users@glassfish.java.net

Re: Questions about custom ServerAuthModule on httpServlet layer (JSR196)

From: <glassfish_at_javadesktop.org>
Date: Wed, 28 May 2008 07:35:52 PDT

> Hi Ron,
>
> > as I mentioned above, you could also follow the
> > path of developing a custom AuthConfigProvider and
> > registering it for your app, during the loading of
> > your app. That would be a bit more work (of
> > course).
>
> I'm taking the AuthConfigProvider path and I have
> some questions more :)
>
> Am I right in saying the following:
> - I have to register my AuthConfigProvider in a
> ServletContextListener during app deployment with a
> statement like this one : new
> MyAuthConfigProvider(new HashMap(),
> AuthConfigFactory.getFactory());

I hadn't thought of doing the registration in the SCL, but that sounds like it could be a good point to do the registration. In order to do the self-registration, you will need the context-path and server name in order to construct the appcontext id.

Do you plan to do the registration for all servlet contexts, or do you expect the context listener to only register the AuthConfigProvider for some specific apps? If it is the former, you may want to configure a persistent registration in the factory config file. There are a few forms of this. The syntax (specific to the factory shipped with glassfish) is defined in:

http://fisheye5.cenqua.com/browse/glassfish/jmac-provider/src/java/com/sun/enterprise/security/jmac/config/RegStoreFileParser.java

> - As I only want to provide a ServerAuthModule, I can
> use a ClientAuthConfig that always returns null and
> only really implement a ServerAuthConfig.
 
It would be better to throw an AuthException (e.g., "not implemented"), as an ACP that is registered for an appctxt is not supposed to return null when an AuthConfig for the same appctxt is requested of it. In practice, it won't much matter, as the calls should never be made, but the spec should probably require that an exception be thrown in such circumstances.

> - my ServerAuthConfig, instantiated by my
> AuthConfigProvider, is initialized with the layer,
> the appContext and a cbHandler
>
> I still have questions ...
>
> - What is appContext that is used to register my
> AuthConfigProvider to the AuthConfigFactory ?

AppContextID ::= hostname blank context-path
For example: "java-server /petstore"
see section 3.2 of the spec

> - Who is responsible for the request and response
> MessagePolicy creation ? Is this the
> ServerAuthContext ?

Yes. Note that the runtime must (conditionally) establish a value in the messageInfo map (passed to getAuthContextID) to indicate whether a mandatory or optional policy must be created.

Ron

>
> Thanks in advance
>
> Paul
>
> Added a question about MessagePolicies.
>
> Message was edited by: eskatos
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=277010
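
Added example, not part of the original message and not GlassFish code: a ServletContextListener that self-registers a server-only AuthConfigProvider for its own application, building the appContext as hostname, blank, context-path and throwing AuthException when a ClientAuthConfig is requested. It assumes Servlet 3.1 (getVirtualServerName) and the JSR 196 1.1 registerConfigProvider overload that takes a provider instance; SamRegistrationListener and newServerAuthConfig are hypothetical names, and the application's subclass supplies its own ServerAuthConfig.

```java
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ClientAuthConfig;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Hypothetical listener; the application subclasses it to supply its ServerAuthConfig.
public abstract class SamRegistrationListener implements ServletContextListener {
    private static final String LAYER = "HttpServlet";
    private String registrationId;

    protected abstract ServerAuthConfig newServerAuthConfig(
            String layer, String appContext, CallbackHandler handler) throws AuthException;

    // AppContextID ::= hostname blank context-path, e.g. "java-server /petstore"
    static String appContextId(ServletContext sc) {
        return sc.getVirtualServerName() + " " + sc.getContextPath();
    }

    @Override
    public void contextInitialized(ServletContextEvent event) {
        AuthConfigProvider provider = new AuthConfigProvider() {
            @Override
            public ClientAuthConfig getClientAuthConfig(String layer, String appContext,
                    CallbackHandler handler) throws AuthException {
                throw new AuthException("not implemented"); // server side only; never null
            }
            @Override
            public ServerAuthConfig getServerAuthConfig(String layer, String appContext,
                    CallbackHandler handler) throws AuthException {
                return newServerAuthConfig(layer, appContext, handler);
            }
            @Override public void refresh() { }
        };
        // Scope the registration to this one layer and this one application.
        registrationId = AuthConfigFactory.getFactory().registerConfigProvider(
                provider, LAYER, appContextId(event.getServletContext()), "example provider");
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        if (registrationId != null) { // drop the registration on undeploy
            AuthConfigFactory.getFactory().removeRegistration(registrationId);
        }
    }
}
```

Registering with both a layer and an appContext keeps the provider from being selected for any other application on the same server, and removing the registration in contextDestroyed avoids leaving a stale provider behind after undeploy.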