jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: JASPIC example?

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 24 Mar 2015 01:25:28 +0100

On Tue, Mar 24, 2015 at 12:18 AM, Alex Kosowski <alex.kosowski_at_oracle.com>
wrote:

> Would it make sense to move the JASPIC helpers proposed by JASPIC_SPEC-17
> into JSR 375 as a means of simplifying authentication?
>

Absolutely.

There are two ways to look at it: JASPIC can either add ease-of-use helpers
itself and become an easier, more application-developer-oriented spec, or it
can remain a lower-level, more SPI/vendor-oriented spec and have other specs
provide an ease-of-use layer.

It's definitely architecturally appealing to keep JASPIC a very minimal
spec focusing on the bare essentials of providing an authentication SPI.
This also fits well with the general direction in Java EE, where smaller,
more focused specs provide platform services to other specs (think
Interceptor Spec, Bean Validation, Expression Language, etc.).

Kind regards,
Arjan Tijms

>
>
>
> On 3/23/15 6:51 PM, arjan tijms wrote:
>
>
>
> On Mon, Mar 23, 2015 at 8:43 PM, David Blevins <dblevins_at_tomitribe.com>
> wrote:
>
>> We have a lot of assumed knowledge going on. I know we all have
>> different backgrounds and levels of experience.
>>
>> I'm good in JAAS and JACC, weak in JASPIC. I can't be the only one.
>>
>> I'd love to show a simple version of all three at this weeks JavaLand
>> talk.
>>
>> Arjan, you're probably the most qualified. Possible you could craft up a
>> simple hard-coded example of a JASPIC SAM?
>>
>
> Here's a JASPIC SAM using nothing but the standard API that doesn't
> engage in any interaction with a user and doesn't get the actual data
> from an authentication store, but provides hardcoded values itself:
>
> import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
> import static javax.security.auth.message.AuthStatus.SUCCESS;
>
> import java.io.IOException;
> import java.util.Map;
>
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.message.AuthException;
> import javax.security.auth.message.AuthStatus;
> import javax.security.auth.message.MessageInfo;
> import javax.security.auth.message.MessagePolicy;
> import javax.security.auth.message.callback.CallerPrincipalCallback;
> import javax.security.auth.message.callback.GroupPrincipalCallback;
> import javax.security.auth.message.module.ServerAuthModule;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public class TestAuthenticationModule implements ServerAuthModule {
>
>     private CallbackHandler handler;
>     private final Class<?>[] supportedMessageTypes = new Class[] {
>             HttpServletRequest.class, HttpServletResponse.class };
>
>     @Override
>     public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
>             CallbackHandler handler, @SuppressWarnings("rawtypes") Map options)
>             throws AuthException {
>         this.handler = handler;
>     }
>
>     @Override
>     public Class<?>[] getSupportedMessageTypes() {
>         return supportedMessageTypes;
>     }
>
>     /**
>      * This method will be called before the first Filter or Servlet in
>      * the request is invoked
>      */
>     @Override
>     public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
>             Subject serviceSubject) throws AuthException {
>         try {
>             // Communicate the details of the authenticated user to the container. In many
>             // cases the handler will just store the details and the container will actually
>             // handle the login after we return from this method.
>             handler.handle(new Callback[] {
>                 // The name of the authenticated user
>                 new CallerPrincipalCallback(clientSubject, "snoopy"),
>                 // the groups/roles of the authenticated user
>                 new GroupPrincipalCallback(clientSubject, new String[] {
>                     "RedBaron", "JoeCool", "MansBestFriend" })
>             });
>         } catch (IOException | UnsupportedCallbackException e) {
>             throw (AuthException) new AuthException().initCause(e);
>         }
>
>         return SUCCESS;
>     }
>
>     /**
>      * This method will be called after the last Filter or Servlet in the
>      * request has been invoked
>      */
>     @Override
>     public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
>             throws AuthException {
>         return SEND_SUCCESS;
>     }
>
>     /**
>      * This method will be called when HttpServletRequest#logout is
>      * explicitly called
>      */
>     @Override
>     public void cleanSubject(MessageInfo messageInfo, Subject subject)
>             throws AuthException {
>
>     }
> }
>
> Using the base class and helper methods as proposed by
> JASPIC_SPEC-17 the same code would be:
>
> public class TestAuthenticationModule extends HttpServerAuthModule {
>
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request,
>             HttpServletResponse response, HttpMsgContext httpMsgContext)
>             throws AuthException {
>         // Communicate the details of the authenticated user to the container. In many
>         // cases the handler will just store the details and the container will actually
>         // handle the login after we return from this method.
>         return httpMsgContext.notifyContainerAboutLogin(
>             // The name of the authenticated user
>             "snoopy",
>             // the groups/roles of the authenticated user
>             asList("RedBaron", "JoeCool", "MansBestFriend")
>         );
>     }
> }
>
> Or without comments, to make it somewhat clearer that it's really not
> that much code:
>
> public class TestAuthenticationModule extends HttpServerAuthModule {
>
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request,
>             HttpServletResponse response, HttpMsgContext httpMsgContext)
>             throws AuthException {
>
>         return httpMsgContext.notifyContainerAboutLogin(
>             "snoopy",
>             asList("RedBaron", "JoeCool", "MansBestFriend")
>         );
>     }
> }
>
> One thing to remark is that in this example you'd easily get the
> impression that the SAM is a direct alternative for the JAAS LoginModule.
> But the actual power of the SAM is to engage in a dialog with the user.
>
> Is this what you were looking for?
>
> Kind regards,
> Arjan Tijms
>
>>
>> -
>> https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaspic-example
>>
>> I have the start of a JAAS example here:
>>
>> -
>> https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaas-example
>>
>> The idea is the examples will use the same fixed values:
>>
>> - username: snoopy
>> - password: woodst0ck
>> - roles:
>> - RedBaron
>> - JoeCool
>> - MansBestFriend
>>
>>
>> --
>> David Blevins
>> http://twitter.com/dblevins
>> http://www.tomitribe.com
>> 310-633-3852
>>
>>
>
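An added example, not from this thread and not from the JASPIC_SPEC-17 proposal, that puts the "dialog with the user" into the same standard-API SAM shape as the hardcoded module above: it challenges with a 401 for HTTP Basic credentials, checks them against the fixed values David listed (snoopy / woodst0ck and the three groups), and registers the unauthenticated identity when the resource isn't protected. The class name BasicAuthTestModule and the realm string are my assumptions; wiring the module into a container (AuthConfigProvider / AuthConfigFactory registration) is left out, as it is in the examples above.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not code from the thread or from JASPIC_SPEC-17). Class name and realm are assumed.
public class BasicAuthTestModule implements ServerAuthModule {

    private static final String USER = "snoopy";
    private static final String PASSWORD = "woodst0ck";
    private static final String[] GROUPS = { "RedBaron", "JoeCool", "MansBestFriend" };
    private CallbackHandler handler;
    private MessagePolicy requestPolicy;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, @SuppressWarnings("rawtypes") Map options) throws AuthException {
        this.requestPolicy = requestPolicy;
        this.handler = handler;
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        String[] credentials = decodeBasic(request.getHeader("Authorization"));
        boolean mandatory = requestPolicy != null && requestPolicy.isMandatory();

        if (credentials == null && !mandatory) {
            // Unprotected resource, no credentials: register the unauthenticated (null) caller and let it through.
            notifyContainer(clientSubject, null, null);
            return AuthStatus.SUCCESS;
        }
        if (credentials == null || !matches(credentials[0], USER) || !matches(credentials[1], PASSWORD)) {
            // Missing and wrong credentials get the same 401. SEND_CONTINUE: response is written, dialog goes on.
            response.setHeader("WWW-Authenticate", "Basic realm=\"test\""); // realm name is an assumption
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        }
        notifyContainer(clientSubject, USER, GROUPS);
        messageInfo.getMap().put("javax.servlet.http.authType", "BASIC"); // reported by request.getAuthType()
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        // Basic auth keeps no state of its own, so there is nothing to clean up on logout.
    }

    private void notifyContainer(Subject clientSubject, String user, String[] groups) throws AuthException {
        Callback[] callbacks = user == null
                ? new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) }
                : new Callback[] { new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, groups) };
        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }
    }

    // Constant-time for equal-length inputs, so a wrong guess does not leak how much of it matched.
    private static boolean matches(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(UTF_8), expected.getBytes(UTF_8));
    }

    // {user, password} from "Basic base64(user:password)", or null when absent or malformed.
    private static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), UTF_8);
            int colon = decoded.indexOf(':');
            return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // bad base64 is the client's problem, not a server error
        }
    }
}
```

Two things the hardcoded version above doesn't show: SEND_CONTINUE is what makes the container send the 401 the SAM wrote instead of proceeding to the servlet, and the CallerPrincipalCallback with a null name is how a SAM returns SUCCESS for an unprotected resource without granting anyone an identity. The password sits in the class only because the thread uses fixed values; a real module would look it up in an identity store.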