3:45 p.m.
Hi,
I pushed the initial rewrite of the authentication in GateIn that is based on WCI and
Servlet 3.0 authentication.
The good news is it improves things by simplifying the code and remove all the previous
http redirects that we needed.
I wrote a doc about it there : https://community.jboss.org/wiki/GateIn35Authentication
- Marek and Matt should look at the authentication with SSO and WS-Security
- Trong should look at the login form redirection for groups and users as now we don't
rely anymore on servlet container security constraint (like it is already for portal
pages)
Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I have been
working for a couple of weeks. I guess it could also affect WSRP if it is using WCI in
some way (WCI has had many simplifications last week with the removal of unnecessary
stuff).
cheers
Julien
1:36 a.m.
Not sure if it is clear from the email that changes are here:
https://github.com/vietj/gatein-portal/tree/pcwci
and
https://github.com/gatein/gatein-wci
and are awaiting some feedback before they get pushed upstream
Bolek
On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com> wrote:
Hi,
I pushed the initial rewrite of the authentication in GateIn that is based on WCI and
Servlet 3.0 authentication.
The good news is it improves things by simplifying the code and remove all the previous
http redirects that we needed.
I wrote a doc about it there : https://community.jboss.org/wiki/GateIn35Authentication
- Marek and Matt should look at the authentication with SSO and WS-Security
- Trong should look at the login form redirection for groups and users as now we
don't rely anymore on servlet container security constraint (like it is already for
portal pages)
Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I have been
working for a couple of weeks. I guess it could also affect WSRP if it is using WCI in
some way (WCI has had many simplifications last week with the removal of unnecessary
stuff).
cheers
Julien
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
1:51 a.m.
they actually need more work from Trong before being merged and careful checks.
I believe we can finish that by the end of this week.
On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com> wrote:
Hi,
I pushed the initial rewrite of the authentication in GateIn that is based on WCI and
Servlet 3.0 authentication.
The good news is it improves things by simplifying the code and remove all the previous
http redirects that we needed.
I wrote a doc about it there : https://community.jboss.org/wiki/GateIn35Authentication
- Marek and Matt should look at the authentication with SSO and WS-Security
- Trong should look at the login form redirection for groups and users as now we
don't rely anymore on servlet container security constraint (like it is already for
portal pages)
Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I have been
working for a couple of weeks. I guess it could also affect WSRP if it is using WCI in
some way (WCI has had many simplifications last week with the removal of unnecessary
stuff).
cheers
Julien
6:42 a.m.
Hi Julien,
I am checking the branch
https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for this
authentication simplification. I have some comments:
1) I tested on AS7 and saw some compilation failures in wsrp-extension
component (namely in class WSRPServiceIntegration) because it still used
old WCI api for obtaining ServletContainer.
I fixed it simply by using: ServletContainer servletContainer =
ServletContainerFactory.getServletContainer();
instead of DefaultServletContainerFactory as you suggested on irc.
2) Second thing is more major and it's related to the WSS issue with
credentials. Unfortunately it doesn't work correctly in your branch
because LoginServlet.bindCredentialsToConversationState is called
directly after authentication, which is too early as it still don't have
correct conversationState at this moment. What happens here is:
- Request http://localhost:8080/portal/login?username=john&password=gtn
is send
-- SetCurrentIdentityFilter is called at the beginning of the request,
but at this moment user is not authenticated. So it uses
ConversationState for anonymous identity (IdentityConstants.ANONIM)
-- request is processed by LoginServlet, which invokes wci
authentication. But at this moment there is still ConversationState for
anonymous user bind to threadLocal, so Credentials are registered to
this conversationState. Then we have redirection to initialURI like
"/portal/classic"
- Request http://localhost:8080/portal/classic is send
-- SetCurrentIdentityFilter is called and it recognize that user is
authenticated so it creates new ConversationState for this user and
register it to ConversationRegistry. But note that previous
ConversationState is lost. So credentials are not registered in current
ConversationState --> WSS can't work
I have my branch here
https://github.com/mposolda/gatein-portal/tree/pcwci which is based on
top of your branch and it addresses (1) and (2). I fixed (2) by similar
approach like was before your changes, which means:
- After successful authentication are credentials bind to temporary
authenticationRegistry, which exists only during authentication
- I added new filter ConversationStateUpdateFilter, which removes
credentials from temporary registry and adds them to ConversationState.
ConversationStateUpdateFilter is added after SetCurrentIdentityFilter,
which ensures that correct ConversationState is bound to threadLocal
when it's called.
I did not test with WSS enabled, but I verified that after my change is
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
returning correct credentials value, which should fix GTNPORTAL-2567 .
Let me know if my branch with those changes
https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you have
some other ideas to improve this.
Personally I would prefer to use WCI authenticationListener for register
credentials but unfortunately listener doesn't have information about
password of user, so I created WCI jira
https://issues.jboss.org/browse/GTNWCI-37 to address this. I think you
told about this limitation on IRC yesterday as well. WDYT?
3) I saw some exceptions due to gatein-sample-extension and
gatein-sample-portal. It seems that we need to remove those obsolete
servlets from web.xml and login.jsp. Also it seems that other products
on top of GateIn will need to adapt those changes as well. I did not fix
those in my branch for now...
I will try to test with SSO later in the afternoon but I did not expect
any major problems as you keep "/dologin" secure URL, so I think that it
should work without any changes. Will update later if found any problems.
Marek
On 18/09/12 08:51, Julien Viet wrote:
they actually need more work from Trong before being merged and
careful checks.
I believe we can finish that by the end of this week.
On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com> wrote:
> Hi,
>
> I pushed the initial rewrite of the authentication in GateIn that is based on WCI and
Servlet 3.0 authentication.
>
> The good news is it improves things by simplifying the code and remove all the
previous http redirects that we needed.
>
> I wrote a doc about it there :
https://community.jboss.org/wiki/GateIn35Authentication
>
> - Marek and Matt should look at the authentication with SSO and WS-Security
> - Trong should look at the login form redirection for groups and users as now we
don't rely anymore on servlet container security constraint (like it is already for
portal pages)
>
> Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I have
been working for a couple of weeks. I guess it could also affect WSRP if it is using WCI
in some way (WCI has had many simplifications last week with the removal of unnecessary
stuff).
