Hi, I’ve merged the current state of the code.
In the meanwhile, I’ll write some documentation to help to understand the implementation.

Cheers,
Roberto

> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>
> Hello Roberto,
> Thank you for initiating this integration.
> Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit.
> Regards.
> Gurkan
>
> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>
>> Hi folks,
>>
>> I think I’m now done with the FormAuthentication.
>>
>> There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
>> https://github.com/apache/tomee/pull/277
>>
>> I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.
>>
>> So, if there are no strong opinions about merging this, I will be doing this in the end of the day.
>>
>> Cheers,
>> Roberto
>>
>>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
>>>
>>> Thanks! I’ll have a look!
>>>
>>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>
>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one.
>>>> If this code is of any use to you, great, otherwise, good luck!
>>>>
>>>> many thanks
>>>> David Jencks
>>>>
>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>
>>>>> Hi David,
>>>>>
>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>
>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
>>>>>>
>>>>>> David Jencks
>>>>>>
>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>
>>>>>>> Update:
>>>>>>>
>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>>>>
>>>>>>> PR updated:
>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>>
>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>
>>>>>>>> Hi folks,
>>>>>>>>
>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>>
>>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
>>>>>>>>
>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
>>>>>>>>
>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
>>>>>>>>
>>>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>>
>>>>>>>> Any feedback, always welcomed :)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>>
>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> TomEE Security works for me.
>>>>>>>>>
>>>>>>>>> Bruno Baptista
>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>> Hi folks,
>>>>>>>>>>
>>>>>>>>>> Work is progressing.
>>>>>>>>>>
>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar.
>>>>>>>>>> Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>>>>
>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>>>>
>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>>>>
>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi folks,
>>>>>>>>>>>
>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>
>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Roberto
>>>>>>>>>>>
>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8.
>>>>>>>>>>>> We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>>
>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto