Hi folks,

I’ve updated the PR with new changes:

- I’ve implemented a CDI Extension to create AuthenticationMechanism beans and 
a CDI class to keep track of the mapping between the authentication mechanism 
and the servlet that should be checked. When a Servlet is executed the mapping 
is checked and if there is an associated AuthenticationMechanism, we validate 
the request with the associated type (Basic, Form, etc).

- Implemented the BasicAuthenticationMechanism and all the plumbing required to 
be executed. This required an HttpMessageContext to pass information around, 
plus store some state to make decisions on things to do, including the 
CallbackHandler to pass in additional Callbacks to create the Principal and 
Groups

- A default IdentityStore, using the Tomcat UserDatabase, that reads user data 
from tomcat-users.xml

I’ll probably move to implement the missing AuthenticationMechanisms (FORM and 
Custom) next.

Any feedback, always welcomed :)

Cheers,
Roberto

> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
> 
> TomEE Security works for me.
> 
> Bruno Baptista
> https://twitter.com/brunobat_
> 
> 
> On 19/12/18 00:20, Roberto Cortez wrote:
>> Hi folks,
>> 
>> Work is progressing.
>> 
>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve 
>> tried to use the Jakarta Security API jar. Unfortunately, it is full of 
>> dependencies to the other Jakarta dependent projects, some not in central 
>> yet, so I couldn’t even build the project.
>> 
>> At the moment, I’ve added the structure to register a JASPIC provider to 
>> serve as a bridge to the Security implementation code. With a CDI extension, 
>> we can register the required AuthenticationMechanisms and then look them up 
>> to delegate the authentication code.
>> 
>> I’ve also written a default IdentityStoreHandler to validate user credentials 
>> and retrieve user groups. This is just going through the container 
>> registered IdentityStores and using the spec rules to identify the 
>> credentials.
>> 
>> Right now, I’m just calling this TomEE Security. If someone has a more fancy 
>> idea for a name, feel free to suggest it :)
>> 
>> Cheers,
>> Roberto
>> 
>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> 
>>> wrote:
>>> 
>>> Hi folks,
>>> 
>>> I’ve now created a PR to push the work:
>>> https://github.com/apache/tomee/pull/277 
>>> <https://github.com/apache/tomee/pull/277>
>>> 
>>> It is still in the early stages. I’ve just spent a good amount of time 
>>> trying to understand the spec. The idea here is that with a 
>>> ServerAuthModule we could verify each of the spec authentication mechanisms 
>>> that will be implemented with a CDI Bean and use a CDI Extension to create 
>>> the bean depending on the annotation you use.
>>> 
>>> Cheers,
>>> Roberto
>>> 
>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> 
>>>> wrote:
>>>> 
>>>> Hi folks,
>>>> 
>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>>>> <https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java EE 
>>>> Security API that came up in EE 8. We are missing this spec 
>>>> implementation, and until we have it we cannot even say we are EE 8 
>>>> compatible.
>>>> 
>>>> I plan to start working on this. If anyone wants to collaborate with me, 
>>>> let me know.
>>>> 
>>>> Cheers,
>>>> Roberto