>
> cheers
>
> Julien
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
6:59 a.m.
On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Julien,
I am checking the branch https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
this authentication simplification. I have some comments:
1) I tested on AS7 and saw some compilation failures in wsrp-extension component (namely
in class WSRPServiceIntegration) because it still used old WCI api for obtaining
ServletContainer.
I fixed it simply by using: ServletContainer servletContainer =
ServletContainerFactory.getServletContainer();
instead of DefaultServletContainerFactory as you suggested on irc.
2) Second thing is more major and it's related to the WSS issue with credentials.
Unfortunately it doesn't work correctly in your branch because
LoginServlet.bindCredentialsToConversationState is called directly after authentication,
which is too early as it still don't have correct conversationState at this moment.
What happens here is:
- Request http://localhost:8080/portal/login?username=john&password=gtn is send
-- SetCurrentIdentityFilter is called at the beginning of the request, but at this moment
user is not authenticated. So it uses ConversationState for anonymous identity
(IdentityConstants.ANONIM)
-- request is processed by LoginServlet, which invokes wci authentication. But at this
moment there is still ConversationState for anonymous user bind to threadLocal, so
Credentials are registered to this conversationState. Then we have redirection to
initialURI like "/portal/classic"
- Request http://localhost:8080/portal/classic is send
-- SetCurrentIdentityFilter is called and it recognize that user is authenticated so it
creates new ConversationState for this user and register it to ConversationRegistry. But
note that previous ConversationState is lost. So credentials are not registered in current
ConversationState --> WSS can't work
I have my branch here https://github.com/mposolda/gatein-portal/tree/pcwci which is based
on top of your branch and it addresses (1) and (2). I fixed (2) by similar approach like
was before your changes, which means:
- After successful authentication are credentials bind to temporary
authenticationRegistry, which exists only during authentication
- I added new filter ConversationStateUpdateFilter, which removes credentials from
temporary registry and adds them to ConversationState. ConversationStateUpdateFilter is
added after SetCurrentIdentityFilter, which ensures that correct ConversationState is
bound to threadLocal when it's called.
I did not test with WSS enabled, but I verified that after my change is
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS) returning correct
credentials value, which should fix GTNPORTAL-2567 .
Let me know if my branch with those changes
https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you have some other ideas to
improve this.
Personally I would prefer to use WCI authenticationListener for register credentials but
unfortunately listener doesn't have information about password of user, so I created
WCI jira https://issues.jboss.org/browse/GTNWCI-37 to address this. I think you told about
this limitation on IRC yesterday as well. WDYT?
we can fix WCI and make password available again.
if yes we can make a release today.
3) I saw some exceptions due to gatein-sample-extension and gatein-sample-portal. It
seems that we need to remove those obsolete servlets from web.xml and login.jsp. Also it
seems that other products on top of GateIn will need to adapt those changes as well. I did
not fix those in my branch for now…
this is correct, it needs more correction before final merge, this is still a WIP :-)
I will try to test with SSO later in the afternoon but I did not expect any major
problems as you keep "/dologin" secure URL, so I think that it should work
without any changes. Will update later if found any problems.
Marek
On 18/09/12 08:51, Julien Viet wrote:
> they actually need more work from Trong before being merged and careful checks.
>
> I believe we can finish that by the end of this week.
>
> On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com> wrote:
>
>> Hi,
>>
>> I pushed the initial rewrite of the authentication in GateIn that is based on WCI
and Servlet 3.0 authentication.
>>
>> The good news is it improves things by simplifying the code and remove all the
previous http redirects that we needed.
>>
>> I wrote a doc about it there :
https://community.jboss.org/wiki/GateIn35Authentication
>>
>> - Marek and Matt should look at the authentication with SSO and WS-Security
>> - Trong should look at the login form redirection for groups and users as now we
don't rely anymore on servlet container security constraint (like it is already for
portal pages)
>>
>> Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I
have been working for a couple of weeks. I guess it could also affect WSRP if it is using
WCI in some way (WCI has had many simplifications last week with the removal of
unnecessary stuff).
>>
>> cheers
>>
>> Julien
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev
1:01 p.m.
it is now merged in gatein-portal/master
kuddos to you and Trong for the responsiveness and the good work
On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com> wrote:
On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> Hi Julien,
>
> I am checking the branch https://github.com/vietj/gatein-portal/tree/pcwci . Thanks
for this authentication simplification. I have some comments:
>
> 1) I tested on AS7 and saw some compilation failures in wsrp-extension component
(namely in class WSRPServiceIntegration) because it still used old WCI api for obtaining
ServletContainer.
> I fixed it simply by using: ServletContainer servletContainer =
ServletContainerFactory.getServletContainer();
> instead of DefaultServletContainerFactory as you suggested on irc.
>
> 2) Second thing is more major and it's related to the WSS issue with credentials.
Unfortunately it doesn't work correctly in your branch because
LoginServlet.bindCredentialsToConversationState is called directly after authentication,
which is too early as it still don't have correct conversationState at this moment.
What happens here is:
> - Request http://localhost:8080/portal/login?username=john&password=gtn is send
> -- SetCurrentIdentityFilter is called at the beginning of the request, but at this
moment user is not authenticated. So it uses ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> -- request is processed by LoginServlet, which invokes wci authentication. But at
this moment there is still ConversationState for anonymous user bind to threadLocal, so
Credentials are registered to this conversationState. Then we have redirection to
initialURI like "/portal/classic"
> - Request http://localhost:8080/portal/classic is send
> -- SetCurrentIdentityFilter is called and it recognize that user is authenticated so
it creates new ConversationState for this user and register it to ConversationRegistry.
