Tomcat Experts,

The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in support of the portable integration of new and/or custom authentication mechanisms in compatible Servlet containers.

The Profile is a required component of all Full Platform EE Web Containers, and we are receiving requests for the profile to become a required component of the EE web profile. To that end, we are contacting standalone and EE web profile Servlet containers to determine if there is interest in adopting the profile.

For those unfamiliar with JASPIC, the SPI is a general purpose facility that applies the concepts of pluggable authentication as defined by PAM and JAAS to the realm of message authentication. The Servlet profile applies the SPI to the realm of HttpServletRequest message authentication in the context of servlet security constraint processing. The SPI was defined to support complex challenge response authentication protocols, and has been shown to be an effective means to integrate portable implementations of new internet authentication mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible Servlet containers.

Does the Tomcat community support the inclusion of the Servlet profile of JSR 196 in the EE web Profile?

thanks,

Ron Monzillo

------
More details:

The requirements of the profile are spelled out in chapter 3 of the JASPIC specification:

http://download.oracle.com/otndocs/jcp/jaspic-1.0-mrel-eval-oth-JSpec/

and use of the SPI is described in high level terms in the javadoc, which can be accessed at:

http://docs.oracle.com/javaee/6/api/javax/security/auth/message/config/package-frame.html

Support for the profile by a servlet container mostly amounts to making a few calls to the SPI in the context of the processing of servlet requests. The pattern is basically as follows:

// types used below come from the JSR 196 API
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;

// determine if a pluggable auth module is configured for the current application
// (for the Servlet profile, appID is the host name, a blank, and the context path;
//  listener is a RegistrationListener and may be null)
AuthConfigProvider provider = AuthConfigFactory.getFactory().getConfigProvider("HttpServlet", appID, listener);

if (provider != null) {
    // if yes, get the server side configuration provider that applies to the application
    // (cbh is the container's CallbackHandler, through which modules set the caller principal and groups)
    ServerAuthConfig config = provider.getServerAuthConfig("HttpServlet", appID, cbh);

    // for each request to the application:
    // get the configuration of authentication modules that applies to the request
    // (messageInfo is the container's MessageInfo implementation wrapping this request/response pair)
    messageInfo.setRequestMessage(httpServletRequest);
    messageInfo.setResponseMessage(httpServletResponse);
    String authContextID = config.getAuthContextID(messageInfo);
    ServerAuthContext context = config.getAuthContext(authContextID, serviceSubject, properties);

    // invoke validateRequest on the module configuration; which will invoke the configured auth modules
    // (clientSubject is a new, empty Subject for this request; validateRequest may throw AuthException)
    AuthStatus status = context.validateRequest(messageInfo, clientSubject, serviceSubject);

    if (status == AuthStatus.SUCCESS) {
        // use the proprietary interfaces of the container to set the userPrincipal on the request
        // proceed to authorize and invoke the servlet request as appropriate
    } else {
        // extract the response from messageInfo and return (it may be a challenge or an error message,
        // and will have been established by the auth module)
    }
} else {
    // do what the container would do in the absence of JSR 196
}

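As an added example, not part of the original message or of Tomcat, here is the module side of the pattern above: a ServerAuthModule that the container's validateRequest call dispatches to, which checks HTTP Basic credentials, challenges on protected resources (the isMandatory key in the MessageInfo map), and lets unprotected resources through with no caller identity. The CredentialStore interface, the class name and the realm string are assumptions; the password check itself is delegated to the store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class BasicAuthModule implements ServerAuthModule {
    // Hypothetical deployer-supplied credential check: returns the caller's groups, or null if the password is wrong.
    public interface CredentialStore { String[] groupsFor(String user, char[] password); }
    private final CredentialStore store;
    private CallbackHandler handler;
    public BasicAuthModule(CredentialStore store) { this.store = store; }
    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { this.handler = h; } // container's handler binds principals to the client Subject
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        // the Servlet profile marks requests to protected resources via this key in the MessageInfo map
        boolean mandatory = Boolean.parseBoolean(String.valueOf(mi.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        String hdr = req.getHeader("Authorization");
        if (hdr != null && hdr.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] cred = new String[0]; // stays empty if the base64 is malformed, i.e. treated as no credentials
            try { cred = new String(Base64.getDecoder().decode(hdr.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2); } catch (IllegalArgumentException ignored) { }
            String[] groups = cred.length == 2 ? store.groupsFor(cred[0], cred[1].toCharArray()) : null;
            if (groups != null) { // tell the container who the caller is; it derives request.getUserPrincipal() from this
                handle(new CallerPrincipalCallback(client, cred[0]), new GroupPrincipalCallback(client, groups));
                return AuthStatus.SUCCESS;
            }
        }
        if (!mandatory) { // unprotected resource: let it through with no caller identity
            handle(new CallerPrincipalCallback(client, (String) null));
            return AuthStatus.SUCCESS;
        }
        resp.setHeader("WWW-Authenticate", "Basic realm=\"jaspic-example\""); // realm name is assumed
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE; // challenge established in the response; the container returns it without invoking the servlet
    }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }
    private void handle(Callback... cbs) throws AuthException { // SPI callbacks are the only portable way to set caller/groups
        try { handler.handle(cbs); }
        catch (IOException | UnsupportedCallbackException e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
    }
}
```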