provider != null) { > /if yes, get the server side configuration provider that applies to the > application > > ServerAuthConfig config = > provider.getServerAuthConfig("HttpServlet",appID,cbh); > > // for each request to the application > // get the configuration of authentication modules that applies to the > request > > messageInfo.setRequestMessage(httpServletRequest); > messageInfo.setResponseMessage(httpServletResponse); > String authContextID = config.getAuthContextID(messageInfo); > ServerAuthContext context = > config.getAuthContext(authContextID,serviceSubject,properties); > > // invoke validateRequest on the module configuration; which will invoke > the configured auth modules > > AuthStatus status = > context.validateRequest(messageInfo,clientSubject,serviceSubject); > > if (status == AuthStatus.SUCCESS) { > // Use the proprietary interfaces of the container to set the > userPrincipal on the request > // proceed to authorize and invoke the servlet request as appropriate > } else { > // extract the response from messageInfo and return (it may be a > challenge or an error message, > // and will have been established by the auth module > } > } else { > // do what the container would do in the absense of jsr 196 > } > > ------ > > I noticed that TomEE includes support for connector, A related use of the > JASPIC spi is in connector, where > the connector inflow contract requires the use of the JASPIC > CallerPrincipalCallback by the resource adapter > to set an authentication identity of the inflow.