But note that previous ConversationState is lost. So credentials are not registered in
current ConversationState --> WSS can't work
>
> I have my branch here https://github.com/mposolda/gatein-portal/tree/pcwci which is
based on top of your branch and it addresses (1) and (2). I fixed (2) by similar approach
like was before your changes, which means:
> - After successful authentication are credentials bind to temporary
authenticationRegistry, which exists only during authentication
> - I added new filter ConversationStateUpdateFilter, which removes credentials from
temporary registry and adds them to ConversationState. ConversationStateUpdateFilter is
added after SetCurrentIdentityFilter, which ensures that correct ConversationState is
bound to threadLocal when it's called.
>
> I did not test with WSS enabled, but I verified that after my change is
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS) returning correct
credentials value, which should fix GTNPORTAL-2567 .
>
> Let me know if my branch with those changes
https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you have some other ideas to
improve this.
>
> Personally I would prefer to use WCI authenticationListener for register credentials
but unfortunately listener doesn't have information about password of user, so I
created WCI jira https://issues.jboss.org/browse/GTNWCI-37 to address this. I think you
told about this limitation on IRC yesterday as well. WDYT?
we can fix WCI and make password available again.
if yes we can make a release today.
>
> 3) I saw some exceptions due to gatein-sample-extension and gatein-sample-portal. It
seems that we need to remove those obsolete servlets from web.xml and login.jsp. Also it
seems that other products on top of GateIn will need to adapt those changes as well. I did
not fix those in my branch for now…
this is correct, it needs more correction before final merge, this is still a WIP :-)
>
> I will try to test with SSO later in the afternoon but I did not expect any major
problems as you keep "/dologin" secure URL, so I think that it should work
without any changes. Will update later if found any problems.
>
> Marek
>
> On 18/09/12 08:51, Julien Viet wrote:
>> they actually need more work from Trong before being merged and careful checks.
>>
>> I believe we can finish that by the end of this week.
>>
>> On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com> wrote:
>>
>>> Hi,
>>>
>>> I pushed the initial rewrite of the authentication in GateIn that is based on
WCI and Servlet 3.0 authentication.
>>>
>>> The good news is it improves things by simplifying the code and remove all
the previous http redirects that we needed.
>>>
>>> I wrote a doc about it there :
https://community.jboss.org/wiki/GateIn35Authentication
>>>
>>> - Marek and Matt should look at the authentication with SSO and WS-Security
>>> - Trong should look at the login form redirection for groups and users as now
we don't rely anymore on servlet container security constraint (like it is already for
portal pages)
>>>
>>> Note that this integrates with the new Alpha common/wci/pc stack, Bolek and I
have been working for a couple of weeks. I guess it could also affect WSRP if it is using
WCI in some way (WCI has had many simplifications last week with the removal of
unnecessary stuff).
>>>
>>> cheers
>>>
>>> Julien
>>
>> _______________________________________________
>> gatein-dev mailing list
>> gatein-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
2:03 p.m.
@Julien Why did you remove the logout event from WCI? I need it at kernel
level
On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com> wrote:
it is now merged in gatein-portal/master
kuddos to you and Trong for the responsiveness and the good work
On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com> wrote:
>
> On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> Hi Julien,
>>
>> I am checking the branch
https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for this
authentication simplification. I have some comments:
>>
>> 1) I tested on AS7 and saw some compilation failures in wsrp-extension
component (namely in class WSRPServiceIntegration) because it still used
old WCI api for obtaining ServletContainer.
>> I fixed it simply by using: ServletContainer servletContainer =
ServletContainerFactory.getServletContainer();
>> instead of DefaultServletContainerFactory as you suggested on irc.
>>
>> 2) Second thing is more major and it's related to the WSS issue with
credentials. Unfortunately it doesn't work correctly in your branch because
LoginServlet.bindCredentialsToConversationState is called directly after
authentication, which is too early as it still don't have correct
conversationState at this moment. What happens here is:
>> - Request http://localhost:8080/portal/login?username=john&password=gtnis
send
>> -- SetCurrentIdentityFilter is called at the beginning of the request,
but at this moment user is not authenticated. So it uses ConversationState
for anonymous identity (IdentityConstants.ANONIM)
>> -- request is processed by LoginServlet, which invokes wci
authentication. But at this moment there is still ConversationState for
anonymous user bind to threadLocal, so Credentials are registered to this
conversationState. Then we have redirection to initialURI like
"/portal/classic"
>> - Request http://localhost:8080/portal/classic is send
>> -- SetCurrentIdentityFilter is called and it recognize that user is
authenticated so it creates new ConversationState for this user and
register it to ConversationRegistry. But note that previous
ConversationState is lost. So credentials are not registered in current
ConversationState --> WSS can't work
>>
>> I have my branch here
https://github.com/mposolda/gatein-portal/tree/pcwci which is based on
top of your branch and it addresses (1) and (2). I fixed (2) by similar
approach like was before your changes, which means:
>> - After successful authentication are credentials bind to temporary
authenticationRegistry, which exists only during authentication
>> - I added new filter ConversationStateUpdateFilter, which removes
credentials from temporary registry and adds them to ConversationState.
ConversationStateUpdateFilter is added after SetCurrentIdentityFilter,
which ensures that correct ConversationState is bound to threadLocal when
it's called.
>>
>> I did not test with WSS enabled, but I verified that after my change is
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
returning correct credentials value, which should fix GTNPORTAL-2567 .
>>
>> Let me know if my branch with those changes
https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you have
some other ideas to improve this.
>>
>> Personally I would prefer to use WCI authenticationListener for
register credentials but unfortunately listener doesn't have information
about password of user, so I created WCI jira
https://issues.jboss.org/browse/GTNWCI-37 to address this. I think you
told about this limitation on IRC yesterday as well. WDYT?
>
> we can fix WCI and make password available again.
>
> if yes we can make a release today.
>
>>
>> 3) I saw some exceptions due to gatein-sample-extension and
gatein-sample-portal. It seems that we need to remove those obsolete
servlets from web.xml and login.jsp. Also it seems that other products on
top of GateIn will need to adapt those changes as well. I did not fix those
in my branch for now…
>
> this is correct, it needs more correction before final merge, this is
still a WIP :-)
>
>>
>> I will try to test with SSO later in the afternoon but I did not expect
any major problems as you keep "/dologin" secure URL, so I think that it
should work without any changes. Will update later if found any problems.
