jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: JASPIC example?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Mon, 23 Mar 2015 23:51:20 +0100

On Mon, Mar 23, 2015 at 8:43 PM, David Blevins <dblevins_at_tomitribe.com>
wrote:

> We have a lot of assumed knowledge going on. I know we all have different
> backgrounds and levels of experience.
>
> I'm good in JAAS and JACC, weak in JASPIC. I can't be the only one.
>
> I'd love to show a simple version of all three at this weeks JavaLand talk.
>
> Arjan, you're probably the most qualified. Possible you could craft up a
> simple hard-coded example of a JASPIC SAM?
>

Here's a JASPIC SAM using nothing but the standard API that doesn't engage
in any interaction with a user and doesn't get the actual data from an
authentication store, but provides hardcoded values itself:

import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
import static javax.security.auth.message.AuthStatus.SUCCESS;

import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestAuthenticationModule implements ServerAuthModule {

    private CallbackHandler handler;
    private final Class<?>[] supportedMessageTypes = new Class[] {
        HttpServletRequest.class, HttpServletResponse.class };

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, @SuppressWarnings("rawtypes") Map options)
            throws AuthException {
        // The handler is how the SAM hands the caller identity back to the container
        this.handler = handler;
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return supportedMessageTypes;
    }

    /**
     * This method will be called before the first Filter or Servlet in the
     * request is invoked
     */
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        try {
            // Communicate the details of the authenticated user to the container. In many
            // cases the handler will just store the details and the container will actually
            // handle the login after we return from this method.
            handler.handle(new Callback[] {
                // The name of the authenticated user
                new CallerPrincipalCallback(clientSubject, "snoopy"),
                // the groups/roles of the authenticated user
                new GroupPrincipalCallback(clientSubject, new String[] {
                    "RedBaron", "JoeCool", "MansBestFriend" })
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }

        return SUCCESS;
    }

    /**
     * This method will be called after the last Filter or Servlet in the
     * request has been invoked
     */
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return SEND_SUCCESS;
    }

    /**
     * This method will be called when HttpServletRequest#logout is
     * explicitly called
     */
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject)
            throws AuthException {
        // Nothing to clean up: no state was stored for the hardcoded caller
    }
}

Using the base class and helper methods as proposed by JASPIC_SPEC-17 the
same code would be:

import static java.util.Arrays.asList;

import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// HttpServerAuthModule and HttpMsgContext are the base class and helper
// proposed in JASPIC_SPEC-17, not part of the standard JASPIC API
public class TestAuthenticationModule extends HttpServerAuthModule {

    @Override
    public AuthStatus validateHttpRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMsgContext httpMsgContext)
            throws AuthException {
        // Communicate the details of the authenticated user to the container. In many
        // cases the handler will just store the details and the container will actually
        // handle the login after we return from this method.
        return httpMsgContext.notifyContainerAboutLogin(
            // The name of the authenticated user
            "snoopy",
            // the groups/roles of the authenticated user
            asList("RedBaron", "JoeCool", "MansBestFriend")
        );
    }
}

Or without comments, to make it somewhat clearer that it's really not that
much code:

public class TestAuthenticationModule extends HttpServerAuthModule {

    @Override
    public AuthStatus validateHttpRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMsgContext httpMsgContext)
            throws AuthException {

        return httpMsgContext.notifyContainerAboutLogin(
            "snoopy",
            asList("RedBaron", "JoeCool", "MansBestFriend")
        );
    }
}

One thing to remark is that in this example you'd easily get the impression
that the SAM is a direct alternative for the JAAS LoginModule. But the
actual power of the SAM is to engage in a dialog with the user.

Is this what you were looking for?

Kind regards,
Arjan Tijms

>
> - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaspic-example
>
> I have the start of a JAAS example here:
>
> - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaas-example
>
> The idea is the examples will use the same fixed values:
>
> - username: snoopy
> - password: woodst0ck
> - roles:
>   - RedBaron
>   - JoeCool
>   - MansBestFriend
>
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
> 310-633-3852
>
>
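A SAM that actually engages in the dialog with the user mentioned above, added here as an example that is not from the thread or the bootstrap repository: it uses only the standard JASPIC API, challenges for HTTP Basic credentials when none are present, and on success performs the same two callbacks as the hardcoded module. The class name BasicChallengeAuthModule and the use of the thread's fixed values snoopy/woodst0ck in place of a real identity store are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class BasicChallengeAuthModule implements ServerAuthModule {
    // The thread's fixed test values stand in for an identity store (an assumption made for this example)
    private static final byte[] PASSWORD = "woodst0ck".getBytes(StandardCharsets.UTF_8);
    private static final String[] ROLES = { "RedBaron", "JoeCool", "MansBestFriend" };
    private CallbackHandler handler;
    @Override public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) { handler = h; }
    @Override public Class<?>[] getSupportedMessageTypes() { return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class }; }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject subject) { }

    @Override public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        String[] creds = decodeBasic(request.getHeader("Authorization"));
        // Constant-time comparison, so response timing does not leak how much of the password matched
        if (creds != null && "snoopy".equals(creds[0]) && MessageDigest.isEqual(creds[1].getBytes(StandardCharsets.UTF_8), PASSWORD)) {
            try { // Same two callbacks as the hardcoded SAM above: caller name, then groups
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, "snoopy"),
                                                new GroupPrincipalCallback(clientSubject, ROLES) });
            } catch (IOException | UnsupportedCallbackException e) {
                throw (AuthException) new AuthException().initCause(e);
            }
            return AuthStatus.SUCCESS;
        }
        // No valid credentials: the SAM answers with a challenge itself and the servlet is never reached
        response.setHeader("WWW-Authenticate", "Basic realm=\"snoopy-example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }

    // {user, password} from a "Basic base64(user:password)" header; null when absent or malformed
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String[] p = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2);
            return p.length == 2 ? p : null;
        } catch (IllegalArgumentException e) { return null; }
    }
}
```

As written it challenges every request it is registered for; a real module would also check the `javax.security.auth.message.MessagePolicy.isMandatory` entry in `messageInfo.getMap()` so that unprotected resources pass through without a challenge.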