Thanks! I’ll have a look!
> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
>
> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at
> eclipse). The code I’ve found at
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any
> details of how I modified tomcat’s auth setup: I might have made one that was
> more adapted to JASPIC and the geronimo security framework than the plain
> tomcat one. If this code is of any use to you, great, otherwise, good luck!
>
> many thanks
> David Jencks
>
>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID>
>> wrote:
>>
>> Hi David,
>>
>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath
>> the implementation, so your code might be a good fit. Can you point me
>> to the sources so I can have a look?
>>
>> Thank you!
>>
>> Cheers,
>> Roberto
>>
>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>>>
>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago.
>>> Although the JASPIC deployment model was somewhat incomprehensibly bizarre,
>>> the conversation model was very nice. Depending on what the EE 8 api is (I
>>> haven’t looked) the JASPIC implementation might be a source for
>>> webserver-independent code for form authentication that could be easily
>>> adapted.
>>>
>>> David Jencks
>>>
>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>>> wrote:
>>>>
>>>> Update:
>>>>
>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not
>>>> as easy as it sounds, since it requires some conversation chat across
>>>> requests. I thought about wrapping all the logic and using the Tomcat
>>>> FormAuthenticator, since it does exactly what we need. Unfortunately, it
>>>> is too tied to the Tomcat code and it would require instantiating a lot
>>>> of Tomcat objects to be able to use it. I’m not sure if it would be worth
>>>> it. I ended up following the spec suggestion to use a CDI interceptor and
>>>> I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>
>>>> PR updated:
>>>> https://github.com/apache/tomee/pull/277
>>>>
>>>> Cheers,
>>>> Roberto
>>>>
>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>>>> wrote:
>>>>>
>>>>> Hi folks,
>>>>>
>>>>> I’ve updated the PR with new changes:
>>>>>
>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism
>>>>> beans and a CDI class to keep track of the mapping between the
>>>>> authentication mechanism and the servlet that should be checked. When a
>>>>> Servlet is executed the mapping is checked and if there is an associated
>>>>> AuthenticationMechanism, we validate the request with the associated type
>>>>> (Basic, Form, etc).
>>>>>
>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing
>>>>> required to be executed. This required an HttpMessageContext to pass
>>>>> information around, plus store some state to make decisions on things to
>>>>> do, including the CallbackHandler to pass in additional Callbacks to
>>>>> create the Principal and Groups
>>>>>
>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user
>>>>> data from tomcat-users.xml
>>>>>
>>>>> I’ll probably move to implement the missing AuthenticationMechanisms
>>>>> (FORM and Custom) next.
>>>>>
>>>>> Any feedback, always welcomed :)
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>>>
>>>>>> TomEE Security works for me.
>>>>>>
>>>>>> Bruno Baptista
>>>>>> https://twitter.com/brunobat_
>>>>>>
>>>>>>
>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> Work is progressing.
>>>>>>>
>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed.
>>>>>>> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is
>>>>>>> full of dependencies to the other Jakarta dependent projects, some not
>>>>>>> in central yet, so I couldn’t even build the project.
>>>>>>>
>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider
>>>>>>> to serve as a bridge to the Security implementation code. With a CDI
>>>>>>> extension, we can register the required AuthenticationMechanisms and
>>>>>>> then look them up to delegate the authentication code.
>>>>>>>
>>>>>>> I’ve also written a default IdentityStoreHandler to validate user
>>>>>>> credentials and retrieve user groups. This is just going through the
>>>>>>> container registered IdentityStores and using the spec rules to
>>>>>>> identify the credentials.
>>>>>>>
>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more
>>>>>>> fancy idea for a name, feel free to suggest it :)
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>>
>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi folks,
>>>>>>>>
>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>
>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time
>>>>>>>> trying to understand the spec. The idea here is that with a
>>>>>>>> ServerAuthModule we could verify each of the spec authentication
>>>>>>>> mechanisms that will be implemented with a CDI Bean and use a CDI
>>>>>>>> Extension to create the bean depending on the annotation you use.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez
>>>>>>>>> <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>
>>>>>>>>> Hi folks,
>>>>>>>>>
>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365
>>>>>>>>> to implement the
>>>>>>>>> Java EE Security API that came up in EE 8. We are missing this spec
>>>>>>>>> implementation, and until we have it we cannot even say we are EE 8
>>>>>>>>> compatible.
>>>>>>>>>
>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with
>>>>>>>>> me, let me know.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Roberto