>
>>
>> Marek
>>
>> On 18/09/12 08:51, Julien Viet wrote:
>>> they actually need more work from Trong before being merged and
careful checks.
>>>
>>> I believe we can finish that by the end of this week.
>>>
>>> On Sep 17, 2012, at 10:45 PM, Julien Viet <julien(a)julienviet.com>
wrote:
>>>
>>>> Hi,
>>>>
>>>> I pushed the initial rewrite of the authentication in GateIn that is
based on WCI and Servlet 3.0 authentication.
>>>>
>>>> The good news is it improves things by simplifying the code and
remove all the previous http redirects that we needed.
>>>>
>>>> I wrote a doc about it there :
https://community.jboss.org/wiki/GateIn35Authentication
>>>>
>>>> - Marek and Matt should look at the authentication with SSO and
WS-Security
>>>> - Trong should look at the login form redirection for groups and
users as now we don't rely anymore on servlet container security constraint
(like it is already for portal pages)
>>>>
>>>> Note that this integrates with the new Alpha common/wci/pc stack,
Bolek and I have been working for a couple of weeks. I guess it could also
affect WSRP if it is using WCI in some way (WCI has had many
simplifications last week with the removal of unnecessary stuff).
>>>>
>>>> cheers
>>>>
>>>> Julien
>>>
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
2:38 a.m.
Not sure why GateIn WCI events are required at eXo Kernel level but *in
general*, it would be great if you (and actually anyone interested by
GateIn development) could join the #gatein room on IRC Freenode. The
changes have been discussed there in details and it enabled great
collaboration between Julien, Trong and Marek. There were few emails on
this list as well though but it can't be the same amount of details.
Also it's not hyper-active so it shouldn't be too disturbing.
If there is such a room for eXo JCR/Kernel/Core this could be useful as
well so that we all know what happens on the other side of the fence.
BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while
away without having to read full history).
Thomas
On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
@Julien Why did you remove the logout event from WCI? I need it at
kernel level
On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
it is now merged in gatein-portal/master
kuddos to you and Trong for the responsiveness and the good work
On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>
> On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
>
>> Hi Julien,
>>
>> I am checking the branch
https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
this authentication simplification. I have some comments:
>>
>> 1) I tested on AS7 and saw some compilation failures in
wsrp-extension component (namely in class WSRPServiceIntegration)
because it still used old WCI api for obtaining ServletContainer.
>> I fixed it simply by using: ServletContainer servletContainer =
ServletContainerFactory.getServletContainer();
>> instead of DefaultServletContainerFactory as you suggested on irc.
>>
>> 2) Second thing is more major and it's related to the WSS issue
with credentials. Unfortunately it doesn't work correctly in your
branch because LoginServlet.bindCredentialsToConversationState is
called directly after authentication, which is too early as it
still don't have correct conversationState at this moment. What
happens here is:
>> - Request
http://localhost:8080/portal/login?username=john&password=gtn is send
>> -- SetCurrentIdentityFilter is called at the beginning of the
request, but at this moment user is not authenticated. So it uses
ConversationState for anonymous identity (IdentityConstants.ANONIM)
>> -- request is processed by LoginServlet, which invokes wci
authentication. But at this moment there is still
ConversationState for anonymous user bind to threadLocal, so
Credentials are registered to this conversationState. Then we have
redirection to initialURI like "/portal/classic"
>> - Request http://localhost:8080/portal/classic is send
>> -- SetCurrentIdentityFilter is called and it recognize that
user is authenticated so it creates new ConversationState for this
user and register it to ConversationRegistry. But note that
previous ConversationState is lost. So credentials are not
registered in current ConversationState --> WSS can't work
>>
>> I have my branch here
https://github.com/mposolda/gatein-portal/tree/pcwci which is
based on top of your branch and it addresses (1) and (2). I fixed
(2) by similar approach like was before your changes, which means:
>> - After successful authentication are credentials bind to
temporary authenticationRegistry, which exists only during
authentication
>> - I added new filter ConversationStateUpdateFilter, which
removes credentials from temporary registry and adds them to
ConversationState. ConversationStateUpdateFilter is added after
SetCurrentIdentityFilter, which ensures that correct
ConversationState is bound to threadLocal when it's called.
>>
>> I did not test with WSS enabled, but I verified that after my
change is
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
returning correct credentials value, which should fix GTNPORTAL-2567 .
>>
>> Let me know if my branch with those changes
https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
have some other ideas to improve this.
>>
>> Personally I would prefer to use WCI authenticationListener for
register credentials but unfortunately listener doesn't have
information about password of user, so I created WCI jira
https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
you told about this limitation on IRC yesterday as well. WDYT?
>
> we can fix WCI and make password available again.
>
> if yes we can make a release today.
>
>>
>> 3) I saw some exceptions due to gatein-sample-extension and
gatein-sample-portal. It seems that we need to remove those
obsolete servlets from web.xml and login.jsp. Also it seems that
other products on top of GateIn will need to adapt those changes
as well. I did not fix those in my branch for now…
>
> this is correct, it needs more correction before final merge,
this is still a WIP :-)
>
>>
>> I will try to test with SSO later in the afternoon but I did
not expect any major problems as you keep "/dologin" secure URL,
so I think that it should work without any changes. Will update
later if found any problems.
>
>>
>> Marek
>>
>> On 18/09/12 08:51, Julien Viet wrote:
>>> they actually need more work from Trong before being merged
and careful checks.
>>>
>>> I believe we can finish that by the end of this week.
>>>
>>> On Sep 17, 2012, at 10:45 PM, Julien Viet
<julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I pushed the initial rewrite of the authentication in GateIn
that is based on WCI and Servlet 3.0 authentication.
>>>>
>>>> The good news is it improves things by simplifying the code
and remove all the previous http redirects that we needed.
