On Mon, Mar 23, 2015 at 8:43 PM, David Blevins <dblevins_at_tomitribe.com>
wrote:
> We have a lot of assumed knowledge going on. I know we all have different
> backgrounds and levels of experience.
>
> I'm good in JAAS and JACC, weak in JASPIC. I can't be the only one.
>
> I'd love to show a simple version of all three at this week's JavaLand talk.
>
> Arjan, you're probably the most qualified. Possible you could craft up a
> simple hard-coded example of a JASPIC SAM?
>
Here's a JASPIC SAM using nothing but the standard API that doesn't engage
in any interaction with a user and doesn't get the actual data from an
authentication store, but provides hardcoded values itself:
import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
import static javax.security.auth.message.AuthStatus.SUCCESS;

import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestAuthenticationModule implements ServerAuthModule {

    private CallbackHandler handler;
    private final Class<?>[] supportedMessageTypes = new Class[] {
        HttpServletRequest.class, HttpServletResponse.class };

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, @SuppressWarnings("rawtypes") Map options)
            throws AuthException {
        this.handler = handler;
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return supportedMessageTypes;
    }

    /**
     * This method will be called before the first Filter or Servlet in the
     * request is invoked
     */
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        try {
            // Communicate the details of the authenticated user to the container. In many
            // cases the handler will just store the details and the container will actually
            // handle the login after we return from this method.
            handler.handle(new Callback[] {
                // The name of the authenticated user
                new CallerPrincipalCallback(clientSubject, "snoopy"),
                // the groups/roles of the authenticated user
                new GroupPrincipalCallback(clientSubject, new String[] {
                    "RedBaron", "JoeCool", "MansBestFriend" })
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }
        return SUCCESS;
    }

    /**
     * This method will be called after the last Filter or Servlet in the
     * request has been invoked
     */
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return SEND_SUCCESS;
    }

    /**
     * This method will be called when HttpServletRequest#logout is
     * explicitly called
     */
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject)
            throws AuthException {
    }
}
Using the base class and helper methods as proposed by JASPIC_SPEC-17 the
same code would be:
import static java.util.Arrays.asList;

import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// HttpServerAuthModule and HttpMsgContext are the base class and context helper
// proposed in JASPIC_SPEC-17; their package is not part of the standard API.
public class TestAuthenticationModule extends HttpServerAuthModule {

    @Override
    public AuthStatus validateHttpRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMsgContext httpMsgContext)
            throws AuthException {
        // Communicate the details of the authenticated user to the container. In many
        // cases the handler will just store the details and the container will actually
        // handle the login after we return from this method.
        return httpMsgContext.notifyContainerAboutLogin(
            // The name of the authenticated user
            "snoopy",
            // the groups/roles of the authenticated user
            asList("RedBaron", "JoeCool", "MansBestFriend")
        );
    }
}
Or without comments, to make it somewhat clearer that it's really not that
much code:
public class TestAuthenticationModule extends HttpServerAuthModule {

    @Override
    public AuthStatus validateHttpRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMsgContext httpMsgContext)
            throws AuthException {
        return httpMsgContext.notifyContainerAboutLogin(
            "snoopy",
            asList("RedBaron", "JoeCool", "MansBestFriend")
        );
    }
}
One thing to remark is that in this example you'd easily get the impression
that the SAM is a direct alternative for the JAAS LoginModule. But the
actual power of the SAM is to engage in a dialog with the user.
Is this what you were looking for?
Kind regards,
Arjan Tijms
>
> - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaspic-example
>
> I have the start of a JAAS example here:
>
> - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaas-example
>
> The idea is the examples will use the same fixed values:
>
> - username: snoopy
> - password: woodst0ck
> - roles:
> - RedBaron
> - JoeCool
> - MansBestFriend
>
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
> 310-633-3852
>
>