Hi!
Actually, I would like to continue to work on this, but not in GSoC scope 
anymore, because that experience was too stressful for me.
As for the current JASPIC implementation, it is almost ready, so I think it 
would be better to keep the already written code than to rewrite it from scratch. 
As for security, I'm not sure, but this code was accepted during the 
summer and it has not been changed since then. Security must be on the same 
level, I hope so. However, some places in the old auth valves should be rewritten 
in a more readable way.

Fjodor

---- Mark Thomas wrote ----

>On 14/10/2015 13:00, Arjan Tijms wrote:
>> Hi there,
>> 
>> Haven't seen updates for some time here. Wonder what the current
>> status is and what exactly happened in the last months. Last commits
>> in the Tomcat repo are from 3 months ago.
>
>The GSoC student took the money and ran at the mid-term evaluation. I
>should have gone with my first instinct which was to fail them at the
>mid-term due to lack of effort.
>
>Getting back to this is on my TODO list for Tomcat 9. I plan to remove
>the GSoC work and start again from scratch. While that might seem
>excessive I simply do not trust the refactoring that Fjodor completed is
>secure. It will be quicker to re-do the work myself than it will be to
>check the refactoring line by line.
>
>Mark
>
>
>> 
>> Kind regards,
>> Arjan Tijms
>> 
>> 
>> 
>> On Thu, Jun 11, 2015 at 10:39 AM, markt [via Tomcat]
>> <ml-node+s10n5035913...@n6.nabble.com> wrote:
>>> On 10/06/2015 16:43, Arjan Tijms wrote:
>>>
>>>> Hi,
>>>>
>>>> On Wed, Jun 10, 2015 at 3:28 PM, markt [via Tomcat] <
>>>> [hidden email]> wrote:
>>>>
>>>>> I don't really understand what the requirement is here. Can you expand /
>>>>> point me to the part of the spec?
>>>>>
>>>>
>>>> It's simply that from within a SAM you can forward/include to a Servlet
>>>> using a dispatcher, such that the output of that Servlet is inserted in
>>>> the
>>>> response.
>>>
>>> Thanks for the clarification. You can do that easily from a Valve in a
>>> couple of lines of code. No need for extra internal plumbing that I can see.
>>>
>>> Mark
>>>
>>>>
>>>> It's in section 3.8.3.4 of the JASPIC spec:
>>>>
>>>>
>>>> "3.8.3.4
>>>> Forwards and Includes by Server Authentication Modules
>>>>
>>>> The message processing runtime must support the acquisition and use of
>>>> RequestDispatcher objects by authentication modules within their
>>>> processing
>>>> of validateRequest.
>>>>
>>>> Under the constraints defined by RequestDispatcher, authentication modules
>>>> must be able to forward and include using the request and response objects
>>>> passed in MessageInfo. In particular, an authentication module must be
>>>> able
>>>> to acquire a RequestDispatcher from the request obtained from MessageInfo,
>>>> and uses it to forward the request (and response) to a login form.
>>>> Authentication modules should catch and rethrow as an AuthException any
>>>> exception thrown by these methods."
>>>>
>>>>
>>>> A test/example showing this in practice is the following:
>>>>
>>>>
>>>> https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/dispatching
>>>>
>>>> Specifically, this code shows both an include and a forward done by a SAM:
>>>>
>>>>     // validateRequest of the SAM; 'handler' is the CallbackHandler received in
>>>>     // initialize(), SUCCESS and SEND_CONTINUE are static imports of AuthStatus.
>>>>     public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
>>>>             Subject serviceSubject) throws AuthException {
>>>>         try {
>>>>             HttpServletRequest request =
>>>>                     (HttpServletRequest) messageInfo.getRequestMessage();
>>>>             HttpServletResponse response =
>>>>                     (HttpServletResponse) messageInfo.getResponseMessage();
>>>>
>>>>             if ("include".equals(request.getParameter("dispatch"))) {
>>>>                 request.getRequestDispatcher("/includedServlet")
>>>>                        .include(request, response);
>>>>
>>>>                 // "Do nothing", required protocol when returning SUCCESS
>>>>                 handler.handle(new Callback[] {
>>>>                         new CallerPrincipalCallback(clientSubject, (Principal) null) });
>>>>
>>>>                 // When using includes, the response stays open and the main
>>>>                 // resource can also write to the response
>>>>                 return SUCCESS;
>>>>
>>>>             } else {
>>>>                 request.getRequestDispatcher("/forwardedServlet")
>>>>                        .forward(request, response);
>>>>
>>>>                 // MUST NOT invoke the resource, so CAN NOT return SUCCESS here.
>>>>                 return SEND_CONTINUE;
>>>>             }
>>>>
>>>>         } catch (IOException | ServletException | UnsupportedCallbackException e) {
>>>>             throw (AuthException) new AuthException().initCause(e);
>>>>         }
>>>>     }
>>>>
>>>>
>>>> Sounds good. Thanks for the tip.
>>>>>
>>>>
>>>> You're welcome ;)
>>>>
>>>> Kind regards,
>>>> Arjan Tijms
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> mark
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> View this message in context:
>>>> http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5035891.html
>>>> Sent from the Tomcat - Dev mailing list archive at Nabble.com.
>>>>
>>>
>>>
>> 
>> 
>> 
>> 
>> 
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: dev-h...@tomcat.apache.org
>
