Posted to dev@tomee.apache.org by Roberto Cortez <ra...@yahoo.com.INVALID> on 2019/01/08 15:13:52 UTC

Re: Java EE Security API for EE 8

Hi folks,

I think I’m now done with the FormAuthentication.

There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
https://github.com/apache/tomee/pull/277

I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.

So, if there are no strong opinions about merging this, I will be doing this at the end of the day.

Cheers,
Roberto 

> On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com> wrote:
> 
> Thanks! I’ll have a look!
> 
>> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com> wrote:
>> 
>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
>> 
>> many thanks
>> David Jencks
>> 
>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>> 
>>> Hi David,
>>> 
>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me to the sources so I can have a look?
>>> 
>>> Thank you!
>>> 
>>> Cheers,
>>> Roberto
>>> 
>>>> On 28 Dec 2018, at 03:40, David Jencks <da...@gmail.com> wrote:
>>>> 
>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 API is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
>>>> 
>>>> David Jencks
>>>> 
>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>> 
>>>>> Update:
>>>>> 
>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and using the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require instantiating a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>> 
>>>>> PR updated:
>>>>> https://github.com/apache/tomee/pull/277
>>>>> 
>>>>> Cheers,
>>>>> Roberto
>>>>> 
>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>>> 
>>>>>> Hi folks,
>>>>>> 
>>>>>> I’ve updated the PR with new changes:
>>>>>> 
>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
>>>>>> 
>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
>>>>>> 
>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
>>>>>> 
>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
>>>>>> 
>>>>>> Any feedback, always welcomed :)
>>>>>> 
>>>>>> Cheers,
>>>>>> Roberto
>>>>>> 
>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <br...@gmail.com> wrote:
>>>>>>> 
>>>>>>> TomEE Security works for me.
>>>>>>> 
>>>>>>> Bruno Baptista
>>>>>>> https://twitter.com/brunobat_
>>>>>>> 
>>>>>>> 
>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>> Hi folks,
>>>>>>>> 
>>>>>>>> Work is progressing.
>>>>>>>> 
>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>> 
>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>> 
>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>> 
>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>> 
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>> 
>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>>>>>> 
>>>>>>>>> Hi folks,
>>>>>>>>> 
>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>> 
>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>> 
>>>>>>>>> Cheers,
>>>>>>>>> Roberto
>>>>>>>>> 
>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi folks,
>>>>>>>>>> 
>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>> 
>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>> 
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
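
The 19 Dec message quoted above describes a default IdentityStoreHandler that walks the registered IdentityStores "using the spec rules". The sketch below is an added example, not part of the thread and not TomEE's code, showing those rules as the Java EE Security 1.0 (JSR 375) specification states them: validating stores are called in priority order until one returns VALID, and groups are taken only from stores that declare PROVIDE_GROUPS. The class name, the list-taking constructor and the sample stores and credentials are assumptions made for illustration; it compiles against the javax.security.enterprise API jar.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.CredentialValidationResult.Status;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

// Illustrative only: class name and constructor are assumptions, not TomEE code.
public class SketchIdentityStoreHandler implements IdentityStoreHandler {

    private final List<IdentityStore> validators = new ArrayList<>();
    private final List<IdentityStore> groupOnly = new ArrayList<>();

    // A container would discover the stores through CDI; here they are passed in.
    public SketchIdentityStoreHandler(final List<IdentityStore> stores) {
        final List<IdentityStore> ordered = new ArrayList<>(stores);
        ordered.sort(Comparator.comparingInt(IdentityStore::priority)); // lower value is called first
        for (final IdentityStore store : ordered) {
            if (store.validationTypes().contains(ValidationType.VALIDATE)) {
                validators.add(store);
            } else if (store.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) {
                groupOnly.add(store); // declares only PROVIDE_GROUPS
            }
        }
    }

    @Override
    public CredentialValidationResult validate(final Credential credential) {
        CredentialValidationResult valid = null;
        IdentityStore validatedBy = null;
        boolean sawInvalid = false;

        for (final IdentityStore store : validators) {
            final CredentialValidationResult result = store.validate(credential);
            if (result.getStatus() == Status.VALID) {
                valid = result;
                validatedBy = store;
                break; // the first VALID result ends the validation phase
            }
            if (result.getStatus() == Status.INVALID) {
                sawInvalid = true; // remembered in case no store accepts the credential
            }
        }
        if (valid == null) {
            return sawInvalid ? CredentialValidationResult.INVALID_RESULT
                              : CredentialValidationResult.NOT_VALIDATED_RESULT;
        }

        final Set<String> groups = new HashSet<>();
        // Groups from the validating store count only if it also declares PROVIDE_GROUPS.
        if (validatedBy.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) {
            groups.addAll(valid.getCallerGroups());
        }
        for (final IdentityStore store : groupOnly) {
            groups.addAll(store.getCallerGroups(valid));
        }
        return new CredentialValidationResult(valid.getIdentityStoreId(), valid.getCallerPrincipal(),
                valid.getCallerDn(), valid.getCallerUniqueId(), groups);
    }

    public static void main(final String[] args) {
        // Constructed stores and credentials, for demonstration only.
        final IdentityStore passwords = new IdentityStore() {
            @Override public Set<ValidationType> validationTypes() { return EnumSet.of(ValidationType.VALIDATE); }
            @Override public CredentialValidationResult validate(final Credential c) {
                final UsernamePasswordCredential up = (UsernamePasswordCredential) c;
                return up.compareTo("alice", "correct-horse")
                        ? new CredentialValidationResult("alice", Collections.singleton("admin"))
                        : CredentialValidationResult.INVALID_RESULT;
            }
        };
        final IdentityStore groups = new IdentityStore() {
            @Override public Set<ValidationType> validationTypes() { return EnumSet.of(ValidationType.PROVIDE_GROUPS); }
            @Override public Set<String> getCallerGroups(final CredentialValidationResult r) {
                return Collections.singleton("user");
            }
        };
        final IdentityStoreHandler handler = new SketchIdentityStoreHandler(Arrays.asList(groups, passwords));

        final CredentialValidationResult ok = handler.validate(new UsernamePasswordCredential("alice", "correct-horse"));
        System.out.println(ok.getStatus() + " " + ok.getCallerGroups());
        final CredentialValidationResult bad = handler.validate(new UsernamePasswordCredential("alice", "wrong"));
        System.out.println(bad.getStatus() + " " + bad.getCallerGroups());
    }
}
```

In the sample run the "admin" group returned by the password store is dropped because that store declares only VALIDATE, so a store cannot grant groups it has not been configured to provide.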


Re: Java EE Security API for EE 8

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Yes, these need to be moved to Geronimo, but I think not at this time.

I would like to have a more stable implementation before moving this over to Geronimo. There are still a lot of things missing, including in the API, and it is just easier to get this done in a single project.

> On 11 Jan 2019, at 19:52, Gurkan Erdogdu <cg...@gmail.com> wrote:
> 
> I have added geronimo-specs-security_1.0 to geronimo-specs and let
> geronimo-dev know about the issue. After receiving some response, I can commit
> the code.
> 
> On Fri, Jan 11, 2019 at 9:50 PM Gurkan Erdogdu <cg...@gmail.com> wrote:
> 
>> Ok then I created subtask,
>> https://issues.apache.org/jira/browse/TOMEE-2453 under the main issue,
>> https://issues.apache.org/jira/browse/TOMEE-2365
>> Can you please assign it to me?
>> 
>> 
>> On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <jlmonteiro@tomitribe.com> wrote:
>> 
>>> That’d be great.
>>> I have commit permissions so if you need help or something. Lemme know.
>>> 
>>> 
>>> On Fri, 11 Jan 2019 at 07:12, Gurkan Erdogdu <cg...@gmail.com> wrote:
>>> 
>>>> Hello Roberto
>>>> We probably need to move javax.security.enterprise.* package to geronimo specs project (https://github.com/apache/geronimo-specs) and then add a dependency to our javaee-api. After that we also need to release geronimo-specs. If you want, I can work on creating a new project in geronimo-specs.
>>>> Regards.
>>>> Gurkan
>>>> 
>>>> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcortez@yahoo.com.invalid> wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I’ve merged the current state of the code.
>>>>> 
>>>>> In the meanwhile, I’ll write some documentation to help to understand the implementation.
>>>>> 
>>>>> Cheers,
>>>>> Roberto
>>>>> 
>>>>>> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cg...@gmail.com> wrote:
>>>>>> 
>>>>>> Hello Roberto,
>>>>>> Thank you for initiating this integration.
>>>>>> Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit.
>>>>>> Regards.
>>>>>> Gurkan
>>>>>> 
>>>>>> 
>>> --
>>> --
>>> Jean-Louis Monteiro
>>> http://twitter.com/jlouismonteiro
>>> http://www.tomitribe.com
>>> 
>> 


Re: Java EE Security API for EE 8

Posted by Gurkan Erdogdu <cg...@gmail.com>.
I have added geronimo-specs-security_1.0 to geronimo-specs and let
geronimo-dev know about the issue. After receiving some response, I can commit
the code.


Re: Java EE Security API for EE 8

Posted by Gurkan Erdogdu <cg...@gmail.com>.
Ok then I created subtask, https://issues.apache.org/jira/browse/TOMEE-2453
under the main issue, https://issues.apache.org/jira/browse/TOMEE-2365
Can you please assign it to me?


On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <
jlmonteiro@tomitribe.com> wrote:

> That’d be great.
> I have commit permissions so if you need help help or something. Lemme
> know.
>
>
> Le ven. 11 janv. 2019 à 07:12, Gurkan Erdogdu <cg...@gmail.com> a
> écrit :
>
> > Hello Roberto
> > We probably need to move javax.security.enterprise.* package to geronimo
> > specs project (https://github.com/apache/geronimo-specs) and then adding
> > dependency to our javaee-api. After that we also need to release
> > geronimo-specs. If you want, I can work on to create a new project in
> > geronimo-specs.
> > Regards.
> > Gurkan
> >
> > On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez
> <radcortez@yahoo.com.invalid
> > >
> > wrote:
> >
> > > Hi,
> > >
> > > I’ve merged the current state of the code.
> > >
> > > In the meanwhile, I’ll write some documentation to help to understand
> the
> > > implementation.
> > >
> > > Cheers,
> > > Roberto
> > >
> > > > On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cg...@gmail.com> wrote:
> > > >
> > > > Hello Roberto,
> > > > Thank you for initiating this integration.
> > > > Can you prepare a small documentation (and also send to here) which
> > helps
> > > > contributors to understand the internals about your current commit.
> > > > Regards.
> > > > Gurkan
> > > >
> > > >
> > > > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> > > <ra...@yahoo.com.invalid>
> > > > wrote:
> > > >
> > > >> Hi folks,
> > > >>
> > > >> I think I’m now done with the FormAuthentication.
> > > >>
> > > >> There are still things left to implement. At the moment, the code is
> > > part
> > > >> of the project but is not part of the binary. I would like to merge
> > the
> > > >> current PR:
> > > >> https://github.com/apache/tomee/pull/277 <
> > > >> https://github.com/apache/tomee/pull/277>
> > > >>
> > > >> I think this will give a chance for the community to contribute some
> > of
> > > >> the missing pieces. I can make a list in JIRA.
> > > >>
> > > > >> So, if there are no strong opinions about merging this, I will be
> > > > >> doing this at the end of the day.
> > > >>
> > > >> Cheers,
> > > >> Roberto
> > > >>
> > > >>> On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com>
> > wrote:
> > > >>>
> > > >>> Thanks! I’ll have a look!
> > > >>>
> > > >>>> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com>
> > > >> wrote:
> > > >>>>
> > > >>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for
> > > >> Jetty (at eclipse).  The code I’ve found at
> > > >>
> > >
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > > >> <
> > > >>
> > >
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > > >
> > > >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t
> recall
> > > any
> > > >> details of how I modified tomcat’s auth setup: I might have made one
> > > that
> > > >> was more adapted to JASPIC and the geronimo security framework than
> > the
> > > >> plain tomcat one.  If this code is of any use to you, great,
> > otherwise,
> > > >> good luck!
> > > >>>>
> > > >>>> many thanks
> > > >>>> David Jencks
> > > >>>>
> > > >>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
> > > >> <ra...@yahoo.com.INVALID> wrote:
> > > >>>>>
> > > >>>>> Hi David,
> > > >>>>>
> > > >>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> > > >> underneath the implementation, so your code might be a good fit. Can
> > you
> > > >> point me out to the sources so I can have a look?
> > > >>>>>
> > > >>>>> Thank you!
> > > >>>>>
> > > >>>>> Cheers,
> > > >>>>> Roberto
> > > >>>>>
> > > >>>>>> On 28 Dec 2018, at 03:40, David Jencks <
> david.a.jencks@gmail.com>
> > > >> wrote:
> > > >>>>>>
> > > > >>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server
> > > > >>>>>> long ago. Although the JASPIC deployment model was somewhat
> > > > >>>>>> incomprehensibly bizarre, the conversation model was very nice.
> > > > >>>>>> Depending on what the EE 8 api is (I haven’t looked) the JASPIC
> > > > >>>>>> implementation might be a source for webserver-independent code
> > > > >>>>>> for form authentication that could be easily adapted.
> > > >>>>>>
> > > >>>>>> David Jencks
> > > >>>>>>
> > > >>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
> > > >> <ra...@yahoo.com.INVALID> wrote:
> > > >>>>>>>
> > > >>>>>>> Update:
> > > >>>>>>>
> > > > >>>>>>> I’ve started the implementation of the FormAuthenticationMechanism.
> > > > >>>>>>> It is not as easy as it sounds, since it requires some conversation
> > > > >>>>>>> chat across requests. I thought about wrapping all the logic and use
> > > > >>>>>>> the Tomcat FormAuthenticator, since it does exactly what we need.
> > > > >>>>>>> Unfortunately, it is too tied to the Tomcat code and it would require
> > > > >>>>>>> to instantiate a lot of Tomcat objects to be able to use it. I’m not
> > > > >>>>>>> sure if it would be worth it. I ended up following the spec
> > > > >>>>>>> suggestion to use a CDI interceptor and I’m copying / reusing some
> > > > >>>>>>> pieces of the FormAuthentication when possible.
> > > >>>>>>>
> > > >>>>>>> PR updated:
> > > >>>>>>> https://github.com/apache/tomee/pull/277 <
> > > >> https://github.com/apache/tomee/pull/277>
> > > >>>>>>>
> > > >>>>>>> Cheers,
> > > >>>>>>> Roberto
> > > >>>>>>>
> > > >>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez
> > > >> <ra...@yahoo.com.INVALID> wrote:
> > > >>>>>>>>
> > > >>>>>>>> Hi folks,
> > > >>>>>>>>
> > > >>>>>>>> I’ve updated the PR with new changes:
> > > >>>>>>>>
> > > > >>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism
> > > > >>>>>>>> beans and a CDI class to keep track of the mapping between the
> > > > >>>>>>>> authentication mechanism and the servlet that should be checked.
> > > > >>>>>>>> When a Servlet is executed the mapping is checked and if there is an
> > > > >>>>>>>> associated AuthenticationMechanism, we validate the request with the
> > > > >>>>>>>> associated type (Basic, Form, etc).
> > > >>>>>>>>
> > > >>>>>>>> - Implemented the BasicAuthenticationMechanism and all the
> > > plumbing
> > > >> required to be executed. This required an HttpMessageContext to pass
> > > >> information around, plus store some state to make decisions on
> things
> > to
> > > >> do, including the CallbackHandler to pass in additional Callbacks to
> > > create
> > > >> the Principal and Groups
> > > >>>>>>>>
> > > >>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that
> > > >> reads user data from tomcat-users.xml
> > > >>>>>>>>
> > > >>>>>>>> I’ll probably move to implement the missing
> > > >> AuthenticationMechanisms (FORM and Custom) next.
> > > >>>>>>>>
> > > >>>>>>>> Any feedback, always welcomed :)
> > > >>>>>>>>
> > > >>>>>>>> Cheers,
> > > >>>>>>>> Roberto
> > > >>>>>>>>
> > > >>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <brunobat@gmail.com
> >
> > > >> wrote:
> > > >>>>>>>>>
> > > >>>>>>>>> TomEE Security works for me.
> > > >>>>>>>>>
> > > >>>>>>>>> Bruno Baptista
> > > >>>>>>>>> https://twitter.com/brunobat_
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> > > >>>>>>>>>> Hi folks,
> > > >>>>>>>>>>
> > > >>>>>>>>>> Work is progressing.
> > > >>>>>>>>>>
> > > >>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me
> to
> > > >> proceed. I’ve tried to use the Jakarta Security API jar.
> > Unfortunately,
> > > it
> > > >> is full of dependencies to the other Jakarta dependent projects,
> some
> > > not
> > > >> in central yet, so I couldn’t even build the project.
> > > >>>>>>>>>>
> > > > >>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC
> > > > >>>>>>>>>> provider to serve as a bridge to the Security implementation code.
> > > > >>>>>>>>>> With a CDI extension, we can register the required
> > > > >>>>>>>>>> AuthenticationMechanisms and then look them up to delegate the
> > > > >>>>>>>>>> authentication code.
> > > >>>>>>>>>>
> > > > >>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user
> > > > >>>>>>>>>> credentials and retrieve user groups. This is just going through the
> > > > >>>>>>>>>> container registered IdentityStores and using the spec rules to
> > > > >>>>>>>>>> identify the credentials.
> > > >>>>>>>>>>
> > > >>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone
> > has
> > > a
> > > >> more fancy idea for a name, feel free to suggest it :)
> > > >>>>>>>>>>
> > > >>>>>>>>>> Cheers,
> > > >>>>>>>>>> Roberto
> > > >>>>>>>>>>
> > > >>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez
> > > >> <ra...@yahoo.com.INVALID> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> Hi folks,
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> I’ve now created a PR to push the work:
> > > >>>>>>>>>>> https://github.com/apache/tomee/pull/277 <
> > > >> https://github.com/apache/tomee/pull/277>
> > > >>>>>>>>>>>
> > > > >>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of
> > > > >>>>>>>>>>> time trying to understand the spec. The idea here is that with a
> > > > >>>>>>>>>>> ServerAuthModule we could verify each of the spec authentication
> > > > >>>>>>>>>>> mechanisms that will be implemented with a CDI Bean and use a CDI
> > > > >>>>>>>>>>> Extension to create the bean depending on the annotation you use.
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> Cheers,
> > > >>>>>>>>>>> Roberto
> > > >>>>>>>>>>>
> > > >>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez
> > > >> <ra...@yahoo.com.INVALID> wrote:
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> Hi folks,
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> I’ve created
> https://jira.apache.org/jira/browse/TOMEE-2365
> > <
> > > >> https://jira.apache.org/jira/browse/TOMEE-2365> to implement the
> Java
> > > EE
> > > >> Security API that came up in EE 8. We are missing this spec
> > > implementation,
> > > >> and until we have it we cannot even say we are EE 8 compatible.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> I plan to start working on this. If anyone wants to
> > > collaborate
> > > >> with me, let me know.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> Cheers,
> > > >>>>>>>>>>>> Roberto
> > > >>>>>>>>
> > > >>>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>>
> > > >>>
> > > >>
> > > >>
> > >
> > >
> >
> --
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>

Re: Java EE Security API for EE 8

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
That’d be great.
I have commit permissions so if you need help or something. Lemme know.


On Fri, 11 Jan 2019 at 07:12, Gurkan Erdogdu <cg...@gmail.com> wrote:

> Hello Roberto
> We probably need to move javax.security.enterprise.* package to geronimo
> specs project (https://github.com/apache/geronimo-specs) and then add a
> dependency to our javaee-api. After that we also need to release
> geronimo-specs. If you want, I can work on creating a new project in
> geronimo-specs.
> Regards.
> Gurkan
>
> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcortez@yahoo.com.invalid
> >
> wrote:
>
> > Hi,
> >
> > I’ve merged the current state of the code.
> >
> > In the meanwhile, I’ll write some documentation to help to understand the
> > implementation.
> >
> > Cheers,
> > Roberto
> >
> > > On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cg...@gmail.com> wrote:
> > >
> > > Hello Roberto,
> > > Thank you for initiating this integration.
> > > Can you prepare a small documentation (and also send to here) which
> helps
> > > contributors to understand the internals about your current commit.
> > > Regards.
> > > Gurkan
> > >
> > >
> > > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> > <ra...@yahoo.com.invalid>
> > > wrote:
> > >
> > >> Hi folks,
> > >>
> > >> I think I’m now done with the FormAuthentication.
> > >>
> > >> There are still things left to implement. At the moment, the code is
> > part
> > >> of the project but is not part of the binary. I would like to merge
> the
> > >> current PR:
> > >> https://github.com/apache/tomee/pull/277 <
> > >> https://github.com/apache/tomee/pull/277>
> > >>
> > >> I think this will give a chance for the community to contribute some
> of
> > >> the missing pieces. I can make a list in JIRA.
> > >>
> > >> So, if there are no strong opinions about merging this, I will be doing
> > >> this at the end of the day.
> > >>
> > >> Cheers,
> > >> Roberto
> > >>
> > >>> On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com>
> wrote:
> > >>>
> > >>> Thanks! I’ll have a look!
> > >>>
> > >>>> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com>
> > >> wrote:
> > >>>>
> > >>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for
> > >> Jetty (at eclipse).  The code I’ve found at
> > >>
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > >> <
> > >>
> >
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> > >
> > >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall
> > any
> > >> details of how I modified tomcat’s auth setup: I might have made one
> > that
> > >> was more adapted to JASPIC and the geronimo security framework than
> the
> > >> plain tomcat one.  If this code is of any use to you, great,
> otherwise,
> > >> good luck!
> > >>>>
> > >>>> many thanks
> > >>>> David Jencks
> > >>>>
> > >>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
> > >> <ra...@yahoo.com.INVALID> wrote:
> > >>>>>
> > >>>>> Hi David,
> > >>>>>
> > >>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> > >> underneath the implementation, so your code might be a good fit. Can
> you
> > >> point me out to the sources so I can have a look?
> > >>>>>
> > >>>>> Thank you!
> > >>>>>
> > >>>>> Cheers,
> > >>>>> Roberto
> > >>>>>
> > >>>>>> On 28 Dec 2018, at 03:40, David Jencks <da...@gmail.com>
> > >> wrote:
> > >>>>>>
> > >>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server
> > >>>>>> long ago. Although the JASPIC deployment model was somewhat
> > >>>>>> incomprehensibly bizarre, the conversation model was very nice.
> > >>>>>> Depending on what the EE 8 api is (I haven’t looked) the JASPIC
> > >>>>>> implementation might be a source for webserver-independent code
> > >>>>>> for form authentication that could be easily adapted.
> > >>>>>>
> > >>>>>> David Jencks
> > >>>>>>
> > >>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
> > >> <ra...@yahoo.com.INVALID> wrote:
> > >>>>>>>
> > >>>>>>> Update:
> > >>>>>>>
> > >>>>>>> I’ve started the implementation of the FormAuthenticationMechanism.
> > >>>>>>> It is not as easy as it sounds, since it requires some conversation
> > >>>>>>> chat across requests. I thought about wrapping all the logic and use
> > >>>>>>> the Tomcat FormAuthenticator, since it does exactly what we need.
> > >>>>>>> Unfortunately, it is too tied to the Tomcat code and it would require
> > >>>>>>> to instantiate a lot of Tomcat objects to be able to use it. I’m not
> > >>>>>>> sure if it would be worth it. I ended up following the spec
> > >>>>>>> suggestion to use a CDI interceptor and I’m copying / reusing some
> > >>>>>>> pieces of the FormAuthentication when possible.
> > >>>>>>>
> > >>>>>>> PR updated:
> > >>>>>>> https://github.com/apache/tomee/pull/277 <
> > >> https://github.com/apache/tomee/pull/277>
> > >>>>>>>
> > >>>>>>> Cheers,
> > >>>>>>> Roberto
> > >>>>>>>
> > >>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez
> > >> <ra...@yahoo.com.INVALID> wrote:
> > >>>>>>>>
> > >>>>>>>> Hi folks,
> > >>>>>>>>
> > >>>>>>>> I’ve updated the PR with new changes:
> > >>>>>>>>
> > >>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism
> > >>>>>>>> beans and a CDI class to keep track of the mapping between the
> > >>>>>>>> authentication mechanism and the servlet that should be checked.
> > >>>>>>>> When a Servlet is executed the mapping is checked and if there is an
> > >>>>>>>> associated AuthenticationMechanism, we validate the request with the
> > >>>>>>>> associated type (Basic, Form, etc).
> > >>>>>>>>
> > >>>>>>>> - Implemented the BasicAuthenticationMechanism and all the
> > plumbing
> > >> required to be executed. This required an HttpMessageContext to pass
> > >> information around, plus store some state to make decisions on things
> to
> > >> do, including the CallbackHandler to pass in additional Callbacks to
> > create
> > >> the Principal and Groups
> > >>>>>>>>
> > >>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that
> > >> reads user data from tomcat-users.xml
> > >>>>>>>>
> > >>>>>>>> I’ll probably move to implement the missing
> > >> AuthenticationMechanisms (FORM and Custom) next.
> > >>>>>>>>
> > >>>>>>>> Any feedback, always welcomed :)
> > >>>>>>>>
> > >>>>>>>> Cheers,
> > >>>>>>>> Roberto
> > >>>>>>>>
> > >>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <br...@gmail.com>
> > >> wrote:
> > >>>>>>>>>
> > >>>>>>>>> TomEE Security works for me.
> > >>>>>>>>>
> > >>>>>>>>> Bruno Baptista
> > >>>>>>>>> https://twitter.com/brunobat_
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> > >>>>>>>>>> Hi folks,
> > >>>>>>>>>>
> > >>>>>>>>>> Work is progressing.
> > >>>>>>>>>>
> > >>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to
> > >> proceed. I’ve tried to use the Jakarta Security API jar.
> Unfortunately,
> > it
> > >> is full of dependencies to the other Jakarta dependent projects, some
> > not
> > >> in central yet, so I couldn’t even build the project.
> > >>>>>>>>>>
> > >>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC
> > >>>>>>>>>> provider to serve as a bridge to the Security implementation code.
> > >>>>>>>>>> With a CDI extension, we can register the required
> > >>>>>>>>>> AuthenticationMechanisms and then look them up to delegate the
> > >>>>>>>>>> authentication code.
> > >>>>>>>>>>
> > >>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user
> > >>>>>>>>>> credentials and retrieve user groups. This is just going through the
> > >>>>>>>>>> container registered IdentityStores and using the spec rules to
> > >>>>>>>>>> identify the credentials.
> > >>>>>>>>>>
> > >>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone
> has
> > a
> > >> more fancy idea for a name, feel free to suggest it :)
> > >>>>>>>>>>
> > >>>>>>>>>> Cheers,
> > >>>>>>>>>> Roberto
> > >>>>>>>>>>
> > >>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez
> > >> <ra...@yahoo.com.INVALID> wrote:
> > >>>>>>>>>>>
> > >>>>>>>>>>> Hi folks,
> > >>>>>>>>>>>
> > >>>>>>>>>>> I’ve now created a PR to push the work:
> > >>>>>>>>>>> https://github.com/apache/tomee/pull/277 <
> > >> https://github.com/apache/tomee/pull/277>
> > >>>>>>>>>>>
> > >>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of
> > >>>>>>>>>>> time trying to understand the spec. The idea here is that with a
> > >>>>>>>>>>> ServerAuthModule we could verify each of the spec authentication
> > >>>>>>>>>>> mechanisms that will be implemented with a CDI Bean and use a CDI
> > >>>>>>>>>>> Extension to create the bean depending on the annotation you use.
> > >>>>>>>>>>>
> > >>>>>>>>>>> Cheers,
> > >>>>>>>>>>> Roberto
> > >>>>>>>>>>>
> > >>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez
> > >> <ra...@yahoo.com.INVALID> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Hi folks,
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365
> <
> > >> https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java
> > EE
> > >> Security API that came up in EE 8. We are missing this spec
> > implementation,
> > >> and until we have it we cannot even say we are EE 8 compatible.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> I plan to start working on this. If anyone wants to
> > collaborate
> > >> with me, let me know.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Cheers,
> > >>>>>>>>>>>> Roberto
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>
> > >>
> >
> >
>
-- 
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

Re: Java EE Security API for EE 8

Posted by Gurkan Erdogdu <cg...@gmail.com>.
Hello Roberto
We probably need to move javax.security.enterprise.* package to geronimo
specs project (https://github.com/apache/geronimo-specs) and then add a
dependency to our javaee-api. After that we also need to release
geronimo-specs. If you want, I can work on creating a new project in
geronimo-specs.
Regards.
Gurkan

On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <ra...@yahoo.com.invalid>
wrote:

> Hi,
>
> I’ve merged the current state of the code.
>
> In the meanwhile, I’ll write some documentation to help to understand the
> implementation.
>
> Cheers,
> Roberto
>
> > On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cg...@gmail.com> wrote:
> >
> > Hello Roberto,
> > Thank you for initiating this integration.
> > Can you prepare a small documentation (and also send to here) which helps
> > contributors to understand the internals about your current commit.
> > Regards.
> > Gurkan
> >
> >
> > On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez
> <ra...@yahoo.com.invalid>
> > wrote:
> >
> >> Hi folks,
> >>
> >> I think I’m now done with the FormAuthentication.
> >>
> >> There are still things left to implement. At the moment, the code is
> part
> >> of the project but is not part of the binary. I would like to merge the
> >> current PR:
> >> https://github.com/apache/tomee/pull/277 <
> >> https://github.com/apache/tomee/pull/277>
> >>
> >> I think this will give a chance for the community to contribute some of
> >> the missing pieces. I can make a list in JIRA.
> >>
> >> So, if there are no strong opinions about merging this, I will be doing
> >> this at the end of the day.
> >>
> >> Cheers,
> >> Roberto
> >>
> >>> On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com> wrote:
> >>>
> >>> Thanks! I’ll have a look!
> >>>
> >>>> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com>
> >> wrote:
> >>>>
> >>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for
> >> Jetty (at eclipse).  The code I’ve found at
> >>
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> >> <
> >>
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
> >
> >> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall
> any
> >> details of how I modified tomcat’s auth setup: I might have made one
> that
> >> was more adapted to JASPIC and the geronimo security framework than the
> >> plain tomcat one.  If this code is of any use to you, great, otherwise,
> >> good luck!
> >>>>
> >>>> many thanks
> >>>> David Jencks
> >>>>
> >>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
> >> <ra...@yahoo.com.INVALID> wrote:
> >>>>>
> >>>>> Hi David,
> >>>>>
> >>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
> >> underneath the implementation, so your code might be a good fit. Can you
> >> point me out to the sources so I can have a look?
> >>>>>
> >>>>> Thank you!
> >>>>>
> >>>>> Cheers,
> >>>>> Roberto
> >>>>>
> >>>>>> On 28 Dec 2018, at 03:40, David Jencks <da...@gmail.com>
> >> wrote:
> >>>>>>
> >>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server
> >>>>>> long ago. Although the JASPIC deployment model was somewhat
> >>>>>> incomprehensibly bizarre, the conversation model was very nice.
> >>>>>> Depending on what the EE 8 api is (I haven’t looked) the JASPIC
> >>>>>> implementation might be a source for webserver-independent code
> >>>>>> for form authentication that could be easily adapted.
> >>>>>>
> >>>>>> David Jencks
> >>>>>>
> >>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
> >> <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>
> >>>>>>> Update:
> >>>>>>>
> >>>>>>> I’ve started the implementation of the FormAuthenticationMechanism.
> >>>>>>> It is not as easy as it sounds, since it requires some conversation
> >>>>>>> chat across requests. I thought about wrapping all the logic and use
> >>>>>>> the Tomcat FormAuthenticator, since it does exactly what we need.
> >>>>>>> Unfortunately, it is too tied to the Tomcat code and it would require
> >>>>>>> to instantiate a lot of Tomcat objects to be able to use it. I’m not
> >>>>>>> sure if it would be worth it. I ended up following the spec
> >>>>>>> suggestion to use a CDI interceptor and I’m copying / reusing some
> >>>>>>> pieces of the FormAuthentication when possible.
> >>>>>>>
> >>>>>>> PR updated:
> >>>>>>> https://github.com/apache/tomee/pull/277 <
> >> https://github.com/apache/tomee/pull/277>
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>> Roberto
> >>>>>>>
> >>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez
> >> <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>>
> >>>>>>>> Hi folks,
> >>>>>>>>
> >>>>>>>> I’ve updated the PR with new changes:
> >>>>>>>>
> >>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism
> >>>>>>>> beans and a CDI class to keep track of the mapping between the
> >>>>>>>> authentication mechanism and the servlet that should be checked.
> >>>>>>>> When a Servlet is executed the mapping is checked and if there is an
> >>>>>>>> associated AuthenticationMechanism, we validate the request with the
> >>>>>>>> associated type (Basic, Form, etc).
> >>>>>>>>
> >>>>>>>> - Implemented the BasicAuthenticationMechanism and all the
> plumbing
> >> required to be executed. This required an HttpMessageContext to pass
> >> information around, plus store some state to make decisions on things to
> >> do, including the CallbackHandler to pass in additional Callbacks to
> create
> >> the Principal and Groups
> >>>>>>>>
> >>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that
> >> reads user data from tomcat-users.xml
> >>>>>>>>
> >>>>>>>> I’ll probably move to implement the missing
> >> AuthenticationMechanisms (FORM and Custom) next.
> >>>>>>>>
> >>>>>>>> Any feedback, always welcomed :)
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Roberto
> >>>>>>>>
> >>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <br...@gmail.com>
> >> wrote:
> >>>>>>>>>
> >>>>>>>>> TomEE Security works for me.
> >>>>>>>>>
> >>>>>>>>> Bruno Baptista
> >>>>>>>>> https://twitter.com/brunobat_
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> >>>>>>>>>> Hi folks,
> >>>>>>>>>>
> >>>>>>>>>> Work is progressing.
> >>>>>>>>>>
> >>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to
> >> proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately,
> it
> >> is full of dependencies to the other Jakarta dependent projects, some
> not
> >> in central yet, so I couldn’t even build the project.
> >>>>>>>>>>
> >>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC
> >>>>>>>>>> provider to serve as a bridge to the Security implementation code.
> >>>>>>>>>> With a CDI extension, we can register the required
> >>>>>>>>>> AuthenticationMechanisms and then look them up to delegate the
> >>>>>>>>>> authentication code.
> >>>>>>>>>>
> >>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user
> >>>>>>>>>> credentials and retrieve user groups. This is just going through the
> >>>>>>>>>> container registered IdentityStores and using the spec rules to
> >>>>>>>>>> identify the credentials.
> >>>>>>>>>>
> >>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has
> a
> >> more fancy idea for a name, feel free to suggest it :)
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Roberto
> >>>>>>>>>>
> >>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez
> >> <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi folks,
> >>>>>>>>>>>
> >>>>>>>>>>> I’ve now created a PR to push the work:
> >>>>>>>>>>> https://github.com/apache/tomee/pull/277 <
> >> https://github.com/apache/tomee/pull/277>
> >>>>>>>>>>>
> >>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of
> >>>>>>>>>>> time trying to understand the spec. The idea here is that with a
> >>>>>>>>>>> ServerAuthModule we could verify each of the spec authentication
> >>>>>>>>>>> mechanisms that will be implemented with a CDI Bean and use a CDI
> >>>>>>>>>>> Extension to create the bean depending on the annotation you use.
> >>>>>>>>>>>
> >>>>>>>>>>> Cheers,
> >>>>>>>>>>> Roberto
> >>>>>>>>>>>
> >>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez
> >> <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi folks,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 <
> >> https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java
> EE
> >> Security API that came up in EE 8. We are missing this spec
> implementation,
> >> and until we have it we cannot even say we are EE 8 compatible.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I plan to start working on this. If anyone wants to
> collaborate
> >> with me, let me know.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Cheers,
> >>>>>>>>>>>> Roberto
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
>
>

Re: Java EE Security API for EE 8

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hi,

I’ve merged the current state of the code.

In the meanwhile, I’ll write some documentation to help to understand the implementation.

Cheers,
Roberto

> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cg...@gmail.com> wrote:
> 
> Hello Roberto,
> Thank you for initiating this integration.
> Can you prepare a small documentation (and also send to here) which helps
> contributors to understand the internals about your current commit.
> Regards.
> Gurkan
> 
> 
> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <ra...@yahoo.com.invalid>
> wrote:
> 
>> Hi folks,
>> 
>> I think I’m now done with the FormAuthentication.
>> 
>> There are still things left to implement. At the moment, the code is part
>> of the project but is not part of the binary. I would like to merge the
>> current PR:
>> https://github.com/apache/tomee/pull/277 <
>> https://github.com/apache/tomee/pull/277>
>> 
>> I think this will give a chance for the community to contribute some of
>> the missing pieces. I can make a list in JIRA.
>> 
>> So, if there are no strong opinions about merging this, I will be doing
>> this at the end of the day.
>> 
>> Cheers,
>> Roberto
>> 
>>> On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com> wrote:
>>> 
>>> Thanks! I’ll have a look!
>>> 
>>>> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com>
>> wrote:
>>>> 
>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for
>> Jetty (at eclipse).  The code I’ve found at
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>> <
>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/>
>> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any
>> details of how I modified tomcat’s auth setup: I might have made one that
>> was more adapted to JASPIC and the geronimo security framework than the
>> plain tomcat one.  If this code is of any use to you, great, otherwise,
>> good luck!
>>>> 
>>>> many thanks
>>>> David Jencks
>>>> 
>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez
>> <ra...@yahoo.com.INVALID> wrote:
>>>>> 
>>>>> Hi David,
>>>>> 
>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge
>> underneath the implementation, so your code might be a good fit. Can you
>> point me out to the sources so I can have a look?
>>>>> 
>>>>> Thank you!
>>>>> 
>>>>> Cheers,
>>>>> Roberto
>>>>> 
>>>>>> On 28 Dec 2018, at 03:40, David Jencks <da...@gmail.com>
>> wrote:
>>>>>> 
>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server
>>>>>> long ago. Although the JASPIC deployment model was somewhat
>>>>>> incomprehensibly bizarre, the conversation model was very nice.
>>>>>> Depending on what the EE 8 api is (I haven’t looked) the JASPIC
>>>>>> implementation might be a source for webserver-independent code
>>>>>> for form authentication that could be easily adapted.
>>>>>> 
>>>>>> David Jencks
>>>>>> 
>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez
>> <ra...@yahoo.com.INVALID> wrote:
>>>>>>> 
>>>>>>> Update:
>>>>>>> 
>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism.
>>>>>>> It is not as easy as it sounds, since it requires some conversation
>>>>>>> chat across requests. I thought about wrapping all the logic and use
>>>>>>> the Tomcat FormAuthenticator, since it does exactly what we need.
>>>>>>> Unfortunately, it is too tied to the Tomcat code and it would require
>>>>>>> to instantiate a lot of Tomcat objects to be able to use it. I’m not
>>>>>>> sure if it would be worth it. I ended up following the spec
>>>>>>> suggestion to use a CDI interceptor and I’m copying / reusing some
>>>>>>> pieces of the FormAuthentication when possible.
>>>>>>> 
>>>>>>> PR updated:
>>>>>>> https://github.com/apache/tomee/pull/277 <
>> https://github.com/apache/tomee/pull/277>
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> Roberto
>>>>>>> 
>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez
>> <ra...@yahoo.com.INVALID> wrote:
>>>>>>>> 
>>>>>>>> Hi folks,
>>>>>>>> 
>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>> 
>>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism
>>>>>>>> beans and a CDI class to keep track of the mapping between the
>>>>>>>> authentication mechanism and the servlet that should be checked.
>>>>>>>> When a Servlet is executed the mapping is checked and if there is an
>>>>>>>> associated AuthenticationMechanism, we validate the request with the
>>>>>>>> associated type (Basic, Form, etc).
>>>>>>>> 
>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing
>> required to be executed. This required an HttpMessageContext to pass
>> information around, plus store some state to make decisions on things to
>> do, including the CallbackHandler to pass in additional Callbacks to create
>> the Principal and Groups
>>>>>>>> 
>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that
>> reads user data from tomcat-users.xml
>>>>>>>> 
>>>>>>>> I’ll probably move to implement the missing
>> AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>> 
>>>>>>>> Any feedback, always welcomed :)
>>>>>>>> 
>>>>>>>> Cheers,
>>>>>>>> Roberto
>>>>>>>> 
>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <br...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> TomEE Security works for me.
>>>>>>>>> 
>>>>>>>>> Bruno Baptista
>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>> Hi folks,
>>>>>>>>>> 
>>>>>>>>>> Work is progressing.
>>>>>>>>>> 
>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>>>> 
>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>>>> 
>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>>>> 
>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>> 
>>>>>>>>>> Cheers,
>>>>>>>>>> Roberto
>>>>>>>>>> 
>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi folks,
>>>>>>>>>>> 
>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>> https://github.com/apache/tomee/pull/277 <https://github.com/apache/tomee/pull/277>
>>>>>>>>>>> 
>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>>>> 
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Roberto
>>>>>>>>>>> 
>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>> 
>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 <https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>> 
>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>>>> 
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>> 


Re: Java EE Security API for EE 8

Posted by Gurkan Erdogdu <cg...@gmail.com>.
Hello Roberto,
Thank you for initiating this integration.
Can you prepare a small documentation (and also send to here) which helps
contributors to understand the internals about your current commit?
Regards.
Gurkan


On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <ra...@yahoo.com.invalid> wrote:

> Hi folks,
>
> I think I’m now done with the FormAuthentication.
>
> There are still things left to implement. At the moment, the code is part
> of the project but is not part of the binary. I would like to merge the
> current PR:
> https://github.com/apache/tomee/pull/277 <https://github.com/apache/tomee/pull/277>
>
> I think this will give a chance for the community to contribute some of
> the missing pieces. I can make a list in JIRA.
>
> So, if there are no strong opinions about merging this, I will be doing
> this at the end of the day.
>
> Cheers,
> Roberto
>
> > On 30 Dec 2018, at 23:42, Roberto Cortez <ra...@yahoo.com> wrote:
> >
> > Thanks! I’ll have a look!
> >
> >> On 28 Dec 2018, at 20:34, David Jencks <da...@gmail.com> wrote:
> >>
> >> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse).  The code I’ve found at http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ <http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/> includes a FormAuthenticator and a JaspiAuthenticator.  I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one.  If this code is of any use to you, great, otherwise, good luck!
> >>
> >> many thanks
> >> David Jencks
> >>
> >>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> >>>
> >>> Hi David,
> >>>
> >>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
> >>>
> >>> Thank you!
> >>>
> >>> Cheers,
> >>> Roberto
> >>>
> >>>> On 28 Dec 2018, at 03:40, David Jencks <da...@gmail.com> wrote:
> >>>>
> >>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
> >>>>
> >>>> David Jencks
> >>>>
> >>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> >>>>>
> >>>>> Update:
> >>>>>
> >>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and using the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require instantiating a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
> >>>>>
> >>>>> PR updated:
> >>>>> https://github.com/apache/tomee/pull/277 <https://github.com/apache/tomee/pull/277>
> >>>>>
> >>>>> Cheers,
> >>>>> Roberto
> >>>>>
> >>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> >>>>>>
> >>>>>> Hi folks,
> >>>>>>
> >>>>>> I’ve updated the PR with new changes:
> >>>>>>
> >>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
> >>>>>>
> >>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
> >>>>>>
> >>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
> >>>>>>
> >>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
> >>>>>>
> >>>>>> Any feedback, always welcomed :)
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Roberto
> >>>>>>
> >>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <br...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> TomEE Security works for me.
> >>>>>>>
> >>>>>>> Bruno Baptista
> >>>>>>> https://twitter.com/brunobat_
> >>>>>>>
> >>>>>>>
> >>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
> >>>>>>>> Hi folks,
> >>>>>>>>
> >>>>>>>> Work is progressing.
> >>>>>>>>
> >>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
> >>>>>>>>
> >>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
> >>>>>>>>
> >>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
> >>>>>>>>
> >>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
> >>>>>>>>
> >>>>>>>> Cheers,
> >>>>>>>> Roberto
> >>>>>>>>
> >>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi folks,
> >>>>>>>>>
> >>>>>>>>> I’ve now created a PR to push the work:
> >>>>>>>>> https://github.com/apache/tomee/pull/277 <https://github.com/apache/tomee/pull/277>
> >>>>>>>>>
> >>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
> >>>>>>>>>
> >>>>>>>>> Cheers,
> >>>>>>>>> Roberto
> >>>>>>>>>
> >>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <ra...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi folks,
> >>>>>>>>>>
> >>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 <https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>>
> >>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
> >>>>>>>>>>
> >>>>>>>>>> Cheers,
> >>>>>>>>>> Roberto
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
>
>
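
The quoted 19 Dec message describes a default IdentityStoreHandler that goes through the registered IdentityStores and applies the spec rules. The following is an added Java example of those rules, not code from PR 277 or from TomEE. It assumes the EE 8 javax.security.enterprise API is on the classpath; the class name is hypothetical, and the stores are passed to the constructor instead of being looked up through CDI.

```java
import java.util.*;
import java.util.stream.Collectors;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.*;
import static javax.security.enterprise.identitystore.CredentialValidationResult.*;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.*;

// Hypothetical class name; added illustration, not TomEE's own handler.
public class ExampleIdentityStoreHandler implements IdentityStoreHandler {
    private final List<IdentityStore> validators;     // stores declaring VALIDATE
    private final List<IdentityStore> groupProviders; // stores declaring PROVIDE_GROUPS only

    public ExampleIdentityStoreHandler(Collection<IdentityStore> stores) {
        // A lower priority() value means the store is consulted first.
        List<IdentityStore> byPriority = stores.stream()
                .sorted(Comparator.comparingInt(IdentityStore::priority))
                .collect(Collectors.toList());
        validators = byPriority.stream()
                .filter(s -> s.validationTypes().contains(VALIDATE))
                .collect(Collectors.toList());
        groupProviders = byPriority.stream()
                .filter(s -> s.validationTypes().contains(PROVIDE_GROUPS)
                        && !s.validationTypes().contains(VALIDATE))
                .collect(Collectors.toList());
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        boolean sawInvalid = false;
        for (IdentityStore store : validators) {
            CredentialValidationResult result = store.validate(credential);
            if (result.getStatus() == Status.VALID) {
                return withGroups(store, result); // first VALID answer wins
            }
            // One INVALID answer outranks any number of NOT_VALIDATED answers.
            sawInvalid |= result.getStatus() == Status.INVALID;
        }
        return sawInvalid ? INVALID_RESULT : NOT_VALIDATED_RESULT;
    }

    private CredentialValidationResult withGroups(IdentityStore validator, CredentialValidationResult result) {
        Set<String> groups = new HashSet<>();
        // The validating store's groups count only if it also declares PROVIDE_GROUPS.
        if (validator.validationTypes().contains(PROVIDE_GROUPS)) {
            groups.addAll(result.getCallerGroups());
        }
        for (IdentityStore provider : groupProviders) {
            groups.addAll(provider.getCallerGroups(result));
        }
        return new CredentialValidationResult(result.getIdentityStoreId(), result.getCallerPrincipal(),
                result.getCallerDn(), result.getCallerUniqueId(), groups);
    }
}
```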