users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Tried JASPIC with Custom Form authentication and SecurityContext

From: Rudy De Busscher <rdebusscher_at_gmail.com>
Date: Thu, 7 May 2015 10:54:51 +0200

Hi All,

Based on the code of Adam Bien (and Arjan Tijms), see [1], I tried a few
other things:


   - Custom form authentication with PrimeFaces and JASPIC
   - SecurityContext, single place for programmatic login and
   Principal/Subject info

It didn't succeed, probably because I know too little of JASPIC and because
these kinds of examples need tighter integration with the server core code.
The code can be found here [2].

But anyway, I found a few interesting things that maybe need to be
clarified:


   - How can we define the authentication method in web.xml with JASPIC?
   - How can we define the URL paths which are protected?
   - SecurityContext needs to access the JASPIC helper class
   HttpMsgContext, but it is not available there.
   - I assumed that when the user isn't authenticated the Principal name is
   *ANONYMOUS*, but this isn't standardized.

The point where it fails is that when the programmatic login code tries to
inform the JASPIC system that there is a logged in user with his roles, I
get a NullPointerException.

java.lang.NullPointerException
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler$2.run(BaseContainerCallbackHandler.java:440)
    at com.sun.enterprise.security.common.AppservAccessController.doPrivileged(AppservAccessController.java:61)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.processCallerPrincipal(BaseContainerCallbackHandler.java:438)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.processCallback(BaseContainerCallbackHandler.java:198)
    at com.sun.enterprise.security.jmac.callback.ServerContainerCallbackHandler.handleSupportedCallbacks(ServerContainerCallbackHandler.java:76)
    at com.sun.enterprise.security.jmac.callback.BaseContainerCallbackHandler.handle(BaseContainerCallbackHandler.java:188)
    at com.sun.enterprise.security.jmac.callback.ContainerCallbackHandler.handle(ContainerCallbackHandler.java:83)
    at org.omnifaces.security.jaspic.core.Jaspic.notifyContainerAboutLogin(Jaspic.java:236)
    at org.omnifaces.security.jaspic.core.HttpMsgContext.notifyContainerAboutLogin(HttpMsgContext.java:281)
    at javax.security.SecurityContext.login(SecurityContext.java:46)

Why did I try this example?
Well, probably developers want to do those kinds of things once we have the
spec and implementation finished. So it is a kind of usage scenario which
should be possible (if we go the JASPIC way, as was mentioned a few times on
the mailing list).

Best regards
Rudy

[1] = https://github.com/AdamBien/secspike
[2] = https://github.com/rdebusscher/secSpikeWeb