I have added geronimo-specs-security_1.0 to geronimo-specs and let geronimo-dev know about the issue. After receiving some response, I can commit the code.

On Fri, Jan 11, 2019 at 9:50 PM Gurkan Erdogdu <cgerdo...@gmail.com> wrote:

> Ok then I created subtask,
> https://issues.apache.org/jira/browse/TOMEE-2453 under the main issue,
> https://issues.apache.org/jira/browse/TOMEE-2365
> Can you please assign it to me?
>
> On Fri, Jan 11, 2019 at 12:58 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>
>> That’d be great.
>> I have commit permissions so if you need help or something. Lemme know.
>>
>> On Fri, 11 Jan 2019 at 07:12, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>>
>>> Hello Roberto
>>> We probably need to move javax.security.enterprise.* package to geronimo specs project (https://github.com/apache/geronimo-specs) and then adding dependency to our javaee-api. After that we also need to release geronimo-specs. If you want, I can work on to create a new project in geronimo-specs.
>>> Regards.
>>> Gurkan
>>>
>>> On Wed, Jan 9, 2019 at 8:32 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>
>>>> Hi,
>>>>
>>>> I’ve merged the current state of the code.
>>>>
>>>> In the meanwhile, I’ll write some documentation to help to understand the implementation.
>>>>
>>>> Cheers,
>>>> Roberto
>>>>
>>>> On 8 Jan 2019, at 15:19, Gurkan Erdogdu <cgerdo...@gmail.com> wrote:
>>>>
>>>>> Hello Roberto,
>>>>> Thank you for initiating this integration.
>>>>> Can you prepare a small documentation (and also send to here) which helps contributors to understand the internals about your current commit.
>>>>> Regards.
>>>>> Gurkan
>>>>>
>>>>> On Tue, Jan 8, 2019 at 6:14 PM Roberto Cortez <radcor...@yahoo.com.invalid> wrote:
>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> I think I’m now done with the FormAuthentication.
>>>>>>
>>>>>> There are still things left to implement. At the moment, the code is part of the project but is not part of the binary. I would like to merge the current PR:
>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>
>>>>>> I think this will give a chance for the community to contribute some of the missing pieces. I can make a list in JIRA.
>>>>>>
>>>>>> So, if there are no strong opinions about merging this, I will be doing this in the end of the day.
>>>>>>
>>>>>> Cheers,
>>>>>> Roberto
>>>>>>
>>>>>> On 30 Dec 2018, at 23:42, Roberto Cortez <radcor...@yahoo.com> wrote:
>>>>>>
>>>>>>> Thanks! I’ll have a look!
>>>>>>>
>>>>>>> On 28 Dec 2018, at 20:34, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Perhaps I didn’t recall correctly, or perhaps I implemented it for Jetty (at eclipse). The code I’ve found at
>>>>>>>> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/
>>>>>>>> includes a FormAuthenticator and a JaspiAuthenticator. I don’t recall any details of how I modified tomcat’s auth setup: I might have made one that was more adapted to JASPIC and the geronimo security framework than the plain tomcat one. If this code is of any use to you, great, otherwise, good luck!
>>>>>>>>
>>>>>>>> many thanks
>>>>>>>> David Jencks
>>>>>>>>
>>>>>>>> On Dec 28, 2018, at 1:47 AM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>
>>>>>>>>> Hi David,
>>>>>>>>>
>>>>>>>>> Actually, the EE 8 Security spec tells you to use a JASPIC bridge underneath the implementation, so your code might be a good fit. Can you point me out to the sources so I can have a look?
>>>>>>>>>
>>>>>>>>> Thank you!
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>> On 28 Dec 2018, at 03:40, David Jencks <david.a.jen...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> IIRC I wrote a JASPIC form authentication for the geronimo server long ago. Although the JASPIC deployment model was somewhat incomprehensibly bizarre, the conversation model was very nice. Depending on what the EE 8 api is (I haven’t looked) the JASPIC implementation might be a source for webserver-independent code for form authentication that could be easily adapted.
>>>>>>>>>>
>>>>>>>>>> David Jencks
>>>>>>>>>>
>>>>>>>>>> On Dec 27, 2018, at 3:53 PM, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>
>>>>>>>>>>> Update:
>>>>>>>>>>>
>>>>>>>>>>> I’ve started the implementation of the FormAuthenticationMechanism. It is not as easy as it sounds, since it requires some conversation chat across requests. I thought about wrapping all the logic and use the Tomcat FormAuthenticator, since it does exactly what we need. Unfortunately, it is too tied to the Tomcat code and it would require to instantiate a lot of Tomcat objects to be able to use it. I’m not sure if it would be worth it. I ended up following the spec suggestion to use a CDI interceptor and I’m copying / reusing some pieces of the FormAuthentication when possible.
>>>>>>>>>>>
>>>>>>>>>>> PR updated:
>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Roberto
>>>>>>>>>>>
>>>>>>>>>>> On 26 Dec 2018, at 22:11, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>
>>>>>>>>>>>> I’ve updated the PR with new changes:
>>>>>>>>>>>>
>>>>>>>>>>>> - I’ve implemented a CDI Extension to create AuthenticationMechanism beans and a CDI class to keep track of the mapping between the authentication mechanism and the servlet that should be checked. When a Servlet is executed the mapping is checked and if there is an associated AuthenticationMechanism, we validate the request with the associated type (Basic, Form, etc).
>>>>>>>>>>>>
>>>>>>>>>>>> - Implemented the BasicAuthenticationMechanism and all the plumbing required to be executed. This required an HttpMessageContext to pass information around, plus store some state to make decisions on things to do, including the CallbackHandler to pass in additional Callbacks to create the Principal and Groups
>>>>>>>>>>>>
>>>>>>>>>>>> - A default IdentityStore, using the Tomcat UserDatabase, that reads user data from tomcat-users.xml
>>>>>>>>>>>>
>>>>>>>>>>>> I’ll probably move to implement the missing AuthenticationMechanisms (FORM and Custom) next.
>>>>>>>>>>>>
>>>>>>>>>>>> Any feedback, always welcomed :)
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Roberto
>>>>>>>>>>>>
>>>>>>>>>>>> On 19 Dec 2018, at 10:00, Bruno Baptista <bruno...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> TomEE Security works for me.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Bruno Baptista
>>>>>>>>>>>>> https://twitter.com/brunobat_
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 19/12/18 00:20, Roberto Cortez wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Work is progressing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I’ve added a good chunk of the API (as needed) to allow me to proceed. I’ve tried to use the Jakarta Security API jar. Unfortunately, it is full of dependencies to the other Jakarta dependent projects, some not in central yet, so I couldn’t even build the project.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> At the moment, I’ve added the structure to register a JASPIC provider to serve as a bridge to the Security implementation code. With a CDI extension, we can register the required AuthenticationMechanisms and then look them up to delegate the authentication code.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I’ve also written a default IdentityStoreHandler to validate user credentials and retrieve user groups. This is just going through the container registered IdentityStores and using the spec rules to identify the credentials.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Right now, I’m just calling this TomEE Security. If someone has a more fancy idea for a name, feel free to suggest it :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 14 Dec 2018, at 23:44, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’ve now created a PR to push the work:
>>>>>>>>>>>>>>> https://github.com/apache/tomee/pull/277
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It is still in the early stages. I’ve just spent a good amount of time trying to understand the spec. The idea here is that with a ServerAuthModule we could verify each of the spec authentication mechanisms that will be implemented with a CDI Bean and use a CDI Extension to create the bean depending on the annotation you use.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>> Roberto
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 13 Dec 2018, at 16:06, Roberto Cortez <radcor...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi folks,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I’ve created https://jira.apache.org/jira/browse/TOMEE-2365 to implement the Java EE Security API that came up in EE 8. We are missing this spec implementation, and until we have it we cannot even say we are EE 8 compatible.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I plan to start working on this. If anyone wants to collaborate with me, let me know.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>> Roberto
>>
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
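
The thread mentions a default IdentityStoreHandler that walks the registered IdentityStores "using the spec rules". The following is an added example, not code from the TomEE pull request, showing those rules as the Java EE Security 1.0 specification defines them for the default handler; the class name `SketchIdentityStoreHandler` is hypothetical, and the `javax.security.enterprise` API jar is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

// Hypothetical class name; illustrates the spec's handler rules, not TomEE's implementation.
public class SketchIdentityStoreHandler implements IdentityStoreHandler {
    private final List<IdentityStore> stores;

    public SketchIdentityStoreHandler(List<IdentityStore> registered) {
        stores = new ArrayList<>(registered);
        stores.sort(Comparator.comparingInt(IdentityStore::priority)); // lower value is asked first
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        CredentialValidationResult valid = null;
        IdentityStore validatedBy = null;
        boolean sawInvalid = false;
        for (IdentityStore store : stores) {
            if (!store.validationTypes().contains(ValidationType.VALIDATE)) continue;
            CredentialValidationResult r = store.validate(credential);
            if (r.getStatus() == CredentialValidationResult.Status.VALID) {
                valid = r; validatedBy = store; break; // first VALID answer wins
            }
            sawInvalid |= r.getStatus() == CredentialValidationResult.Status.INVALID;
        }
        if (valid == null) { // fail closed: no store vouched for the caller
            return sawInvalid ? CredentialValidationResult.INVALID_RESULT
                              : CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        Set<String> groups = new HashSet<>();
        // Groups from the validating store count only if it declared PROVIDE_GROUPS.
        if (validatedBy.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) {
            groups.addAll(valid.getCallerGroups());
        }
        for (IdentityStore store : stores) { // group-only stores contribute additional groups
            Set<ValidationType> types = store.validationTypes();
            if (types.contains(ValidationType.PROVIDE_GROUPS) && !types.contains(ValidationType.VALIDATE)) {
                groups.addAll(store.getCallerGroups(valid));
            }
        }
        return new CredentialValidationResult(valid.getIdentityStoreId(), valid.getCallerPrincipal(),
                valid.getCallerDn(), valid.getCallerUniqueId(), groups);
    }
}
```

A store that declares only VALIDATE cannot grant groups even if its result carries some, so a misconfigured credential store does not silently widen a caller's roles.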