KNOX-641 and KNOX-642 have both been committed to master. There is a new docs book where you can check out the pac4j docs available: http://knox.apache.org/books/knox-0-8-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect
I have some additional ideas for the docs that I will roll out in the next few days. We need to discuss the identity assertion approach for 0.8.0. I think we are on track for 1/29 release date. On Fri, Jan 15, 2016 at 11:06 AM, larry mccay <lmc...@apache.org> wrote: > Excellent - it worked! > > I will review the docs with the hurdles that I had to overcome in mind. > Hoping to get this committed today. :) > > On Fri, Jan 15, 2016 at 11:02 AM, larry mccay <lmc...@apache.org> wrote: > >> Okay - got past that now.... >> We are getting closer! >> >> On Fri, Jan 15, 2016 at 10:56 AM, Jérôme LELEU <lel...@gmail.com> wrote: >> >>> Hi, >>> >>> We have one callback url (the KnoxSSO url) and multiple identity >>> providers >>> so to distinguish between all clients, pac4j uses the callback url + the >>> client_name parameter (Clients.DEFAULT_CLIENT_NAME_PARAMETER). >>> >>> The redirection url generated to the identity provider has this >>> client_name >>> parameter: this is why it works well with the CAS server which redirects >>> the user (after a successfull url) to the originally provided url. >>> >>> For Okta, on server side, the redirection relies on the defined url. *So >>> you must define the callback url in Okta as your KnoxSSO url + the >>> client_name parameter = SAML2Client*. >>> >>> I myself have >>> https://127.0.0.1:8443/gateway/idp/api/v1/websso?client_name=SAML2Client >>> for my Okta app. And the logic of the pac4j gateway provider is based on >>> this client_name parameter to know if it's a callback or an access call. >>> Hence the infinite loop in your case. >>> >>> I guess we need to add a warning in the documentation for that. Just let >>> met know how you want to proceed. >>> >>> Thanks. >>> Best regards, >>> Jérôme >>> >>> >>> >>> >>> >>> 2016-01-15 16:38 GMT+01:00 larry mccay <lmc...@apache.org>: >>> >>> > Hi Jérôme - >>> > >>> > Thanks for the updated docs - I will take a look today. >>> > >>> > I am currently still trying to test okta and stuck in a redirect loop. >>> > Did you have to change anything in order to get the >>> > request.getParameter(Clients.DEFAULT_CLIENT_NAME_PARAMETER) >>> > set for the callbacks from okta? It is null in my environment and >>> therefore >>> > it moves on to the following: >>> > >>> > // otherwise just apply security and requires authentication >>> > >>> > // apply RequiresAuthenticationFilter >>> > >>> > requiresAuthenticationFilter.doFilter(servletRequest, >>> > servletResponse, filterChain); >>> > >>> > which obviously results in the redirect loop. >>> > >>> > Curious whether you ran into that... >>> > >>> > thanks, >>> > >>> > --larry >>> > >>> > On Fri, Jan 15, 2016 at 4:00 AM, Jérôme LELEU <lel...@gmail.com> >>> wrote: >>> > >>> > > Hi, >>> > > >>> > > I just uploaded a new patch for the documentation with the links >>> pointing >>> > > to the pac4j wiki. It should be clearer. >>> > > >>> > > Thanks. >>> > > Best regards, >>> > > Jérôme >>> > > >>> > > >>> > > 2016-01-14 13:20 GMT+01:00 larry mccay <lmc...@apache.org>: >>> > > >>> > > > That sounds pretty reasonable. >>> > > > I will likely document a few of the integrations that are possible >>> in >>> > > > blogs/tutorials anyway. >>> > > > >>> > > > I don't want testing of Knox at release time to have to jump >>> around to >>> > > much >>> > > > in order to be able to test. >>> > > > I think we can make that all good though. >>> > > > >>> > > > I will see what I can do with okta today. >>> > > > >>> > > > On Thu, Jan 14, 2016 at 5:00 AM, Jérôme LELEU <lel...@gmail.com> >>> > wrote: >>> > > > >>> > > > > Hi, >>> > > > > >>> > > > > Yes, the documentation is a bit too light. But you guessed it >>> right: >>> > we >>> > > > > need to have a keystore for encryption. >>> > > > > >>> > > > > The saml.identityProviderMetadataPath can point to a local >>> resource >>> > or >>> > > > to a >>> > > > > remote one, using the right prefix: resource:, file: or an url >>> (by >>> > > > default, >>> > > > > it is a file path). This must be documented though. >>> > > > > >>> > > > > With Okta, I used the defined url (Single Sign On URL = Recipient >>> > URL = >>> > > > > Destination URL) for the serviceProviderEntityId, but I think it >>> may >>> > > > > depends on IdP as well. Reading the spec, it must be an URI, but >>> I'm >>> > > not >>> > > > > sure if the SP metadata should be really available on this url. >>> For >>> > > Okta, >>> > > > > it doesn't matter. >>> > > > > >>> > > > > According to your SAML configuration, the SP metadata will be >>> > generated >>> > > > > somewhere and this somewhere can be defined via the >>> > > > > serviceProviderMetadataPath parameter. You generally need to >>> update >>> > > your >>> > > > > metadata to the IdP (not required for Okta though). Both the SP >>> and >>> > IdP >>> > > > > must know each other. >>> > > > > >>> > > > > When writing the documentation, I went fast on these parameters >>> with >>> > > the >>> > > > > feeling they were regular ones, but indeed, the description in >>> the >>> > Knox >>> > > > > manual is not enough. This is somehow a bit normal as the real >>> > > > > documentation for SAML is on the SAML wiki: >>> > > > > >>> https://github.com/pac4j/pac4j/wiki/Clients#details-for-saml-support >>> > > > > >>> > > > > So I propose to keep the Knox documentation mostly "as is", but >>> add >>> > > links >>> > > > > to the pac4j wiki (where I could more easily made updates). All >>> pac4j >>> > > > > integrations need this documentation so it's better to >>> centralize it, >>> > > > from >>> > > > > my point of view. What do you think? >>> > > > > >>> > > > > Thanks. >>> > > > > Best regards, >>> > > > > Jérôme >>> > > > > >>> > > > > >>> > > > > >>> > > > > 2016-01-13 19:37 GMT+01:00 larry mccay <lmc...@apache.org>: >>> > > > > >>> > > > > > Hi Jérôme - >>> > > > > > >>> > > > > > I'm trying to configure the pac4j provider for an okta >>> > "application" >>> > > > > that I >>> > > > > > created. >>> > > > > > The following (from KNOX-642 docs patch) isn't quite enough to >>> make >>> > > it >>> > > > > > clear to me how to go about doing so: >>> > > > > > >>> > > > > > +saml.keystorePassword | Password of the keystore >>> > > (storepass) >>> > > > > > +saml.privateKeyPassword | Password for the private >>> key >>> > > > > (keypass) >>> > > > > > +saml.keystorePath | Path of the keystore >>> > > > > > +saml.identityProviderMetadataPath | Path of the >>> identity >>> > > > > > provider metadata >>> > > > > > +saml.maximumAuthenticationLifetime | Maximum >>> lifetime >>> > for >>> > > > > > authentication >>> > > > > > +saml.serviceProviderEntityId | Identifier of the >>> service >>> > > > > > provider >>> > > > > > +saml.serviceProviderMetadataPath | Path of the >>> service >>> > > > > provider >>> > > > > > metadata >>> > > > > > >>> > > > > > I assume that I can use the gateway.jks keystore and the >>> > > > gateway-identity >>> > > > > > keypair to do the request signing and that that information is >>> what >>> > > is >>> > > > > > needed for the first 3 params. Unfortunately, I don't see any >>> use >>> > of >>> > > > > > gateway services to get the master secret therefore it needs >>> to be >>> > in >>> > > > > clear >>> > > > > > text here. This won't work - but may not be a show stopper for >>> > > > committing >>> > > > > > to master as long as we follow up with a fix. >>> > > > > > >>> > > > > > Can saml.identityProviderMetadataPath point to a remote >>> location or >>> > > > does >>> > > > > it >>> > > > > > have to be local to the SP application. This would likely >>> require >>> > it >>> > > to >>> > > > > be >>> > > > > > on the local filesystem, provisioned by the contributor into >>> the >>> > > > > generated >>> > > > > > web app or in some central location via NFS or something like >>> that. >>> > > > > > >>> > > > > > The okta application that I created is called KnoxSSO - is >>> that the >>> > > > value >>> > > > > > for saml.serviceProviderEntityId? >>> > > > > > >>> > > > > > The saml.serviceProviderMetadataPath has the same questions as >>> the >>> > > > > metadata >>> > > > > > for the IDP. In addition, is there a sample metadata file that >>> we >>> > can >>> > > > > > provide for the use of pac4j with KnoxSSO? >>> > > > > > >>> > > > > > I think that getting this working and clean (no clear text >>> > passwords) >>> > > > > will >>> > > > > > make a great feature and blog for featuring pac4j provider and >>> the >>> > > > 0.8.0 >>> > > > > > release. So, let's try and iron this out clearly. >>> > > > > > >>> > > > > > I would really like to get this working and committed in the >>> next >>> > > > couple >>> > > > > > days to free us up for follow up items. In particular we need >>> time >>> > to >>> > > > > > figure out whether the identity assertion providers that we >>> > currently >>> > > > > have >>> > > > > > will suffice for an apache release that is featuring this new >>> > > > > > functionality. >>> > > > > > >>> > > > > > I will also add the above comments/questions to the JIRA for >>> > > > visibility. >>> > > > > > >>> > > > > > thanks, >>> > > > > > >>> > > > > > --larry >>> > > > > > >>> > > > > > On Fri, Jan 8, 2016 at 12:40 PM, larry mccay < >>> lmc...