users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: JASPIC example?

From: David Blevins <dblevins_at_tomitribe.com>
Date: Tue, 24 Mar 2015 02:03:56 +0100

Thanks, Arjan!

Was hoping for code in the repo that compiles, but this is a good start. :)

We post a lot of code with no imports, pseudo code, missing parent classes or other parts that all assume expert level knowledge.

My goal is to do all the chasing and see if we can lower the assumed knowledge.

I'll chase down the required code from JASPIC_SPEC-17.


-- 
David Blevins
http://twitter.com/dblevins
http://www.tomitribe.com
310-633-3852
On Mar 23, 2015, at 11:51 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> 
> 
> On Mon, Mar 23, 2015 at 8:43 PM, David Blevins <dblevins_at_tomitribe.com> wrote:
> We have a lot of assumed knowledge going on.  I know we all have different backgrounds and levels of experience.
> 
> I'm good in JAAS and JACC, weak in JASPIC.  I can't be the only one.
> 
> I'd love to show a simple version of all three at this week's JavaLand talk.
> 
> Arjan, you're probably the most qualified.  Possible you could craft up a simple hard-coded example of a JASPIC SAM?
> 
> Here's a JASPIC SAM using nothing but the standard API that doesn't engage in any interaction with a user and doesn't get the actual data from an authentication store, but provides hardcoded values itself:
> 
> import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
> import static javax.security.auth.message.AuthStatus.SUCCESS;
> 
> import java.io.IOException;
> import java.util.Map;
> 
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.message.AuthException;
> import javax.security.auth.message.AuthStatus;
> import javax.security.auth.message.MessageInfo;
> import javax.security.auth.message.MessagePolicy;
> import javax.security.auth.message.callback.CallerPrincipalCallback;
> import javax.security.auth.message.callback.GroupPrincipalCallback;
> import javax.security.auth.message.module.ServerAuthModule;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> 
> public class TestAuthenticationModule implements ServerAuthModule {
> 
>     private CallbackHandler handler;
>     private final Class<?>[] supportedMessageTypes = new Class[] { HttpServletRequest.class, HttpServletResponse.class };
> 
>     @Override
>     public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, @SuppressWarnings("rawtypes") Map options) throws AuthException {
>         this.handler = handler;
>     }
> 
>     @Override
>     public Class<?>[] getSupportedMessageTypes() {
>         return supportedMessageTypes;
>     }
> 
>     /**
>      * This method will be called before the first Filter or Servlet in the request is invoked
>      */
>     @Override
>     public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
>         try {
>             // Communicate the details of the authenticated user to the container. In many
>             // cases the handler will just store the details and the container will actually handle
>             // the login after we return from this method.
>             handler.handle(new Callback[] {
>                 // The name of the authenticated user
>                 new CallerPrincipalCallback(clientSubject, "snoopy"),
>                 // the groups/roles of the authenticated user
>                 new GroupPrincipalCallback(clientSubject, new String[] { "RedBaron", "JoeCool", "MansBestFriend" })
>             });
>         } catch (IOException | UnsupportedCallbackException e) {
>             throw (AuthException) new AuthException().initCause(e);
>         }
> 
>         return SUCCESS;
>     }
> 
>     /**
>      * This method will be called after the last Filter or Servlet in the request has been invoked
>      */
>     @Override
>     public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
>         return SEND_SUCCESS;
>     }
> 
>     /**
>      * This method will be called when HttpServletRequest#logout is explicitly called
>      */
>     @Override
>     public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
> 
>     }
> }
> 
> Using the base class and helper methods as proposed by JASPIC_SPEC-17, the same code would be:
> 
> public class TestAuthenticationModule extends HttpServerAuthModule {
>     
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMsgContext httpMsgContext) throws AuthException {
>         // Communicate the details of the authenticated user to the container. In many
>         // cases the handler will just store the details and the container will actually handle
>         // the login after we return from this method.
>         return httpMsgContext.notifyContainerAboutLogin(
>             // The name of the authenticated user
>             "snoopy",
>             // the groups/roles of the authenticated user
>             asList("RedBaron", "JoeCool", "MansBestFriend" )
>         );
>     }
> }
> 
> Or without comments, to make it somewhat clearer that it's really not that much code:
> 
> public class TestAuthenticationModule extends HttpServerAuthModule {
>     
>     @Override
>     public AuthStatus validateHttpRequest(HttpServletRequest request, HttpServletResponse response, HttpMsgContext httpMsgContext) throws AuthException {
>        
>         return httpMsgContext.notifyContainerAboutLogin(
>             "snoopy",
>             asList("RedBaron", "JoeCool", "MansBestFriend" )
>         );
>     }
> }
> 
> One thing to remark is that in this example you'd easily get the impression that the SAM is a direct alternative for the JAAS LoginModule. But the actual power of the SAM is to engage in a dialog with the user.
> 
> Is this what you were looking for?
> 
> Kind regards,
> Arjan Tijms
> 
>  - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaspic-example
> 
> I have the start of a JAAS example here:
> 
>  - https://github.com/javaee-security-spec/bootstrap/tree/master/simple-jaas-example
> 
> The idea is the examples will use the same fixed values:
> 
>  - username: snoopy
>  - password: woodst0ck
>  - roles:
>     - RedBaron
>     - JoeCool
>     - MansBestFriend
> 
> 
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
> 310-633-3852
> 
>