>
> limiting the implementation to Servlet and EJB containers for now. I'm
> wondering whether it makes sense to wait on defining an SPI until we've had
> a chance to specify roles and authorization in Security 1.x.
Fine for me. We can't rush into some last minute changes because we will
need to keep them forever( backward compatibility) So they need to be
right, from the first time.
Rudy
On 20 March 2017 at 03:17, Will Hopkins <will.hopkins_at_oracle.com> wrote:
> Let's discuss when we meet.
>
> Until then, a question: what are people's thoughts on limiting the
> implementation to Servlet and EJB containers for now. I'm wondering whether
> it makes sense to wait on defining an SPI until we've had a chance to
> specify roles and authorization in Security 1.x.
>
>
> On 03/19/2017 08:08 PM, arjan tijms wrote:
>
>
>
> On Sun, Mar 19, 2017 at 11:17 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> So with a small SPI interface (like e.g. the CDI RI (Weld) and the JSF RI
>> (Mojarra) also have) this should be possible.
>>
>> I'll do a quick implementation of such an SPI in Soteria as a draft
>> proposal, so we can base further discussion on that.
>>
>
> I just committed this SPI and an example implementation of it here:
> https://github.com/javaee-security-spec/soteria/commit/
> 51f8430e2310e5ed724b4684e0bef6f890ea2c81
>
>
> Specifically this small SPI interface (to be implemented by integrators):
>
> package org.glassfish.soteria.authorization.spi;
>
> import java.security.Principal;
>
> public interface CallerDetailsResolver {
>
> Principal getCallerPrincipal();
> boolean isCallerInRole(String role);
>
> }
>
> And a following example implementation:
>
> public class ReflectionAndJaccCallerDetailsResolver implements
> CallerDetailsResolver {
>
> @Override
> public Principal getCallerPrincipal() {
> Subject subject = JACC.getSubject();
>
> if (subject == null) {
> return null;
> }
>
> SubjectParser roleMapper = new SubjectParser(getContextID(),
> emptyList());
>
> return roleMapper.getCallerPrincipalFromPrincipa
> ls(subject.getPrincipals());
> }
>
> // isCallerInRole left to be done
> }
>
> In this example, the Subject is obtained from JACC, and then a helper
> class that has knowledge about several servers and how they store
> Principals in the Subject tries to find the caller principal in this
> subject.
>
> Again, this is a generic example and every vendor/integrator can implement
> this in whatever way, using or not using JACC.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
> --
> Will Hopkins | WebLogic Security Architect | +1.781.442.0310
> Oracle Application Development
> 35 Network Drive, Burlington, MA 01803
>
>