Jaspic (jsr 196) support in tomcat

2009-07-16 Thread David Jencks
While looking into some problems with the tomcat integration in  
geronimo around ejb web service security and the jacc integration I  
realized the simplest way to fix all the problems at once was to  
rewrite web security including jaspic support.


The new implementation is at

https://svn.apache.org/repos/asf/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/security

and it needs a couple ContextConfig classes in the parent directory to  
get installed and work.


The main idea here is to replace the Realm with a SecurityValve that
delegates authentication decisions to an authenticator and
authorization decisions to an authorizer.  The authenticator is
similar in concept to the jaspic ServerAuthContext but more adapted to
servlets.  The authorizer exposes the authorization decisions called
for by the jaspic spec servlet profile.


I have authenticators for the built-in auth methods and also a jaspic
adapter.
So far I have only a jacc authorizer but it should be easy to adapt  
the old code to write one that uses the tomcat constraint objects.


The part that doesn't fit very well is that the Realm concept is used  
to implement isUserInRole.  I wrote a Realm implementation that uses  
JACC for this.  If I were to consider a patch to tomcat for this I  
would eliminate the Realm concept and have a new interface for the  
isUserInRole decision.


I have not yet tried running the jaspic tck on this so don't know how  
many bugs there are in the jaspic adapter.  Regular security seems to  
work OK.  Most likely I will spend a little time on this in the next  
few days.


I developed most of the ideas for the web-adapted interface and  
adapter working on the jetty jaspic integration.  In particular jetty
wanted to be able to run without the jaspic api jar, and since this  
seemed like it might be desirable for tomcat as well, no jaspic  
classes are used outside the jaspic adapter.


I think it would be great if the tomcat community integrated some  
version of this code in perhaps tomcat 7 but I do not expect to be  
providing any patches to tomcat for this.  I'm happy to talk about the  
code, but I'm more likely to see discussion on the geronimo dev list.


thanks
david jencks


 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
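
A minimal sketch of the delegation described in the message above, added here as an illustration and not taken from the Geronimo or Tomcat code: the valve asks an authorizer whether authentication is mandatory, hands the request to an authenticator, then asks the authorizer for the resource decision. Every class, interface and method name, the order of the checks, the status codes, and the sample users and paths are assumptions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added sketch: every name below is hypothetical, not a Geronimo or Tomcat class.
public class SecurityValveSketch {
    record Request(String path, boolean secure, String credentials) {}
    record Identity(String user, Set<String> roles) {}

    // Servlet-shaped stand-in for a jaspic ServerAuthContext.
    interface Authenticator {
        Optional<Identity> validateRequest(Request req, boolean mandatory);
    }

    // The decisions the valve asks for, in the order it asks them.
    interface Authorizer {
        boolean transportAllowed(Request req);
        boolean openToUnauthenticated(Request req);
        boolean resourceAllowed(Request req, Identity caller);
    }

    // Returns the HTTP status the valve would produce; 200 means "pass to the servlet".
    static int invoke(Request req, Authenticator authn, Authorizer authz) {
        if (!authz.transportAllowed(req)) return 403; // a real container may redirect to https
        boolean mandatory = !authz.openToUnauthenticated(req);
        Optional<Identity> caller = authn.validateRequest(req, mandatory);
        if (caller.isEmpty()) return mandatory ? 401 : 200; // fail closed when auth is required
        return authz.resourceAllowed(req, caller.get()) ? 200 : 403;
    }

    public static void main(String[] args) {
        // Constructed users and constraints, for illustration only.
        Map<String, Identity> users = Map.of(
            "alice:secret", new Identity("alice", Set.of("admin")),
            "bob:hunter2", new Identity("bob", Set.of("user")));
        Authenticator authn = (req, mandatory) ->
            Optional.ofNullable(req.credentials()).map(users::get);
        Authorizer authz = new Authorizer() {
            boolean isAdmin(Request r) { return r.path().startsWith("/admin"); }
            public boolean transportAllowed(Request r) { return !isAdmin(r) || r.secure(); }
            public boolean openToUnauthenticated(Request r) { return !isAdmin(r); }
            public boolean resourceAllowed(Request r, Identity c) {
                return !isAdmin(r) || c.roles().contains("admin");
            }
        };
        System.out.println(invoke(new Request("/public", false, null), authn, authz));
        System.out.println(invoke(new Request("/admin", false, "alice:secret"), authn, authz));
        System.out.println(invoke(new Request("/admin", true, null), authn, authz));
        System.out.println(invoke(new Request("/admin", true, "bob:hunter2"), authn, authz));
        System.out.println(invoke(new Request("/admin", true, "alice:secret"), authn, authz));
    }
}
```

Because the valve only sees the two interfaces, a JACC-backed authorizer or a jaspic-backed authenticator can be swapped in without the valve referencing either API, which matches the message's point that no jaspic classes are used outside the adapter.
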



Re: Jaspic (jsr 196) support in tomcat

2009-07-16 Thread Mark Thomas
David Jencks wrote:
> I think it would be great if the tomcat community integrated some
> version of this code in perhaps tomcat 7 but I do not expect to be
> providing any patches to tomcat for this.  I'm happy to talk about the
> code, but I'm more likely to see discussion on the geronimo dev list.

JSR196 support is recommended for Servlet containers (at least that is
what the latest draft of the Servlet 3 spec I have says).

This is on the todo list for Tomcat 7 but not at the top. The mandatory
stuff has to come first.

Thanks for the heads up, I'm sure anyone working on JSR196 support for
Tomcat will take a look at what you have done.

Mark