>>>>
>>>> I wrote a doc about it there :
https://community.jboss.org/wiki/GateIn35Authentication
>>>>
>>>> - Marek and Matt should look at the authentication with SSO
and WS-Security
>>>> - Trong should look at the login form redirection for groups
and users as now we don't rely anymore on servlet container
security constraint (like it is already for portal pages)
>>>>
>>>> Note that this integrates with the new Alpha common/wci/pc
stack, Bolek and I have been working for a couple of weeks. I
guess it could also affect WSRP if it is using WCI in some way
(WCI has had many simplifications last week with the removal of
unnecessary stuff).
>>>>
>>>> cheers
>>>>
>>>> Julien
>>>
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/gatein-dev
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
2:46 a.m.
I tend to agree/disagree on this.
We need both channels.
IRC is wonderful for interactive sessions and also for social aspect and team cohesion.
However mailing list is important for discussing aspects with all actors involved in
gatein.
We cannot blame someone that would not be on IRC for some reason (no network, some prefer
to work in asynchronous manner, travelling, meeting, taking care of child, etc...).
(Until recently I ignored that kernel was using WCI).
On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
Not sure why GateIn WCI events are required at eXo Kernel level but *in general*, it
would be great if you (and actually anyone interested by GateIn development) could join
the #gatein room on IRC Freenode. The changes have been discussed there in details and it
enabled great collaboration between Julien, Trong and Marek. There were few emails on this
list as well though but it can't be the same amount of details.
Also it's not hyper-active so it shouldn't be too disturbing.
If there is such a room for eXo JCR/Kernel/Core this could be useful as well so that we
all know what happens on the other side of the fence.
BTW: For those who met it, I can try to resurrect/enhance BYOBot if there is interest (A
feature helped to catchup on what happened while away without having to read full
history).
Thomas
On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> @Julien Why did you remove the logout event from WCI? I need it at kernel level
>
> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>
> it is now merged in gatein-portal/master
>
> kuddos to you and Trong for the responsiveness and the good work
>
> On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
> <mailto:julien@julienviet.com>> wrote:
>
> >
> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>> wrote:
> >
> >> Hi Julien,
> >>
> >> I am checking the branch
> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
> this authentication simplification. I have some comments:
> >>
> >> 1) I tested on AS7 and saw some compilation failures in
> wsrp-extension component (namely in class WSRPServiceIntegration)
> because it still used old WCI api for obtaining ServletContainer.
> >> I fixed it simply by using: ServletContainer servletContainer =
> ServletContainerFactory.getServletContainer();
> >> instead of DefaultServletContainerFactory as you suggested on irc.
> >>
> >> 2) Second thing is more major and it's related to the WSS issue
> with credentials. Unfortunately it doesn't work correctly in your
> branch because LoginServlet.bindCredentialsToConversationState is
> called directly after authentication, which is too early as it
> still don't have correct conversationState at this moment. What
> happens here is:
> >> - Request
> http://localhost:8080/portal/login?username=john&password=gtn is send
> >> -- SetCurrentIdentityFilter is called at the beginning of the
> request, but at this moment user is not authenticated. So it uses
> ConversationState for anonymous identity (IdentityConstants.ANONIM)
> >> -- request is processed by LoginServlet, which invokes wci
> authentication. But at this moment there is still
> ConversationState for anonymous user bind to threadLocal, so
> Credentials are registered to this conversationState. Then we have
> redirection to initialURI like "/portal/classic"
> >> - Request http://localhost:8080/portal/classic is send
> >> -- SetCurrentIdentityFilter is called and it recognize that
> user is authenticated so it creates new ConversationState for this
> user and register it to ConversationRegistry. But note that
> previous ConversationState is lost. So credentials are not
> registered in current ConversationState --> WSS can't work
> >>
> >> I have my branch here
> https://github.com/mposolda/gatein-portal/tree/pcwci which is
> based on top of your branch and it addresses (1) and (2). I fixed
> (2) by similar approach like was before your changes, which means:
> >> - After successful authentication are credentials bind to
> temporary authenticationRegistry, which exists only during
> authentication
> >> - I added new filter ConversationStateUpdateFilter, which
> removes credentials from temporary registry and adds them to
> ConversationState. ConversationStateUpdateFilter is added after
> SetCurrentIdentityFilter, which ensures that correct
> ConversationState is bound to threadLocal when it's called.
> >>
> >> I did not test with WSS enabled, but I verified that after my
> change is
> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> returning correct credentials value, which should fix GTNPORTAL-2567 .
> >>
> >> Let me know if my branch with those changes
> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
> have some other ideas to improve this.
> >>
> >> Personally I would prefer to use WCI authenticationListener for
> register credentials but unfortunately listener doesn't have
> information about password of user, so I created WCI jira
> https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
> you told about this limitation on IRC yesterday as well. WDYT?
> >
> > we can fix WCI and make password available again.
> >
> > if yes we can make a release today.
> >
> >>
> >> 3) I saw some exceptions due to gatein-sample-extension and
> gatein-sample-portal. It seems that we need to remove those
> obsolete servlets from web.xml and login.jsp. Also it seems that
> other products on top of GateIn will need to adapt those changes
> as well. I did not fix those in my branch for now…
> >
> > this is correct, it needs more correction before final merge,
> this is still a WIP :-)
> >
> >>
> >> I will try to test with SSO later in the afternoon but I did
> not expect any major problems as you keep "/dologin" secure URL,
> so I think that it should work without any changes. Will update
> later if found any problems.
> >
> >>
> >> Marek
> >>
> >> On 18/09/12 08:51, Julien Viet wrote:
> >>> they actually need more work from Trong before being merged
> and careful checks.
> >>>
> >>> I believe we can finish that by the end of this week.
> >>>
> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> <julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I pushed the initial rewrite of the authentication in GateIn
> that is based on WCI and Servlet 3.0 authentication.
> >>>>
> >>>> The good news is it improves things by simplifying the code
> and remove all the previous http redirects that we needed.
