Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Ron Monzillo
Tomcat Experts,

The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in
support of the portable integration of new and/or custom authentication
mechanisms in compatible Servlet containers.

The Profile is a required component of all Full Platform EE Web
Containers, and we are receiving requests for the profile to become a
required component of the EE web profile. To that end, we are contacting
standalone and EE web profile Servlet containers to determine if there
is interest in adopting the profile.

For those unfamiliar with JASPIC, the SPI is a general purpose facility
that applies the concepts of pluggable authentication as defined by PAM
and JAAS to the realm of message authentication. The Servlet profile
applies the SPI to the realm of HttpServletRequest message
authentication in the context of servlet security constraint
processing. The SPI was defined to support complex challenge response
authentication protocols, and has been shown to be an effective means to
integrate portable implementations of new internet authentication
mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible
Servlet containers.

Does the Tomcat community support the inclusion of the Servlet profile
of JSR 196 in the EE web Profile?

thanks,

Ron Monzillo

------
More details:

The requirements of the profile are spelled out in chapter 3 of the
JASPIC specification:

http://download.oracle.com/otndocs/jcp/jaspic-1.0-mrel-eval-oth-JSpec/

and use of the SPI is described in high level terms in the javadoc,
which can be accessed at:

http://docs.oracle.com/javaee/6/api/javax/security/auth/message/config/package-frame.html

Support for the profile by a servlet container mostly amounts to making
a few calls to the SPI in the context of the processing of servlet
requests. The pattern is basically as follows:

// determine if a pluggable auth module is configured for the current application
AuthConfigProvider provider =
    AuthConfigFactory.getFactory().getConfigProvider("HttpServlet", appID, listener);

if (provider != null) {
    // if yes, get the server side configuration provider that applies to the application
    ServerAuthConfig config = provider.getServerAuthConfig("HttpServlet", appID, cbh);

    // for each request to the application
    // get the configuration of authentication modules that applies to the request
    messageInfo.setRequestMessage(httpServletRequest);
    messageInfo.setResponseMessage(httpServletResponse);
    String authContextID = config.getAuthContextID(messageInfo);
    ServerAuthContext context =
        config.getAuthContext(authContextID, serviceSubject, properties);

    // invoke validateRequest on the module configuration, which will
    // invoke the configured auth modules
    AuthStatus status =
        context.validateRequest(messageInfo, clientSubject, serviceSubject);

    if (status == AuthStatus.SUCCESS) {
        // Use the proprietary interfaces of the container to set the
        // userPrincipal on the request
        // proceed to authorize and invoke the servlet request as appropriate
    } else {
        // extract the response from messageInfo and return (it may be
        // a challenge or an error message, and will have been
        // established by the auth module)
    }
} else {
    // do what the container would do in the absence of jsr 196
}


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
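
The module side of the pattern in the post above, as an added example that is not part of the original post or of any project mentioned in this thread: a ServerAuthModule whose validateRequest is what the container's ServerAuthContext ends up invoking. The class name, the "user"/"password"/"group" option keys and the single fixed credential are assumptions made for illustration; the fixed credential stands in for a real identity store.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Added illustration, not code from the thread: an HTTP Basic ServerAuthModule.
// The class name and the "user"/"password"/"group" option keys are hypothetical.
public class ExampleBasicAuthModule implements ServerAuthModule {

    private static final String IS_MANDATORY =
            "javax.security.auth.message.MessagePolicy.isMandatory";

    private CallbackHandler handler;
    private String user;
    private String group;
    private byte[] expected; // "user:password" as UTF-8 bytes

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, Map options) throws AuthException {
        // Assumption: one fixed credential from the module options stands in
        // for a lookup against a real identity store.
        Object u = options == null ? null : options.get("user");
        Object p = options == null ? null : options.get("password");
        Object g = options == null ? null : options.get("group");
        if (u == null || p == null || g == null) {
            throw new AuthException("user, password and group options are required");
        }
        this.handler = handler;
        this.user = u.toString();
        this.group = g.toString();
        this.expected = (u + ":" + p).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    @SuppressWarnings("rawtypes")
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // The container sets this key when a security constraint covers the request.
        boolean mandatory = Boolean.parseBoolean(
                String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        String header = request.getHeader("Authorization");
        try {
            if (header == null && !mandatory) {
                // Unprotected resource, no credentials: report an unauthenticated caller.
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            if (header != null && credentialsMatch(header)) {
                // The container's handler maps these onto its own principal and roles.
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, user),
                        new GroupPrincipalCallback(clientSubject, new String[] { group }) });
                return AuthStatus.SUCCESS;
            }
            // Missing, malformed or wrong credentials: challenge, never fall through.
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("authentication failed").initCause(e);
        }
    }

    private boolean credentialsMatch(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        try {
            byte[] supplied = Base64.getDecoder().decode(header.substring(6).trim());
            // MessageDigest.isEqual does not stop at the first differing byte.
            return MessageDigest.isEqual(supplied, expected);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

The two callbacks are the portable replacement for the "proprietary interfaces of the container" step in the pattern above: the module never touches container classes, it only hands the caller name and group to the container-supplied CallbackHandler.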


Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

markt
On 30/01/2013 23:57, Ron Monzillo wrote:

> Tomcat Experts,
>
> The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in
> support of the portable integration
> of new and/or custom authentication mechanisms in compatible Servlet
> containers.
>
> The Profile is a required component of all Full Platform EE Web
> Containers, and we are receiving requests
> for the profile to become a required component of the EE web profile. To
> that end, we are contacting
> standalone and EE web profile Servlet containers to determine if there
> is interest in adopting the profile.
>
> For those unfamiliar with JASPIC, the SPI is a general purpose facility
> that applies the concepts of pluggable
> authentication as defined by PAM and JAAS to the realm of message
> authentication. The Servlet profile applies
> the SPI to the realm of HttpServletRequest message authentication in the
> context of servlet security constraint
> processing. The SPI was defined to support complex challenge response
> authentication protocols, and has
> been shown to be an effective means to integrate portable
> implementations of new internet authentication
> mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible
> Servlet containers.
>
> Does the Tomcat community support the inclusion of the Servlet profile
> of JSR 196 in the EE web Profile?

Apache Tomcat does not currently support the Java EE web profile. Tomcat
currently supports only the Servlet, JSP and EL specifications and will
be adding WebSocket to that list for Tomcat 8.

There has been very little demand from the Apache Tomcat user community to
support the Java EE web profile. There have been just two threads on the
users list that mention the web profile. There have been slightly more
on the dev list.

JASPIC was on the TODO list for Tomcat 7 for a while but it dropped off
because a) it wasn't a mandatory requirement for Servlet containers and
b) there was very little (no references at all on the users list) for it.

I think it would be safe to say that the Apache Tomcat community has no
opinion on the Java EE web profile requiring JSR 196 support. You'd
obviously get a very different reaction if the Servlet spec was going to
require JSR 196 support.

Apache TomEE does support the Java EE web profile. If you haven't
already approached that community for their views, I recommend that you
do so.

Kind regards,

Mark



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Jean-frederic Clere-3
In reply to this post by Ron Monzillo
On 01/31/2013 12:57 AM, Ron Monzillo wrote:
> Tomcat Experts,
>
> The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in
> support of the portable integration
> of new and/or custom authentication mechanisms in compatible Servlet
> containers.

You probably should ask that to the TomEE user list.

Cheers

Jean-Frederic


Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Ron Monzillo
In reply to this post by markt
On 2/3/13 5:02 AM, Mark Thomas wrote:

> On 30/01/2013 23:57, Ron Monzillo wrote:
>> Tomcat Experts and Users,
>>
>> The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in
>> support of the portable integration
>> of new and/or custom authentication mechanisms in compatible Servlet
>> containers.
>>
>> The Profile is a required component of all Full Platform EE Web
>> Containers, and we are receiving requests
>> for the profile to become a required component of the EE web profile. To
>> that end, we are contacting
>> standalone and EE web profile Servlet containers to determine if there
>> is interest in adopting the profile.
>>
>> For those unfamiliar with JASPIC, the SPI is a general purpose facility
>> that applies the concepts of pluggable
>> authentication as defined by PAM and JAAS to the realm of message
>> authentication. The Servlet profile applies
>> the SPI to the realm of HttpServletRequest message authentication in the
>> context of servlet security constraint
>> processing. The SPI was defined to support complex challenge response
>> authentication protocols, and has
>> been shown to be an effective means to integrate portable
>> implementations of new internet authentication
>> mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible
>> Servlet containers.
>>
>> Does the Tomcat community support the inclusion of the Servlet profile
>> of JSR 196 in the EE web Profile?
> Apache Tomcat does not currently support the Java EE web profile. Tomcat
> currently supports only the Servlet, JSP and EL specifications and will
> be adding WebSocket to that list for Tomcat 8.
>
> There has been very little demand from the Apache Tomcat user community to
> support the Java EE web profile. There have been just two threads on the
> users list that mention the web profile. There have been slightly more
> on the dev list.
>
> JASPIC was on the TODO list for Tomcat 7 for a while but it dropped off
> because a) it wasn't a mandatory requirement for Servlet containers and
> b) there was very little (no references at all on the users list) for it.
>
> I think it would be safe to say that the Apache Tomcat community has no
> opinion on the Java EE web profile requiring JSR 196 support. You'd
> obviously get a very different reaction if the Servlet spec was going to
> require JSR 196 support.
>
> Apache TomEE does support the Java EE web profile. If you haven't
> already approached that community for their views, I recommend that you
> do so.
Mark,

I have posted the question to the TomEE and Caucho/Resin user's lists.

It would also help to know what the level of interest is from Tomcat
users and developers.

I anticipate that there are Tomcat users and developers who are committed
to other approaches, but I'd like to make sure the use of JASPIC has been
presented for consideration by the Tomcat community.

I would also like to know if anyone has already done or is interested in
doing the work to integrate the JASPIC profile in the Tomcat code base.

kind regards,

Ron

>
> Kind regards,
>
> Mark
>

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

markt
On 06/02/2013 15:45, Ron Monzillo wrote:
> I have posted the question to the TomEE and Caucho/Resin user's lists.
>
> It would also help to know what the level of interest is from Tomcat
> users and developers.

For users@, yours is the first post ever to mention JASPIC. We'll see
what reaction your post gets.

For dev@, it is safe to say it is an itch no-one has wanted to scratch
so far because it hasn't been implemented. User demand could change that
but so far there hasn't been any.

> I anticipate that there are Tomcat users and developers who are committed
> to other approaches, but I'd like to make sure the use of JASPIC has been
> presented for consideration by the Tomcat community.

It has been on our radar for well over 3 years. As I keep saying, so far
no-one seems to be that interested in either using it or implementing it.

> I would also like to know if anyone has already done or is interested in
> doing
> the work to integrate the JASPIC  profile in the Tomcat code base.

I believe the Geronimo folks have had this implemented for a number of
years. If JASPIC support was going to be added to Tomcat, that is
probably where we'd start.

Mark



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

David Jencks
Umm, a few years ago I was quite interested in implementing it for tomcat, but couldn't raise any support over here.  I still think the geronimo-tomcat-jaspic integration could be adapted to tomcat standalone pretty easily, although I don't think I'll have time to work on it.

thanks
david jencks

On Feb 6, 2013, at 10:29 AM, Mark Thomas <[hidden email]> wrote:

> On 06/02/2013 15:45, Ron Monzillo wrote:
>> I have posted the question to the TomEE and Caucho/Resin user's lists.
>>
>> It would also help to know what the level of interest is from Tomcat
>> users and developers.
>
> For users@, yours is the first post ever to mention JASPIC. We'll see
> what reaction your post gets.
>
> For dev@, it is safe to say it is an itch no-one has wanted to scratch
> so far because it hasn't been implemented. User demand could change that
> but so far there hasn't been any.
>
>> I anticipate that there are Tomcat users and developers who are committed
>> to other approaches, but I'd like to make sure the use of JASPIC has been
>> presented for consideration by the Tomcat community.
>
> It has been on our radar for well over 3 years. As I keep saying, so far
> no-one seems to be that interested in either using it or implementing it.
>
>> I would also like to know if anyone has already done or is interested in
>> doing
>> the work to integrate the JASPIC  profile in the Tomcat code base.
>
> I believe the Geronimo folks have had this implemented for a number of
> years. If JASPIC support was going to be added to Tomcat, that is
> probably where we'd start.
>
> Mark
>

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Arjan Tijms
In reply to this post by markt
markt wrote
>> we are contacting standalone and EE web profile Servlet containers
> [...]
> There has been very little demand from the Apache Tomcat user community to
> support the Java EE web profile.

I guess Ron meant Tomcat with the "standalone Servlet container" and didn't ask for Tomcat to implement the EE web profile ;)

markt wrote
> JASPIC was on the TODO list for Tomcat 7 for a while but it dropped off
> because a) it wasn't a mandatory requirement for Servlet containers and
> b) there was very little (no references at all on the users list) for it.

Maybe the last point is because of the classic chicken & egg problem? People are not writing portable authentication modules, since they know Tomcat doesn't support them. Because of that few of them are being written and thus other people do not ask for it.

As Ron already demonstrated a bit, the Servlet Profile of JASPIC should be relatively easy to support. It's not a complete new feature with a lot of code that has to be built into Tomcat (like e.g. supporting CDI would require).

Instead, it's doing something that Tomcat already does, but (more or less) layering some standardized interfaces on top of that. In fact Tomcat's JAASRealm (http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#JAASRealm) is not that far away from a JASPIC implementation.

markt wrote
> You'd obviously get a very different reaction if the Servlet spec was going to
> require JSR 196 support.

Just out of curiosity, but what would you think the reaction might be if that was going to happen?

Kind regards,
Arjan Tijms

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

markt
On 13/08/2013 22:58, Arjan Tijms wrote:
> markt wrote
>>> we are contacting  standalone and EE web profile Servlet containers
>> [...]
>> There has been very little demand from the Apache Tomcat user community to
>> support the Java EE web profile.
>
> I guess Ron meant Tomcat with the "standalone Servlet container" and didn't
> ask for Tomcat to implement the EE web profile ;)

Had you not cut all the context, it would be clear that Ron's question was:
<quote>
Does the Tomcat community support the inclusion of the Servlet profile
of JSR 196 in the EE web Profile?
</quote>
Hence my response. I don't think the Tomcat developers are in a position
to pass judgement on what should or should not be in the web profile as
we have little to no visibility into what users want from the web profile.

Since I wrote that original response, there have been a handful of users
on the users list asking questions about the Tomcat part of TomEE but
nothing to change my view that there has been very little demand for web
profile support from the Tomcat user community.

What I don't have visibility of is the mix of TomEE users between Tomcat
users wanting more and J2EE container users wanting less. From $dayjob,
I see more of the latter: folks currently using full J2EE wanting to move
to the web profile or Tomcat.

> markt wrote
>> JASPIC was on the TODO list for Tomcat 7 for a while but it dropped off
>> because a) it wasn't a mandatory requirement for Servlet containers and
>> b) there was very little (no references at all on the users list) for it.
>
> Maybe the last point is because of the classic chicken & egg problem? People
> are not writing portable authentication modules, since they know Tomcat
> doesn't support them. Because of that few of them are being written and thus
> other people do not ask for it.

Maybe. On the other hand, look at the demand from the user community we
saw for WebSocket.

The only folks talking about JSR 196 have been either EG members like
Ron or David, or Tomcat committers mentioning that JSR 196 support was
being considered or might be a possible implementation solution for
something.

Not a single user has asked for JSR 196 support.

> As Ron already demonstrated a bit, the Servlet Profile of JASPIC should be
> relatively easy to support. It's not a complete new feature with a lot of
> code that has to be built into Tomcat (like e.g. supporting CDI would
> require).

No-one said it would be difficult. TomEE has already done it. We'd just
need to lift the code. Difficulty really doesn't come into it. If there
is a demand for it, it will get implemented. If there isn't, it won't.

At the moment the main driver for this, in my view, is to provide an API
for folks that want to do things like this:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

JASPIC isn't on the TODO list for 8.0.x but it is still early enough to
add it. Doing this for Tomcat 8 is on my "it would be nice to do this if
I can find the time" list.

> Instead, it's doing something that Tomcat already does, but (more or less)
> layering some standardized interfaces on top of that. In fact Tomcat's
> JAASRealm
> (http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#JAASRealm) is not
> that far away from a JASPIC implementation.
>
>
> markt wrote
>> You'd obviously get a very different reaction if the Servlet spec was
>> going to
>> require JSR 196 support.
>
> Just out of curiosity, but what would you think the reaction might be if
> that was going to happen?

If the Servlet specification required JSR 196 support then it would get
implemented.

Mark



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Arjan Tijms
Hi,

markt wrote
> Had you not cut all the context, it would be clear that Ron's question was:
>> Does the Tomcat community support the inclusion of the Servlet profile
>> of JSR 196 in the EE web Profile?
> Hence my response. I don't think the Tomcat developers are in a position
> to pass judgement on what should or should not be in the web profile as
> we have little to no visibility into what users want from the web profile.

I see, thanks for the clarification, it's clear to me now.

markt wrote
> The only folks talking about JSR 196 have been either EG members like
> Ron or David, or Tomcat committers mentioning that JSR 196 support was
> being considered or might be a possible implementation solution for
> something.
>
> Not a single user has asked for JSR 196 support.

Well, I'm a user asking for it ;)

Personally I know of 2 users who were busy trying to implement a kind of bridge between JASPIC and Tomcat so that they could use their company's in-house developed SAM with Tomcat. I don't know why they didn't approach the Tomcat mailing list or create an issue.

I address JASPIC on my blog, and from the traffic I can see there's some demand for JASPIC indeed. People do search for things like "portable login module", "universal realm Java EE", "jaspic", "jaspic api" etc. Granted, it's not a very large amount of traffic (currently sits at ~1% of the JSF traffic, which is a topic I also cover), but it's still there.

As opposed to WebSocket; I think WebSocket addresses a need for which there wasn't a real solution yet. It's a new feature that got a lot of attention. JASPIC doesn't really add any new feature, it just standardizes existing things. People are obviously already building authentication modules, but seem to have grudgingly accepted that those things are just container specific.

For some reason JASPIC hasn't been given that much attention. From a user's point it was almost silently added to the spec. Even the well known Java EE tutorial from Oracle doesn't mention it. On StackOverflow I mentioned the existence of JASPIC a couple of times in relevant questions, and even very experienced Java programmers (judging by their SO rep) were genuinely surprised that this existed and seemed to be very enthusiastic about the idea of portable authentication modules. A recent example: http://stackoverflow.com/questions/5030924/user-group-implementation-compatible-with-jaas/15873533#comment26696282_15873533


markt wrote
> No-one said it would be difficult. TomEE has already done it. We'd just
> need to lift the code. Difficulty really doesn't come into it. If there
> is a demand for it, it will get implemented. If there isn't, it won't.

Thanks, that's clear!

Btw, didn't you mean Geronimo there, or really TomEE? Last time I checked TomEE didn't have JASPIC implemented yet, but Geronimo of course has.

markt wrote
> At the moment the main driver for this, in my view, is to provide an API
> for folks that want to do things like this:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

Yes, I see. That's a very good example.

Thanks a lot for your detailed response.

Kind regards,
Arjan Tijms

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

David Blevins-2

On Aug 14, 2013, at 2:25 AM, Arjan Tijms <[hidden email]> wrote:

> markt wrote
>> No-one said it would be difficult. TomEE has already done it. We'd just
>> need to lift the code. Difficulty really doesn't come into it. If there
>> is a demand for it, it will get implemented. If there isn't, it won't.
>
> Thanks, that's clear!
>
> Btw, didn't you mean Geronimo there, or really TomEE? Last time I checked
> TomEE didn't have JASPIC implemented yet, but Geronimo of course has.

Right, the code David J wrote some time ago is in Geronimo.  If you wanted to roll up your sleeves, we'd be more than happy to see it ported or reimplemented in TomEE.

It's a Full Profile requirement and there has been user-demand for seeing TomEE+ be full profile compliant.  Something we'd never have done in EE 6 with JAX-RPC and other horrific legacy, but much of that is dropped in EE 7 Full Profile.


-David



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

markt
On 15/08/2013 00:02, David Blevins wrote:

>
> On Aug 14, 2013, at 2:25 AM, Arjan Tijms <[hidden email]> wrote:
>
>> markt wrote
>>> No-one said it would be difficult. TomEE has already done it. We'd just
>>> need to lift the code. Difficulty really doesn't come into it. If there
>>> is a demand for it, it will get implemented. If there isn't, it won't.
>>
>> Thanks, that's clear!
>>
>> Btw, didn't you mean Geronimo there, or really TomEE? Last time I checked
>> TomEE didn't have JASPIC implemented yet, but Geronimo of course has.
>
> Right, the code David J wrote some time ago is in Geronimo.

Thanks for the correction.

> If you wanted to roll up your sleeves, we'd be more than happy to see it ported or reimplemented in TomEE.

or Tomcat :)

Mark



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Arjan Tijms
Hi,

On Thursday, August 15, 2013, markt [via Tomcat] wrote:
> On 15/08/2013 00:02, David Blevins wrote:
>
>> If you wanted to roll up your sleeves, we'd be more than happy to see it ported or reimplemented in TomEE.
>
> or Tomcat :)

Definitely!

I'll also try to contact the guys who said they were working on a Tomcat JASPIC bridge already. One of them had the intention to release his work as open source, although he said he had to target Tomcat 6 specifically.

Kind regards,
Arjan Tijms

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

David Blevins-2
In reply to this post by markt

On Aug 15, 2013, at 1:07 AM, Mark Thomas <[hidden email]> wrote:

>> If you wanted to roll up your sleeves, we'd be more than happy to see it ported or reimplemented in TomEE.
>
> or Tomcat :)

Even better!

-David



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Fjodor Vershinin
Hello!
I am a CS student and it looks like that this task is quite interesting. I would take it for GSOC if ASF organization will be selected. Currently I have some time to do research in Tomcat codebase. Could you provide me some entry points?
Thanks,
Fjodor

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

David Jencks-2
For many years Geronimo has had a modified tomcat version implementing jaspic. I offered it to tomcat when I wrote it but was declined.

thanks
david jencks

On Feb 10, 2015, at 1:05 PM, Fjodor Vershinin <[hidden email]> wrote:

> Hello!
> I am a CS student and it looks like that this task is quite interesting. I
> would take it for GSOC if ASF organization will be selected. Currently I
> have some time to do research in Tomcat codebase. Could you provide me some
> entry points?
> Thanks,
> Fjodor
>
>
>

Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Arjan Tijms
In reply to this post by Fjodor Vershinin
Hi,

On Tuesday, February 10, 2015, Fjodor Vershinin [via Tomcat] <[hidden email]> wrote:
> Hello!
> I am a CS student and it looks like that this task is quite interesting. I would take it for GSOC if ASF organization will be selected. Currently I have some time to do research in Tomcat codebase. Could you provide me some entry points?

Thanks for your interest in this. An entry point could be my original JASPIC article that you can find here; http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

At the end of the article you'll find a list of resources.

My approach would be to investigate how Tomcat integrates authentication modules, e.g. look at the source of the JAAS support in Tomcat; that code has to do similar integration. You can look at JBoss 7.x for an example too, it used Tomcat and an integration Valve (WebJaspiAuthenticator see http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.as/jboss-as-web/7.1.1.Final/org/jboss/as/web/security/jaspi/WebJASPIAuthenticator.java)

Geronimo also implemented JASPIC and used Tomcat, so that implementation would be high on the list to study too.

Many implementations have a (large) part of their code dedicated to handling some xml file where jaspic auth modules are defined. Strictly speaking this is not a required part of JASPIC, but it's somewhat expected for configuring modules at the container side (as opposed to from within the app archive).

I did actually more or less promise to do this implementation myself, but so far haven't found the time for it.

Let me know if this is enough to get started.

Kind regards,
Arjan 
 
> Thanks,
> Fjodor



Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

markt
On 10/02/2015 18:42, Arjan Tijms wrote:

> Hi,
>
> On Tuesday, February 10, 2015, Fjodor Vershinin [via Tomcat] <
> [hidden email]> wrote:
>
>> Hello!
>> I am a CS student and it looks like that this task is quite interesting. I
>> would take it for GSOC if ASF organization will be selected. Currently I
>> have some time to do research in Tomcat codebase. Could you provide me some
>> entry points?
>
>
> Thanks for your interest in this. An entry point could be my original
> JASPIC article that you can find here;
> http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html
>
> At the end of the article you'll find a list of resources.
>
> My approach would be to investigate how Tomcat integrates authentication
> modules, eg look at the source of the JAAS support in Tomcat; that code has
> to do similar integration. You can look at JBoss 7.x for an example too, it
> used Tomcat and an integration Valve (WebJaspiAuthenticator see
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.as/jboss-as-web/7.1.1.Final/org/jboss/as/web/security/jaspi/WebJASPIAuthenticator.java

If you do look at JBoss keep in mind it is GPL licensed and we need to
be very careful that we don't end up with GPL'd code in Tomcat.

> )
>
> Geronimo also implemented JASPIC and used Tomcat, so that implementation
> would be high on the list to study too.

Personally, I'd look much more closely at Geronimo.

Keep in mind that part of the goal is to replace the existing
authenticators with JASPIC modules. (As suggested on the Servlet EG list.)

> Many implementations have a (large) part of their code dedicated to
> handling some xml file where jaspic auth modules are defined. Strictly
> speaking this is not a required part of JASPIC, but it's somewhat expected
> for configuring modules at the container side (as opposed to from within
> the app archive).

Tomcat already has a lot of the infrastructure for handling this sort of
thing. It could be as simple as adding a few digester rules.

> I did actually more or less promise to do this implementation myself, but
> so far haven't found the time for it.

I think we all know that feeling - hence why I suggested it for GSoC.

Mark


Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Arjan Tijms
Hi,

On Tue, Feb 10, 2015 at 8:34 PM, Mark Thomas-2 [via Tomcat]
<[hidden email]> wrote:
> If you do look at JBoss keep in mind it is GPL licensed and we need to
> be very careful that we don't end up with GPL'd code in Tomcat.

That's absolutely true. The code there shouldn't be copied in any
way. It's only useful as an example of how a Tomcat Valve can
integrate with something like JASPIC. As for the JASPIC code there, it
wouldn't make sense to copy it anyway, since A) it's JBoss specific
(builds up JBoss principal, calls JBoss security service, etc) and B)
there are various issues with it (it looks like JBoss pretty much
rewrote everything from scratch for Undertow, which is completely
different).

> Personally, I'd look much more closely at Geronimo.

You're right, and since that one is Apache licensed one can even copy
from it if needed.

> Keep in mind that part of the goal is to replace the existing
> authenticators with JASPIC modules. (As suggested on the Servlet EG list.)

It's good to have that as part of the goal indeed. Such auth modules
could even be implemented by a separate (group) of students if needed,
as they would not necessarily depend on the JASPIC implementation for
Tomcat. As long as that one is not finished they could test it on any
existing JASPIC implementation (e.g. the RI, GlassFish).

> I think we all know that feeling - hence why I suggested it for GSoC.

Yeah, I get that, thanks! It's still something that I'd really love to
do, but with the work for the startup zeef.com, open source projects
OmniFaces and OmniSecurity, the work for the JSF EG and perhaps soon
for the security EG, there is not always much time left. I had this on
my sketchy todo list for ~end of this month, but I'll see what happens
with the GSoC project now ;)

Kind regards,
Arjan





Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Fjodor Vershinin
Hello!
It looks like the ASF has been selected for GSoC 2015 and I am interested in
pushing this project forward. So, in the meantime I'll start writing a proposal
and hope this project will be selected to participate in the GSoC program.
Best regards,
Fjodor.


Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x

Fjodor Vershinin
Good news, everyone!
I am happy to announce that our project has been accepted to participate in
GSoC. Now it's the community bonding period, so I need to introduce myself to
the other developers.
Some brief information about me: My name is Fjodor Vershinin, I am a 2nd
grade computer science student from Estonia. One of my hobbies is writing
OSS software, mainly in Java and Python. I hope to finish the JASPIC
implementation during this summer and make Tomcat better ;)
Fjodor.

