Re: Java EE Security API for EE 8

2019-01-14 Thread Roberto Cortez
Yes, these need to be moved to Geronimo, but I think not at this time.

I would like to have a more stable implementation before moving this over to 
Geronimo. There are still a lot of things missing, including in the API, and it is 
just easier to get this done in a single project.

> On 11 Jan 2019, at 19:52, Gurkan Erdogdu  wrote:
> 
> I have added geronimo-specs-security_1.0 to geronimo-specs and let
> geronimo-dev know about the issue. After receiving some response, I can commit
> the code.
> 
> On Fri, Jan 11, 2019 at 9:50 PM Gurkan Erdogdu  wrote:
> 
>> Ok then I created subtask,
>> https://issues.apache.org/jira/browse/TOMEE-2453 under the main issue,
>> https://issues.apache.org/jira/browse/TOMEE-2365
>> Can you please assign it to me?
>> 
>> 
>> On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <
>> jlmonte...@tomitribe.com> wrote:
>> 
>>> That’d be great.
>>> I have commit permissions so if you need help or something. Lemme
>>> know.
>>> 
>>> 
>>> Le ven. 11 janv. 2019 à 07:12, Gurkan Erdogdu  a
>>> écrit :
>>> 
 Hello Roberto
 We probably need to move javax.security.enterprise.* package to geronimo
 specs project (https://github.com/apache/geronimo-specs) and then
>>> adding
 dependency to our javaee-api. After that we also need to release
 geronimo-specs. If you want, I can work on to create a new project in
 geronimo-specs.
 Regards.
 Gurkan
 
 On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez
>>>  
 wrote:
 
> Hi,
> 
> I’ve merged the current state of the code.
> 
> In the meanwhile, I’ll write some documentation to help to understand
>>> the
> implementation.
> 
> Cheers,
> Roberto
> 
>> On 8 Jan 2019, at 15:19, Gurkan Erdogdu 
>>> wrote:
>> 
>> Hello Roberto,
>> Thank you for initiating this integration.
>> Can you prepare a small documentation (and also send to here) which
 helps
>> contributors to understand the internals about your current commit.
>> Regards.
>> Gurkan
>> 
>> 
>> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> 
>> wrote:
>> 
>>> Hi folks,
>>> 
>>> I think I’m now done with the FormAuthentication.
>>> 
>>> There are still things left to implement. At the moment, the code
>>> is
> part
>>> of the project but is not part of the binary. I would like to merge
 the
>>> current PR:
>>> https://github.com/apache/tomee/pull/277 <
>>> https://github.com/apache/tomee/pull/277>
>>> 
>>> I think this will give a chance for the community to contribute
>>> some
 of
>>> the missing pieces. I can make a list in JIRA.
>>> 
>>> So, if there is no strong opinions about merging this, I will be
>>> doing
>>> this in the end of the day.
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 30 Dec 2018, at 23:42, Roberto Cortez 
 wrote:
 
 Thanks! I’ll have a look!
 
> On 28 Dec 2018, at 20:34, David Jencks >>> 
>>> wrote:
> 
> Perhaps I didn’t recall correctly, or perhaps I implemented it
>>> for
>>> Jetty (at eclipse).  The code I’ve found at
>>> 
> 
 
>>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>>> <
>>> 
> 
 
>>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>> 
>>> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t
>>> recall
> any
>>> details of how I modified tomcat’s auth setup: I might have made
>>> one
> that
>>> was more adapted to JASPIC and the geronimo security framework than
 the
>>> plain tomcat one.  If this code is of any use to you, great,
 otherwise,
>>> good luck!
> 
> many thanks
> David Jencks
> 
>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
>>>  wrote:
>> 
>> Hi David,
>> 
>> Actually, the EE 8 Security spec tells you to use a JASPIC
>>> bridge
>>> underneath the implementation, so your code might be a good fit.
>>> Can
 you
>>> point me out to the sources so I can have a look?
>> 
>> Thank you!
>> 
>> Cheers,
>> Roberto
>> 
>>> On 28 Dec 2018, at 03:40, David Jencks <
>>> david.a.jen...@gmail.com>
>>> wrote:
>>> 
>>> IIRC I wrote a JASPIC form authentication for the geronimo
>>> server
>>> long ago. Although the JASPIC deployment model was somewhat
>>> incomprehensibly bizarre, the conversation model was very nice.
> Depending
>>> on what the EE 8 api is (I haven’t looked) the JASPIC
>>> implementation
> might
>>> be a source for webserver-independent code for form authentication
 that
>>> could be easily 

Re: Java EE Security API for EE 8

2019-01-11 Thread Gurkan Erdogdu
I have added geronimo-specs-security_1.0 to geronimo-specs and let
geronimo-dev know about the issue. After receiving some response, I can commit
the code.

On Fri, Jan 11, 2019 at 9:50 PM Gurkan Erdogdu  wrote:

> Ok then I created subtask,
> https://issues.apache.org/jira/browse/TOMEE-2453 under the main issue,
> https://issues.apache.org/jira/browse/TOMEE-2365
> Can you please assign it to me?
>
>
> On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
>
>> That’d be great.
>> I have commit permissions so if you need help or something. Lemme
>> know.
>>
>>
>> Le ven. 11 janv. 2019 à 07:12, Gurkan Erdogdu  a
>> écrit :
>>
>> > Hello Roberto
>> > We probably need to move javax.security.enterprise.* package to geronimo
>> > specs project (https://github.com/apache/geronimo-specs) and then
>> adding
>> > dependency to our javaee-api. After that we also need to release
>> > geronimo-specs. If you want, I can work on to create a new project in
>> > geronimo-specs.
>> > Regards.
>> > Gurkan
>> >
>> > On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez
>> > > >
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I’ve merged the current state of the code.
>> > >
>> > > In the meanwhile, I’ll write some documentation to help to understand
>> the
>> > > implementation.
>> > >
>> > > Cheers,
>> > > Roberto
>> > >
>> > > > On 8 Jan 2019, at 15:19, Gurkan Erdogdu 
>> wrote:
>> > > >
>> > > > Hello Roberto,
>> > > > Thank you for initiating this integration.
>> > > > Can you prepare a small documentation (and also send to here) which
>> > helps
>> > > > contributors to understand the internals about your current commit.
>> > > > Regards.
>> > > > Gurkan
>> > > >
>> > > >
>> > > > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
>> > > 
>> > > > wrote:
>> > > >
>> > > >> Hi folks,
>> > > >>
>> > > >> I think I’m now done with the FormAuthentication.
>> > > >>
>> > > >> There are still things left to implement. At the moment, the code
>> is
>> > > part
>> > > >> of the project but is not part of the binary. I would like to merge
>> > the
>> > > >> current PR:
>> > > >> https://github.com/apache/tomee/pull/277 <
>> > > >> https://github.com/apache/tomee/pull/277>
>> > > >>
>> > > >> I think this will give a chance for the community to contribute
>> some
>> > of
>> > > >> the missing pieces. I can make a list in JIRA.
>> > > >>
>> > > >> So, if there is no strong opinions about merging this, I will be
>> doing
>> > > >> this in the end of the day.
>> > > >>
>> > > >> Cheers,
>> > > >> Roberto
>> > > >>
>> > > >>> On 30 Dec 2018, at 23:42, Roberto Cortez 
>> > wrote:
>> > > >>>
>> > > >>> Thanks! I’ll have a look!
>> > > >>>
>> > >  On 28 Dec 2018, at 20:34, David Jencks > >
>> > > >> wrote:
>> > > 
>> > >  Perhaps I didn’t recall correctly, or perhaps I implemented it
>> for
>> > > >> Jetty (at eclipse).  The code I’ve found at
>> > > >>
>> > >
>> >
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>> > > >> <
>> > > >>
>> > >
>> >
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>> > > >
>> > > >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t
>> recall
>> > > any
>> > > >> details of how I modified tomcat’s auth setup: I might have made
>> one
>> > > that
>> > > >> was more adapted to JASPIC and the geronimo security framework than
>> > the
>> > > >> plain tomcat one.  If this code is of any use to you, great,
>> > otherwise,
>> > > >> good luck!
>> > > 
>> > >  many thanks
>> > >  David Jencks
>> > > 
>> > > > On Dec 28, 2018, at 1:47 AM, Roberto Cortez
>> > > >>  wrote:
>> > > >
>> > > > Hi David,
>> > > >
>> > > > Actually, the EE 8 Security spec tells you to use a JASPIC
>> bridge
>> > > >> underneath the implementation, so your code might be a good fit.
>> Can
>> > you
>> > > >> point me out to the sources so I can have a look?
>> > > >
>> > > > Thank you!
>> > > >
>> > > > Cheers,
>> > > > Roberto
>> > > >
>> > > >> On 28 Dec 2018, at 03:40, David Jencks <
>> david.a.jen...@gmail.com>
>> > > >> wrote:
>> > > >>
>> > > >> IIRC I wrote a JASPIC form authentication for the geronimo
>> server
>> > > >> long ago. Although the JASPIC deployment model was somewhat
>> > > >> incomprehensibly bizarre, the conversation model was very nice.
>> > > Depending
>> > > >> on what the EE 8 api is (I haven’t looked) the JASPIC
>> implementation
>> > > might
>> > > >> be a source for webserver-independent code for form authentication
>> > that
>> > > >> could be easily adapted.
>> > > >>
>> > > >> David Jencks
>> > > >>
>> > > >>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
>> > > >>  wrote:
>> > > >>>
>> > > >>> Update:
>> > > >>>
>> > > >>> I’ve started the implementation of the
>> 

Re: Java EE Security API for EE 8

2019-01-11 Thread Jean-Louis Monteiro
That’d be great.
I have commit permissions so if you need help or something. Lemme know.


Le ven. 11 janv. 2019 à 07:12, Gurkan Erdogdu  a
écrit :

> Hello Roberto
> We probably need to move javax.security.enterprise.* package to geronimo
> specs project (https://github.com/apache/geronimo-specs) and then adding
> dependency to our javaee-api. After that we also need to release
> geronimo-specs. If you want, I can work on to create a new project in
> geronimo-specs.
> Regards.
> Gurkan
>
> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez  >
> wrote:
>
> > Hi,
> >
> > I’ve merged the current state of the code.
> >
> > In the meanwhile, I’ll write some documentation to help to understand the
> > implementation.
> >
> > Cheers,
> > Roberto
> >
> > > On 8 Jan 2019, at 15:19, Gurkan Erdogdu  wrote:
> > >
> > > Hello Roberto,
> > > Thank you for initiating this integration.
> > > Can you prepare a small documentation (and also send to here) which
> helps
> > > contributors to understand the internals about your current commit.
> > > Regards.
> > > Gurkan
> > >
> > >
> > > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> > 
> > > wrote:
> > >
> > >> Hi folks,
> > >>
> > >> I think I’m now done with the FormAuthentication.
> > >>
> > >> There are still things left to implement. At the moment, the code is
> > part
> > >> of the project but is not part of the binary. I would like to merge
> the
> > >> current PR:
> > >> https://github.com/apache/tomee/pull/277 <
> > >> https://github.com/apache/tomee/pull/277>
> > >>
> > >> I think this will give a chance for the community to contribute some
> of
> > >> the missing pieces. I can make a list in JIRA.
> > >>
> > >> So, if there is no strong opinions about merging this, I will be doing
> > >> this in the end of the day.
> > >>
> > >> Cheers,
> > >> Roberto
> > >>
> > >>> On 30 Dec 2018, at 23:42, Roberto Cortez 
> wrote:
> > >>>
> > >>> Thanks! I’ll have a look!
> > >>>
> >  On 28 Dec 2018, at 20:34, David Jencks 
> > >> wrote:
> > 
> >  Perhaps I didn’t recall correctly, or perhaps I implemented it for
> > >> Jetty (at eclipse).  The code I’ve found at
> > >>
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > >> <
> > >>
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > >
> > >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall
> > any
> > >> details of how I modified tomcat’s auth setup: I might have made one
> > that
> > >> was more adapted to JASPIC and the geronimo security framework than
> the
> > >> plain tomcat one.  If this code is of any use to you, great,
> otherwise,
> > >> good luck!
> > 
> >  many thanks
> >  David Jencks
> > 
> > > On Dec 28, 2018, at 1:47 AM, Roberto Cortez
> > >>  wrote:
> > >
> > > Hi David,
> > >
> > > Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> > >> underneath the implementation, so your code might be a good fit. Can
> you
> > >> point me out to the sources so I can have a look?
> > >
> > > Thank you!
> > >
> > > Cheers,
> > > Roberto
> > >
> > >> On 28 Dec 2018, at 03:40, David Jencks 
> > >> wrote:
> > >>
> > >> IIRC I wrote a JASPIC form authentication for the geronimo server
> > >> long ago. Although the JASPIC deployment model was somewhat
> > >> incomprehensibly bizarre, the conversation model was very nice.
> > Depending
> > >> on what the EE 8 api is (I haven’t looked) the JASPIC implementation
> > might
> > >> be a source for webserver-independent code for form authentication
> that
> > >> could be easily adapted.
> > >>
> > >> David Jencks
> > >>
> > >>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
> > >>  wrote:
> > >>>
> > >>> Update:
> > >>>
> > >>> I’ve started the implementation of the
> FormAuthenticationMechanism.
> > >> Is not as easy as it sounds, since it requires some conversation chat
> > >> across requests. I thought about wrapping all the logic and use the
> > Tomcat
> > >> FormAuthenticator, since it does exactly what we need. Unfortunately,
> > it is
> > >> too tied to the Tomcat code and it would require to instantiate a lot
> of
> > >> Tomcat objects to be able to use it. I’m not sure if it would be worth
> > it.
> > >> I ended up following the spec suggestion to use a CDI interceptor and
> > I’m
> > >> copying / reusing some pieces of the FormAuthentication when possible.
> > >>>
> > >>> PR updated:
> > >>> https://github.com/apache/tomee/pull/277 <
> > >> https://github.com/apache/tomee/pull/277>
> > >>>
> > >>> Cheers,
> > >>> Roberto
> > >>>
> >  On 26 Dec 2018, at 22:11, Roberto Cortez
> > >>  wrote:
> > 
> >  Hi folks,
> > 
> >  I’ve updated the PR with new 

Re: Java EE Security API for EE 8

2019-01-10 Thread Gurkan Erdogdu
Hello Roberto
We probably need to move javax.security.enterprise.* package to geronimo
specs project (https://github.com/apache/geronimo-specs) and then adding
dependency to our javaee-api. After that we also need to release
geronimo-specs. If you want, I can work on to create a new project in
geronimo-specs.
Regards.
Gurkan

On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez 
wrote:

> Hi,
>
> I’ve merged the current state of the code.
>
> In the meanwhile, I’ll write some documentation to help to understand the
> implementation.
>
> Cheers,
> Roberto
>
> > On 8 Jan 2019, at 15:19, Gurkan Erdogdu  wrote:
> >
> > Hello Roberto,
> > Thank you for initiating this integration.
> > Can you prepare a small documentation (and also send to here) which helps
> > contributors to understand the internals about your current commit.
> > Regards.
> > Gurkan
> >
> >
> > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> 
> > wrote:
> >
> >> Hi folks,
> >>
> >> I think I’m now done with the FormAuthentication.
> >>
> >> There are still things left to implement. At the moment, the code is
> part
> >> of the project but is not part of the binary. I would like to merge the
> >> current PR:
> >> https://github.com/apache/tomee/pull/277 <
> >> https://github.com/apache/tomee/pull/277>
> >>
> >> I think this will give a chance for the community to contribute some of
> >> the missing pieces. I can make a list in JIRA.
> >>
> >> So, if there is no strong opinions about merging this, I will be doing
> >> this in the end of the day.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 30 Dec 2018, at 23:42, Roberto Cortez  wrote:
> >>>
> >>> Thanks! I’ll have a look!
> >>>
>  On 28 Dec 2018, at 20:34, David Jencks 
> >> wrote:
> 
>  Perhaps I didn’t recall correctly, or perhaps I implemented it for
> >> Jetty (at eclipse).  The code I’ve found at
> >>
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> >> <
> >>
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> >
> >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall
> any
> >> details of how I modified tomcat’s auth setup: I might have made one
> that
> >> was more adapted to JASPIC and the geronimo security framework than the
> >> plain tomcat one.  If this code is of any use to you, great, otherwise,
> >> good luck!
> 
>  many thanks
>  David Jencks
> 
> > On Dec 28, 2018, at 1:47 AM, Roberto Cortez
> >>  wrote:
> >
> > Hi David,
> >
> > Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> >> underneath the implementation, so your code might be a good fit. Can you
> >> point me out to the sources so I can have a look?
> >
> > Thank you!
> >
> > Cheers,
> > Roberto
> >
> >> On 28 Dec 2018, at 03:40, David Jencks 
> >> wrote:
> >>
> >> IIRC I wrote a JASPIC form authentication for the geronimo server
> >> long ago. Although the JASPIC deployment model was somewhat
> >> incomprehensibly bizarre, the conversation model was very nice.
> Depending
> >> on what the EE 8 api is (I haven’t looked) the JASPIC implementation
> might
> >> be a source for webserver-independent code for form authentication that
> >> could be easily adapted.
> >>
> >> David Jencks
> >>
> >>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
> >>  wrote:
> >>>
> >>> Update:
> >>>
> >>> I’ve started the implementation of the FormAuthenticationMechanism.
> >> Is not as easy as it sounds, since it requires some conversation chat
> >> across requests. I thought about wrapping all the logic and use the
> Tomcat
> >> FormAuthenticator, since it does exactly what we need. Unfortunately,
> it is
> >> too tied to the Tomcat code and it would require to instantiate a lot of
> >> Tomcat objects to be able to use it. I’m not sure if it would be worth
> it.
> >> I ended up following the spec suggestion to use a CDI interceptor and
> I’m
> >> copying / reusing some pieces of the FormAuthentication when possible.
> >>>
> >>> PR updated:
> >>> https://github.com/apache/tomee/pull/277 <
> >> https://github.com/apache/tomee/pull/277>
> >>>
> >>> Cheers,
> >>> Roberto
> >>>
>  On 26 Dec 2018, at 22:11, Roberto Cortez
> >>  wrote:
> 
>  Hi folks,
> 
>  I’ve updated the PR with new changes:
> 
>  - I’ve implemented a CDI Extension to create
> >> AuthenticationMechanism beans and a CDI class to keep track of the
> mapping
> >> between the authentication mechanism and the servlet that should be
> >> checked. When a Servlet is executed the mapping is checked and if there
> is
> >> an associated AuthenticationMechanism, we validate the request with the
> >> associated type (Basic, Form, etc).
> 
>  - 

Re: Java EE Security API for EE 8

2019-01-09 Thread Roberto Cortez
Hi,

I’ve merged the current state of the code.

In the meanwhile, I’ll write some documentation to help to understand the 
implementation.

Cheers,
Roberto

> On 8 Jan 2019, at 15:19, Gurkan Erdogdu  wrote:
> 
> Hello Roberto,
> Thank you for initiating this integration.
> Can you prepare a small documentation (and also send to here) which helps
> contributors to understand the internals about your current commit.
> Regards.
> Gurkan
> 
> 
> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez 
> wrote:
> 
>> Hi folks,
>> 
>> I think I’m now done with the FormAuthentication.
>> 
>> There are still things left to implement. At the moment, the code is part
>> of the project but is not part of the binary. I would like to merge the
>> current PR:
>> https://github.com/apache/tomee/pull/277 <
>> https://github.com/apache/tomee/pull/277>
>> 
>> I think this will give a chance for the community to contribute some of
>> the missing pieces. I can make a list in JIRA.
>> 
>> So, if there is no strong opinions about merging this, I will be doing
>> this in the end of the day.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 30 Dec 2018, at 23:42, Roberto Cortez  wrote:
>>> 
>>> Thanks! I’ll have a look!
>>> 
 On 28 Dec 2018, at 20:34, David Jencks 
>> wrote:
 
 Perhaps I didn’t recall correctly, or perhaps I implemented it for
>> Jetty (at eclipse).  The code I’ve found at
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>> <
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/>
>> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any
>> details of how I modified tomcat’s auth setup: I might have made one that
>> was more adapted to JASPIC and the geronimo security framework than the
>> plain tomcat one.  If this code is of any use to you, great, otherwise,
>> good luck!
 
 many thanks
 David Jencks
 
> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
>>  wrote:
> 
> Hi David,
> 
> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
>> underneath the implementation, so your code might be a good fit. Can you
>> point me out to the sources so I can have a look?
> 
> Thank you!
> 
> Cheers,
> Roberto
> 
>> On 28 Dec 2018, at 03:40, David Jencks 
>> wrote:
>> 
>> IIRC I wrote a JASPIC form authentication for the geronimo server
>> long ago. Although the JASPIC deployment model was somewhat
>> incomprehensibly bizarre, the conversation model was very nice. Depending
>> on what the EE 8 api is (I haven’t looked) the JASPIC implementation might
>> be a source for webserver-independent code for form authentication that
>> could be easily adapted.
>> 
>> David Jencks
>> 
>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
>>  wrote:
>>> 
>>> Update:
>>> 
>>> I’ve started the implementation of the FormAuthenticationMechanism.
>> Is not as easy as it sounds, since it requires some conversation chat
>> across requests. I thought about wrapping all the logic and use the Tomcat
>> FormAuthenticator, since it does exactly what we need. Unfortunately, it is
>> too tied to the Tomcat code and it would require to instantiate a lot of
>> Tomcat objects to be able to use it. I’m not sure if it would be worth it.
>> I ended up following the spec suggestion to use a CDI interceptor and I’m
>> copying / reusing some pieces of the FormAuthentication when possible.
>>> 
>>> PR updated:
>>> https://github.com/apache/tomee/pull/277 <
>> https://github.com/apache/tomee/pull/277>
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 26 Dec 2018, at 22:11, Roberto Cortez
>>  wrote:
 
 Hi folks,
 
 I’ve updated the PR with new changes:
 
 - I’ve implemented a CDI Extension to create
>> AuthenticationMechanism beans and a CDI class to keep track of the mapping
>> between the authentication mechanism and the servlet that should be
>> checked. When a Servlet is executed the mapping is checked and if there is
>> an associated AuthenticationMechanism, we validate the request with the
>> associated type (Basic, Form, etc).
 
 - Implemented the BasicAuthenticationMechanism and all the plumbing
>> required to be executed. This required an HttpMessageContext to pass
>> information around, plus store some state to make decisions on things to
>> do, including the CallbackHandler to pass in additional Callbacks to create
>> the Principal and Groups
 
 - A default IdentityStore, using the Tomcat UserDatabase, that
>> reads user data from tomcat-users.xml
 
 I’ll probably move to implement the missing
>> AuthenticationMechanisms (FORM and Custom) next.
 
 Any feedback, always welcomed :)
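
The Basic flow described in the 26 Dec 2018 update quoted above (credentials taken from the request, checked against an identity store that reads tomcat-users.xml, yielding a principal and groups), as an added example that is not part of the thread or of TomEE's code. It uses only the JDK rather than the javax.security.enterprise API; `BasicAuthSketch`, `UserFileStore`, `validateRequest` and the sample users are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BasicAuthSketch {

    // Constructed sample in the tomcat-users.xml layout (clear-text passwords assumed).
    static final String SAMPLE_USERS =
          "<tomcat-users>"
        + "<role rolename=\"admin\"/><role rolename=\"user\"/>"
        + "<user username=\"alice\" password=\"constructed-pw-1\" roles=\"admin,user\"/>"
        + "<user username=\"bob\" password=\"constructed-pw-2\" roles=\"user\"/>"
        + "</tomcat-users>";

    /** Hypothetical stand-in for an identity store that reads tomcat-users.xml. */
    static final class UserFileStore {
        private final Map<String, byte[]> passwords = new HashMap<>();
        private final Map<String, Set<String>> groups = new HashMap<>();

        UserFileStore(String xml) throws Exception {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Refuse DOCTYPE declarations so the user file cannot pull in external entities.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            NodeList users = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("user");
            for (int i = 0; i < users.getLength(); i++) {
                Element u = (Element) users.item(i);
                String name = u.getAttribute("username");
                passwords.put(name, u.getAttribute("password").getBytes(StandardCharsets.UTF_8));
                Set<String> g = new LinkedHashSet<>();
                for (String role : u.getAttribute("roles").split(",")) {
                    if (!role.trim().isEmpty()) g.add(role.trim());
                }
                groups.put(name, g);
            }
        }

        /** Returns the caller's groups when the password matches, empty otherwise. */
        Optional<Set<String>> validate(String user, String password) {
            byte[] expected = passwords.get(user);
            if (expected == null) return Optional.empty();
            // MessageDigest.isEqual avoids an early-exit byte comparison.
            boolean ok = MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
            return ok ? Optional.of(groups.get(user)) : Optional.empty();
        }
    }

    /** Outcome of one request: HTTP status plus the principal and groups on success. */
    static final class Result {
        final int status;
        final String principal;
        final Set<String> groups;
        Result(int status, String principal, Set<String> groups) {
            this.status = status; this.principal = principal; this.groups = groups;
        }
        @Override public String toString() { return status + " " + principal + " " + groups; }
    }

    /** Basic mechanism: parse the Authorization header, then delegate to the store. */
    static Result validateRequest(String authorization, UserFileStore store) {
        // 401 stands for "send WWW-Authenticate: Basic and stop".
        Result challenge = new Result(401, null, Collections.emptySet());
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return challenge;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return challenge; // not valid Base64
        }
        int colon = decoded.indexOf(':'); // split at the first ':'; passwords may contain more
        if (colon < 0) return challenge;
        String user = decoded.substring(0, colon);
        return store.validate(user, decoded.substring(colon + 1))
            .map(g -> new Result(200, user, g))
            .orElse(challenge);
    }

    static String basic(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        UserFileStore store = new UserFileStore(SAMPLE_USERS);
        System.out.println(validateRequest(basic("alice", "constructed-pw-1"), store));
        System.out.println(validateRequest(basic("bob", "wrong"), store));
        System.out.println(validateRequest("Basic %%%not-base64%%%", store));
        System.out.println(validateRequest(null, store));
    }
}
```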
 
 

Re: Java EE Security API for EE 8

2019-01-08 Thread Gurkan Erdogdu
Hello Roberto,
Thank you for initiating this integration.
Can you prepare a small documentation (and also send to here) which helps
contributors to understand the internals about your current commit.
Regards.
Gurkan


On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez 
wrote:

> Hi folks,
>
> I think I’m now done with the FormAuthentication.
>
> There are still things left to implement. At the moment, the code is part
> of the project but is not part of the binary. I would like to merge the
> current PR:
> https://github.com/apache/tomee/pull/277 <
> https://github.com/apache/tomee/pull/277>
>
> I think this will give a chance for the community to contribute some of
> the missing pieces. I can make a list in JIRA.
>
> So, if there is no strong opinions about merging this, I will be doing
> this in the end of the day.
>
> Cheers,
> Roberto
>
> > On 30 Dec 2018, at 23:42, Roberto Cortez  wrote:
> >
> > Thanks! I’ll have a look!
> >
> >> On 28 Dec 2018, at 20:34, David Jencks 
> wrote:
> >>
> >> Perhaps I didn’t recall correctly, or perhaps I implemented it for
> Jetty (at eclipse).  The code I’ve found at
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> <
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/>
> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any
> details of how I modified tomcat’s auth setup: I might have made one that
> was more adapted to JASPIC and the geronimo security framework than the
> plain tomcat one.  If this code is of any use to you, great, otherwise,
> good luck!
> >>
> >> many thanks
> >> David Jencks
> >>
> >>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
>  wrote:
> >>>
> >>> Hi David,
> >>>
> >>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> underneath the implementation, so your code might be a good fit. Can you
> point me out to the sources so I can have a look?
> >>>
> >>> Thank you!
> >>>
> >>> Cheers,
> >>> Roberto
> >>>
>  On 28 Dec 2018, at 03:40, David Jencks 
> wrote:
> 
>  IIRC I wrote a JASPIC form authentication for the geronimo server
> long ago. Although the JASPIC deployment model was somewhat
> incomprehensibly bizarre, the conversation model was very nice. Depending
> on what the EE 8 api is (I haven’t looked) the JASPIC implementation might
> be a source for webserver-independent code for form authentication that
> could be easily adapted.
> 
>  David Jencks
> 
> > On Dec 27, 2018, at 3:53 PM, Roberto Cortez
>  wrote:
> >
> > Update:
> >
> > I’ve started the implementation of the FormAuthenticationMechanism.
> Is not as easy as it sounds, since it requires some conversation chat
> across requests. I thought about wrapping all the logic and use the Tomcat
> FormAuthenticator, since it does exactly what we need. Unfortunately, it is
> too tied to the Tomcat code and it would require to instantiate a lot of
> Tomcat objects to be able to use it. I’m not sure if it would be worth it.
> I ended up following the spec suggestion to use a CDI interceptor and I’m
> copying / reusing some pieces of the FormAuthentication when possible.
> >
> > PR updated:
> > https://github.com/apache/tomee/pull/277 <
> https://github.com/apache/tomee/pull/277>
> >
> > Cheers,
> > Roberto
> >
> >> On 26 Dec 2018, at 22:11, Roberto Cortez
>  wrote:
> >>
> >> Hi folks,
> >>
> >> I’ve updated the PR with new changes:
> >>
> >> - I’ve implemented a CDI Extension to create
> AuthenticationMechanism beans and a CDI class to keep track of the mapping
> between the authentication mechanism and the servlet that should be
> checked. When a Servlet is executed the mapping is checked and if there is
> an associated AuthenticationMechanism, we validate the request with the
> associated type (Basic, Form, etc).
> >>
> >> - Implemented the BasicAuthenticationMechanism and all the plumbing
> required to be executed. This required an HttpMessageContext to pass
> information around, plus store some state to make decisions on things to
> do, including the CallbackHandler to pass in additional Callbacks to create
> the Principal and Groups
> >>
> >> - A default IdentityStore, using the Tomcat UserDatabase, that
> reads user data from tomcat-users.xml
> >>
> >> I’ll probably move to implement the missing
> AuthenticationMechanisms (FORM and Custom) next.
> >>
> >> Any feedback, always welcomed :)
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 19 Dec 2018, at 10:00, Bruno Baptista 
> wrote:
> >>>
> >>> TomEE Security works for me.
> >>>
> >>> Bruno Baptista
> >>> https://twitter.com/brunobat_
> >>>
> >>>
> >>> On 19/12/18 00:20, Roberto Cortez wrote:
>  Hi folks,
> 
> 

Re: Java EE Security API for EE 8

2019-01-08 Thread Roberto Cortez
Hi folks,

I think I’m now done with the FormAuthentication.

There are still things left to implement. At the moment, the code is part of 
the project but is not part of the binary. I would like to merge the current PR:
https://github.com/apache/tomee/pull/277 


I think this will give a chance for the community to contribute some of the 
missing pieces. I can make a list in JIRA.

So, if there is no strong opinions about merging this, I will be doing this in 
the end of the day.

Cheers,
Roberto 

> On 30 Dec 2018, at 23:42, Roberto Cortez  wrote:
> 
> Thanks! I’ll have a look!
> 
>> On 28 Dec 2018, at 20:34, David Jencks  wrote:
>> 
>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at 
>> eclipse).  The code I’ve found at 
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>>  
>> 
>>  includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any 
>> details of how I modified tomcat’s auth setup: I might have made one that 
>> was more adapted to JASPIC and the geronimo security framework than the 
>> plain tomcat one.  If this code is of any use to you, great, otherwise, good 
>> luck!
>> 
>> many thanks
>> David Jencks
>> 
>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez  
>>> wrote:
>>> 
>>> Hi David,
>>> 
>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge 
>>> underneath the implementation, so your code might be a good fit. Can you 
>>> point me out to the sources so I can have a look?
>>> 
>>> Thank you!
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 28 Dec 2018, at 03:40, David Jencks  wrote:
 
 IIRC I wrote a JASPIC form authentication for the geronimo server long 
 ago. Although the JASPIC deployment model was somewhat incomprehensibly 
 bizarre, the conversation model was very nice. Depending on what the EE 8 
 api is (I haven’t looked) the JASPIC implementation might be a source for 
 webserver-independent code for form authentication that could be easily 
 adapted.
 
 David Jencks
 
> On Dec 27, 2018, at 3:53 PM, Roberto Cortez  
> wrote:
> 
> Update:
> 
> I’ve started the implementation of the FormAuthenticationMechanism. Is 
> not as easy as it sounds, since it requires some conversation chat across 
> requests. I thought about wrapping all the logic and use the Tomcat 
> FormAuthenticator, since it does exactly what we need. Unfortunately, it 
> is too tied to the Tomcat code and it would require to instantiate a lot 
> of Tomcat objects to be able to use it. I’m not sure if it would be worth 
> it. I ended up following the spec suggestion to use a CDI interceptor and 
> I’m copying / reusing some pieces of the FormAuthentication when possible.
> 
> PR updated:
> https://github.com/apache/tomee/pull/277 
> 
> 
> Cheers,
> Roberto
> 
>> On 26 Dec 2018, at 22:11, Roberto Cortez  
>> wrote:
>> 
>> Hi folks,
>> 
>> I’ve updated the PR with new changes:
>> 
>> - I’ve implemented a CDI Extension to create AuthenticationMechanism 
>> beans and a CDI class to keep track of the mapping between the 
>> authentication mechanism and the servlet that should be checked. When a 
>> Servlet is executed the mapping is checked and if there is an 
>> associated AuthenticationMechanism, we validate the request with the 
>> associated type (Basic, Form, etc).
>> 
>> - Implemented the BasicAuthenticationMechanism and all the plumbing 
>> required to be executed. This required an HttpMessageContext to pass 
>> information around, plus store some state to make decisions on things to 
>> do, including the CallbackHandler to pass in additional Callbacks to 
>> create the Principal and Groups
>> 
>> - A default IdentityStore, using the Tomcat UserDatabase, that reads 
>> user data from tomcat-users.xml
>> 
>> I’ll probably move to implement the missing AuthenticationMechanisms 
>> (FORM and Custom) next.
>> 
>> Any feedback, always welcomed :)
>> 
>> Cheers,
>> Roberto
>> 
>>> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
>>> 
>>> TomEE Security works for me.
>>> 
>>> Bruno Baptista
>>> https://twitter.com/brunobat_
>>> 
>>> 
>>> On 19/12/18 00:20, Roberto Cortez wrote:
 Hi folks,
 
 Work is progressing.
 
 I’ve added a good chunk of the API (as needed) to allow me to proceed. 
 I’ve tried to use the Jakarta Security API jar. Unfortunately, it is 
 full of dependencies to the other Jakarta 

Re: Java EE Security API for EE 8

2018-12-30 Thread Roberto Cortez
Thanks! I’ll have a look!

> On 28 Dec 2018, at 20:34, David Jencks  wrote:
> 
> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at 
> eclipse).  The code I’ve found at 
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any 
> details of how I modified tomcat’s auth setup: I might have made one that was 
> more adapted to JASPIC and the geronimo security framework than the plain 
> tomcat one.  If this code is of any use to you, great, otherwise, good luck!
> 
> many thanks
> David Jencks
> 
>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez  
>> wrote:
>> 
>> Hi David,
>> 
>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath 
>> the implementation, so your code might be a good fit. Can you point me out 
>> to the sources so I can have a look?
>> 
>> Thank you!
>> 
>> Cheers,
>> Roberto
>> 
>>> On 28 Dec 2018, at 03:40, David Jencks  wrote:
>>> 
>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. 
>>> Although the JASPIC deployment model was somewhat incomprehensibly bizarre, 
>>> the conversation model was very nice. Depending on what the EE 8 api is (I 
>>> haven’t looked) the JASPIC implementation might be a source for 
>>> webserver-independent code for form authentication that could be easily 
>>> adapted.
>>> 
>>> David Jencks
>>> 
 On Dec 27, 2018, at 3:53 PM, Roberto Cortez  
 wrote:
 
 Update:
 
 I’ve started the implementation of the FormAuthenticationMechanism. It is not 
 as easy as it sounds, since it requires some conversation chat across 
 requests. I thought about wrapping all the logic and use the Tomcat 
 FormAuthenticator, since it does exactly what we need. Unfortunately, it 
 is too tied to the Tomcat code and it would require to instantiate a lot 
 of Tomcat objects to be able to use it. I’m not sure if it would be worth 
 it. I ended up following the spec suggestion to use a CDI interceptor and 
 I’m copying / reusing some pieces of the FormAuthentication when possible.
 
 PR updated:
 https://github.com/apache/tomee/pull/277 
 
 
 Cheers,
 Roberto
 
> On 26 Dec 2018, at 22:11, Roberto Cortez  
> wrote:
> 
> Hi folks,
> 
> I’ve updated the PR with new changes:
> 
> - I’ve implemented a CDI Extension to create AuthenticationMechanism 
> beans and a CDI class to keep track of the mapping between the 
> authentication mechanism and the servlet that should be checked. When a 
> Servlet is executed the mapping is checked and if there is an associated 
> AuthenticationMechanism, we validate the request with the associated type 
> (Basic, Form, etc).
> 
> - Implemented the BasicAuthenticationMechanism and all the plumbing 
> required to be executed. This required an HttpMessageContext to pass 
> information around, plus store some state to make decisions on things to 
> do, including the CallbackHandler to pass in additional Callbacks to 
> create the Principal and Groups
> 
> - A default IdentityStore, using the Tomcat UserDatabase, that reads user 
> data from tomcat-users.xml
> 
> I’ll probably move to implement the missing AuthenticationMechanisms 
> (FORM and Custom) next.
> 
> Any feedback, always welcomed :)
> 
> Cheers,
> Roberto
> 
>> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
>> 
>> TomEE Security works for me.
>> 
>> Bruno Baptista
>> https://twitter.com/brunobat_
>> 
>> 
>> On 19/12/18 00:20, Roberto Cortez wrote:
>>> Hi folks,
>>> 
>>> Work is progressing.
>>> 
>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. 
>>> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is 
>>> full of dependencies to the other Jakarta dependent projects, some not 
>>> in central yet, so I couldn’t even build the project.
>>> 
>>> At the moment, I’ve added the structure to register a JASPIC provider 
>>> to serve as a bridge to the Security implementation code. With a CDI 
>>> extension, we can register the required AuthenticationMechanisms and 
>>> then look them up to delegate the authentication code.
>>> 
>>> I’ve also written a default IdentityStoreHandler to validate user 
>>> credentials and retrieve user groups. This is just going through the 
>>> container registered IdentityStores and using the spec rules to 
>>> identify the credentials.
>>> 
>>> Right now, I’m just calling this TomEE 

Re: Java EE Security API for EE 8

2018-12-28 Thread David Jencks
Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at 
eclipse).  The code I’ve found at 
http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any 
details of how I modified tomcat’s auth setup: I might have made one that was 
more adapted to JASPIC and the geronimo security framework than the plain 
tomcat one.  If this code is of any use to you, great, otherwise, good luck!

many thanks
David Jencks

> On Dec 28, 2018, at 1:47 AM, Roberto Cortez  
> wrote:
> 
> Hi David,
> 
> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath 
> the implementation, so your code might be a good fit. Can you point me out to 
> the sources so I can have a look?
> 
> Thank you!
> 
> Cheers,
> Roberto
> 
>> On 28 Dec 2018, at 03:40, David Jencks  wrote:
>> 
>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. 
>> Although the JASPIC deployment model was somewhat incomprehensibly bizarre, 
>> the conversation model was very nice. Depending on what the EE 8 api is (I 
>> haven’t looked) the JASPIC implementation might be a source for 
>> webserver-independent code for form authentication that could be easily 
>> adapted.
>> 
>> David Jencks
>> 
>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez  
>>> wrote:
>>> 
>>> Update:
>>> 
>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not 
>>> as easy as it sounds, since it requires some conversation chat across 
>>> requests. I thought about wrapping all the logic and use the Tomcat 
>>> FormAuthenticator, since it does exactly what we need. Unfortunately, it is 
>>> too tied to the Tomcat code and it would require to instantiate a lot of 
>>> Tomcat objects to be able to use it. I’m not sure if it would be worth it. 
>>> I ended up following the spec suggestion to use a CDI interceptor and I’m 
>>> copying / reusing some pieces of the FormAuthentication when possible.
>>> 
>>> PR updated:
>>> https://github.com/apache/tomee/pull/277 
>>> 
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 26 Dec 2018, at 22:11, Roberto Cortez  
 wrote:
 
 Hi folks,
 
 I’ve updated the PR with new changes:
 
 - I’ve implemented a CDI Extension to create AuthenticationMechanism beans 
 and a CDI class to keep track of the mapping between the authentication 
 mechanism and the servlet that should be checked. When a Servlet is 
 executed the mapping is checked and if there is an associated 
 AuthenticationMechanism, we validate the request with the associated type 
 (Basic, Form, etc).
 
 - Implemented the BasicAuthenticationMechanism and all the plumbing 
 required to be executed. This required an HttpMessageContext to pass 
 information around, plus store some state to make decisions on things to 
 do, including the CallbackHandler to pass in additional Callbacks to 
 create the Principal and Groups
 
 - A default IdentityStore, using the Tomcat UserDatabase, that reads user 
 data from tomcat-users.xml
 
 I’ll probably move to implement the missing AuthenticationMechanisms (FORM 
 and Custom) next.
 
 Any feedback, always welcomed :)
 
 Cheers,
 Roberto
 
> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
> 
> TomEE Security works for me.
> 
> Bruno Baptista
> https://twitter.com/brunobat_
> 
> 
> On 19/12/18 00:20, Roberto Cortez wrote:
>> Hi folks,
>> 
>> Work is progressing.
>> 
>> I’ve added a good chunk of the API (as needed) to allow me to proceed. 
>> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is 
>> full of dependencies to the other Jakarta dependent projects, some not 
>> in central yet, so I couldn’t even build the project.
>> 
>> At the moment, I’ve added the structure to register a JASPIC provider to 
>> serve as a bridge to the Security implementation code. With a CDI 
>> extension, we can register the required AuthenticationMechanisms and 
>> then look them up to delegate the authentication code.
>> 
>> I’ve also written a default IdentityStoreHandler to validate user 
>> credentials and retrieve user groups. This is just going through the 
>> container registered IdentityStores and using the spec rules to identify 
>> the credentials.
>> 
>> Right now, I’m just calling this TomEE Security. If someone has a more 
>> fancy idea for a name, feel free to suggest it :)
>> 
>> Cheers,
>> Roberto
>> 
>>> On 14 Dec 2018, at 23:44, Roberto Cortez  
>>> wrote:
>>> 

Re: Java EE Security API for EE 8

2018-12-28 Thread Roberto Cortez
Hi David,

Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath 
the implementation, so your code might be a good fit. Can you point me out to 
the sources so I can have a look?

Thank you!

Cheers,
Roberto

> On 28 Dec 2018, at 03:40, David Jencks  wrote:
> 
> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. 
> Although the JASPIC deployment model was somewhat incomprehensibly bizarre, 
> the conversation model was very nice. Depending on what the EE 8 api is (I 
> haven’t looked) the JASPIC implementation might be a source for 
> webserver-independent code for form authentication that could be easily 
> adapted.
> 
> David Jencks
> 
>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez  
>> wrote:
>> 
>> Update:
>> 
>> I’ve started the implementation of the FormAuthenticationMechanism. It is not 
>> as easy as it sounds, since it requires some conversation chat across 
>> requests. I thought about wrapping all the logic and use the Tomcat 
>> FormAuthenticator, since it does exactly what we need. Unfortunately, it is 
>> too tied to the Tomcat code and it would require to instantiate a lot of 
>> Tomcat objects to be able to use it. I’m not sure if it would be worth it. I 
>> ended up following the spec suggestion to use a CDI interceptor and I’m 
>> copying / reusing some pieces of the FormAuthentication when possible.
>> 
>> PR updated:
>> https://github.com/apache/tomee/pull/277 
>> 
>> 
>> Cheers,
>> Roberto
>> 
>>> On 26 Dec 2018, at 22:11, Roberto Cortez  
>>> wrote:
>>> 
>>> Hi folks,
>>> 
>>> I’ve updated the PR with new changes:
>>> 
>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans 
>>> and a CDI class to keep track of the mapping between the authentication 
>>> mechanism and the servlet that should be checked. When a Servlet is 
>>> executed the mapping is checked and if there is an associated 
>>> AuthenticationMechanism, we validate the request with the associated type 
>>> (Basic, Form, etc).
>>> 
>>> - Implemented the BasicAuthenticationMechanism and all the plumbing 
>>> required to be executed. This required an HttpMessageContext to pass 
>>> information around, plus store some state to make decisions on things to 
>>> do, including the CallbackHandler to pass in additional Callbacks to create 
>>> the Principal and Groups
>>> 
>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user 
>>> data from tomcat-users.xml
>>> 
>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM 
>>> and Custom) next.
>>> 
>>> Any feedback, always welcomed :)
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
 
 TomEE Security works for me.
 
 Bruno Baptista
 https://twitter.com/brunobat_
 
 
 On 19/12/18 00:20, Roberto Cortez wrote:
> Hi folks,
> 
> Work is progressing.
> 
> I’ve added a good chunk of the API (as needed) to allow me to proceed. 
> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full 
> of dependencies to the other Jakarta dependent projects, some not in 
> central yet, so I couldn’t even build the project.
> 
> At the moment, I’ve added the structure to register a JASPIC provider to 
> serve as a bridge to the Security implementation code. With a CDI 
> extension, we can register the required AuthenticationMechanisms and then 
> look them up to delegate the authentication code.
> 
> I’ve also written a default IdentityStoreHandler to validate user 
> credentials and retrieve user groups. This is just going through the 
> container registered IdentityStores and using the spec rules to identify 
> the credentials.
> 
> Right now, I’m just calling this TomEE Security. If someone has a more 
> fancy idea for a name, feel free to suggest it :)
> 
> Cheers,
> Roberto
> 
>> On 14 Dec 2018, at 23:44, Roberto Cortez  
>> wrote:
>> 
>> Hi folks,
>> 
>> I’ve now created a PR to push the work:
>> https://github.com/apache/tomee/pull/277 
>> 
>> 
>> It is still in the early stages. I’ve just spent a good amount of time 
>> trying to understand the spec. The idea here is that with a 
>> ServerAuthModule we could verify each of the spec authentication 
>> mechanisms that will be implemented with a CDI Bean and use a CDI 
>> Extension to create the bean depending on the annotation you use.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 13 Dec 2018, at 16:06, Roberto Cortez  
>>> wrote:
>>> 
>>> Hi folks,
>>> 
>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>>>  to implement the Java 
>>> EE Security API that came up in EE 8. We are missing this spec 
>>> 

Re: Java EE Security API for EE 8

2018-12-27 Thread David Jencks
IIRC I wrote a JASPIC form authentication for the geronimo server long ago. 
Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the 
conversation model was very nice. Depending on what the EE 8 api is (I haven’t 
looked) the JASPIC implementation might be a source for webserver-independent 
code for form authentication that could be easily adapted.

David Jencks

> On Dec 27, 2018, at 3:53 PM, Roberto Cortez  
> wrote:
> 
> Update:
> 
> I’ve started the implementation of the FormAuthenticationMechanism. It is not as 
> easy as it sounds, since it requires some conversation chat across requests. 
> I thought about wrapping all the logic and use the Tomcat FormAuthenticator, 
> since it does exactly what we need. Unfortunately, it is too tied to the 
> Tomcat code and it would require to instantiate a lot of Tomcat objects to be 
> able to use it. I’m not sure if it would be worth it. I ended up following 
> the spec suggestion to use a CDI interceptor and I’m copying / reusing some 
> pieces of the FormAuthentication when possible.
> 
> PR updated:
> https://github.com/apache/tomee/pull/277 
> 
> 
> Cheers,
> Roberto
> 
>> On 26 Dec 2018, at 22:11, Roberto Cortez  wrote:
>> 
>> Hi folks,
>> 
>> I’ve updated the PR with new changes:
>> 
>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans 
>> and a CDI class to keep track of the mapping between the authentication 
>> mechanism and the servlet that should be checked. When a Servlet is executed 
>> the mapping is checked and if there is an associated 
>> AuthenticationMechanism, we validate the request with the associated type 
>> (Basic, Form, etc).
>> 
>> - Implemented the BasicAuthenticationMechanism and all the plumbing required 
>> to be executed. This required an HttpMessageContext to pass information 
>> around, plus store some state to make decisions on things to do, including 
>> the CallbackHandler to pass in additional Callbacks to create the Principal 
>> and Groups
>> 
>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user 
>> data from tomcat-users.xml
>> 
>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM 
>> and Custom) next.
>> 
>> Any feedback, always welcomed :)
>> 
>> Cheers,
>> Roberto
>> 
>>> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
>>> 
>>> TomEE Security works for me.
>>> 
>>> Bruno Baptista
>>> https://twitter.com/brunobat_
>>> 
>>> 
>>> On 19/12/18 00:20, Roberto Cortez wrote:
 Hi folks,
 
 Work is progressing.
 
 I’ve added a good chunk of the API (as needed) to allow me to proceed. 
 I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full 
 of dependencies to the other Jakarta dependent projects, some not in 
 central yet, so I couldn’t even build the project.
 
 At the moment, I’ve added the structure to register a JASPIC provider to 
 serve as a bridge to the Security implementation code. With a CDI 
 extension, we can register the required AuthenticationMechanisms and then 
 look them up to delegate the authentication code.
 
 I’ve also written a default IdentityStoreHandler to validate user 
 credentials and retrieve user groups. This is just going through the 
 container registered IdentityStores and using the spec rules to identify 
 the credentials.
 
 Right now, I’m just calling this TomEE Security. If someone has a more 
 fancy idea for a name, feel free to suggest it :)
 
 Cheers,
 Roberto
 
> On 14 Dec 2018, at 23:44, Roberto Cortez  
> wrote:
> 
> Hi folks,
> 
> I’ve now created a PR to push the work:
> https://github.com/apache/tomee/pull/277 
> 
> 
> It is still in the early stages. I’ve just spent a good amount of time 
> trying to understand the spec. The idea here is that with a 
> ServerAuthModule we could verify each of the spec authentication 
> mechanisms that will be implemented with a CDI Bean and use a CDI 
> Extension to create the bean depending on the annotation you use.
> 
> Cheers,
> Roberto
> 
>> On 13 Dec 2018, at 16:06, Roberto Cortez  
>> wrote:
>> 
>> Hi folks,
>> 
>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>>  to implement the Java 
>> EE Security API that came up in EE 8. We are missing this spec 
>> implementation, and until we have it we cannot even say we are EE 8 
>> compatible.
>> 
>> I plan to start working on this. If anyone wants to collaborate with me, 
>> let me know.
>> 
>> Cheers,
>> Roberto
>> 
> 



Re: Java EE Security API for EE 8

2018-12-27 Thread Roberto Cortez
Update:

I’ve started the implementation of the FormAuthenticationMechanism. It is not as 
easy as it sounds, since it requires some conversation chat across requests. I 
thought about wrapping all the logic and use the Tomcat FormAuthenticator, 
since it does exactly what we need. Unfortunately, it is too tied to the Tomcat 
code and it would require to instantiate a lot of Tomcat objects to be able to 
use it. I’m not sure if it would be worth it. I ended up following the spec 
suggestion to use a CDI interceptor and I’m copying / reusing some pieces of 
the FormAuthentication when possible.

PR updated:
https://github.com/apache/tomee/pull/277 


Cheers,
Roberto

> On 26 Dec 2018, at 22:11, Roberto Cortez  wrote:
> 
> Hi folks,
> 
> I’ve updated the PR with new changes:
> 
> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans 
> and a CDI class to keep track of the mapping between the authentication 
> mechanism and the servlet that should be checked. When a Servlet is executed 
> the mapping is checked and if there is an associated 
> AuthenticationMechanism, we validate the request with the associated type 
> (Basic, Form, etc).
> 
> - Implemented the BasicAuthenticationMechanism and all the plumbing required 
> to be executed. This required an HttpMessageContext to pass information 
> around, plus store some state to make decisions on things to do, including 
> the CallbackHandler to pass in additional Callbacks to create the Principal 
> and Groups
> 
> - A default IdentityStore, using the Tomcat UserDatabase, that reads user 
> data from tomcat-users.xml
> 
> I’ll probably move to implement the missing AuthenticationMechanisms (FORM 
> and Custom) next.
> 
> Any feedback, always welcomed :)
> 
> Cheers,
> Roberto
> 
>> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
>> 
>> TomEE Security works for me.
>> 
>> Bruno Baptista
>> https://twitter.com/brunobat_
>> 
>> 
>> On 19/12/18 00:20, Roberto Cortez wrote:
>>> Hi folks,
>>> 
>>> Work is progressing.
>>> 
>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve 
>>> tried to use the Jakarta Security API jar. Unfortunately, it is full of 
>>> dependencies to the other Jakarta dependent projects, some not in central 
>>> yet, so I couldn’t even build the project.
>>> 
>>> At the moment, I’ve added the structure to register a JASPIC provider to 
>>> serve as a bridge to the Security implementation code. With a CDI extension, 
>>> we can register the required AuthenticationMechanisms and then look them up 
>>> to delegate the authentication code.
>>> 
>>> I’ve also written a default IdentityStoreHandler to validate user credentials 
>>> and retrieve user groups. This is just going through the container 
>>> registered IdentityStores and using the spec rules to identify the 
>>> credentials.
>>> 
>>> Right now, I’m just calling this TomEE Security. If someone has a more 
>>> fancy idea for a name, feel free to suggest it :)
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 14 Dec 2018, at 23:44, Roberto Cortez  
 wrote:
 
 Hi folks,
 
 I’ve now created a PR to push the work:
 https://github.com/apache/tomee/pull/277 
 
 
 It is still in the early stages. I’ve just spent a good amount of time 
 trying to understand the spec. The idea here is that with a 
 ServerAuthModule we could verify each of the spec authentication 
 mechanisms that will be implemented with a CDI Bean and use a CDI 
 Extension to create the bean depending on the annotation you use.
 
 Cheers,
 Roberto
 
> On 13 Dec 2018, at 16:06, Roberto Cortez  
> wrote:
> 
> Hi folks,
> 
> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>  to implement the Java EE 
> Security API that came up in EE 8. We are missing this spec 
> implementation, and until we have it we cannot even say we are EE 8 
> compatible.
> 
> I plan to start working on this. If anyone wants to collaborate with me, 
> let me know.
> 
> Cheers,
> Roberto
> 



Re: Java EE Security API for EE 8

2018-12-26 Thread Roberto Cortez
Hi folks,

I’ve updated the PR with new changes:

- I’ve implemented a CDI Extension to create AuthenticationMechanism beans and 
a CDI class to keep track of the mapping between the authentication mechanism 
and the servlet that should be checked. When a Servlet is executed the mapping 
is checked and if there is an associated AuthenticationMechanism, we validate 
the request with the associated type (Basic, Form, etc).

- Implemented the BasicAuthenticationMechanism and all the plumbing required to 
be executed. This required an HttpMessageContext to pass information around, 
plus store some state to make decisions on things to do, including the 
CallbackHandler to pass in additional Callbacks to create the Principal and 
Groups

- A default IdentityStore, using the Tomcat UserDatabase, that reads user data 
from tomcat-users.xml

I’ll probably move to implement the missing AuthenticationMechanisms (FORM and 
Custom) next.

Any feedback, always welcomed :)

Cheers,
Roberto

> On 19 Dec 2018, at 10:00, Bruno Baptista  wrote:
> 
> TomEE Security works for me.
> 
> Bruno Baptista
> https://twitter.com/brunobat_
> 
> 
> On 19/12/18 00:20, Roberto Cortez wrote:
>> Hi folks,
>> 
>> Work is progressing.
>> 
>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve 
>> tried to use the Jakarta Security API jar. Unfortunately, it is full of 
>> dependencies to the other Jakarta dependent projects, some not in central 
>> yet, so I couldn’t even build the project.
>> 
>> At the moment, I’ve added the structure to register a JASPIC provider to 
>> serve as a bridge to the Security implementation code. With a CDI extension, 
>> we can register the required AuthenticationMechanisms and then look them up 
>> to delegate the authentication code.
>> 
>> I’ve also written a default IdentityStoreHandler to validate user credentials 
>> and retrieve user groups. This is just going through the container 
>> registered IdentityStores and using the spec rules to identify the 
>> credentials.
>> 
>> Right now, I’m just calling this TomEE Security. If someone has a more fancy 
>> idea for a name, feel free to suggest it :)
>> 
>> Cheers,
>> Roberto
>> 
>>> On 14 Dec 2018, at 23:44, Roberto Cortez  
>>> wrote:
>>> 
>>> Hi folks,
>>> 
>>> I’ve now created a PR to push the work:
>>> https://github.com/apache/tomee/pull/277 
>>> 
>>> 
>>> It is still in the early stages. I’ve just spent a good amount of time 
>>> trying to understand the spec. The idea here is that with a 
>>> ServerAuthModule we could verify each of the spec authentication mechanisms 
>>> that will be implemented with a CDI Bean and use a CDI Extension to create 
>>> the bean depending on the annotation you use.
>>> 
>>> Cheers,
>>> Roberto
>>> 
 On 13 Dec 2018, at 16:06, Roberto Cortez  
 wrote:
 
 Hi folks,
 
 I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
  to implement the Java EE 
 Security API that came up in EE 8. We are missing this spec 
 implementation, and until we have it we cannot even say we are EE 8 
 compatible.
 
 I plan to start working on this. If anyone wants to collaborate with me, 
 let me know.
 
 Cheers,
 Roberto



Re: Java EE Security API for EE 8

2018-12-19 Thread Bruno Baptista

TomEE Security works for me.

Bruno Baptista
https://twitter.com/brunobat_


On 19/12/18 00:20, Roberto Cortez wrote:

Hi folks,

Work is progressing.

I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve 
tried to use the Jakarta Security API jar. Unfortunately, it is full of 
dependencies to the other Jakarta dependent projects, some not in central yet, 
so I couldn’t even build the project.

At the moment, I’ve added the structure to register a JASPIC provider to serve 
as a bridge to the Security implementation code. With a CDI extension, we can 
register the required AuthenticationMechanisms and then look them up to 
delegate the authentication code.

I’ve also written a default IdentityStoreHandler to validate user credentials and 
retrieve user groups. This is just going through the container registered 
IdentityStores and using the spec rules to identify the credentials.

Right now, I’m just calling this TomEE Security. If someone has a more fancy 
idea for a name, feel free to suggest it :)

Cheers,
Roberto


On 14 Dec 2018, at 23:44, Roberto Cortez  wrote:

Hi folks,

I’ve now created a PR to push the work:
https://github.com/apache/tomee/pull/277 


It is still in the early stages. I’ve just spent a good amount of time trying 
to understand the spec. The idea here is that with a ServerAuthModule we could 
verify each of the spec authentication mechanisms that will be implemented with 
a CDI Bean and use a CDI Extension to create the bean depending on the 
annotation you use.

Cheers,
Roberto


On 13 Dec 2018, at 16:06, Roberto Cortez  wrote:

Hi folks,

I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
to implement the Java EE 
Security API that came up in EE 8. We are missing this spec implementation, and until 
we have it we cannot even say we are EE 8 compatible.

I plan to start working on this. If anyone wants to collaborate with me, let me 
know.

Cheers,
Roberto


Re: Java EE Security API for EE 8

2018-12-18 Thread Roberto Cortez
Hi folks,

Work is progressing.

I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve 
tried to use the Jakarta Security API jar. Unfortunately, it is full of 
dependencies to the other Jakarta dependent projects, some not in central yet, 
so I couldn’t even build the project.

At the moment, I’ve added the structure to register a JASPIC provider to serve 
as a bridge to the Security implementation code. With a CDI extension, we can 
register the required AuthenticationMechanisms and then look them up to 
delegate the authentication code.

I’ve also written a default IdentityStoreHandler to validate user credentials and 
retrieve user groups. This is just going through the container registered 
IdentityStores and using the spec rules to identify the credentials.

Right now, I’m just calling this TomEE Security. If someone has a more fancy 
idea for a name, feel free to suggest it :)

Cheers,
Roberto

> On 14 Dec 2018, at 23:44, Roberto Cortez  wrote:
> 
> Hi folks,
> 
> I’ve now created a PR to push the work:
> https://github.com/apache/tomee/pull/277 
> 
> 
> It is still in the early stages. I’ve just spent a good amount of time trying 
> to understand the spec. The idea here is that with a ServerAuthModule we 
> could verify each of the spec authentication mechanisms that will be 
> implemented with a CDI Bean and use a CDI Extension to create the bean 
> depending on the annotation you use.
> 
> Cheers,
> Roberto
> 
>> On 13 Dec 2018, at 16:06, Roberto Cortez  wrote:
>> 
>> Hi folks,
>> 
>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>>  to implement the Java EE 
>> Security API that came up in EE 8. We are missing this spec implementation, 
>> and until we have it we cannot even say we are EE 8 compatible.
>> 
>> I plan to start working on this. If anyone wants to collaborate with me, let 
>> me know.
>> 
>> Cheers,
>> Roberto
> 



Re: Java EE Security API for EE 8

2018-12-14 Thread Roberto Cortez
Hi folks,

I’ve now created a PR to push the work:
https://github.com/apache/tomee/pull/277 


It is still in the early stages. I’ve just spent a good amount of time trying 
to understand the spec. The idea here is that with a ServerAuthModule we could 
verify each of the spec authentication mechanisms that will be implemented with 
a CDI Bean and use a CDI Extension to create the bean depending on the 
annotation you use.

Cheers,
Roberto

> On 13 Dec 2018, at 16:06, Roberto Cortez  wrote:
> 
> Hi folks,
> 
> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
>  to implement the Java EE 
> Security API that came up in EE 8. We are missing this spec implementation, 
> and until we have it we cannot even say we are EE 8 compatible.
> 
> I plan to start working on this. If anyone wants to collaborate with me, let 
> me know.
> 
> Cheers,
> Roberto



Java EE Security API for EE 8

2018-12-13 Thread Roberto Cortez
Hi folks,

I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 
to implement the Java EE 
Security API that came up in EE 8. We are missing this spec implementation, and 
until we have it we cannot even say we are EE 8 compatible.

I plan to start working on this. If anyone wants to collaborate with me, let me 
know.

Cheers,
Roberto