@apache.org> >>> > > > wrote: >>> > > > > > >>> > > > > > > Jérôme - >>> > > > > > > >>> > > > > > > My testing of OpenID Connect is blocked. >>> > > > > > > Can you see the comments in KNOX-641? >>> > > > > > > >>> > > > > > > thanks, >>> > > > > > > >>> > > > > > > --larry >>> > > > > > > >>> > > > > > > On Wed, Jan 6, 2016 at 2:30 PM, larry mccay < >>> > larry.mc...@gmail.com >>> > > > >>> > > > > > wrote: >>> > > > > > > >>> > > > > > >> Jérôme - >>> > > > > > >> >>> > > > > > >> Please see the comments on KNOX-641. >>> > > > > > >> >>> > > > > > >> thanks, >>> > > > > > >> >>> > > > > > >> --larry >>> > > > > > >> >>> > > > > > >> On Wed, Jan 6, 2016 at 11:24 AM, Kevin Minder < >>> > > > > > >> kevin.min...@hortonworks.com> wrote: >>> > > > > > >> >>> > > > > > >>> I can certainly appreciate the issue of including external >>> > > > resources >>> > > > > in >>> > > > > > >>> automated tests. Nothing has driven me more crazy over the >>> > > years. >>> > > > > The >>> > > > > > >>> flip side of this of course is not finding out about a >>> breakage >>> > > > until >>> > > > > > >>> someone is willing to go through the manual testing which >>> will >>> > > > > > typically >>> > > > > > >>> happen just before a release. Also the implication is that >>> > these >>> > > > > > testing >>> > > > > > >>> procedures must be very will documented so that they can be >>> > > > continue >>> > > > > > to be >>> > > > > > >>> run once any of us are no longer active in the project. >>> > > > > > >>> >>> > > > > > >>> >>> > > > > > >>> >>> > > > > > >>> On 1/6/16, 2:12 AM, "Jérôme LELEU" <lel...@gmail.com> >>> wrote: >>> > > > > > >>> >>> > > > > > >>> >Hi, >>> > > > > > >>> > >>> > > > > > >>> >Yes, you can hit the CAS server at Heroku. Notice it's a >>> > Heroku >>> > > > free >>> > > > > > >>> server >>> > > > > > >>> >so it needs to be re-activated first (it takes a couple of >>> > > > seconds). >>> > > > > > So >>> > > > > > >>> for >>> > > > > > >>> >a UI test, you should first hit it, wait 30 seconds and >>> then >>> > > > perform >>> > > > > > the >>> > > > > > >>> >test. >>> > > > > > >>> > >>> > > > > > >>> >Just my 2 cents: >>> > > > > > >>> >Using automated UI tests was my first strategy for pac4j >>> but >>> > I >>> > > > > > finally >>> > > > > > >>> >gave up because public providers change very often, at >>> least >>> > > > enough >>> > > > > to >>> > > > > > >>> make >>> > > > > > >>> >the maintenance tests a nightmare. Currently, I'm using >>> manual >>> > > > tests >>> > > > > > >>> (the >>> > > > > > >>> >same for all demos), it takes me around 5 minutes to play >>> them >>> > > all >>> > > > > by >>> > > > > > >>> hand >>> > > > > > >>> >(for a demo) and I launched manually the UI tests I have >>> for >>> > > every >>> > > > > > major >>> > > > > > >>> >pac4j release. Just to say UI tests are not that easy. >>> For a >>> > CAS >>> > > > > > server, >>> > > > > > >>> >it's fairly feasible as the CAS server and protocol change >>> > > rarely. >>> > > > > > >>> >That's why for Knox, I did some compromise with a >>> simulated >>> > web >>> > > > test >>> > > > > > >>> (based >>> > > > > > >>> >on the basic auth). See: >>> > > > > > >>> > >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> https://github.com/apache/knox/pull/2/files#diff-d0c880ca71b310dbe57975c577535e97R47 >>> > > > > > >>> > >>> > > > > > >>> >Thanks. >>> > > > > > >>> >Best regards, >>> > > > > > >>> >Jérôme >>> > > > > > >>> > >>> > > > > > >>> > >>> > > > > > >>> > >>> > > > > > >>> >2016-01-05 21:20 GMT+01:00 Kevin Minder < >>> > > > > kevin.min...@hortonworks.com >>> > > > > > >: >>> > > > > > >>> > >>> > > > > > >>> >> From my perspective it would be ideal if there were some >>> > > > > automatable >>> > > > > > >>> >> functional tests for this. I’m not advocating that >>> these be >>> > > > > > something >>> > > > > > >>> >> included in “mvn clean install” as that is running too >>> long >>> > as >>> > > > it >>> > > > > > is. >>> > > > > > >>> >> Given that I don’t have as much context as Larry, I have >>> > some >>> > > > > > >>> questions >>> > > > > > >>> >> about what this would take. Lets say we had permission >>> to >>> > hit >>> > > > > > >>> >> https://casserverpac4j.herokuapp.com/login as part of >>> some >>> > > low >>> > > > > > >>> frequency >>> > > > > > >>> >> automated tests (e.g. Once nighty). What static >>> credentials >>> > > and >>> > > > > > >>> other test >>> > > > > > >>> >> automation infrastructure would need to be implemented >>> in >>> > > > support >>> > > > > of >>> > > > > > >>> this? >>> > > > > > >>> >> I understand that the test suite would require at a >>> minimum >>> > > > > > >>> >> 1) a test driver >>> > > > > > >>> >> 2) a protected mock UI and >>> > > > > > >>> >> 3) an appropriately configured Knox >>> > > > > > >>> >> 4) a profile enabled maven module >>> > > > > > >>> >> 5) an Apache jenkins job >>> > > > > > >>> >> but I’m sure I’m missing other things. I’m certainly >>> > willing >>> > > to >>> > > > > > help >>> > > > > > >>> >> setup the skeleton infrastructure (e.g. test driver, >>> mock >>> > UI, >>> > > > > maven >>> > > > > > >>> module, >>> > > > > > >>> >> jenkins job) >>> > > > > > >>> >> >>> > > > > > >>> >> >>> > > > > > >>> >> >>> > > > > > >>> >> On 1/5/16, 2:54 PM, "larry mccay" < >>> larry.mc...@gmail.com> >>> > > > wrote: >>> > > > > > >>> >> >>> > > > > > >>> >> >Okay, very good. >>> > > > > > >>> >> >I've used TestShib for the picketlink provider - >>> thanks for >>> > > the >>> > > > > > >>> pointers! >>> > > > > > >>> >> > >>> > > > > > >>> >> >On Tue, Jan 5, 2016 at 1:38 PM, Jérôme LELEU < >>> > > lel...@gmail.com >>> > > > > >>> > > > > > >>> wrote: >>> > > > > > >>> >> > >>> > > > > > >>> >> >> The online CAS server ( >>> > > > > > https://casserverpac4j.herokuapp.com/login) >>> > > > > > >>> uses >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> CAS protocol. SAML support can be tested using some >>> > online >>> > > > IdP >>> > > > > > like >>> > > > > > >>> >> Okta, >>> > > > > > >>> >> >> TestShib, OpenFeide, Ssocircle... >>> > > > > > >>> >> >> >>> > > > > > >>> >> >> >>> > > > > > >>> >> >> 2016-01-05 17:32 GMT+01:00 larry mccay < >>> > > > larry.mc...@gmail.com >>> > > > > >: >>> > > > > > >>> >> >> >>> > > > > > >>> >> >> > Great - thanks for that pointer! >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> > I will take a look at that and help drive the >>> release >>> > > > related >>> > > > > > >>> testing. >>> > > > > > >>> >> >> > Merge testing will be gated on CAS server (is this >>> SAML >>> > > or >>> > > > > CAS >>> > > > > > >>> >> protocol?) >>> > > > > > >>> >> >> > and testBasicAuth. >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> > On Tue, Jan 5, 2016 at 10:52 AM, Jérôme LELEU < >>> > > > > > lel...