That’d be great. I have commit permissions so if you need help or something. Lemme know.

On Fri, 11 Jan 2019 at 07:12, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:

> Hello Roberto
> We probably need to move javax.security.enterprise.* package to geronimo
> specs project (https://github.com/apache/geronimo-specs) and then adding
> dependency to our javaee-api. After that we also need to release
> geronimo-specs. If you want, I can work on to create a new project in
> geronimo-specs.
> Regards.
> Gurkan
>
> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcor...@yahoo.com.invalid>
> wrote:
>
>> Hi,
>>
>> I’ve merged the current state of the code.
>>
>> In the meanwhile, I’ll write some documentation to help to understand the
>> implementation.
>>
>> Cheers,
>> Roberto
>>
>>> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>>>
>>> Hello Roberto,
>>> Thank you for initiating this integration.
>>> Can you prepare a small documentation (and also send to here) which helps
>>> contributors to understand the internals about your current commit.
>>> Regards.
>>> Gurkan
>>>
>>> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid>
>>> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I think I’m now done with the FormAuthentication.
>>>>
>>>> There are still things left to implement. At the moment, the code is part
>>>> of the project but is not part of the binary. I would like to merge the
>>>> current PR:
>>>> https://github.com/apache/tomee/pull/277
>>>>
>>>> I think this will give a chance for the community to contribute some of
>>>> the missing pieces. I can make a list in JIRA.
>>>>
>>>> So, if there are no strong opinions about merging this, I will be doing
>>>> this in the end of the day.
>>>>
>>>> Cheers,
>>>> Roberto
>>>>
>>>>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
>>>>>
>>>>> Thanks! I’ll have a look!
>>>>>
>>>>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>
>>>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
>>>>>>
>>>>>> many thanks
>>>>>> David Jencks
>>>>>>
>>>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>
>>>>>>> Hi David,
>>>>>>>
>>>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
>>>>>>>
>>>>>>> Thank you!
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>>
>>>>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
>>>>>>>>
>>>>>>>> David Jencks
>>>>>>>>
>>>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>
>>>>>>>>> Update:
>>>>>>>>>
>>>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>>>>>>
>>>>>>>>> PR updated:
>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi folks,
>>>>>>>>>>
>>>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>>>>
>>>>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
>>>>>>>>>>
>>>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
>>>>>>>>>>
>>>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
>>>>>>>>>>
>>>>>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>>>>
>>>>>>>>>> Any feedback, always welcomed :)
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> TomEE Security works for me.
>>>>>>>>>>>
>>>>>>>>>>> Bruno Baptista
>>>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>>>>
>>>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>
>>>>>>>>>>>> Work is progressing.
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>>>>>>
>>>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>>>>>>
>>>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto
>>>>>>>>>>>>
>>>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>>>
>>>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>> Roberto

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com