> >>>>
> >>>> I wrote a doc about it there :
> https://community.jboss.org/wiki/GateIn35Authentication
> >>>>
> >>>> - Marek and Matt should look at the authentication with SSO
> and WS-Security
> >>>> - Trong should look at the login form redirection for groups
> and users as now we don't rely anymore on servlet container
> security constraint (like it is already for portal pages)
> >>>>
> >>>> Note that this integrates with the new Alpha common/wci/pc
> stack, Bolek and I have been working for a couple of weeks. I
> guess it could also affect WSRP if it is using WCI in some way
> (WCI has had many simplifications last week with the removal of
> unnecessary stuff).
> >>>>
> >>>> cheers
> >>>>
> >>>> Julien
> >>>
> >>> _______________________________________________
> >>> gatein-dev mailing list
> >>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>
> >
>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
>
>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev
2:55 a.m.
On 09/20/2012 09:46 AM, Julien Viet wrote:
I tend to agree/disagree on this.
We need both channels.
IRC is wonderful for interactive sessions and also for social aspect and team cohesion.
However mailing list is important for discussing aspects with all actors involved in
gatein.
We cannot blame someone that would not be on IRC for some reason (no network, some prefer
to work in asynchronous manner, travelling, meeting, taking care of child, etc...).
(Until recently I ignored that kernel was using WCI).
I fully agree on that, don't get me wrong.
I just suggest that more people join the IRC channel and I agree that it
has no guarantee of delivery. But it helps to synchronize and also helps
getting an idea of "what's going on". In this case we all ignored that
Kernel was using WCI and relevant info failed to reach that team, IRC
presence could have just give *one more chance* to avoid that.
Usually I look at few lines and I judge my interest on the topic and
decide to read more or not, it helps finding out things that are going
on in AS7 for instance or RichFaces that may impact us in the long term.
Thomas
On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
> Not sure why GateIn WCI events are required at eXo Kernel level but *in general*, it
would be great if you (and actually anyone interested by GateIn development) could join
the #gatein room on IRC Freenode. The changes have been discussed there in details and it
enabled great collaboration between Julien, Trong and Marek. There were few emails on this
list as well though but it can't be the same amount of details.
>
> Also it's not hyper-active so it shouldn't be too disturbing.
>
> If there is such a room for eXo JCR/Kernel/Core this could be useful as well so that
we all know what happens on the other side of the fence.
>
> BTW: For those who met it, I can try to resurrect/enhance BYOBot if there is interest
(A feature helped to catchup on what happened while away without having to read full
history).
>
> Thomas
>
> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>> @Julien Why did you remove the logout event from WCI? I need it at kernel level
>>
>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>>
>> it is now merged in gatein-portal/master
>>
>> kuddos to you and Trong for the responsiveness and the good work
>>
>> On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
>> <mailto:julien@julienviet.com>> wrote:
>>
>> >
>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com
>> <mailto:mposolda@redhat.com>> wrote:
>> >
>> >> Hi Julien,
>> >>
>> >> I am checking the branch
>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
>> this authentication simplification. I have some comments:
>> >>
>> >> 1) I tested on AS7 and saw some compilation failures in
>> wsrp-extension component (namely in class WSRPServiceIntegration)
>> because it still used old WCI api for obtaining ServletContainer.
>> >> I fixed it simply by using: ServletContainer servletContainer =
>> ServletContainerFactory.getServletContainer();
>> >> instead of DefaultServletContainerFactory as you suggested on irc.
>> >>
>> >> 2) Second thing is more major and it's related to the WSS issue
>> with credentials. Unfortunately it doesn't work correctly in your
>> branch because LoginServlet.bindCredentialsToConversationState is
>> called directly after authentication, which is too early as it
>> still don't have correct conversationState at this moment. What
>> happens here is:
>> >> - Request
>> http://localhost:8080/portal/login?username=john&password=gtn is send
>> >> -- SetCurrentIdentityFilter is called at the beginning of the
>> request, but at this moment user is not authenticated. So it uses
>> ConversationState for anonymous identity (IdentityConstants.ANONIM)
>> >> -- request is processed by LoginServlet, which invokes wci
>> authentication. But at this moment there is still
>> ConversationState for anonymous user bind to threadLocal, so
>> Credentials are registered to this conversationState. Then we have
>> redirection to initialURI like "/portal/classic"
>> >> - Request http://localhost:8080/portal/classic is send
>> >> -- SetCurrentIdentityFilter is called and it recognize that
>> user is authenticated so it creates new ConversationState for this
>> user and register it to ConversationRegistry. But note that
>> previous ConversationState is lost. So credentials are not
>> registered in current ConversationState --> WSS can't work
>> >>
>> >> I have my branch here
>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
>> based on top of your branch and it addresses (1) and (2). I fixed
>> (2) by similar approach like was before your changes, which means:
>> >> - After successful authentication are credentials bind to
>> temporary authenticationRegistry, which exists only during
>> authentication
>> >> - I added new filter ConversationStateUpdateFilter, which
>> removes credentials from temporary registry and adds them to
>> ConversationState. ConversationStateUpdateFilter is added after
>> SetCurrentIdentityFilter, which ensures that correct
>> ConversationState is bound to threadLocal when it's called.
>> >>
>> >> I did not test with WSS enabled, but I verified that after my
>> change is
>> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>> returning correct credentials value, which should fix GTNPORTAL-2567 .
>> >>
>> >> Let me know if my branch with those changes
>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
>> have some other ideas to improve this.
>> >>
>> >> Personally I would prefer to use WCI authenticationListener for
>> register credentials but unfortunately listener doesn't have
>> information about password of user, so I created WCI jira
>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
>> you told about this limitation on IRC yesterday as well. WDYT?
>> >
>> > we can fix WCI and make password available again.
>> >
>> > if yes we can make a release today.
>> >
>> >>
>> >> 3) I saw some exceptions due to gatein-sample-extension and
>> gatein-sample-portal. It seems that we need to remove those
>> obsolete servlets from web.xml and login.jsp. Also it seems that
>> other products on top of GateIn will need to adapt those changes
>> as well. I did not fix those in my branch for now…
>> >
>> > this is correct, it needs more correction before final merge,
>> this is still a WIP :-)
>> >
>> >>
>> >> I will try to test with SSO later in the afternoon but I did
>> not expect any major problems as you keep "/dologin" secure URL,
>> so I think that it should work without any changes. Will update
>> later if found any problems.