@gmail.com> >>> > > > > > >>> >> wrote: >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> > > Hi, >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > Glad to hear back from you! >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > The core pac4j project is fully tested by unit >>> tests >>> > > (and >>> > > > > > some >>> > > > > > >>> >> >> > integration >>> > > > > > >>> >> >> > > tests I run for major version), then all pac4j >>> > > > > > implementations >>> > > > > > >>> are >>> > > > > > >>> >> each >>> > > > > > >>> >> >> > > tested by the appropriate demo: j2e-pac4j-demo >>> tests >>> > > > > > j2e-pac4j, >>> > > > > > >>> >> >> > > spring-webmvc-pac4j-demo tests >>> spring-webmvc-pac4j, >>> > > etc. >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > So if you take a look at: >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> https://github.com/pac4j/j2e-pac4j-demo/blob/master/src/main/java/org/pac4j/demo/j2e/config/DemoConfigFactory.java#L27 >>> > > > > > >>> >> >> > > (for example), you have all the required >>> information >>> > to >>> > > > > test. >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > I can do that on my own, but it can be good for >>> the >>> > > Knox >>> > > > > > >>> community >>> > > > > > >>> >> to >>> > > > > > >>> >> >> > start >>> > > > > > >>> >> >> > > working / testing the pac4j support. It's up to >>> yoy. >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > Thanks. >>> > > > > > >>> >> >> > > Best regards, >>> > > > > > >>> >> >> > > Jérôme >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > 2016-01-05 16:11 GMT+01:00 larry mccay < >>> > > > > > larry.mc...@gmail.com >>> > > > > > >>> >: >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > > > Hello Jérôme - >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > Happy New Year! >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > I am going to start reviewing your updates >>> today, >>> > > > > > hopefully. >>> > > > > > >>> >> >> > > > I was thinking that we need to start >>> discussions on >>> > > > what >>> > > > > > the >>> > > > > > >>> key >>> > > > > > >>> >> >> > usecases >>> > > > > > >>> >> >> > > > are and how to go about testing them. >>> > > > > > >>> >> >> > > > We can certainly test the testBasicAuth and >>> against >>> > > the >>> > > > > > >>> hosted CAS >>> > > > > > >>> >> >> > server >>> > > > > > >>> >> >> > > > but what about FB, openid, OAuth, etc? >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > I'm not sure that FB would be a key feature but >>> > > OpenID >>> > > > > > >>> Connect and >>> > > > > > >>> >> >> > OAuth >>> > > > > > >>> >> >> > > > would be - as is SAML. >>> > > > > > >>> >> >> > > > I think CAS buys us SAML testing - assuming >>> that >>> > the >>> > > > > > >>> >> configuration of >>> > > > > > >>> >> >> > the >>> > > > > > >>> >> >> > > > hosted server is actually a SAML 2 instance. >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > What about the others? >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > I don't know that we need to be able to test >>> them >>> > all >>> > > > > > before >>> > > > > > >>> merge >>> > > > > > >>> >> >> but >>> > > > > > >>> >> >> > > some >>> > > > > > >>> >> >> > > > sort of manual verification would be great. >>> > > > > > >>> >> >> > > > We would need to be able to test them before >>> the >>> > next >>> > > > > > release >>> > > > > > >>> >> which >>> > > > > > >>> >> >> > would >>> > > > > > >>> >> >> > > > be featuring the pac4j functionality. >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > Maybe you can describe how you go about testing >>> > such >>> > > > > things >>> > > > > > >>> for >>> > > > > > >>> >> the >>> > > > > > >>> >> >> > pac4j >>> > > > > > >>> >> >> > > > project itself? >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > thanks, >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > --larry >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > On Tue, Jan 5, 2016 at 9:55 AM, Jérôme LELEU < >>> > > > > > >>> lel...@gmail.com> >>> > > > > > >>> >> >> wrote: >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > > > Hi, >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > Happy new year! >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > A few days ago, I updated my patch of the >>> pac4j >>> > > > gateway >>> > > > > > >>> provider >>> > > > > > >>> >> >> > > > according >>> > > > > > >>> >> >> > > > > to all comments on >>> > > > > > >>> >> https://issues.apache.org/jira/browse/KNOX-641 >>> > > > > > >>> >> >> as >>> > > > > > >>> >> >> > > > well >>> > > > > > >>> >> >> > > > > as the documentation on KNOX-642. >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > Is everything ok for the merge? >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > Thanks. >>> > > > > > >>> >> >> > > > > Best regards, >>> > > > > > >>> >> >> > > > > Jérôme >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > 2015-12-14 15:28 GMT+01:00 larry mccay < >>> > > > > > >>> larry.mc...@gmail.com>: >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > > > Hi Jérôme - >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > Not sure if you saw but I added review >>> comments >>> > > to >>> > > > > > >>> KNOX-641. >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > I think that we need to determine whether >>> we >>> > want >>> > > > the >>> > > > > > >>> >> >> testBasicAuth >>> > > > > > >>> >> >> > > in >>> > > > > > >>> >> >> > > > > the >>> > > > > > >>> >> >> > > > > > provider itself. >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > Let's follow up on the JIRA. >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > thanks, >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > --larry >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > On Fri, Dec 11, 2015 at 8:44 AM, Jérôme >>> LELEU < >>> > > > > > >>> >> lel...@gmail.com> >>> > > > > > >>> >> >> > > > wrote: >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > > Hi, >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > No problem. It can go into a version >>> 0.8.0 if >>> > > > > needed. >>> > > > > > >>> The >>> > > > > > >>> >> truth >>> > > > > > >>> >> >> > is >>> > > > > > >>> >> >> > > > that >>> > > > > > >>> >> >> > > > > > > there is only one change outside the new >>> > pac4j >>> > > > > > module, >>> > > > > > >>> so I >>> > > > > > >>> >> >> think >>> > > > > > >>> >> >> > > > risks >>> > > > > > >>> >> >> > > > > > are >>> > > > > > >>> >> >> > > > > > > extremly limited. >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > Just let met know. >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > Thanks. >>> > > > > > >>> >> >> > > > > > > Best regards, >>> > > > > > >>> >> >> > > > > > > Jérôme >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > 2015-12-11 14:23 GMT+01:00 larry mccay < >>> > > > > > >>> >> larry.mc...@gmail.com >>> > > > > > >>> >> >> >: >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > > Hi Jérôme - >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > I have unfortunately not had a chance >>> to >>> > > pull, >>> > > > > > >>> review and >>> > > > > > >>> >> >> test >>> > > > > > >>> >> >> > it >>> > > > > > >>> >> >> > > > yet >>> > > > > > >>> >> >> > > > > > and >>> > > > > > >>> >> >> > > > > > > > have intended to do that today. >>> > > > > > >>> >> >> > > > > > > > I apologize for the delay. >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > I was actually thinking that this >>> would go >>> > > > into a >>> > > > > > >>> follow >>> > > > > > >>> >> up >>> > > > > > >>> >> >> > > release >>> > > > > > >>> >> >> > > > > > that >>> > > > > > >>> >> >> > > > > > > we >>> > > > > > >>> >> >> > > > > > > > would try and get done rapidly after >>> the >>> > > 0.7.0 >>> > > > > > >>> release >>> > > > > > >>> >> but we >>> > > > > > >>> >> >> > can >>> > > > > > >>> >> >> > > > > > discuss >>> > > > > > >>> >> >> > > > > > > > the target and its chances of >>> destabilizing >>> > > > > 0.7.0. >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > I believe that it is rather >>> self-contained >>> > > with >>> > > > > > only >>> > > > > > >>> a few >>> > > > > > >>> >> >> > > changes >>> > > > > > >>> >> >> > > > to >>> > > > > > >>> >> >> > > > > > > > external modules. >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > Opening the JIRAs is perfect and I was >>> > going >>> > > to >>> > > > > do >>> > > > > > >>> that >>> > > > > > >>> >> once >>> > > > > > >>> >> >> I >>> > > > > > >>> >> >> > > > > started >>> > > > > > >>> >> >> > > > > > > the >>> > > > > > >>> >> >> > > > > > > > review. >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > Let's continue review comments and >>> > > > collaboration >>> > > > > on >>> > > > > > >>> those >>> > > > > > >>> >> >> > JIRAs. >>> > > > > > >>> >> >> > > > > > > > I will add you to the contributors >>> list so >>> > > that >>> > > > > we >>> > > > > > >>> can >>> > > > > > >>> >> assign >>> > > > > > >>> >> >> > > them >>> > > > > > >>> >> >> > > > to >>> > > > > > >>> >> >> > > > > > > you. >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > Thank you for your contributions and >>> your >>> > > > > patience, >>> > > > > > >>> >> Jérôme! >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > --larry >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > On Fri, Dec 11, 2015 at 3:00 AM, Jérôme >>> > > LELEU < >>> > > > > > >>> >> >> > lel...