users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Re: Events for login/logout

From: Will Hopkins <will.hopkins_at_oracle.com>
Date: Fri, 31 Mar 2017 17:25:15 -0400

This is specified in the EDR, based on discussion on the experts list.

The way I specified it is that the servlet container will configure the
SAM required for HttpAuthenticationMechanism IFF the
<login-config><auth-method> for the servlet is set to AUTHMECH (as
opposed to BASIC, FORM, or CERT). The reason for this is that
applications must be able to specify how they want to authenticate, per
the servlet spec. If the mere existence of HttpAuthenticationMechanism
somewhere in classpath triggers that behavior, it may override the
application's choice (or, at best, allocate unused resources in the
container).

On a related note, I think we need some way of ordering or prioritizing
when there are multiple instances of, e.g., HAMs or IdentityStores, in
classpath, and potentially excluding some instances (esp. for
IdentityStores). Maybe there are obvious ways to do this -- I'm pretty
new to CDI -- but, applications need to be able to ensure that only the
IdentityStores they want are being used at runtime, even when others
exist in the system.

Will
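One way an application could enforce the point above, that only the IdentityStores it wants are consulted at runtime even when others exist on the class path. This is an added example, not code from this thread or from Soteria; it assumes the IdentityStore / IdentityStoreHandler API as it ended up in the final Java EE Security API 1.0 (priority(), validationTypes()), a hypothetical package prefix as the allow-list, and that the bean gets registered as the application's handler in the way the implementation requires.

```java
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStore.ValidationType;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

// Application-supplied handler: only IdentityStore beans from the application's
// own package take part, whatever else happens to be on the class path.
@ApplicationScoped
public class AllowListIdentityStoreHandler implements IdentityStoreHandler {
    // Hypothetical allow-list. Matching on the name prefix also covers CDI client
    // proxies, whose generated class names start with the proxied bean's name.
    private static final String TRUSTED_PACKAGE = "org.example.app.";
    @Inject @Any
    private Instance<IdentityStore> stores;

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Only stores from the trusted package, lowest priority() value first.
        List<IdentityStore> active = stores.stream()
            .filter(s -> s.getClass().getName().startsWith(TRUSTED_PACKAGE))
            .sorted(Comparator.comparingInt(IdentityStore::priority))
            .collect(Collectors.toList());
        CredentialValidationResult result = CredentialValidationResult.NOT_VALIDATED_RESULT;
        // The first allowed store that validates the credential decides the caller.
        for (IdentityStore store : active) {
            if (!store.validationTypes().contains(ValidationType.VALIDATE)) continue;
            result = store.validate(credential);
            if (result.getStatus() == CredentialValidationResult.Status.VALID) break;
        }
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        // Groups are the union over every allowed store that can provide them.
        Set<String> groups = new HashSet<>(result.getCallerGroups());
        for (IdentityStore store : active) {
            if (store.validationTypes().contains(ValidationType.PROVIDE_GROUPS)) groups.addAll(store.getCallerGroups(result));
        }
        return new CredentialValidationResult(result.getCallerPrincipal(), groups);
    }
}
```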

On 03/31/2017 04:56 PM, arjan tijms wrote:
> Hi,
>
> On Fri, Mar 31, 2017 at 10:49 PM, Will Hopkins
> <will.hopkins_at_oracle.com> wrote:
>
> I think we have a similar issue w.r.t. Soteria -- the web
> container needs to configure a JASPIC AuthConfigProvider when it
> sees AUTHMECH in <login-config>.
>
>
> Sorry, could you elaborate on that?
>
> A (bridge) SAM is installed by the CDI extension when an
> HttpAuthenticationMechanism is discovered on the class path. I'm not
> really sure what you mean with AUTHMECH in <login-config>.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
> On 03/31/2017 03:24 PM, arjan tijms wrote:
>> Hi,
>>
>> The JACC and JASPIC repos are basically GlassFish, right?
>> Especially JASPIC is a little hard to implement as a RI, since it
>> more or less tells a Servlet container or EJB container (for
>> SOAP) what to do.
>>
>> But GlassFish still isn't officially on GitHub, is it?
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>> On Fri, Mar 31, 2017 at 9:01 PM, Will Hopkins
>> <will.hopkins_at_oracle.com> wrote:
>>
>> My understanding is the jacc and jaspic repos are currently
>> on github and will be kept (or in the case of the framemaker
>> spec source, kept in an internal repository).
>>
>>
>> On 03/31/2017 12:19 PM, arjan tijms wrote:
>>> Hope so :O
>>>
>>> On Fri, Mar 31, 2017 at 3:56 PM, Werner Keil
>>> <werner.keil_at_gmail.com> wrote:
>>>
>>> Created 30/Apr/13, that was 4 years before the day
>>> java.net hosting will go down for many projects.
>>>
>>> Hoping the JASPIC SPEC, also being Sun/Oracle led, will
>>> remain after April 30? ;-)
>>>
>>> Kind Regards,
>>> Werner
>>>
>>>
>>>
>>>
>>> On Fri, Mar 31, 2017 at 2:35 PM, arjan tijms
>>> <arjan.tijms_at_gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> One of the things that was discussed early on, but
>>> so far hasn't seen much follow-up, is throwing
>>> (CDI) events when the caller is authenticated (logs
>>> in) and logs out.
>>>
>>> See this issue:
>>> https://java.net/jira/browse/JASPIC_SPEC-21
>>>
>>> I also wrote an article about this a couple of years
>>> ago:
>>>
>>> http://arjan-tijms.omnifaces.org/2012/12/bridging-undertows-authentication.html
>>>
>>> An example of how these events can be used in
>>> practice is shown here:
>>>
>>> https://github.com/javaeekickoff/java-ee-kickoff-app/blob/master/src/main/java/org/example/kickoff/model/producer/ActiveUserProducer.java
>>>
>>> The simple post authenticate events (being
>>> informational only) are relatively well understood
>>> and something like this is quite often asked for
>>> and/or needed by users.
>>>
>>> I think it would be good to include this in JSR 375.
>>>
>>> Thoughts?
>>>
>>> Kind regards,
>>> Arjan Tijms
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Will Hopkins | WebLogic Security Architect | +1.781.442.0310
>> Oracle Application Development
>> 35 Network Drive, Burlington, MA 01803
>>
>>
>
>
>

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803