Hi All,
Based on the code of Adam Bien (and Arjan Tijms), see [1], I tried a few
other things:
- Custom form authentication with PrimeFaces and JASPIC
- SecurityContext, single place for programmatic login and
Principal/Subject info
It didn't succeed, probably because I know too little of JASPIC and because
this kind of example needs tighter integration with the server core code.
The code can be found here [2].
But anyway, I found a few interesting things that maybe need to be
clarified:
- How can we define the authentication method in web.xml with JASPIC?
- How can we define the URL paths which are protected?
- SecurityContext needs to access the JASPIC helper class
HttpMsgContext, but it is not available there.
- I assumed that when the user isn't authenticated the Principal name is
*ANONYMOUS*. But this isn't standardized.
The point where it fails is that when the programmatic login code tries to
inform the JASPIC system that there is a logged-in user with his roles, I
get a NullPointerException:
java.lang.NullPointerException
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler$2.run(BaseContainerCallbackHandler.java:440)
    at com.sun.enterprise.security.common.AppservAccessController.doPrivileged(AppservAccessController.java:61)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.processCallerPrincipal(BaseContainerCallbackHandler.java:438)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.processCallback(BaseContainerCallbackHandler.java:198)
    at com.sun.enterprise.security.jmac.callback.ServerContainerCallbackHandler.handleSupportedCallbacks(ServerContainerCallbackHandler.java:76)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.handle(BaseContainerCallbackHandler.java:188)
    at com.sun.enterprise.security.jmac.callback.ContainerCallbackHandler.handle(ContainerCallbackHandler.java:83)
    at org.omnifaces.security.jaspic.core.Jaspic.notifyContainerAboutLogin(Jaspic.java:236)
    at org.omnifaces.security.jaspic.core.HttpMsgContext.notifyContainerAboutLogin(HttpMsgContext.java:281)
    at javax.security.SecurityContext.login(SecurityContext.java:46)
Why did I try this example?
Well, probably developers want to do those kinds of things once we have the
spec and implementation finished. So it is a kind of usage scenario which
should be possible (if we go the JASPIC way, as was mentioned a few times on
the mailing list).
Best regards
Rudy
[1] = https://github.com/AdamBien/secspike
[2] = https://github.com/rdebusscher/secSpikeWeb
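The step that fails in the stack trace above, handing a CallerPrincipalCallback and a GroupPrincipalCallback to the container's CallbackHandler, is what the JASPIC Servlet Container Profile expects a ServerAuthModule to do from inside validateRequest, with the handler the container passed to initialize. The following minimal form-style module shows that flow, including the unauthenticated case (a null caller name instead of a module-chosen placeholder such as ANONYMOUS). It is an added illustration, not code from this post, from secspike or from secSpikeWeb; the CredentialValidator interface, the request parameter names and the login page path are assumptions made for the example.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Minimal form-style ServerAuthModule: the caller identity is reported to the
// container only from validateRequest(), through the container's own handler.
public class FormServerAuthModule implements ServerAuthModule {

    // Hypothetical application hook; the post does not define how credentials are checked.
    public interface CredentialValidator {
        // Returns the caller's groups, or null when the credentials are wrong.
        String[] validate(String username, char[] password);
    }

    // Keys defined by the JASPIC 1.1 Servlet Container Profile.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";

    private final CredentialValidator validator;
    private CallbackHandler handler;

    public FormServerAuthModule(CredentialValidator validator) {
        this.validator = validator;
    }

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        // The container's handler is the only supported channel to report the caller.
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean((String) messageInfo.getMap().get(IS_MANDATORY));

        // Parameter names are constructed for this example.
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        try {
            if (username != null && password != null) {
                String[] groups = validator.validate(username, password.toCharArray());
                if (groups == null) {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                // Tell the container who the caller is and which groups it belongs to.
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, username),
                    new GroupPrincipalCallback(clientSubject, groups)
                });
                // Ask the container to keep this identity in the HTTP session so
                // later requests do not have to re-authenticate (JASPIC 1.1).
                messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                return AuthStatus.SUCCESS;
            }

            if (!mandatory) {
                // Unprotected resource: a null name asks the container to treat the
                // request as unauthenticated; no placeholder name is needed.
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
                return AuthStatus.SUCCESS;
            }

            // Protected resource without credentials: send the caller to the login page (path assumed).
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

The module is registered with the container through AuthConfigFactory (the usual ServerAuthConfig/ServerAuthContext boilerplate is omitted here). Note that nothing in the standard profile lets application code outside validateRequest invoke the container's CallbackHandler, which is the integration gap the SecurityContext experiment in the post runs into.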