@gmail.com> >>> > > > > > >>> >> >> > > > > > wrote: >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > Hi, >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > I didn't get any new feedback on the >>> pull >>> > > > > request >>> > > > > > >>> so I >>> > > > > > >>> >> >> assume >>> > > > > > >>> >> >> > > > > > > everything >>> > > > > > >>> >> >> > > > > > > > is >>> > > > > > >>> >> >> > > > > > > > > ok from your point of view. >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > I released pac4j v1.8.1 and j2e-pac4j >>> > > v1.2.1 >>> > > > > so I >>> > > > > > >>> >> updated >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> > > > pull >>> > > > > > >>> >> >> > > > > > > > request >>> > > > > > >>> >> >> > > > > > > > > to use them and successfully >>> re-tested >>> > > > > > everything. >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > I opened KNOX-641 and submitted the >>> > > > > corresponding >>> > > > > > >>> patch. >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > I also wrote the documentation, >>> opened >>> > > > KNOX-642 >>> > > > > > and >>> > > > > > >>> >> >> submitted >>> > > > > > >>> >> >> > > the >>> > > > > > >>> >> >> > > > > > > > > corresponding patch (just to let you >>> know >>> > > > that >>> > > > > it >>> > > > > > >>> >> doesn't >>> > > > > > >>> >> >> > work >>> > > > > > >>> >> >> > > > out >>> > > > > > >>> >> >> > > > > of >>> > > > > > >>> >> >> > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > box in Windows, I had to replace >>> mvn.bat >>> > by >>> > > > > > >>> mvn.cmd to >>> > > > > > >>> >> make >>> > > > > > >>> >> >> > ant >>> > > > > > >>> >> >> > > > > > work). >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > Even if the branch 0.7.0 has already >>> been >>> > > > > > created, >>> > > > > > >>> I >>> > > > > > >>> >> >> assumed >>> > > > > > >>> >> >> > > this >>> > > > > > >>> >> >> > > > > new >>> > > > > > >>> >> >> > > > > > > > pac4j >>> > > > > > >>> >> >> > > > > > > > > provider will go into this version >>> 0.7.0 >>> > > > > > >>> (dependency on >>> > > > > > >>> >> the >>> > > > > > >>> >> >> > > > > > > > 0.7.0-SNAPSHOT >>> > > > > > >>> >> >> > > > > > > > > parent version). >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > Just let me know if everything is ok >>> and >>> > > when >>> > > > > > it's >>> > > > > > >>> >> goind to >>> > > > > > >>> >> >> > be >>> > > > > > >>> >> >> > > > > > merged. >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > Thanks. >>> > > > > > >>> >> >> > > > > > > > > Best regards, >>> > > > > > >>> >> >> > > > > > > > > Jérôme >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > 2015-12-04 14:20 GMT+01:00 larry >>> mccay < >>> > > > > > >>> >> >> > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > >: >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > That ability to configure multiple >>> > > > mechanisms >>> > > > > > >>> based on >>> > > > > > >>> >> >> > > > clientName >>> > > > > > >>> >> >> > > > > > is >>> > > > > > >>> >> >> > > > > > > > > really >>> > > > > > >>> >> >> > > > > > > > > > interesting for Knox. >>> > > > > > >>> >> >> > > > > > > > > > Currently, we require separate >>> > topologies >>> > > > per >>> > > > > > >>> >> >> > authentication >>> > > > > > >>> >> >> > > > > > > mechanism. >>> > > > > > >>> >> >> > > > > > > > > > The ability to configure them all >>> in >>> > one >>> > > is >>> > > > > > >>> really >>> > > > > > >>> >> great. >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > We would need to think through the >>> best >>> > > way >>> > > > > to >>> > > > > > >>> provide >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> > > > > > clientName >>> > > > > > >>> >> >> > > > > > > > > > parameter. >>> > > > > > >>> >> >> > > > > > > > > > Since this is targeting KnoxSSO it >>> can >>> > > > > actually >>> > > > > > >>> be >>> > > > > > >>> >> added >>> > > > > > >>> >> >> to >>> > > > > > >>> >> >> > > the >>> > > > > > >>> >> >> > > > > > > > > providerURL >>> > > > > > >>> >> >> > > > > > > > > > used to redirect from the >>> participating >>> > > > > > >>> application. >>> > > > > > >>> >> >> > > > > > > > > > Regardless of the authentication >>> > > mechanism >>> > > > > used >>> > > > > > >>> each >>> > > > > > >>> >> >> > > > application >>> > > > > > >>> >> >> > > > > > will >>> > > > > > >>> >> >> > > > > > > > > still >>> > > > > > >>> >> >> > > > > > > > > > get the same JWT based cookie. >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > I think that should work really >>> nicely. >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > On Fri, Dec 4, 2015 at 7:17 AM, >>> larry >>> > > > mccay < >>> > > > > > >>> >> >> > > > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > > > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > > Excellent, Jérôme. >>> > > > > > >>> >> >> > > > > > > > > > > Thanks! >>> > > > > > >>> >> >> > > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > > On Fri, Dec 4, 2015 at 2:40 AM, >>> > Jérôme >>> > > > > LELEU >>> > > > > > < >>> > > > > > >>> >> >> > > > lel...@gmail.com >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > > > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> Hi, >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> I will write how to configure >>> the >>> > > pac4j >>> > > > > > >>> provider in >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> > > > > > > > documentation, >>> > > > > > >>> >> >> > > > > > > > > > but >>> > > > > > >>> >> >> > > > > > > > > > >> I can already give you some >>> > insights. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> My main goal is always to >>> respect >>> > the >>> > > > key >>> > > > > > >>> design >>> > > > > > >>> >> >> > > principles >>> > > > > > >>> >> >> > > > of >>> > > > > > >>> >> >> > > > > > > pac4j >>> > > > > > >>> >> >> > > > > > > > > > >> whatever the environment / >>> framework >>> > > in >>> > > > > > which >>> > > > > > >>> it is >>> > > > > > >>> >> >> > > > > implemented. >>> > > > > > >>> >> >> > > > > > > For >>> > > > > > >>> >> >> > > > > > > > > > Knox, >>> > > > > > >>> >> >> > > > > > > > > > >> I'm pretty happy with the use >>> of the >>> > > > > > j2e-pac4j >>> > > > > > >>> >> >> library, >>> > > > > > >>> >> >> > > > which >>> > > > > > >>> >> >> > > > > > > means >>> > > > > > >>> >> >> > > > > > > > > that >>> > > > > > >>> >> >> > > > > > > > > > >> almost all the pac4j features >>> are >>> > > > > available, >>> > > > > > >>> >> >> especially >>> > > > > > >>> >> >> > > both >>> > > > > > >>> >> >> > > > > > > direct >>> > > > > > >>> >> >> > > > > > > > > and >>> > > > > > >>> >> >> > > > > > > > > > >> indirect clients. So it can do >>> what >>> > > > Shiro >>> > > > > > >>> already >>> > > > > > >>> >> does >>> > > > > > >>> >> >> > but >>> > > > > > >>> >> >> > > > > also, >>> > > > > > >>> >> >> > > > > > > as >>> > > > > > >>> >> >> > > > > > > > we >>> > > > > > >>> >> >> > > > > > > > > > >> agreed together, supports remote >>> > > > > > >>> authentications. