users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: JASPIC example?

From: Alex Kosowski <alex.kosowski_at_oracle.com>
Date: Mon, 23 Mar 2015 19:18:27 -0400

Would it make sense to move the JASPIC helpers proposed by
JASPIC_SPEC-17 into JSR 375 as a means of simplifying authentication?


On 3/23/15 6:51 PM, arjan tijms wrote:
>
>
> On Mon, Mar 23, 2015 at 8:43 PM, David Blevins <dblevins_at_tomitribe.com> wrote:
>
> We have a lot of assumed knowledge going on. I know we all have
> different backgrounds and levels of experience.
>
> I'm good in JAAS and JACC, weak in JASPIC. I can't be the only one.
>
> I'd love to show a simple version of all three at this week's
> JavaLand talk.
>
> Arjan, you're probably the most qualified. Possible you could
> craft up a simple hard-coded example of a JASPIC SAM?
>
>
> Here's a JASPIC SAM using nothing but the standard API that doesn't
> engage in any interaction with a user and doesn't get the actual
> data from an authentication store, but provides hardcoded values itself:
>
> import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
> import static javax.security.auth.message.AuthStatus.SUCCESS;
>
> import java.io.IOException;
> import java.util.Map;
>
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.message.AuthException;
> import javax.security.auth.message.AuthStatus;
> import javax.security.auth.message.MessageInfo;
> import javax.security.auth.message.MessagePolicy;
> import javax.security.auth.message.callback.CallerPrincipalCallback;
> import javax.security.auth.message.callback.GroupPrincipalCallback;
> import javax.security.auth.message.module.ServerAuthModule;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public class TestAuthenticationModule implements ServerAuthModule {
>
>     private CallbackHandler handler;
>     private final Class<?>[] supportedMessageTypes = new Class[] {
>         HttpServletRequest.class, HttpServletResponse.class };
>
>     @Override
>     public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
>             CallbackHandler handler, @SuppressWarnings("rawtypes") Map options)
>             throws AuthException {
>         this.handler = handler;
>     }
>
>     @Override
>     public Class<?>[] getSupportedMessageTypes() {
>         return supportedMessageTypes;
>     }
>
>     /**
>      * This method will be called before the first Filter or Servlet in the request is invoked
>      */
>     @Override
>     public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
>             Subject serviceSubject) throws AuthException {
>         try {
>             // Communicate the details of the authenticated user to the container. In many
>             // cases the handler will just store the details and the container will actually
>             // handle the login after we return from this method.
>             handler.handle(new Callback[] {
>                 // The name of the authenticated user
>                 new CallerPrincipalCallback(clientSubject, "snoopy"),
>                 // the groups/roles of the authenticated user
>                 new GroupPrincipalCallback(clientSubject, new String[] {
>                     "RedBaron", "JoeCool", "MansBestFriend" })
>             });
>         } catch (IOException | UnsupportedCallbackException e) {
>             throw (AuthException) new AuthException().initCause(e);
>         }
>
>         return SUCCESS;
>     }
>
>     /**
>      * This method will be called after the last Filter or Servlet in the request has been invoked
>      */
>     @Override
>     public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
>             throws AuthException {
>         return SEND_SUCCESS;
>     }
>
>     /**
>      * This method will be called when HttpServletRequest#logout is explicitly called
>      */
>     @Override
>     public void cleanSubject(MessageInfo messageInfo, Subject subject)
>             throws AuthException {
>
>     }
> }
>
> Using the base class and helper methods as proposed by
> JASPIC_SPEC-17, the same code would be:
>
> public class TestAuthenticationModule extends HttpServerAuthModule {
>
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request,
>             HttpServletResponse response, HttpMsgContext httpMsgContext)
>             throws AuthException {
>         // Communicate the details of the authenticated user to the container. In many
>         // cases the handler will just store the details and the container will actually
>         // handle the login after we return from this method.
>         return httpMsgContext.notifyContainerAboutLogin(
>             // The name of the authenticated user
>             "snoopy",
>             // the groups/roles of the authenticated user
>             asList("RedBaron", "JoeCool", "MansBestFriend")
>         );
>     }
> }
>
> Or without comments, to make it somewhat clearer that it's really not
> that much code:
>
> public class TestAuthenticationModule extends HttpServerAuthModule {
>
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request,
>             HttpServletResponse response, HttpMsgContext httpMsgContext)
>             throws AuthException {
>         return httpMsgContext.notifyContainerAboutLogin(
>             "snoopy",
>             asList("RedBaron", "JoeCool", "MansBestFriend")
>         );
>     }
> }
>
> One thing to remark is that in this example you'd easily get the
> impression that the SAM is a direct alternative for the JAAS
> LoginModule. But the actual power of the SAM is to engage in a
> dialog with the user.
>
> Is this what you were looking for?
>
> Kind regards,
> Arjan Tijms
>
> -
> https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaspic-example
>
> I have the start of a JAAS example here:
>
> -
> https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaas-example
>
> The idea is the examples will use the same fixed values:
>
> - username: snoopy
> - password: woodst0ck
> - roles:
> - RedBaron
> - JoeCool
> - MansBestFriend
>
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
> 310-633-3852 <tel:310-633-3852>
>
>
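As an added example (not code from this thread or from the JSR 375 bootstrap repository), here is a SAM on the standard JASPIC API alone that does what the hardcoded one above deliberately skips: it challenges for and verifies the fixed snoopy/woodst0ck credentials from David's examples over HTTP Basic, compares them in constant time, and honours the Servlet Container Profile's isMandatory flag so that unprotected resources still pass through as an unauthenticated caller. The class name, the realm string and the use of fixed in-code credentials are assumptions for illustration; it compiles against the Java EE 7 `javax.security.auth.message` and Servlet APIs.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import static javax.security.auth.message.AuthStatus.*;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
public class BasicAuthModule implements ServerAuthModule {
    // Constructed fixed credentials from the thread; a real SAM would consult an identity store.
    private static final byte[] USER = "snoopy".getBytes(UTF_8), PASS = "woodst0ck".getBytes(UTF_8);
    private static final String[] ROLES = { "RedBaron", "JoeCool", "MansBestFriend" };
    private static final Class<?>[] TYPES = { HttpServletRequest.class, HttpServletResponse.class };
    private CallbackHandler handler;
    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    @Override public Class<?>[] getSupportedMessageTypes() { return TYPES; }
    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject subject) { }
    @Override public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        // Servlet profile: the container tells the SAM whether the target resource is protected at all.
        boolean mandatory = Boolean.parseBoolean((String) info.getMap()
                .get("javax.security.auth.message.MessagePolicy.isMandatory"));
        String header = request.getHeader("Authorization");
        try {
            if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
                String[] p = new String(Base64.getDecoder().decode(header.substring(6).trim()), UTF_8).split(":", 2);
                if (p.length == 2 && MessageDigest.isEqual(p[0].getBytes(UTF_8), USER)
                        && MessageDigest.isEqual(p[1].getBytes(UTF_8), PASS)) { // constant-time compare
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, p[0]),
                            new GroupPrincipalCallback(client, ROLES) });
                    return SUCCESS;
                }
            } else if (!mandatory) { // no credentials on a public resource: continue unauthenticated
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return SUCCESS;
            }
        } catch (IllegalArgumentException malformedBase64) { // treat as bad credentials: challenge below
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"jsr375\""); // start the dialog with the user
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return SEND_CONTINUE;
    }
}
```

Registering the module with the container (via an AuthConfigProvider or a server-specific deployment descriptor) is outside this example, as in the thread's SAM above.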