Hello Roberto,

We probably need to move the javax.security.enterprise.* package to the geronimo specs project (https://github.com/apache/geronimo-specs) and then add a dependency to our javaee-api. After that we also need to release geronimo-specs. If you want, I can work on creating a new project in geronimo-specs.

Regards.
Gurkan

On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:

> Hi,
>
> I’ve merged the current state of the code.
>
> In the meanwhile, I’ll write some documentation to help to understand the implementation.
>
> Cheers,
> Roberto
>
> > On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
> >
> > Hello Roberto,
> > Thank you for initiating this integration.
> > Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit?
> > Regards.
> > Gurkan
> >
> > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
> >
> >> Hi folks,
> >>
> >> I think I’m now done with the FormAuthentication.
> >>
> >> There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
> >> https://github.com/apache/tomee/pull/277
> >>
> >> I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.
> >>
> >> So, if there are no strong opinions about merging this, I will be doing this at the end of the day.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
> >>>
> >>> Thanks! I’ll have a look!
> >>>
> >>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
> >>>>
> >>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
> >>>>
> >>>> many thanks
> >>>> David Jencks
> >>>>
> >>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>
> >>>>> Hi David,
> >>>>>
> >>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me to the sources so I can have a look?
> >>>>>
> >>>>> Thank you!
> >>>>>
> >>>>> Cheers,
> >>>>> Roberto
> >>>>>
> >>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
> >>>>>>
> >>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
> >>>>>>
> >>>>>> David Jencks
> >>>>>>
> >>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>
> >>>>>>> Update:
> >>>>>>>
> >>>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and using the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require instantiating a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
> >>>>>>>
> >>>>>>> PR updated:
> >>>>>>> https://github.com/apache/tomee/pull/277
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>> Roberto
> >>>>>>>
> >>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>>
> >>>>>>>> Hi folks,
> >>>>>>>>
> >>>>>>>> I’ve updated the PR with new changes:
> >>>>>>>>
> >>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
> >>>>>>>>
> >>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
> >>>>>>>>
> >>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
> >>>>>>>>
> >>>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
> >>>>>>>>
> >>>>>>>> Any feedback, always welcomed :)
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Roberto
> >>>>>>>>
> >>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> TomEE Security works for me.
> >>>>>>>>>
> >>>>>>>>> Bruno Baptista
> >>>>>>>>> https://twitter.com/brunobat_
> >>>>>>>>>
> >>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> >>>>>>>>>> Hi folks,
> >>>>>>>>>>
> >>>>>>>>>> Work is progressing.
> >>>>>>>>>>
> >>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
> >>>>>>>>>>
> >>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
> >>>>>>>>>>
> >>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
> >>>>>>>>>>
> >>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Roberto
> >>>>>>>>>>
> >>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi folks,
> >>>>>>>>>>>
> >>>>>>>>>>> I’ve now created a PR to push the work:
> >>>>>>>>>>> https://github.com/apache/tomee/pull/277
> >>>>>>>>>>>
> >>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
> >>>>>>>>>>>
> >>>>>>>>>>> Cheers,
> >>>>>>>>>>> Roberto
> >>>>>>>>>>>
> >>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi folks,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Cheers,
> >>>>>>>>>>>> Roberto