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> It is only limited by what you >>> can >>> > > > > currently >>> > > > > > >>> >> >> configure. >>> > > > > > >>> >> >> > > And >>> > > > > > >>> >> >> > > > > even >>> > > > > > >>> >> >> > > > > > > > > > >> configuration is a pac4j >>> feature as >>> > > the >>> > > > > CAS >>> > > > > > >>> server >>> > > > > > >>> >> has >>> > > > > > >>> >> >> > the >>> > > > > > >>> >> >> > > > > same >>> > > > > > >>> >> >> > > > > > > > need. >>> > > > > > >>> >> >> > > > > > > > > > >> Everything happens in this >>> class: >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> https://github.com/pac4j/pac4j/blob/master/pac4j-config/src/main/java/org/pac4j/config/client/ConfigPropertiesFactory.java >>> > > > > > >>> >> >> > > > > > > > > > >> , >>> > > > > > >>> >> >> > > > > > > > > > >> which allows you to configure >>> > > Facebook, >>> > > > > > >>> Twitter, a >>> > > > > > >>> >> CAS >>> > > > > > >>> >> >> > > > > server, a >>> > > > > > >>> >> >> > > > > > > > SAML >>> > > > > > >>> >> >> > > > > > > > > > IdP >>> > > > > > >>> >> >> > > > > > > > > > >> or an OpenID Connect provider. >>> All >>> > the >>> > > > > > >>> provided >>> > > > > > >>> >> >> > parameters >>> > > > > > >>> >> >> > > > to >>> > > > > > >>> >> >> > > > > > the >>> > > > > > >>> >> >> > > > > > > > > pac4j >>> > > > > > >>> >> >> > > > > > > > > > >> provider are put into a Map and >>> the >>> > > > > > >>> >> >> > > ConfigPropertiesFactory >>> > > > > > >>> >> >> > > > is >>> > > > > > >>> >> >> > > > > > > built >>> > > > > > >>> >> >> > > > > > > > > > with >>> > > > > > >>> >> >> > > > > > > > > > >> this Map to return the built >>> client >>> > (= >>> > > > > > >>> >> authentication >>> > > > > > >>> >> >> > > > > > mechanism). >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> You have one more specific >>> option >>> > for >>> > > > Knox >>> > > > > > as >>> > > > > > >>> a >>> > > > > > >>> >> basic >>> > > > > > >>> >> >> > > > > > > authentication >>> > > > > > >>> >> >> > > > > > > > > > popup >>> > > > > > >>> >> >> > > > > > > > > > >> where the username must match >>> the >>> > > > > password, >>> > > > > > >>> you can >>> > > > > > >>> >> >> > define >>> > > > > > >>> >> >> > > > > that >>> > > > > > >>> >> >> > > > > > > by: >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> <param> >>> > > > > > >>> >> >> > > > > > > > > > >> <name>clientName</name> >>> > > > > > >>> >> >> > > > > > > > > > >> <value>testBasicAuth</value> >>> > > > > > >>> >> >> > > > > > > > > > >> </param> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> It's for testing only. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> For a CAS server: >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> <param> >>> > > > > > >>> >> >> > > > > > > > > > >> <name>cas.loginUrl</name> >>> > > > > > >>> >> >> > > > > > > > > > >> <value> >>> > > > > > >>> >> https://casserverpac4j.herokuapp.com/login >>> > > > > > >>> >> >> > > </value> >>> > > > > > >>> >> >> > > > > > > > > > >> </param> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> Here are all the properties >>> > available >>> > > > for >>> > > > > > >>> building >>> > > > > > >>> >> >> > clients >>> > > > > > >>> >> >> > > > > > (their >>> > > > > > >>> >> >> > > > > > > > > > meaning >>> > > > > > >>> >> >> > > > > > > > > > >> is obvious): >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> facebook.id >>> > > > > > >>> >> >> > > > > > > > > > >> facebook.secret >>> > > > > > >>> >> >> > > > > > > > > > >> facebook.scope >>> > > > > > >>> >> >> > > > > > > > > > >> facebook.fields >>> > > > > > >>> >> >> > > > > > > > > > >> twitter.id >>> > > > > > >>> >> >> > > > > > > > > > >> twitter.secret >>> > > > > > >>> >> >> > > > > > > > > > >> saml.keystorePassword >>> > > > > > >>> >> >> > > > > > > > > > >> saml.privateKeyPassword >>> > > > > > >>> >> >> > > > > > > > > > >> saml.keystorePath >>> > > > > > >>> >> >> > > > > > > > > > >> >>> saml.identityProviderMetadataPath >>> > > > > > >>> >> >> > > > > > > > > > >> >>> saml.maximumAuthenticationLifetime >>> > > > > > >>> >> >> > > > > > > > > > >> saml.serviceProviderEntityId >>> > > > > > >>> >> >> > > > > > > > > > >> saml.serviceProviderMetadataPath >>> > > > > > >>> >> >> > > > > > > > > > >> cas.loginUrl >>> > > > > > >>> >> >> > > > > > > > > > >> cas.protocol >>> > > > > > >>> >> >> > > > > > > > > > >> oidc.id >>> > > > > > >>> >> >> > > > > > > > > > >> oidc.secret >>> > > > > > >>> >> >> > > > > > > > > > >> oidc.discoveryUri >>> > > > > > >>> >> >> > > > > > > > > > >> oidc.customParamKey1 >>> > > > > > >>> >> >> > > > > > > > > > >> oidc.customParamValue1 >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> If you define multiple clients, >>> the >>> > > > first >>> > > > > > one >>> > > > > > >>> will >>> > > > > > >>> >> be >>> > > > > > >>> >> >> > used >>> > > > > > >>> >> >> > > > for >>> > > > > > >>> >> >> > > > > > > > > > >> authentication, but you can >>> > explicitly >>> > > > > > choose >>> > > > > > >>> the >>> > > > > > >>> >> >> client >>> > > > > > >>> >> >> > > you >>> > > > > > >>> >> >> > > > > > want >>> > > > > > >>> >> >> > > > > > > to >>> > > > > > >>> >> >> > > > > > > > > use >>> > > > > > >>> >> >> > > > > > > > > > >> via the clientName parameter, >>> > assuming >>> > > > you >>> > > > > > >>> want to >>> > > > > > >>> >> >> > switch >>> > > > > > >>> >> >> > > > from >>> > > > > > >>> >> >> > > > > > > > client >>> > > > > > >>> >> >> > > > > > > > > > >> depending on environment for >>> > example. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> So if you want to add some new >>> > > > > > authentication >>> > > > > > >>> >> >> mechanism, >>> > > > > > >>> >> >> > > you >>> > > > > > >>> >> >> > > > > > must >>> > > > > > >>> >> >> > > > > > > > > first >>> > > > > > >>> >> >> > > > > > > > > > >> check that it is available in >>> pac4j >>> > > (if >>> > > > > it's >>> > > > > > >>> not, >>> > > > > > >>> >> it's >>> > > > > > >>> >> >> > > > another >>> > > > > > >>> >> >> > > > > > > > > > discussion, >>> > > > > > >>> >> >> > > > > > > > > > >> but generally, it is). Then, >>> you'll >>> > > need >>> > > > > to >>> > > > > > >>> upgrade >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> > > > > > > > > > >> ConfigPropertiesFactory by >>> > submitting >>> > > a >>> > > > > new >>> > > > > > >>> pull >>> > > > > > >>> >> >> request >>> > > > > > >>> >> >> > > to >>> > > > > > >>> >> >> > > > > the >>> > > > > > >>> >> >> > > > > > > > pac4j >>> > > > > > >>> >> >> > > > > > > > > > >> project (I can do it myself, >>> but I'm >>> > > > sure >>> > > > > > you >>> > > > > > >>> >> could do >>> > > > > > >>> >> >> > > that >>> > > > > > >>> >> >> > > > > > > easily), >>> > > > > > >>> >> >> > > > > > > > > > >> finally wait for the new pac4j >>> > release >>> > > > and >>> > > > > > >>> switch >>> > > > > > >>> >> >> pac4j >>> > > > > > >>> >> >> > > > > versions >>> > > > > > >>> >> >> > > > > > > in >>> > > > > > >>> >> >> > > > > > > > > Knox >>> > > > > > >>> >> >> > > > > > > > > > >> to >>> > > > > > >>> >> >> > > > > > > > > > >> benefit from the new feature. >>> > > > > > >>> >> >> > > > > > > > > > >> The good thing is that if >>> someone >>> > > > related >>> > > > > to >>> > > > > > >>> the >>> > > > > > >>> >> CAS >>> > > > > > >>> >> >> > > server >>> > > > > > >>> >> >> > > > > does >>> > > > > > >>> >> >> > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > same >>> > > > > > >>> >> >> > > > > > > > > > >> thing for CAS (in pac4j), you >>> will >>> > > > > > >>> automatically >>> > > > > > >>> >> get >>> > > > > > >>> >> >> it >>> > > > > > >>> >> >> > > when >>> > > > > > >>> >> >> > > > > > > you'll >>> > > > > > >>> >> >> > > > > > > > > > >> upgrade >>> > > > > > >>> >> >> > > > > > > > > > >> pac4j. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> To go even further, replacing >>> LDAP >>> > > Shiro >>> > > > > > >>> >> >> authentication >>> > > > > > >>> >> >> > is >>> > > > > > >>> >> >> > > > > just >>> > > > > > >>> >> >> > > > > > a >>> > > > > > >>> >> >> > > > > > > > > matter >>> > > > > > >>> >> >> > > > > > > > > > >> of >>> > > > > > >>> >> >> > > > > > > > > > >> making pac4j LDAP authentication >>> > > > available >>> > > > > > via >>> > > > > > >>> >> >> > > configuration >>> > > > > > >>> >> >> > > > > > > > > parameters. