On 10/06/2015 13:34, Fjodor Vershinin wrote:
> Hi, guys!

"guys" can be taken as referring to men only. Something like the gender neutral "all" would be more inclusive.

> This week's goal is to replace the current valve based authentication with
> a JASPIC based mechanism. It is what I am currently working on.

Could you expand on what exactly you are aiming for this week? The sentence above sounds more like the aim for the entire project.

> From my research Geronimo's implementation is also based on Tomcat's
> valves, and it's pretty straightforward how to integrate SecurityValve into
> Tomcat's codebase. However, I am not sure, is that the correct way? Do you
> have better ideas?

It is hard to be definite without knowing what the integration points are. Can you expand on this? A Valve is certainly a likely candidate since the current Authenticator implementations are all Valves. It really depends on whether access is required to Tomcat's internals. If you need access to the internals, a Valve is probably the way to go. If the Servlet API is sufficient then a Filter may be an option. Depending on exactly what the integration points are there may be other options.

> And what about code backward compatibility for Geronimo,
> should code be ported back, or can a new Geronimo release use our
> implementation?

Re-use by downstream consumers of Tomcat like TomEE and Geronimo is certainly a goal. The TomEE folks tend to provide feedback when we do something that makes their life difficult so I'd expect them to speak up if they spot a problem. Anything that works for TomEE should work for Geronimo.

I wouldn't worry about backwards compatibility for Geronimo. That would probably be difficult to achieve. Keep in mind that Geronimo may wish to re-use the code (or just some of the patches) but if you need to change something you should feel free to do so.

> We are implementing JASPIC 1.1, and there will be quite a
> lot of changes anyway. Also, Geronimo uses the OSGi framework in their code,
> which must be dropped, because Tomcat is not OSGi based.

Without knowing how much OSGi code there is in the Geronimo implementation, if there is scope for appropriate use of factories, service loaders etc. to make it relatively easy to insert the necessary OSGi changes for those downstream users that will want to then we should try to do so.

> What about JASPIC configuration, I am curious, where we want to hold
> configuration files. Different vendors use special xml files, for example
> geronimo-web.xml, for configuring realms and other security stuff. Do we
> need something like tomcat-web.xml?

Is the configuration always going to be per web application (in which case context.xml is a likely candidate) or can it be per Host or per Engine (which suggests server.xml)? Are there any 'standard' configuration files defined by JASPIC?

> And what about JACC support? Geronimo uses JACC for authorization config,
> what about Tomcat?

Tomcat currently uses Realms. It was not intended to implement JACC as part of the GSoC project. If the project goes well and the JASPIC work is completed early, taking a look at JACC would be a useful thing to do.

Mark

>
> Thanks,
> Fjodor
>
> 2015-05-04 16:49 GMT+03:00 Arjan Tijms <arjan.ti...@gmail.com>:
>
>> Hi,
>>
>> Great news!
>>
>> Do you have any definite start date for the actual coding already?
>>
>> A short while ago I did a very small and simple implementation of the
>> Servlet BASIC auth mechanism using JASPIC, which is one of the 4 mechanisms
>> required by Servlet.
>>
>> See:
>>
>> https://github.com/omnifaces/omnisecurity/blob/master/src/main/java/org/omnifaces/security/jaspic/authmodules/BasicAuthModule.java
>>
>> Calling out to the "identity store" is however not standardised yet (the
>> example code simply uses CDI) and has to be done in a Tomcat specific way.
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>> On Monday, May 4, 2015, Fjodor Vershinin [via Tomcat] <
>> ml-node+s10n503407...@n6.nabble.com> wrote:
>>
>>> Good news, everyone!
>>> I am happy to announce that our project has been accepted to participate
>>> in GSoC. Now it's the community bonding period, so I need to introduce
>>> myself to other developers.
>>> Some brief information about me: My name is Fjodor Vershinin, I am a 2nd
>>> grade computer science student from Estonia. One of my hobbies is writing
>>> OSS software, mainly in Java and Python. I hope to finish the JASPIC
>>> implementation during this summer and make Tomcat better ;)
>>> Fjodor.
>>>
>>>
>>> 2015-03-04 11:09 GMT+02:00 Fjodor Vershinin <[hidden email]>:
>>>
>>>> Hello!
>>>> It looks like ASF has been selected for GSoC 2015 and I am interested in
>>>> pushing this project forward. So, in the meantime I'll start writing the
>>>> proposal and hope this project will be selected to participate in the
>>>> GSoC program.
>>>> Best regards,
>>>> Fjodor.
>>>>
>>>> 2015-02-10 22:44 GMT+02:00 Arjan Tijms <[hidden email]>:
>>>>
>>>>> Hi,
>>>>>
>>>>> On Tue, Feb 10, 2015 at 8:34 PM, Mark Thomas-2 [via Tomcat]
>>>>> <[hidden email]> wrote:
>>>>>> If you do look at JBoss keep in mind it is GPL licensed and we need to
>>>>>> be very careful that we don't end up with GPL'd code in Tomcat.
>>>>>
>>>>> That's absolutely true. The code there should not be copied in any
>>>>> way. It's only useful as an example of how a Tomcat Valve can
>>>>> integrate with something like JASPIC. As for the JASPIC code there, it
>>>>> wouldn't make sense to copy it anyway, since A) it's JBoss specific
>>>>> (builds up JBoss principal, calls JBoss security service, etc) and B)
>>>>> there are various issues with it (it looks like JBoss pretty much
>>>>> rewrote everything from scratch for Undertow, which is completely
>>>>> different).
>>>>>
>>>>>> Personally, I'd look much more closely at Geronimo.
>>>>>
>>>>> You're right, and since that one is Apache licensed one can even copy
>>>>> from it if needed.
>>>>>
>>>>>> Keep in mind that part of the goal is to replace the existing
>>>>>> authenticators with JASPIC modules. (As suggested on the Servlet EG
>>>>>> list.)
>>>>>
>>>>> It's good to have that as part of the goal indeed. Such auth modules
>>>>> could even be implemented by a separate (group) of students if needed,
>>>>> as they would not necessarily depend on the JASPIC implementation for
>>>>> Tomcat. As long as that one is not finished they could test it on any
>>>>> existing JASPIC implementation (e.g. the RI, GlassFish).
>>>>>
>>>>>> I think we all know that feeling - hence why I suggested it for GSoC.
>>>>>
>>>>> Yeah, I get that, thanks! It's still something that I'd really love to
>>>>> do, but with the work for the startup zeef.com, open source projects
>>>>> OmniFaces and OmniSecurity, the work for the JSF EG and perhaps soon
>>>>> for the security EG, there is not always much time left. I had this on
>>>>> my sketchy todo list for ~end of this month, but I'll see what happens
>>>>> with the GSoC project now ;)
>>>>>
>>>>> Kind regards,
>>>>> Arjan
>>>>>
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: [hidden email]
>>>>>> For additional commands, e-mail: [hidden email]
>>>>>>
>>>>>> ________________________________
>>>>>> If you reply to this email, your message will be added to the
>>>>>> discussion below:
>>>>>> http://tomcat.10.x6.nabble.com/Consider-support-for-the-Servlet-profile-of-JSR-196-JASPIC-in-Tomcat-7-0-x-tp4993387p5029643.html
>>>>>> To unsubscribe from Consider support for the Servlet profile of JSR 196
>>>>>> (JASPIC) in Tomcat 7.0.x, click here.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org