Hi,

On Wed, Jun 10, 2015 at 2:31 PM, Fjodor Vershinin [via Tomcat] <
ml-node+s10n5035882...@n6.nabble.com> wrote:

> Hi, guys!
> This week's goal is to replace the current valve-based authentication with a
> JASPIC-based mechanism. It is what I am currently working on.
>

Nice ;)



> From my research, Geronimo's implementation is also based on Tomcat's
> valves, and it's pretty straightforward how to integrate SecurityValve into
> Tomcat's codebase. However, I am not sure whether that is the correct way.


I'm pretty sure this should be the way forward, or at the very least the
place where to start.


> Do you have
> better ideas? And what about code backward compatibility for Geronimo:
> should the code be ported back, or can a new Geronimo release use our
> implementation?


I can't speak for the Apache organization of course, but as an external
observer I wouldn't hold my breath for a new Geronimo release.

See David Blevins comments here:
http://arjan-tijms.omnifaces.org/2014/05/implementation-components-used-by.html


> We are implementing JASPIC 1.1, and there will be quite a
> lot changes anyway.


JASPIC 1.1 itself was not a huge change over JASPIC 1.0, but it did put
some extra requirements in place like the ability to forward and include
resources using the HttpServletRequest and HttpServletResponse that's made
available to a SAM.

If a Tomcat valve can already do forwards/includes correctly, then this is
trivial to support (no extra code needed). However, IFF Tomcat would not
support those, then some extra coding inside Tomcat's internals *may* be
needed (but Mark would know more about how to forward then).


> Also, Geronimo uses the OSGi framework in their code, which
> must be dropped, because Tomcat is not OSGi based.
> What about JASPIC configuration? I am curious where we want to hold the
> configuration files. Different vendors use special XML files, for example
> geronimo-web.xml, for configuring realms and other security stuff. Do we
> need something like tomcat-web.xml?


Not necessarily. JASPIC is first and foremost configured using a
programmatic API from within the application. See
http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

When an application performs this programmatic configuration (typically
from a @WebListener/ServletContextListener), it overrides whatever
auth-method is configured in web.xml, e.g. FORM, BASIC, etc. It's more or
less a best practice not to put any auth-method in web.xml if the
application configures JASPIC.

When a JASPIC authentication module is configured programmatically via the
standard JASPIC API, there is not really a mechanism available to delegate
user/role retrieval to an identity store (Tomcat calls this realm). The
JASPIC module is in full control then and ought to handle this itself using
whatever internal mechanism it sees fit.

Optionally (but highly recommended!) a JASPIC authentication module can be
registered at the container level using a vendor specific mechanism. If I'm
not mistaken Mark made some remarks about this earlier. Tomcat already has
some dedicated configuration files for this.

My take is that for step 1 it's best to focus on the programmatic
installation of an authentication module (and wrapper artifacts) first, and
make sure the most simple authentication case works (which means just
passing the username/roles to the container and doing nothing else).

Then look at the container side registration later.


> And what about JACC support? Geronimo uses JACC for authorization config,
> what about Tomcat?
>

JACC is an entirely different specification. It standardizes some of the
authorization decisions a container makes. It works in tandem with JASPIC,
but is not required by it. I don't think it's needed to look at JACC for
this project.

Kind regards,
Arjan Tijms
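The "step 1" sketched above (a programmatically installed module that only passes the user name and roles to the container) looks roughly like the following. This is an added example written for this page; it is not code from the thread, from Tomcat, Geronimo or OmniSecurity. The class name, realm name and the in-memory user table are assumptions; the JASPIC 1.1 API calls (ServerAuthModule, CallerPrincipalCallback, GroupPrincipalCallback, the isMandatory MessageInfo property) are the standard ones.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical SAM (added example, not Tomcat/Geronimo/OmniSecurity code): HTTP BASIC via JASPIC 1.1.
public class ExampleBasicAuthModule implements ServerAuthModule {
    // Servlet Container Profile: the container sets this MessageInfo property for protected resources.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private final String realmName;
    private final Map<String, String[]> users = new HashMap<>(); // user -> {password, roles...}
    private CallbackHandler handler;

    public ExampleBasicAuthModule(String realmName) {
        this.realmName = realmName;
        // Constructed sample identity store. A real module would consult a container-specific
        // store (a Tomcat Realm) and compare password hashes, not plaintext.
        users.put("alice", new String[] { "s3cret", "user", "admin" });
        users.put("bob", new String[] { "hunter2", "user" });
    }

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied; the only sanctioned way to establish the caller
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        try {
            String[] credentials = decodeBasic(request.getHeader("Authorization"));
            if (credentials != null) {
                String[] roles = authenticate(credentials[0], credentials[1]);
                if (roles != null) {
                    // The simplest case from the thread: hand caller name and roles to the container.
                    handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, credentials[0]),
                        new GroupPrincipalCallback(clientSubject, roles) });
                    return AuthStatus.SUCCESS;
                }
                // Wrong credentials fall through to a 401, even for unprotected resources.
            } else if (!mandatory) {
                // Unprotected resource, no credentials: JASPIC 1.1 expects an explicit "no caller".
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE; // response is complete; the resource must not be invoked
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("BASIC authentication failed");
            ae.initCause(e);
            throw ae;
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the outgoing response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear(); // invoked by the container on logout
    }

    /** Parses "Basic base64(user:password)"; returns {user, password}, or null if absent or malformed. */
    static String[] decodeBasic(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        int colon = decoded.indexOf(':');
        return colon < 1 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Returns the user's roles on success, null otherwise; constant-time compare avoids a timing leak. */
    String[] authenticate(String user, String password) {
        String[] entry = users.get(user);
        if (entry == null || !MessageDigest.isEqual(entry[0].getBytes(StandardCharsets.UTF_8),
                                                    password.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return Arrays.copyOfRange(entry, 1, entry.length);
    }
}
```

To install it programmatically, a ServletContextListener calls `AuthConfigFactory.getFactory().registerConfigProvider(provider, "HttpServlet", appContextId, description)`, where `provider` is the AuthConfigProvider/ServerAuthConfig/ServerAuthContext wrapper around this module (the "wrapper artifacts" mentioned above; see the linked article for that boilerplate) and `appContextId` is the profile's "<virtual host> <context path>" string. Note the two security-relevant choices in the module: roles reach the container only through the container's own CallbackHandler, and a supplied-but-wrong credential is always answered with a 401 rather than silently treated as anonymous.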





>
> Thanks,
> Fjodor
>
> 2015-05-04 16:49 GMT+03:00 Arjan Tijms <[hidden email]>:
>
> > Hi,
> >
> > Great news!
> >
> > Do you have any definite start date for the actual coding already?
> >
> > A short while ago I did a very small and simple implementation of the
> > Servlet BASIC auth mechanism using JASPIC, which is one of the 4 mechanisms
> > required by Servlet.
> >
> > See:
> >
> > https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/authmodules/BasicAuthModule.java
> >
> > Calling out to the "identity store" is however not standardised yet (the
> > example code simply uses CDI) and has to be done in a Tomcat-specific way.
> >
> > Kind regards,
> > Arjan Tijms
> >
> >
> > On Monday, May 4, 2015, Fjodor Vershinin [via Tomcat] <[hidden email]> wrote:
> >
> > > Good news, everyone!
> > > I am happy to announce that our project has been accepted to participate
> > > in GSoC. Now it's the community bonding period, so I need to introduce
> > > myself to other developers.
> > > Some brief information about me: My name is Fjodor Vershinin, I am a
> > > second-year computer science student from Estonia. One of my hobbies is
> > > writing OSS software, mainly in Java and Python. I hope to finish the JASPIC
> > > implementation during this summer and make Tomcat better ;)
> > > Fjodor.
> > >
> > >
> > > 2015-03-04 11:09 GMT+02:00 Fjodor Vershinin <[hidden email]>:
> > >
> > > > Hello!
> > > > It looks like ASF has been selected for GSoC 2015 and I am interested in
> > > > pushing this project forward. So, in the meantime I'll start writing a
> > > > proposal and hope this project will be selected to participate in the
> > > > GSoC program.
> > > > Best regards,
> > > > Fjodor.
> > > >
> > > > 2015-02-10 22:44 GMT+02:00 Arjan Tijms <[hidden email]>:
> > > >
> > > >> Hi,
> > > >>
> > > >> On Tue, Feb 10, 2015 at 8:34 PM, Mark Thomas-2 [via Tomcat] <[hidden email]> wrote:
> > > >> > If you do look at JBoss keep in mind it is GPL licensed and we need to
> > > >> > be very careful that we don't end up with GPL'd code in Tomcat.
> > > >>
> > > >> That's absolutely true. The code there shouldn't be copied in any
> > > >> way. It's only useful as an example of how a Tomcat Valve can
> > > >> integrate with something like JASPIC. As for the JASPIC code there, it
> > > >> wouldn't make sense to copy it anyway, since A) it's JBoss specific
> > > >> (builds up JBoss principal, calls JBoss security service, etc) and B)
> > > >> there are various issues with it (it looks like JBoss pretty much
> > > >> rewrote everything from scratch for Undertow, which is completely
> > > >> different).
> > > >>
> > > >> > Personally, I'd look much more closely at Geronimo.
> > > >>
> > > >> You're right, and since that one is Apache licensed one can even copy
> > > >> from it if needed.
> > > >>
> > > >> > Keep in mind that part of the goal is to replace the existing
> > > >> > authenticators with JASPIC modules. (As suggested on the Servlet EG
> > > >> > list.)
> > > >>
> > > >> It's good to have that as part of the goal indeed. Such auth modules
> > > >> could even be implemented by a separate (group of) students if needed,
> > > >> as they would not necessarily depend on the JASPIC implementation for
> > > >> Tomcat. As long as that one is not finished they could test it on any
> > > >> existing JASPIC implementation (e.g. the RI, GlassFish).
> > > >>
> > > >> > I think we all know that feeling - hence why I suggested it for GSoC.
> > > >>
> > > >> Yeah, I get that, thanks! It's still something that I'd really love to
> > > >> do, but with the work for the startup zeef.com, open source projects
> > > >> OmniFaces and OmniSecurity, the work for the JSF EG and perhaps soon
> > > >> for the security EG, there is not always much time left. I had this on
> > > >> my sketchy todo list for ~end of this month, but I'll see what happens
> > > >> with the GSoC project now ;)
> > > >>
> > > >> Kind regards,
> > > >> Arjan
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> >
> > > >> > Mark
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> View this message in context:
> > > >> http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5029664.html
> > > >> Sent from the Tomcat - Dev mailing list archive at Nabble.com.
> > > >>
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> > --
> > View this message in context:
> > http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5034079.html
> > Sent from the Tomcat - Dev mailing list archive at Nabble.com.
> >
>
>
>
> --
> Thanks,
> Fjodor
>
>




--
View this message in context: 
http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5035885.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.