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> I hope it was clear enough. >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> Thanks. >>> > > > > > >>> >> >> > > > > > > > > > >> Best regards, >>> > > > > > >>> >> >> > > > > > > > > > >> Jérôme >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> 2015-12-03 20:45 GMT+01:00 larry >>> > > mccay < >>> > > > > > >>> >> >> > > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > >: >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > Excellent! >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > I will carve out some time to >>> do >>> > > code >>> > > > > > >>> review. >>> > > > > > >>> >> >> > > > > > > > > > >> > We will need to get some >>> insights >>> > > into >>> > > > > how >>> > > > > > >>> to go >>> > > > > > >>> >> >> about >>> > > > > > >>> >> >> > > > > > testing: >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > * is the CAS server going to >>> be >>> > > > > available >>> > > > > > >>> for >>> > > > > > >>> >> >> testing? >>> > > > > > >>> >> >> > > > > > > > > > >> > * what are the specific and >>> > > > > > >>> generic/standard (if >>> > > > > > >>> >> >> any) >>> > > > > > >>> >> >> > > > > > > > authentication >>> > > > > > >>> >> >> > > > > > > > > > >> > mechanisms available - for >>> > instance: >>> > > > > > >>> >> >> > > > > > > > > > >> > - Facebook, Google, >>> LinkedIn >>> > and >>> > > > CAS >>> > > > > > are >>> > > > > > >>> >> >> specifics >>> > > > > > >>> >> >> > > > > > > > > > >> > - OAuth 2, OpenID Connect, >>> > SAML >>> > > > are >>> > > > > > >>> >> >> > > generic/standards >>> > > > > > >>> >> >> > > > - >>> > > > > > >>> >> >> > > > > > that >>> > > > > > >>> >> >> > > > > > > > may >>> > > > > > >>> >> >> > > > > > > > > > be >>> > > > > > >>> >> >> > > > > > > > > > >> > used for the above >>> specifics... >>> > > > > > >>> >> >> > > > > > > > > > >> > * how do we test things other >>> than >>> > > > CAS - >>> > > > > > in >>> > > > > > >>> >> terms of >>> > > > > > >>> >> >> > > > getting >>> > > > > > >>> >> >> > > > > > > > > > >> credentials, >>> > > > > > >>> >> >> > > > > > > > > > >> > configuration, etc >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > We could certainly do this is >>> > phases >>> > > > as >>> > > > > > >>> well. >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > If you can enumerate the >>> things >>> > that >>> > > > > > should >>> > > > > > >>> work >>> > > > > > >>> >> and >>> > > > > > >>> >> >> > > > provide >>> > > > > > >>> >> >> > > > > > > some >>> > > > > > >>> >> >> > > > > > > > > > >> testing >>> > > > > > >>> >> >> > > > > > > > > > >> > details for CAS or as many as >>> > > possible >>> > > > > and >>> > > > > > >>> OpenID >>> > > > > > >>> >> >> > > Connect >>> > > > > > >>> >> >> > > > > then >>> > > > > > >>> >> >> > > > > > > we >>> > > > > > >>> >> >> > > > > > > > > can >>> > > > > > >>> >> >> > > > > > > > > > >> test >>> > > > > > >>> >> >> > > > > > > > > > >> > the specific implementations >>> that >>> > > you >>> > > > > > >>> provide and >>> > > > > > >>> >> >> > enable >>> > > > > > >>> >> >> > > > the >>> > > > > > >>> >> >> > > > > > > > testing >>> > > > > > >>> >> >> > > > > > > > > > of >>> > > > > > >>> >> >> > > > > > > > > > >> > another OpenID Connect effort >>> that >>> > > is >>> > > > in >>> > > > > > the >>> > > > > > >>> >> works >>> > > > > > >>> >> >> in >>> > > > > > >>> >> >> > > the >>> > > > > > >>> >> >> > > > > > > > community. >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > I'm not sure whether we want >>> to >>> > > commit >>> > > > > > >>> >> contributions >>> > > > > > >>> >> >> > > that >>> > > > > > >>> >> >> > > > > are >>> > > > > > >>> >> >> > > > > > > > > > dependent >>> > > > > > >>> >> >> > > > > > > > > > >> on >>> > > > > > >>> >> >> > > > > > > > > > >> > snapshots - we certainly can't >>> > > release >>> > > > > > with >>> > > > > > >>> any >>> > > > > > >>> >> such >>> > > > > > >>> >> >> > > > > > > dependencies. >>> > > > > > >>> >> >> > > > > > > > > > >> > I would hate to add a cleanup >>> task >>> > > to >>> > > > a >>> > > > > > >>> release >>> > > > > > >>> >> to >>> > > > > > >>> >> >> > make >>> > > > > > >>> >> >> > > > sure >>> > > > > > >>> >> >> > > > > > > there >>> > > > > > >>> >> >> > > > > > > > > are >>> > > > > > >>> >> >> > > > > > > > > > >> no >>> > > > > > >>> >> >> > > > > > > > > > >> > snapshots in there. >>> > > > > > >>> >> >> > > > > > > > > > >> > We will probably wait until >>> after >>> > > the >>> > > > > > pac4j >>> > > > > > >>> >> releases >>> > > > > > >>> >> >> > to >>> > > > > > >>> >> >> > > > > > commit. >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > I am really happy that this >>> > > > integration >>> > > > > is >>> > > > > > >>> >> happening >>> > > > > > >>> >> >> > and >>> > > > > > >>> >> >> > > > > that >>> > > > > > >>> >> >> > > > > > it >>> > > > > > >>> >> >> > > > > > > > > went >>> > > > > > >>> >> >> > > > > > > > > > >> > rather smoothly. >>> > > > > > >>> >> >> > > > > > > > > > >> > These sorts of authentication >>> > > > protocols >>> > > > > > are >>> > > > > > >>> >> complex >>> > > > > > >>> >> >> > and >>> > > > > > >>> >> >> > > I >>> > > > > > >>> >> >> > > > > > think >>> > > > > > >>> >> >> > > > > > > we >>> > > > > > >>> >> >> > > > > > > > > > >> lined up >>> > > > > > >>> >> >> > > > > > > > > > >> > pretty well overall. >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > Thanks for your work! >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > On Thu, Dec 3, 2015 at 2:28 >>> PM, >>> > > Jérôme >>> > > > > > >>> LELEU < >>> > > > > > >>> >> >> > > > > > lel...@gmail.com> >>> > > > > > >>> >> >> > > > > > > > > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > Hi, >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > I just sync'ed with master, >>> > > cleaned >>> > > > > > >>> >> dependencies >>> > > > > > >>> >> >> and >>> > > > > > >>> >> >> > > > added >>> > > > > > >>> >> >> > > > > > > > missing >>> > > > > > >>> >> >> > > > > > > > > > >> > > Javadocs. Everything works >>> > > correctly >>> > > > > > now. >>> > > > > > >>> Many >>> > > > > > >>> >> >> > thanks. >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > The pull request is ready >>> for a >>> > > full >>> > > > > > code >>> > > > > > >>> >> review: >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > https://github.com/apache/knox/pull/2 >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > I'll write the documentation >>> > after >>> > > > the >>> > > > > > >>> pac4j >>> > > > > > >>> >> >> > releases >>> > > > > > >>> >> >> > > (I >>> > > > > > >>> >> >> > > > > > hope >>> > > > > > >>> >> >> > > > > > > > next >>> > > > > > >>> >> >> > > > > > > > > > >> week). >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > Thanks. >>> > > > > > >>> >> >> > > > > > > > > > >> > > Best regards, >>> > > > > > >>> >> >> > > > > > > > > > >> > > Jérôme >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > 2015-12-02 19:18 GMT+01:00 >>> larry >>> > > > > mccay < >>> > > > > > >>> >> >> > > > > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > >: >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > Fixed in >>> > > > > > >>> >> >> > > > https://issues.apache.org/jira/browse/KNOX-636 >>> > > > > > >>> >> >> > > > > . >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > On Wed, Dec 2, 2015 at >>> 12:42 >>> > PM, >>> > > > > larry >>> > > > > > >>> mccay >>> > > > > > >>> >> < >>> > > > > > >>> >> >> > > > > > > > > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > Sure - I can file a >>> JIRA and >>> > > > > commit >>> > > > > > a >>> > > > > > >>> fix. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > The secret generation >>> should >>> > > be >>> > > > > done >>> > > > > > >>> in one >>> > > > > > >>> >> >> > > instance >>> > > > > > >>> >> >> > > > > and >>> > > > > > >>> >> >> > > > > > > > > > >> replicated >>> > > > > > >>> >> >> > > > > > > > > > >> > > > across >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > others. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > This >>> replication/management >>> > of >>> > > > the >>> > > > > > >>> >> credential >>> > > > > > >>> >> >> > > stores >>> > > > > > >>> >> >> > > > > is >>> > > > > > >>> >> >> > > > > > > > > outside >>> > > > > > >>> >> >> > > > > > > > > > of >>> > > > > > >>> >> >> > > > > > > > > > >> > the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > scope of Knox itself as >>> of >>> > > now. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > Documentation is done in >>> > > > markdown >>> > > > > > and >>> > > > > > >>> is >>> > > > > > >>> >> >> > > > contributing >>> > > > > > >>> >> >> > > > > > > > details >>> > > > > > >>> >> >> > > > > > > > > > are >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > available at: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-DocumentationContributorWorkflow >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > Which should give you a >>> > > general >>> > > > > > idea. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > Find an example like: >>> > > > > > >>> ./trunk/books/0.7.0/ >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> config_preauth_sso_provider.md >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > For an example of >>> typical >>> > > > content >>> > > > > > and >>> > > > > > >>> >> format. