If we have to limit scope, that's not too bad.
-------- Original message --------From: Will Hopkins <will.hopkins_at_oracle.com> Date: 3/19/17 10:17 PM (GMT-05:00) To: jsr375-experts_at_javaee-security-spec.java.net Subject: [javaee-security-spec users] [jsr375-experts] Re: Drop SecurityContext from the spec?
Let's discuss when we meet.
Until then, a question: what are people's thoughts on limiting the
implementation to Servlet and EJB containers for now. I'm wondering
whether it makes sense to wait on defining an SPI until we've had a
chance to specify roles and authorization in Security 1.x.
On 03/19/2017 08:08 PM, arjan tijms
wrote:
On Sun, Mar 19, 2017 at 11:17 PM,
arjan tijms <arjan.tijms_at_gmail.com>
wrote:
So with a small SPI interface (like e.g. the
CDI RI (Weld) and the JSF RI (Mojarra) also have)
this should be possible.
I'll do a quick implementation of such an SPI
in Soteria as a draft proposal, so we can base
further discussion on that.
I just committed this SPI and an example implementation
of it here:
https://github.com/javaee-security-spec/soteria/commit/51f8430e2310e5ed724b4684e0bef6f890ea2c81
Specifically this small SPI interface (to be
implemented by integrators):
package org.glassfish.soteria.authorization.spi;
import java.security.Principal;
public interface CallerDetailsResolver {
Principal getCallerPrincipal();
boolean isCallerInRole(String role);
}
And a following example implementation:
public class ReflectionAndJaccCallerDetailsResolver
implements CallerDetailsResolver {
@Override
public Principal getCallerPrincipal() {
Subject subject = JACC.getSubject();
if (subject == null) {
return null;
}
SubjectParser roleMapper = new
SubjectParser(getContextID(), emptyList());
return
roleMapper.getCallerPrincipalFromPrincipals(subject.getPrincipals());
}
// isCallerInRole left to be done
}
In this example, the Subject is obtained from JACC, and
then a helper class that has knowledge about several
servers and how they store Principals in the Subject tries
to find the caller principal in this subject.
Again, this is a generic example and every
vendor/integrator can implement this in whatever way,
using or not using JACC.
Kind regards,
Arjan Tijms
--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803