Hi,

Thanks for all your help. I've made the pac4j integration work in Knox (using a simple basic auth where login = pwd or a remote CAS server).

I have two points left (before more tests and documentation):

1) In my Pac4jIdentityAdapter, I successfully retrieved the authenticated user and performed a doAs with it, but I still end up with an error 500. Putting a breakpoint in the WebSSOResource, I get null as the authenticated user (Principal p = ((HttpServletRequest)request).getUserPrincipal();). Doing more debugging, I see that the original request in my Pac4jIdentityAdapter is a XForwardedHeaderRequestWrapper, then a filter is called: RegexIdentityAssertionFilter, which encapsulates the request in a new one: IdentityAsserterHttpServletRequestWrapper. So I don't understand why this filter comes into play and why my authenticated subject is "lost".

2) To save session data, I use cookies: for each key, I have a cookie whose value is the serialized object in base64. I don't think it's secure enough, especially for the authenticated user profile. I think I could use the JWTokenAuthority to wrap data in a token: does it make sense to use it? Is there any other way to secure data? What's your recommendation / expectation? In a token, it seems I can only set a subject, issuer, audience and no extra attributes: am I getting it right?

I updated the pull request with my latest source code: https://github.com/apache/knox/pull/2

Thanks.
Best regards,
Jérôme

2015-11-24 21:25 GMT+01:00 larry mccay <[email protected]>:

> Yes, look at the code that "blindly copies the parameters as filter init
> params in your Pac4jFederationProviderContributor
> There is a toLowerCase, there is no reason that you need that and if you
> are case sensitive in your external code then you should remove it.
>
> On Tue, Nov 24, 2015 at 3:16 PM, Jérôme LELEU <[email protected]> wrote:
>
> > Hi,
> >
> > You were right: there was an issue between my xalan dependency (excluding
> > it solves the problem for now).
> >
> > But I've noticed something else: even when defining a provider parameter
> > like NAME, I get name as servlet parameter: are the values transformed in
> > lower case when injected in filters or am I missing something?
> >
> > Thanks.
> > Best regards,
> > Jérôme
> >
> > 2015-11-24 16:38 GMT+01:00 larry mccay <[email protected]>:
> >
> > > We may need to change that line in XmlGatewayDescriptorExporter - try
> > > replacing it with the following:
> > >
> > > t.setOutputProperty(OutputKeys.INDENT, "yes");
> > > t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
> > >
> > > Not sure why you got the next error when you commented it out.
> > > Again, it may be due to a mismatch in xalan dependencies or some other
> > > transformation provider.
> > >
> > > I suspect that we are somehow clashing with your dependency on xalan and
> > > our jetty dependencies.
> > >
> > > On Tue, Nov 24, 2015 at 10:08 AM, Jérôme LELEU <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > I updated the pull request with my latest changes:
> > > >
> > > > https://github.com/apache/knox/pull/2/files#diff-3b70d7177f6e0b395f99316a73bb71b0R17
> > > >
> > > > Thanks.
> > > > Best regards,
> > > > Jérôme
> > > >
> > > > 2015-11-24 16:04 GMT+01:00 larry mccay <[email protected]>:
> > > >
> > > > > Hi Jérôme -
> > > > >
> > > > > That's a new one for me.
> > > > > Strikes me as a library mismatch or something.
> > > > >
> > > > > What does your pom.xml look like?
> > > > >
> > > > > thanks,
> > > > >
> > > > > --larry
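
Added example, not part of the thread and not Knox or pac4j code: on point 2 of the top message (session data kept in cookies as base64-serialized objects), one way to make such a cookie tamper-evident is to attach an HMAC-SHA256 tag and verify it before anything is deserialized. The class name SignedCookieCodec, the cookie name pac4jUserProfile and the demo secret are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not a Knox or pac4j class): authenticates a cookie value
// with HMAC-SHA256 so the server only deserializes bytes it issued itself.
public class SignedCookieCodec {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    public SignedCookieCodec(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(String name, byte[] payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Bind the tag to the cookie name so a value cannot be replayed under another key.
        m.update(name.getBytes(StandardCharsets.UTF_8));
        m.update((byte) 0);
        return m.doFinal(payload);
    }

    public String encode(String name, byte[] payload) throws Exception {
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(name, payload));
    }

    // Returns the payload only if the tag verifies; throws before any deserialization.
    public byte[] decode(String name, String cookieValue) throws Exception {
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 2) throw new SecurityException("malformed cookie");
        byte[] payload = DEC.decode(parts[0]);
        byte[] tag = DEC.decode(parts[1]);
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(mac(name, payload), tag)) throw new SecurityException("cookie signature mismatch");
        return payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret and payload; a real key would come from protected configuration.
        SignedCookieCodec codec = new SignedCookieCodec("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String value = codec.encode("pac4jUserProfile", "serialized-profile-bytes".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(codec.decode("pac4jUserProfile", value), StandardCharsets.UTF_8));
        try {
            codec.decode("pac4jUserProfile", "A" + value.substring(1)); // first payload character altered
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The tag gives integrity only: the profile bytes are still readable by whoever holds the cookie, so confidentiality would need encryption on top.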
