Yes, these need to be moved to Geronimo, but I think not at this time. I would like to have a more stable implementation before moving this over to Geronimo. There are still a lot of things missing, including in the API, and it is just easier to get this done in a single project.

> On 11 Jan 2019, at 19:52, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>
> I have added geronimo-specs-security_1.0 to geronimo-specs and let geronimo-dev know about the issue. After receiving some response, I can commit the code.
>
> On Fri, Jan 11, 2019 at 9:50 PM Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>
>> Ok then I created subtask, https://issues.apache.org/jira/browse/TOMEE-2453 under the main issue, https://issues.apache.org/jira/browse/TOMEE-2365
>> Can you please assign it to me?
>>
>> On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>
>>> That’d be great.
>>> I have commit permissions so if you need help or something. Lemme know.
>>>
>>> On Fri, 11 Jan 2019 at 07:12, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>>>
>>>> Hello Roberto
>>>> We probably need to move javax.security.enterprise.* package to geronimo specs project (https://github.com/apache/geronimo-specs) and then adding dependency to our javaee-api. After that we also need to release geronimo-specs. If you want, I can work on to create a new project in geronimo-specs.
>>>> Regards.
>>>> Gurkan
>>>>
>>>> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I’ve merged the current state of the code.
>>>>>
>>>>> In the meanwhile, I’ll write some documentation to help to understand the implementation.
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>>>>>>
>>>>>> Hello Roberto,
>>>>>> Thank you for initiating this integration.
>>>>>> Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit.
>>>>>> Regards.
>>>>>> Gurkan
>>>>>>
>>>>>> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>>
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> I think I’m now done with the FormAuthentication.
>>>>>>>
>>>>>>> There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>
>>>>>>> I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.
>>>>>>>
>>>>>>> So, if there are no strong opinions about merging this, I will be doing this at the end of the day.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>>
>>>>>>>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
>>>>>>>>
>>>>>>>> Thanks! I’ll have a look!
>>>>>>>>
>>>>>>>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
>>>>>>>>>
>>>>>>>>> many thanks
>>>>>>>>> David Jencks
>>>>>>>>>
>>>>>>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi David,
>>>>>>>>>>
>>>>>>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
>>>>>>>>>>
>>>>>>>>>> Thank you!
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>>
>>>>>>>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
>>>>>>>>>>>
>>>>>>>>>>> David Jencks
>>>>>>>>>>>
>>>>>>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Update:
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>>>>>>>>>
>>>>>>>>>>>> PR updated:
>>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto
>>>>>>>>>>>>
>>>>>>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>>>>>>>
>>>>>>>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
>>>>>>>>>>>>>
>>>>>>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
>>>>>>>>>>>>>
>>>>>>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
>>>>>>>>>>>>>
>>>>>>>>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any feedback, always welcomed :)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TomEE Security works for me.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bruno Baptista
>>>>>>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Work is progressing.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>>> Roberto
>>>
>>> --
>>> Jean-Louis Monteiro
>>> http://twitter.com/jlouismonteiro
>>> http://www.tomitribe.com
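
The Basic mechanism and IdentityStore plumbing described in the 26 Dec update above, shown against the standard `javax.security.enterprise` 1.0 contract. This is an added example, not code from the TomEE PR; the class name `ExampleBasicMechanism` and the realm value are assumptions, and it needs the Security, CDI and Servlet API jars on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; illustrates the EE 8 contract, not TomEE's implementation.
@ApplicationScoped
public class ExampleBasicMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStoreHandler handler; // walks the registered IdentityStores

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
                                                HttpMessageContext context) {
        String header = request.getHeader("Authorization");
        String[] parts = header == null ? null : decode(header);
        if (parts != null) {
            CredentialValidationResult result = handler.validate(new UsernamePasswordCredential(parts[0], parts[1]));
            if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                // Hands the caller principal and groups to the container through the JASPIC callbacks.
                return context.notifyContainerAboutLogin(result);
            }
        }
        // Fail closed: challenge when a header was sent but rejected, or when the resource is protected.
        if (header != null || context.isProtected()) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\""); // realm is an assumption
            return context.responseUnauthorized();
        }
        return context.doNothing(); // unprotected resource, anonymous caller
    }

    private static String[] decode(String header) { // {user, password}, or null if malformed
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // split at the first colon; passwords may contain ':'
            return colon < 0 ? null : new String[] {pair.substring(0, colon), pair.substring(colon + 1)};
        } catch (IllegalArgumentException e) { // header value was not valid Base64
            return null;
        }
    }
}
```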