While on the topic of programmatic authentication, I would be interested in resin 4.x having native support for web services standards like WS-Security, WS-Trust and ultimately, a recipe for SSO integration. Of course, I can always grab a framework like OpenSSO and drop it into resin container, but having the capability available in resin and particularly supported by hessian would allow to inject web security services into our existing applications without significant refactoring, keep existing streamlined workflow and architecture.
-Leonid -----Original Message----- From: resin-interest-boun...@caucho.com [mailto:resin-interest-boun...@caucho.com] On Behalf Of Jeff Schnitzer Sent: Saturday, March 21, 2009 2:49 PM To: General Discussion for the Resin application server Subject: Re: [Resin-interest] Remote & programmatic authentication I have only spent a little while browsing through the Resin code, so apologies in advance if I'm misunderstanding something. I'd love to see something like: AbstractLogin.authenticate(HttpServletRequest request, Principal user, String credential) throws LoginException I just need any method that takes a user and password, checks it against the normal authentication SPI, and (if successful) registers the credentials to the container. I don't think I would need to customize the Login class. I wouldn't be using any of the j2ee standard auth mechanisms, just programmatic authentication, so I'm guessing I could have a BasicLogin and just never use it. As long as I can call the auth method from my normal webapp I'll be fine. BTW we are porting the opensource SubEthaMail over to Resin right now (http://subetha.tigris.org/). If we succeed, you might want to use it for this mailing list! Jeff On Fri, Mar 20, 2009 at 10:15 AM, Scott Ferguson <f...@caucho.com> wrote: > > On Mar 19, 2009, at 8:30 PM, Jeff Schnitzer wrote: > >> The problem is, j2ee automatic authentication is nearly useless. > > Correct. > >> It doesn't allow for autologin cookies nor does it allow me to sign up >> new users - they would have to then log in again. It blows my mind >> that a decade later the servlet spec hasn't addressed these simple >> needs. > > Yep. Almost as bizarre as not having multipart/mime (upload) support. > > Resin 4.0 has refactored Resin's login/authentication (because our old > model really didn't make much sense.) > > The new Login handles servlet/http interaction and the Authenticator > handles pure user/credentials (the old model mixed the two concepts > into the old ServletAuthenticator.) So, the capabilities you're > looking for would be added to a Login class. I don't know if you're > looking for customizing the Login, or if you want a more general > capability in our AbstractLogin. > > Since the new configuration uses Java DI, your application can grab > the login. The configuration looks like: > > <sec:BasicLogin/> > > And then you could use > > @Current AbstractLogin _login; > > Or > > @Current BasicLogin _login; > > (At present, the Login interface itself wouldn't be useful from a > programmatic standpoint, while we could add methods to AbstractLogin.) > > -- Scott > >> >> >> I need a way, in my web app, to programmatically say to the container >> "authenticate as this user/pass". Then these credentials will be used >> for further calls into the EJB tier or for responding to >> HttpServletRequest.isUserInRole() calls. Of course at the SPI level >> these will end up calling into my Resin Authenticator. >> >> This is a pretty common problem, there must be a Resin way to do it. >> In JBoss5, it looks like this: >> >> SecurityClient securityClient = >> SecurityClientFactory.getSecurityClient(); >> securityClient.setSimple("user", "password"); >> securityClient.login(); >> >> Thanks, >> Jeff >> >> On Thu, Mar 19, 2009 at 7:38 PM, Aaron Freeman <aaron.free...@layerz.com >> > wrote: >>> >>>> #2 is still a mystery to me. I'm in a servlet, how do I >>>> programmatically tell the container to "log me in" with a username >>>> and >>>> password? >>>> >>> This page has a good overview of how to do it: >>> >>> http://www.informit.com/articles/article.aspx?p=24253&seqNum=7 >>> >>> So you set up your security constraints in your resin.xml and >>> reference >>> a custom authenticator inside the login-config. The create your >>> custom >>> authenticator by AbstractAuthenticator. >>> >>> Note the code in the example is referencing: >>> com.caucho.server.http.AbstractAuthenticator but I think you want to >>> extend com.caucho.server.AbstractAuthenticator instead, as I think >>> the >>> .http. version is deprecated. >>> >>> - Aaron >>> >>> >>> _______________________________________________ >>> resin-interest mailing list >>> resin-interest@caucho.com >>> http://maillist.caucho.com/mailman/listinfo/resin-interest >>> >> >> >> _______________________________________________ >> resin-interest mailing list >> resin-interest@caucho.com >> http://maillist.caucho.com/mailman/listinfo/resin-interest > > > > _______________________________________________ > resin-interest mailing list > resin-interest@caucho.com > http://maillist.caucho.com/mailman/listinfo/resin-interest > _______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest _______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest
