IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for from authentication that could be easily adapted.
David Jencks > On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> > wrote: > > Update: > > I’ve started the implementation of the FormAuthenticationMechanism. Is not as > easy as it sounds, since it requires some conversation chat across requests. > I thought about wrapping all the logic and use the Tomcat FormAuthenticator, > since it does exactly what we need. Unfortunately, it is too tied to the > Tomcat code and it would require to instantiate a lot to Tomcat objects to be > able to use it. I’m not sure if it would be worth it. I ended up following > the spec suggestion to use a CDI interceptor and I’m copying / reusing some > pieces of the FormAuthentication when possible. > > PR updated: > https://github.com/apache/tomee/pull/277 > <https://github.com/apache/tomee/pull/277> > > Cheers, > Roberto > >> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote: >> >> Hi folks, >> >> I’ve updated the PR with new changes: >> >> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans >> and a CDI class to keep track of the mapping between the authentication >> mechanism and the servlet that should be checked. When a Servlet is executed >> the mapping is checked and if there is and associated >> AuthenticationMechanism, we validate the request with the associated type >> (Basic, Form, etc). >> >> - Implemented the BasicAuthenticationMechanism and all the plumbing required >> to be executed. This required an HttpMessageContext to pass information >> around, plus store some state to make decisions on things to do, including >> the CallbackHandler to pass in additional Callbacks to create the Principal >> and Groups >> >> - A default IdentityStore, using the Tomcat UserDatabase, that reads user >> data from tomcat-users.xml >> >> I’ll probably move to implement the missing AuthenticationMechanisms (FORM >> and Custom) next. >> >> Any feedback, always welcomed :) >> >> Cheers, >> Roberto >> >>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote: >>> >>> TomEE Security works for me. >>> >>> Bruno Baptista >>> https://twitter.com/brunobat_ >>> >>> >>> On 19/12/18 00:20, Roberto Cortez wrote: >>>> Hi folks, >>>> >>>> Work is progressing. >>>> >>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. >>>> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full >>>> of dependencies to the other Jakarta dependent projects, some not in >>>> central yet, so I couldn’t even build the project. >>>> >>>> At the moment, I’ve added the structure to register a JASPIC provider to >>>> serve as a bride to the Security implementation code. With a CDI >>>> extension, we can register the required AuthenticationMechanisms and then >>>> look them up to delegate the authentication code. >>>> >>>> I’ve also wrote a default IdentityStoreHandler to validate user >>>> credentials and retrieve user groups. This is just going through the >>>> container registered IdentityStores and using the spec rules to identify >>>> the credentials. >>>> >>>> Right now, I’m just calling this TomEE Security. If someone has a more >>>> fancy idea for a name, feel free to suggest it :) >>>> >>>> Cheers, >>>> Roberto >>>> >>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> >>>>> wrote: >>>>> >>>>> Hi folks, >>>>> >>>>> I’ve now created a PR to push the work: >>>>> https://github.com/apache/tomee/pull/277 >>>>> <https://github.com/apache/tomee/pull/277> >>>>> >>>>> It is still in the early stages. I’ve just spent a good amount of time >>>>> trying to understand the spec. The ideia here is that with a >>>>> ServerAuthModule we could verify each of the spec authentication >>>>> mechanisms that will be implemented with a CDI Bean and use a CDI >>>>> Extension to create the bean depending on the annotation you use. >>>>> >>>>> Cheers, >>>>> Roberto >>>>> >>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> >>>>>> wrote: >>>>>> >>>>>> Hi folks, >>>>>> >>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 >>>>>> <https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java >>>>>> EE Security API that came up in EE 8. We are missing this spec >>>>>> implementation, and until we have it we cannot even say we are EE 8 >>>>>> compatible. >>>>>> >>>>>> I plan to start working on this. If anyone wants to collaborate with me, >>>>>> let me know. >>>>>> >>>>>> Cheers, >>>>>> Roberto >> >