Hi,
On Mon, Nov 3, 2014 at 8:44 PM, Edward Burns <edward.burns_at_oracle.com> wrote:
>>>>>> On Sat, 01 Nov 2014 10:14:10 +0000, Mark Thomas <markt_at_apache.org> said:
> Ok, these are actionable responses. Arjan, can you please get back to
> the list with a feel for if it's possible to do as you said with the
> Geronimo JASPIC impl?
Yes, I took a look at it a while back and will do some more studies soon.
At any length, JASPIC does not have a major amount of functionality to
implement (like e.g. JSF). Slightly simplified, it consists of:
1. The Servlet container calling the user provided auth module at the
right times
2. Implementing a small amount of "API classes with code" (mostly
AuthConfigFactory)
and actually optional, but most users would expect this:
3. Some way to register the auth module at the container level (as
opposed to registering from within the application archive)
If I'm not mistaken the bulk in actual implementation code is
typically in item 3, which is usually some way to parse an XML file
and extract some details like the auth module class and whether it's
required etc. I'm not 100% sure how the TCK approaches this, but since
item 3. is fully container specific I guess that the most minimal
implementation could possibly even leave that out.
Item 1. is the most important part, and I've seen servers based on
Tomcat implementing this with just a custom Valve.
Item 2. should be the most trivial part, but trivial or not it's of
course something that does need to be done.
The above is my current feeling about it, and unless I'm really
terribly mistaken it almost can't be anything else than absolutely
doable. I'll come back to this list after I did some more studies
(likely after Devoxx, which is next week).
Kind regards,
Arjan