>> >
>> >>
>> >> Marek
>> >>
>> >> On 18/09/12 08:51, Julien Viet wrote:
>> >>> they actually need more work from Trong before being merged
>> and careful checks.
>> >>>
>> >>> I believe we can finish that by the end of this week.
>> >>>
>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>> <julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
>> >>>
>> >>>> Hi,
>> >>>>
>> >>>> I pushed the initial rewrite of the authentication in
GateIn
>> that is based on WCI and Servlet 3.0 authentication.
>> >>>>
>> >>>> The good news is it improves things by simplifying the code
>> and remove all the previous http redirects that we needed.
>> >>>>
>> >>>> I wrote a doc about it there :
>> https://community.jboss.org/wiki/GateIn35Authentication
>> >>>>
>> >>>> - Marek and Matt should look at the authentication with SSO
>> and WS-Security
>> >>>> - Trong should look at the login form redirection for
groups
>> and users as now we don't rely anymore on servlet container
>> security constraint (like it is already for portal pages)
>> >>>>
>> >>>> Note that this integrates with the new Alpha common/wci/pc
>> stack, Bolek and I have been working for a couple of weeks. I
>> guess it could also affect WSRP if it is using WCI in some way
>> (WCI has had many simplifications last week with the removal of
>> unnecessary stuff).
>> >>>>
>> >>>> cheers
>> >>>>
>> >>>> Julien
>> >>>
>> >>> _______________________________________________
>> >>> gatein-dev mailing list
>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>> >>
>> >
>>
>>
>> _______________________________________________
>> gatein-dev mailing list
>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>
>>
>>
>>
>> _______________________________________________
>> gatein-dev mailing list
>> gatein-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/gatein-dev
3:02 a.m.
I knew it was using it for a couple of days but thought it was only using webapp
deployment notifications and not authentication events.
On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
On 09/20/2012 09:46 AM, Julien Viet wrote:
> I tend to agree/disagree on this.
>
> We need both channels.
>
> IRC is wonderful for interactive sessions and also for social aspect and team
cohesion.
>
> However mailing list is important for discussing aspects with all actors involved in
gatein.
>
> We cannot blame someone that would not be on IRC for some reason (no network, some
prefer to work in asynchronous manner, travelling, meeting, taking care of child,
etc...).
>
> (Until recently I ignored that kernel was using WCI).
I fully agree on that, don't get me wrong.
I just suggest that more people join the IRC channel and I agree that it has no guarantee
of delivery. But it helps to synchronize and also helps getting an idea of
"what's going on". In this case we all ignored that Kernel was using WCI and
relevant info failed to reach that team, IRC presence could have just give *one more
chance* to avoid that.
Usually I look at few lines and I judge my interest on the topic and decide to read more
or not, it helps finding out things that are going on in AS7 for instance or RichFaces
that may impact us in the long term.
Thomas
>
> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
>
>> Not sure why GateIn WCI events are required at eXo Kernel level but *in general*,
it would be great if you (and actually anyone interested by GateIn development) could join
the #gatein room on IRC Freenode. The changes have been discussed there in details and it
enabled great collaboration between Julien, Trong and Marek. There were few emails on this
list as well though but it can't be the same amount of details.
>>
>> Also it's not hyper-active so it shouldn't be too disturbing.
>>
>> If there is such a room for eXo JCR/Kernel/Core this could be useful as well so
that we all know what happens on the other side of the fence.
>>
>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if there is
interest (A feature helped to catchup on what happened while away without having to read
full history).
>>
>> Thomas
>>
>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>>> @Julien Why did you remove the logout event from WCI? I need it at kernel
level
>>>
>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>>>
>>> it is now merged in gatein-portal/master
>>>
>>> kuddos to you and Trong for the responsiveness and the good work
>>>
>>> On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
>>> <mailto:julien@julienviet.com>> wrote:
>>>
>>> >
>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <mposolda(a)redhat.com
>>> <mailto:mposolda@redhat.com>> wrote:
>>> >
>>> >> Hi Julien,
>>> >>
>>> >> I am checking the branch
>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
>>> this authentication simplification. I have some comments:
>>> >>
>>> >> 1) I tested on AS7 and saw some compilation failures in
>>> wsrp-extension component (namely in class WSRPServiceIntegration)
>>> because it still used old WCI api for obtaining ServletContainer.
>>> >> I fixed it simply by using: ServletContainer servletContainer =
>>> ServletContainerFactory.getServletContainer();
>>> >> instead of DefaultServletContainerFactory as you suggested on
irc.
>>> >>
>>> >> 2) Second thing is more major and it's related to the WSS
issue
>>> with credentials. Unfortunately it doesn't work correctly in your
>>> branch because LoginServlet.bindCredentialsToConversationState is
>>> called directly after authentication, which is too early as it
>>> still don't have correct conversationState at this moment. What
>>> happens here is:
>>> >> - Request
>>> http://localhost:8080/portal/login?username=john&password=gtn is send
>>> >> -- SetCurrentIdentityFilter is called at the beginning of the
>>> request, but at this moment user is not authenticated. So it uses
>>> ConversationState for anonymous identity (IdentityConstants.ANONIM)
>>> >> -- request is processed by LoginServlet, which invokes wci
>>> authentication. But at this moment there is still
>>> ConversationState for anonymous user bind to threadLocal, so
>>> Credentials are registered to this conversationState. Then we have
>>> redirection to initialURI like "/portal/classic"
>>> >> - Request http://localhost:8080/portal/classic is send
>>> >> -- SetCurrentIdentityFilter is called and it recognize that
>>> user is authenticated so it creates new ConversationState for this
>>> user and register it to ConversationRegistry. But note that
>>> previous ConversationState is lost. So credentials are not
>>> registered in current ConversationState --> WSS can't work
>>> >>
>>> >> I have my branch here
>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
>>> based on top of your branch and it addresses (1) and (2). I fixed
>>> (2) by similar approach like was before your changes, which means:
>>> >> - After successful authentication are credentials bind to
>>> temporary authenticationRegistry, which exists only during
>>> authentication
>>> >> - I added new filter ConversationStateUpdateFilter, which
>>> removes credentials from temporary registry and adds them to
>>> ConversationState. ConversationStateUpdateFilter is added after
>>> SetCurrentIdentityFilter, which ensures that correct
>>> ConversationState is bound to threadLocal when it's called.
