Simplify JASPIC SAM development via new CDI enabled HTTP specific interface #24

Closed
glassfishrobot opened this Issue Mar 25, 2015 · 4 comments

@glassfishrobot

In JSR 375, we could simplify application developer authentication mechanism development by specifying helper classes for JASPIC. This has already been suggested in https://java.net/jira/browse/JASPIC_SPEC-24.

After discussion with the JASPIC spec lead (Ron Monzillo), we resolved that JSR-375 may address https://java.net/jira/browse/JASPIC_SPEC-24 with respect to simplifying SAM development, since core JASPIC behavior is unaffected.

@glassfishrobot


Reported by @alexkosowski

glassfishrobot Jan 7, 2016

@arjantijms said:
Current work in progress proposal is to define new interface:

public interface HttpAuthenticationMechanism {

    AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException;

    default AuthStatus secureResponse(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException {
        return SEND_SUCCESS;
    }

    default void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
        httpMessageContext.cleanClientSubject();
    }
}

See: https://github.com/javaee-security-spec/javaee-security-proposals/blob/master/authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/javax/security/authentication/mechanism/http/HttpAuthenticationMechanism.java

A bridge SAM, installed by a combination of a CDI extension and a ServletContainerInitializer, calls implementations of this interface. Since the bean implementing this interface is obtained via the CDI bean manager, all CDI services are available in this bean. Note that this absolutely does not mean a SAM becomes in any way managed by CDI.

Example of SAM bridging the validateRequest method:

@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, options, messageInfo, clientSubject);

    return CDI.current()
        .select(HttpAuthenticationMechanism.class).get()
        .validateRequest(msgContext.getRequest(), msgContext.getResponse(), msgContext);
}

See: https://github.com/javaee-security-spec/javaee-security-proposals/blob/master/authentication/authentication-mechanism/jaspic-cdi-interface/src/main/java/org/glassfish/jsr375/mechanisms/HttpBridgeServerAuthModule.java

An example authentication mechanism (simplified SAM) looks as follows:

@RequestScoped
public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    private IdentityStore identityStore;

    @Override
    public AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws AuthException {

        if (request.getParameter("name") != null && request.getParameter("password") != null) {

            // Get the (caller) name and password from the request
            // NOTE: This is for the smallest possible example only. In practice
            // putting the password in a request query parameter is highly
            // insecure
            String name = request.getParameter("name");
            Password password = new Password(request.getParameter("password"));

            // Delegate the {credentials in -> identity data out} function to
            // the Identity Store
            CredentialValidationResult result = identityStore.validate(
                new UsernamePasswordCredential(name, password));

            if (result.getStatus() == VALID) {
                // Communicate the details of the authenticated user to the
                // container. In many cases the underlying handler will just store the details
                // and the container will actually handle the login after we return from
                // this method.
                return httpMessageContext.notifyContainerAboutLogin(
                    result.getCallerPrincipal(), result.getCallerGroups());
            } else {
                throw new AuthException("Login failed");
            }
        }

        return httpMessageContext.doNothing();
    }

}

See: https://github.com/arjantijms/mechanism-to-store-x/blob/master/app-custom/src/main/java/test/TestAuthenticationMechanism.java

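As an added example (not code from the issue or from the proposal repository), the same interface implemented against the HTTP Basic Authorization header instead of query parameters, which addresses the "password in a request query parameter is highly insecure" caveat in the example above. It assumes the final JSR 375 package names (javax.security.enterprise.*) and HttpMessageContext.isProtected() from that final API; the class name and realm string are made up.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Password;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the issue. Credentials come from the HTTP Basic Authorization
// header rather than query parameters, so they stay out of access logs, proxies and browser
// history. Package names are the final JSR 375 ones; isProtected() is assumed from that spec.
@RequestScoped
public class BasicHeaderAuthenticationMechanism implements HttpAuthenticationMechanism {
    @Inject private IdentityStore identityStore;

    @Override
    public AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
            HttpMessageContext httpMessageContext) throws AuthException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials: challenge only when the resource is protected, else stay out of the way
            return httpMessageContext.isProtected() ? challenge(response) : httpMessageContext.doNothing();
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return challenge(response); // not valid Base64
        }
        int colon = decoded.indexOf(':'); // RFC 7617: user-id ":" password, user-id must be non-empty
        if (colon < 1) return challenge(response);
        CredentialValidationResult result = identityStore.validate(new UsernamePasswordCredential(
            decoded.substring(0, colon), new Password(decoded.substring(colon + 1))));
        if (result.getStatus() == CredentialValidationResult.Status.VALID) {
            return httpMessageContext.notifyContainerAboutLogin(result.getCallerPrincipal(), result.getCallerGroups());
        }
        return challenge(response); // bad credentials: same reply as a missing header, no hint which part was wrong
    }

    // 401 with a challenge; SEND_FAILURE tells the container not to dispatch the request
    private AuthStatus challenge(HttpServletResponse response) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"app\", charset=\"UTF-8\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }
}
```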

glassfishrobot Apr 26, 2017

This issue was imported from java.net JIRA JAVAEE_SECURITY_SPEC-24

arjantijms Jul 25, 2017

Member

HttpAuthenticationMechanism has been fully specified and implemented as intended by this issue.

@arjantijms arjantijms closed this Jul 25, 2017

@arjantijms arjantijms changed the title from Simplify JASPIC SAM development with helper classes to Simplify JASPIC SAM development via new CDI enabled HTTP specific interface Jul 25, 2017