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > Here is how that example >>> > > > renders: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> http://knox.apache.org/books/knox-0-7-0/user-guide.html#Preauthenticated+SSO+Provider >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > You'll need to tie it >>> into >>> > the >>> > > > > rest >>> > > > > > >>> of the >>> > > > > > >>> >> >> book >>> > > > > > >>> >> >> > - >>> > > > > > >>> >> >> > > > just >>> > > > > > >>> >> >> > > > > > > grep >>> > > > > > >>> >> >> > > > > > > > > for >>> > > > > > >>> >> >> > > > > > > > > > >> where >>> > > > > > >>> >> >> > > > > > > > > > >> > > > that >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > filename is referenced. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > To test how it renders >>> build >>> > > the >>> > > > > > site >>> > > > > > >>> with: >>> > > > > > >>> >> >> > "ant" >>> > > > > > >>> >> >> > > > and >>> > > > > > >>> >> >> > > > > > note >>> > > > > > >>> >> >> > > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > >> url to >>> > > > > > >>> >> >> > > > > > > > > > >> > > the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > 0.7.0 book. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > On Wed, Dec 2, 2015 at >>> 12:12 >>> > > PM, >>> > > > > > >>> Jérôme >>> > > > > > >>> >> LELEU >>> > > > > > >>> >> >> < >>> > > > > > >>> >> >> > > > > > > > > lel...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Hi, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Why it doesn't work for >>> > pac4j >>> > > > > while >>> > > > > > >>> it >>> > > > > > >>> >> works >>> > > > > > >>> >> >> > for >>> > > > > > >>> >> >> > > > > others >>> > > > > > >>> >> >> > > > > > > is >>> > > > > > >>> >> >> > > > > > > > a >>> > > > > > >>> >> >> > > > > > > > > > bit >>> > > > > > >>> >> >> > > > > > > > > > >> > > strange >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> to >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> me, but if you have the >>> > patch >>> > > > in >>> > > > > > >>> front of >>> > > > > > >>> >> >> your >>> > > > > > >>> >> >> > > > eyes, >>> > > > > > >>> >> >> > > > > > I'd >>> > > > > > >>> >> >> > > > > > > > > rather >>> > > > > > >>> >> >> > > > > > > > > > >> > prefer >>> > > > > > >>> >> >> > > > > > > > > > >> > > > you >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> to commit it. In all >>> cases, >>> > > > I'll >>> > > > > > >>> sync with >>> > > > > > >>> >> >> the >>> > > > > > >>> >> >> > > > > master. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> There was one question >>> you >>> > > > didn't >>> > > > > > >>> answer >>> > > > > > >>> >> >> > > > previously: >>> > > > > > >>> >> >> > > > > is >>> > > > > > >>> >> >> > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > >> password >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> generated for the pac4j >>> > > > provider >>> > > > > > the >>> > > > > > >>> same >>> > > > > > >>> >> >> > across >>> > > > > > >>> >> >> > > > all >>> > > > > > >>> >> >> > > > > > > > gateway >>> > > > > > >>> >> >> > > > > > > > > > >> > > instances? >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Because I expect to >>> have >>> > the >>> > > > same >>> > > > > > >>> value >>> > > > > > >>> >> as I >>> > > > > > >>> >> >> > use >>> > > > > > >>> >> >> > > it >>> > > > > > >>> >> >> > > > > to >>> > > > > > >>> >> >> > > > > > > > > encrypt >>> > > > > > >>> >> >> > > > > > > > > > / >>> > > > > > >>> >> >> > > > > > > > > > >> > > decrypt >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> data. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> I will add the Javadoc. >>> > After >>> > > > > that, >>> > > > > > >>> you >>> > > > > > >>> >> can >>> > > > > > >>> >> >> > > review >>> > > > > > >>> >> >> > > > > the >>> > > > > > >>> >> >> > > > > > > pull >>> > > > > > >>> >> >> > > > > > > > > > >> request >>> > > > > > >>> >> >> > > > > > > > > > >> > > more >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> completely. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> What do you expect for >>> the >>> > > > > > >>> documentation? >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Notice that pac4j >>> > > dependencies >>> > > > > are >>> > > > > > >>> still >>> > > > > > >>> >> >> > > snapshots, >>> > > > > > >>> >> >> > > > > but >>> > > > > > >>> >> >> > > > > > > > they >>> > > > > > >>> >> >> > > > > > > > > > >> will be >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> released in a week or >>> two. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Thanks. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Best regards, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> Jérôme >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> 2015-12-02 17:51 >>> GMT+01:00 >>> > > > larry >>> > > > > > >>> mccay < >>> > > > > > >>> >> >> > > > > > > > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > Jérôme - >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > If you would like to >>> add >>> > > that >>> > > > > > >>> change as >>> > > > > > >>> >> >> part >>> > > > > > >>> >> >> > of >>> > > > > > >>> >> >> > > > > your >>> > > > > > >>> >> >> > > > > > > > patch >>> > > > > > >>> >> >> > > > > > > > > or >>> > > > > > >>> >> >> > > > > > > > > > >> as a >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > separately filed >>> JIRA to >>> > > fix >>> > > > a >>> > > > > > bug >>> > > > > > >>> that >>> > > > > > >>> >> >> would >>> > > > > > >>> >> >> > > > > > certainly >>> > > > > > >>> >> >> > > > > > > > be >>> > > > > > >>> >> >> > > > > > > > > > >> > welcomed. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > Otherwise, I can do >>> it. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > Let me know. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > thanks, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > --larry >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > On Wed, Dec 2, 2015 >>> at >>> > > 11:44 >>> > > > > AM, >>> > > > > > >>> larry >>> > > > > > >>> >> >> mccay >>> > > > > > >>> >> >> > < >>> > > > > > >>> >> >> > > > > > > > > > >> > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > Okay - I had to >>> add an >>> > > > > override >>> > > > > > >>> of >>> > > > > > >>> >> >> > > > > > getUserPrincipal() >>> > > > > > >>> >> >> > > > > > > > to >>> > > > > > >>> >> >> > > > > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > >>> > > > > > >>> >> IdentityAsserterHttpServletRequestWrapper >>> > > > > > >>> >> >> > and >>> > > > > > >>> >> >> > > > > > return >>> > > > > > >>> >> >> > > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > >> member >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> variable >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > username and it >>> works >>> > > like >>> > > > a >>> > > > > > >>> charm. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > Why I haven't seen >>> this >>> > > > same >>> > > > > > >>> behavior >>> > > > > > >>> >> >> with >>> > > > > > >>> >> >> > > > other >>> > > > > > >>> >> >> > > > > > > > > providers >>> > > > > > >>> >> >> > > > > > > > > > >> is a >>> > > > > > >>> >> >> > > > > > > > > > >> > > bit >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> of a >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > mystery but they >>> must >>> > be >>> > > > > adding >>> > > > > > >>> other >>> > > > > > >>> >> >> > > wrappers >>> > > > > > >>> >> >> > > > > that >>> > > > > > >>> >> >> > > > > > > > > handle >>> > > > > > >>> >> >> > > > > > > > > > >> it. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > This is quite cool, >>> > > Jérôme! >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > On Wed, Dec 2, >>> 2015 at >>> > > > 10:41 >>> > > > > > AM, >>> > > > > > >>> larry >>> > > > > > >>> >> >> > mccay >>> > > > > > >>> >> >> > > < >>> > > > > > >>> >> >> > > > > > > > > > >> > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> That was it - >>> thanks! >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> On Wed, Dec 2, >>> 2015 at >>> > > > 10:20 >>> > > > > > AM, >>> > > > > > >>> >> Jérôme >>> > > > > > >>> >> >> > > LELEU >>> > > > > > >>> >> >> > > > < >>> > > > > > >>> >> >> > > > > > > > > > >> > lel...