Hello Roberto,

Thank you for initiating this integration. Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit?

Regards.
Gurkan

On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:

> Hi folks,
>
> I think I’m now done with the FormAuthentication.
>
> There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
> https://github.com/apache/tomee/pull/277
>
> I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.
>
> So, if there are no strong opinions about merging this, I will be doing this in the end of the day.
>
> Cheers,
> Roberto
>
> > On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
> >
> > Thanks! I’ll have a look!
> >
> >> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
> >>
> >> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
> >>
> >> many thanks
> >> David Jencks
> >>
> >>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>
> >>> Hi David,
> >>>
> >>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
> >>>
> >>> Thank you!
> >>>
> >>> Cheers,
> >>> Roberto
> >>>
> >>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
> >>>>
> >>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
> >>>>
> >>>> David Jencks
> >>>>
> >>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>
> >>>>> Update:
> >>>>>
> >>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
> >>>>>
> >>>>> PR updated:
> >>>>> https://github.com/apache/tomee/pull/277
> >>>>>
> >>>>> Cheers,
> >>>>> Roberto
> >>>>>
> >>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>
> >>>>>> Hi folks,
> >>>>>>
> >>>>>> I’ve updated the PR with new changes:
> >>>>>>
> >>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
> >>>>>>
> >>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
> >>>>>>
> >>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
> >>>>>>
> >>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
> >>>>>>
> >>>>>> Any feedback, always welcomed :)
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Roberto
> >>>>>>
> >>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> TomEE Security works for me.
> >>>>>>>
> >>>>>>> Bruno Baptista
> >>>>>>> https://twitter.com/brunobat_
> >>>>>>>
> >>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> >>>>>>>> Hi folks,
> >>>>>>>>
> >>>>>>>> Work is progressing.
> >>>>>>>>
> >>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
> >>>>>>>>
> >>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
> >>>>>>>>
> >>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
> >>>>>>>>
> >>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Roberto
> >>>>>>>>
> >>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi folks,
> >>>>>>>>>
> >>>>>>>>> I’ve now created a PR to push the work:
> >>>>>>>>> https://github.com/apache/tomee/pull/277
> >>>>>>>>>
> >>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
> >>>>>>>>>
> >>>>>>>>> Cheers,
> >>>>>>>>> Roberto
> >>>>>>>>>
> >>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi folks,
> >>>>>>>>>>
> >>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
> >>>>>>>>>>
> >>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Roberto