Hi David,

Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me to the sources so I can have a look?
Thank you!

Cheers,
Roberto

> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>
> IIRC I wrote a JASPIC form authentication for the geronimo server long ago.
> Although the JASPIC deployment model was somewhat incomprehensibly bizarre,
> the conversation model was very nice. Depending on what the EE 8 api is (I
> haven’t looked) the JASPIC implementation might be a source for
> webserver-independent code for form authentication that could be easily
> adapted.
>
> David Jencks
>
>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID>
>> wrote:
>>
>> Update:
>>
>> I’ve started the implementation of the FormAuthenticationMechanism. It is not
>> as easy as it sounds, since it requires some conversation chat across
>> requests. I thought about wrapping all the logic and use the Tomcat
>> FormAuthenticator, since it does exactly what we need. Unfortunately, it is
>> too tied to the Tomcat code and it would require to instantiate a lot of
>> Tomcat objects to be able to use it. I’m not sure if it would be worth it. I
>> ended up following the spec suggestion to use a CDI interceptor and I’m
>> copying / reusing some pieces of the FormAuthentication when possible.
>>
>> PR updated:
>> https://github.com/apache/tomee/pull/277
>> <https://github.com/apache/tomee/pull/277>
>>
>> Cheers,
>> Roberto
>>
>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>> wrote:
>>>
>>> Hi folks,
>>>
>>> I’ve updated the PR with new changes:
>>>
>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans
>>> and a CDI class to keep track of the mapping between the authentication
>>> mechanism and the servlet that should be checked. When a Servlet is
>>> executed the mapping is checked and if there is an associated
>>> AuthenticationMechanism, we validate the request with the associated type
>>> (Basic, Form, etc).
>>>
>>> - Implemented the BasicAuthenticationMechanism and all the plumbing
>>> required to be executed. This required an HttpMessageContext to pass
>>> information around, plus store some state to make decisions on things to
>>> do, including the CallbackHandler to pass in additional Callbacks to create
>>> the Principal and Groups
>>>
>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user
>>> data from tomcat-users.xml
>>>
>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM
>>> and Custom) next.
>>>
>>> Any feedback, always welcomed :)
>>>
>>> Cheers,
>>> Roberto
>>>
>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>
>>>> TomEE Security works for me.
>>>>
>>>> Bruno Baptista
>>>> https://twitter.com/brunobat_
>>>>
>>>>
>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>> Hi folks,
>>>>>
>>>>> Work is progressing.
>>>>>
>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed.
>>>>> I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full
>>>>> of dependencies to the other Jakarta dependent projects, some not in
>>>>> central yet, so I couldn’t even build the project.
>>>>>
>>>>> At the moment, I’ve added the structure to register a JASPIC provider to
>>>>> serve as a bridge to the Security implementation code. With a CDI
>>>>> extension, we can register the required AuthenticationMechanisms and then
>>>>> look them up to delegate the authentication code.
>>>>>
>>>>> I’ve also written a default IdentityStoreHandler to validate user
>>>>> credentials and retrieve user groups. This is just going through the
>>>>> container registered IdentityStores and using the spec rules to identify
>>>>> the credentials.
>>>>>
>>>>> Right now, I’m just calling this TomEE Security.
>>>>> If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>
>>>>> Cheers,
>>>>> Roberto
>>>>>
>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>>>>> wrote:
>>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> I’ve now created a PR to push the work:
>>>>>> https://github.com/apache/tomee/pull/277
>>>>>> <https://github.com/apache/tomee/pull/277>
>>>>>>
>>>>>> It is still in the early stages. I’ve just spent a good amount of time
>>>>>> trying to understand the spec. The idea here is that with a
>>>>>> ServerAuthModule we could verify each of the spec authentication
>>>>>> mechanisms that will be implemented with a CDI Bean and use a CDI
>>>>>> Extension to create the bean depending on the annotation you use.
>>>>>>
>>>>>> Cheers,
>>>>>> Roberto
>>>>>>
>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365
>>>>>>> <https://jira.apache.org/jira/browse/TOMEE-2365> to implement the Java
>>>>>>> EE Security API that came up in EE 8. We are missing this spec
>>>>>>> implementation, and until we have it we cannot even say we are EE 8
>>>>>>> compatible.
>>>>>>>
>>>>>>> I plan to start working on this. If anyone wants to collaborate with
>>>>>>> me, let me know.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Roberto