2015-10-15 3:03 GMT+02:00 Fjodor Versinin <fjo...@vershinin.net>:
> Hi!
> Actually, I would like to continue to work on this, but not in GSOC scope
> anymore, because that experience was too stressful for me.
> What about current JASPIC implementation, it is almost ready, so I think
> it would be better to keep already written code than rewriting it from
> scratch. What about security, I'm not sure, but this code has been accepted
> during the summer time, it has not been changed since then. Security must be
> on the same level, I hope so. However, some places of old auth valves
> should be rewritten in a more readable way.
>

I'll review the jaspic work as much as possible. Feel free to continue sending patches.
OTOH, starting with reviewing the basics (BASIC actually), I now understand
why Mark isn't very comfortable with the code: In BasicAuthModule, I have:

    try {
        PasswordValidationCallback passwordCallback = new PasswordValidationCallback(
                clientSubject, username, password);
        handler.handle(new Callback[] { passwordCallback });
        if (!passwordCallback.getResult()) {
>>>>>       sendUnauthorizedError(response, realmName);
        }
        handlePrincipalCallbacks(clientSubject, getPrincipal(passwordCallback));
        return AuthStatus.SUCCESS;
    } catch (Exception e) {
        throw new AuthException(e.getMessage());
    }

Ok, so that actually lets in everyone unless there's an exception :)
It should be "return sendUnauthorizedError" I think.

What's not clear to me at this point is if jaspic should replace the current
"classic" auth methods. For example, the supposed benefit of jaspic is that it
makes container auth not proprietary, but looking at the code that is there it
still sounds quite proprietary in practice and almost impossible to use from
webapps. So what's the point exactly?

Rémy
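The fall-through Rémy points out, shown side by side with the one-word fix. This is an added example, not Tomcat's BasicAuthModule and not code from anyone in the thread: it uses only the standard JASPIC (javax.security.auth.message) and Servlet APIs, and the names handler, realmName, sendUnauthorizedError, parseBasic and passwordAccepted are assumptions chosen to mirror the quoted snippet.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration, not Tomcat's module: handler, realmName, sendUnauthorizedError,
// parseBasic and passwordAccepted are assumed names mirroring the quoted snippet.
public class BasicAuthFlow {

    private final CallbackHandler handler;  // container-supplied, performs the password check
    private final String realmName;

    public BasicAuthFlow(CallbackHandler handler, String realmName) {
        this.handler = handler;
        this.realmName = realmName;
    }

    /** As posted: a failed check writes the 401 but execution continues to SUCCESS. */
    public AuthStatus validateAsPosted(MessageInfo mi, Subject clientSubject) throws AuthException {
        HttpServletResponse response = (HttpServletResponse) mi.getResponseMessage();
        String[] creds = parseBasic(((HttpServletRequest) mi.getRequestMessage()).getHeader("Authorization"));
        if (creds == null) {
            return sendUnauthorizedError(response, realmName);
        }
        try {
            if (!passwordAccepted(clientSubject, creds)) {
                sendUnauthorizedError(response, realmName); // BUG: returned status discarded, no return
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, creds[0]) });
            return AuthStatus.SUCCESS; // reached for a wrong password too: the request is let in
        } catch (Exception e) {
            throw new AuthException(e.getMessage());
        }
    }

    /** Fixed: SUCCESS is only reachable once the PasswordValidationCallback result is true. */
    public AuthStatus validateFixed(MessageInfo mi, Subject clientSubject) throws AuthException {
        HttpServletResponse response = (HttpServletResponse) mi.getResponseMessage();
        String[] creds = parseBasic(((HttpServletRequest) mi.getRequestMessage()).getHeader("Authorization"));
        if (creds == null) {
            return sendUnauthorizedError(response, realmName);
        }
        try {
            if (!passwordAccepted(clientSubject, creds)) {
                return sendUnauthorizedError(response, realmName); // the one-word fix
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, creds[0]) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw new AuthException(e.getMessage());
        }
    }

    /** Hands the credentials to the container's handler and reports its verdict. */
    private boolean passwordAccepted(Subject clientSubject, String[] creds) throws Exception {
        PasswordValidationCallback pvc =
                new PasswordValidationCallback(clientSubject, creds[0], creds[1].toCharArray());
        handler.handle(new Callback[] { pvc });
        return pvc.getResult();
    }

    /** Writes the BASIC challenge; SEND_FAILURE tells the container the request must not reach the webapp. */
    private static AuthStatus sendUnauthorizedError(HttpServletResponse response, String realm)
            throws AuthException {
        try {
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
            throw new AuthException(e.getMessage());
        }
        return AuthStatus.SEND_FAILURE;
    }

    /** Decodes "Basic base64(user:pass)"; null when the header is absent or malformed. */
    private static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
}
```

In the as-posted flow the container sees AuthStatus.SUCCESS for a wrong password, so it dispatches the request to the webapp with a caller principal for whatever username the client supplied, even though a 401 has already been written to the response. The fix is purely about returning the non-SUCCESS status from the failure branch; which status a challenge should use (SEND_FAILURE as above, or SEND_CONTINUE for a multi-step exchange) is a separate design choice.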