@gmail.com> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> This is my exact >>> > > command >>> > > > > > line: >>> > > > > > >>> mvn >>> > > > > > >>> >> >> > > -Prelease >>> > > > > > >>> >> >> > > > > > clean >>> > > > > > >>> >> >> > > > > > > > > > install >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> -DskipTests >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> You use an >>> internal >>> > > Maven >>> > > > > > >>> >> repository to >>> > > > > > >>> >> >> > > fetch >>> > > > > > >>> >> >> > > > > > > > > > dependencies >>> > > > > > >>> >> >> > > > > > > > > > >> > from >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > internet: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >>> > > http://nexus-private.hortonworks.com/nexus/content/groups/public/ >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> Does this >>> repository >>> > > have >>> > > > > > >>> access to >>> > > > > > >>> >> the >>> > > > > > >>> >> >> > > > remote >>> > > > > > >>> >> >> > > > > > > > > Snapshots >>> > > > > > >>> >> >> > > > > > > > > > >> > > Sonatype >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> repo? >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> 2015-12-02 16:16 >>> > > > GMT+01:00 >>> > > > > > >>> larry >>> > > > > > >>> >> mccay >>> > > > > > >>> >> >> < >>> > > > > > >>> >> >> > > > > > > > > > >> larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > >: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > hmmm - I used: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > mvn clean >>> install >>> > > > > > >>> -DskipTests=true >>> > > > > > >>> >> >> > > > -Prelease >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > The repository >>> > entry >>> > > is >>> > > > > in >>> > > > > > >>> there >>> > > > > > >>> >> >> > already. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > No worky. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > On Wed, Dec 2, >>> 2015 >>> > > at >>> > > > > > 10:12 >>> > > > > > >>> AM, >>> > > > > > >>> >> >> Jérôme >>> > > > > > >>> >> >> > > > > LELEU < >>> > > > > > >>> >> >> > > > > > > > > > >> > > lel...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > Hi, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > You need the >>> > > > j2e-pac4j >>> > > > > > >>> >> dependencies >>> > > > > > >>> >> >> > as >>> > > > > > >>> >> >> > > > well >>> > > > > > >>> >> >> > > > > > as >>> > > > > > >>> >> >> > > > > > > > the >>> > > > > > >>> >> >> > > > > > > > > > >> pac4j-* >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> dependencies, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > but you don't >>> > need >>> > > to >>> > > > > > >>> build them >>> > > > > > >>> >> >> > > locally >>> > > > > > >>> >> >> > > > > > > > > (hopefully). >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > But you need >>> a >>> > > > > dependency >>> > > > > > >>> on the >>> > > > > > >>> >> >> > > Sonatype >>> > > > > > >>> >> >> > > > > > > > snapshots >>> > > > > > >>> >> >> > > > > > > > > > >> > > repository >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> (where the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > snapshot >>> versions >>> > > are >>> > > > > > >>> hosted), >>> > > > > > >>> >> >> which >>> > > > > > >>> >> >> > is >>> > > > > > >>> >> >> > > > > added >>> > > > > > >>> >> >> > > > > > > for >>> > > > > > >>> >> >> > > > > > > > > > >> Maven in >>> > > > > > >>> >> >> > > > > > > > > > >> > > the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> root >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > pom.xml: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> https://github.com/apache/knox/pull/2/files#diff-600376dffeb79835ede4a0b285078036R123 >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > If you use >>> Ant >>> > for >>> > > > the >>> > > > > > >>> build, >>> > > > > > >>> >> there >>> > > > > > >>> >> >> > is >>> > > > > > >>> >> >> > > > > maybe >>> > > > > > >>> >> >> > > > > > a >>> > > > > > >>> >> >> > > > > > > > > glitch >>> > > > > > >>> >> >> > > > > > > > > > >> to >>> > > > > > >>> >> >> > > > > > > > > > >> > > find >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > Sonatype >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > Maven repo. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > Thanks. >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > Best regards, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > Jérôme >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > 2015-12-02 >>> 16:06 >>> > > > > > GMT+01:00 >>> > > > > > >>> larry >>> > > > > > >>> >> >> > mccay >>> > > > > > >>> >> >> > > < >>> > > > > > >>> >> >> > > > > > > > > > >> > > larry.mc...@gmail.com >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > Oh - do I >>> need >>> > to >>> > > > > build >>> > > > > > >>> >> j2e-pac4 >>> > > > > > >>> >> >> > > > locally >>> > > > > > >>> >> >> > > > > in >>> > > > > > >>> >> >> > > > > > > > order >>> > > > > > >>> >> >> > > > > > > > > > to >>> > > > > > >>> >> >> > > > > > > > > > >> > > resolve >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> the >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> dependencies? >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > [ERROR] >>> Failed >>> > to >>> > > > > > execute >>> > > > > > >>> >> goal on >>> > > > > > >>> >> >> > > > project >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > >>> > > > > > >>> gateway-provider-security-pac4j: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > Could not >>> > resolve >>> > > > > > >>> dependencies >>> > > > > > >>> >> >> for >>> > > > > > >>> >> >> > > > > project >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >>> > > > > >>> org.apache.knox:gateway-provider-security-pac4j:jar:0.7.0-SNAPSHOT: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> The >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > following >>> > > artifacts >>> > > > > > >>> could not >>> > > > > > >>> >> be >>> > > > > > >>> >> >> > > > > resolved: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > org.pac4j:j2e-pac4j:jar:1.2.1-SNAPSHOT, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > org.pac4j:pac4j-http:jar:1.8.1-SNAPSHOT, >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > org.pac4j:pac4j-config:jar:1.8.1-SNAPSHOT: >>> > > > > > >>> >> >> > > > > > > > Could >>> > > > > > >>> >> >> > > > > > > > > > not >>> > > > > > >>> >> >> > > > > > > > > > >> > find >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > artifact >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > org.pac4j:j2e-pac4j:jar:1.2.1-SNAPSHOT >>> > > > > > >>> >> >> > > > in >>> > > > > > >>> >> >> > > > > > > > public >>> > > > > > >>> >> >> > > > > > > > > ( >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> >>> > > > > > >>> http://nexus-private.hortonworks.com/nexus/content/groups/public/ >>> > > > > > >>> >> >> > > > > > > > > > >> > ) >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> -> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > [Help >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > 1] >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > On Wed, >>> Dec 2, >>> > > 2015 >>> > > > > at >>> > > > > > >>> 10:05 >>> > > > > > >>> >> AM, >>> > > > > > >>> >> >> > > larry >>> > > > > > >>> >> >> > > > > > mccay >>> > > > > > >>> >> >> > > > > > > < >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > larry.mc...@gmail.com> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > wrote: >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > >>> > > > > > >>> >> gateway-provider-security-pac4j >>> > > > > > >>> >> >> > > > doesn't >>> > > > > > >>> >> >> > > > > > > > build - >>> > > > > > >>> >> >> > > > > > > > > > do >>> > > > > > >>> >> >> > > > > > > > > > >> you >>> > > > > > >>> >> >> > > > > > > > > > >> > > > have >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> a >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> pending >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > change >>> for >>> > your >>> > > > > > >>> pom.xml or >>> > > > > > >>> >> >> > > something? >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >> >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > > >>> > > > > > >>> >> >> > > > > > > > > > >> > > >>> > > > > > >>> >> >> > > > > > > > > > >> > >>> > > > > > >>> >> >> > > > > > > > > > >> >>> > > > > > >>> >> >> > > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > > >>> > > > > > >>> >> >> > > > > > > > >>> > > > > > >>> >> >> > > > > > > >>> > > > > > >>> >> >> > > > > > >>> > > > > > >>> >> >> > > > > >>> > > > > > >>> >> >> > > > >>> > > > > > >>> >> >> > > >>> > > > > > >>> >> >> > >>> > > > > > >>> >> >> >>> > > > > > >>> >> >>> > > > > > >>> >>> > > > > > >> >>> > > > > > >> >>> > > > > > > >>> > > > > > >>> > > > > >>> > > > >>> > > >>> > >>> >> >> >