>>> >>
>>> >> I did not test with WSS enabled, but I verified that after my
>>> change is
>>> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>>> returning correct credentials value, which should fix GTNPORTAL-2567 .
>>> >>
>>> >> Let me know if my branch with those changes
>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
>>> have some other ideas to improve this.
>>> >>
>>> >> Personally I would prefer to use WCI authenticationListener for
>>> register credentials but unfortunately listener doesn't have
>>> information about password of user, so I created WCI jira
>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
>>> you told about this limitation on IRC yesterday as well. WDYT?
>>> >
>>> > we can fix WCI and make password available again.
>>> >
>>> > if yes we can make a release today.
>>> >
>>> >>
>>> >> 3) I saw some exceptions due to gatein-sample-extension and
>>> gatein-sample-portal. It seems that we need to remove those
>>> obsolete servlets from web.xml and login.jsp. Also it seems that
>>> other products on top of GateIn will need to adapt those changes
>>> as well. I did not fix those in my branch for now…
>>> >
>>> > this is correct, it needs more correction before final merge,
>>> this is still a WIP :-)
>>> >
>>> >>
>>> >> I will try to test with SSO later in the afternoon but I did
>>> not expect any major problems as you keep "/dologin" secure
URL,
>>> so I think that it should work without any changes. Will update
>>> later if found any problems.
>>> >
>>> >>
>>> >> Marek
>>> >>
>>> >> On 18/09/12 08:51, Julien Viet wrote:
>>> >>> they actually need more work from Trong before being merged
>>> and careful checks.
>>> >>>
>>> >>> I believe we can finish that by the end of this week.
>>> >>>
>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>>> <julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
>>> >>>
>>> >>>> Hi,
>>> >>>>
>>> >>>> I pushed the initial rewrite of the authentication in
GateIn
>>> that is based on WCI and Servlet 3.0 authentication.
>>> >>>>
>>> >>>> The good news is it improves things by simplifying the
code
>>> and remove all the previous http redirects that we needed.
>>> >>>>
>>> >>>> I wrote a doc about it there :
>>> https://community.jboss.org/wiki/GateIn35Authentication
>>> >>>>
>>> >>>> - Marek and Matt should look at the authentication with
SSO
>>> and WS-Security
>>> >>>> - Trong should look at the login form redirection for
groups
>>> and users as now we don't rely anymore on servlet container
>>> security constraint (like it is already for portal pages)
>>> >>>>
>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
>>> stack, Bolek and I have been working for a couple of weeks. I
>>> guess it could also affect WSRP if it is using WCI in some way
>>> (WCI has had many simplifications last week with the removal of
>>> unnecessary stuff).
>>> >>>>
>>> >>>> cheers
>>> >>>>
>>> >>>> Julien
>>> >>>
>>> >>> _______________________________________________
>>> >>> gatein-dev mailing list
>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>>> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>> >>
>>> >
>>>
>>>
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> gatein-dev mailing list
>>> gatein-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
3:45 a.m.
Actually I use it for the hot reloading support available in developing
mode only (https://issues.jboss.org/browse/EXOJCR-1844), I need it to keep
the list of running sessions up to date in order to be able to invalidate
them in case one or several containers have to be reloaded, this is needed
since we can have hard references to the containers into the sessions which
:
1. Prevents the GC to remove them from memory that has actually a memory
leak
2. Prevents the application to work properly after a reload since some
part of the application keep on using the old containers
If I understand your answer properly, you don't want to put it back right?
On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com> wrote:
I knew it was using it for a couple of days but thought it was only
using
webapp deployment notifications and not authentication events.
On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
> On 09/20/2012 09:46 AM, Julien Viet wrote:
>> I tend to agree/disagree on this.
>>
>> We need both channels.
>>
>> IRC is wonderful for interactive sessions and also for social aspect
and team cohesion.
>>
>> However mailing list is important for discussing aspects with all
actors involved in gatein.
>>
>> We cannot blame someone that would not be on IRC for some reason (no
network, some prefer to work in asynchronous manner, travelling, meeting,
taking care of child, etc...).
>>
>> (Until recently I ignored that kernel was using WCI).
>
> I fully agree on that, don't get me wrong.
>
> I just suggest that more people join the IRC channel and I agree that it
has no guarantee of delivery. But it helps to synchronize and also helps
getting an idea of "what's going on". In this case we all ignored that
Kernel was using WCI and relevant info failed to reach that team, IRC
presence could have just give *one more chance* to avoid that.
>
> Usually I look at few lines and I judge my interest on the topic and
decide to read more or not, it helps finding out things that are going on
in AS7 for instance or RichFaces that may impact us in the long term.
>
> Thomas
>
>>
>> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
>>
>>> Not sure why GateIn WCI events are required at eXo Kernel level but
*in general*, it would be great if you (and actually anyone interested by
GateIn development) could join the #gatein room on IRC Freenode. The
changes have been discussed there in details and it enabled great
collaboration between Julien, Trong and Marek. There were few emails on
this list as well though but it can't be the same amount of details.
>>>
>>> Also it's not hyper-active so it shouldn't be too disturbing.
>>>
>>> If there is such a room for eXo JCR/Kernel/Core this could be useful
as well so that we all know what happens on the other side of the fence.
>>>
>>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while away
without having to read full history).
>>>
>>> Thomas
>>>
>>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
>>>>
>>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet
<julien(a)julienviet.com<mailto:
julien(a)julienviet.com>> wrote:
>>>>
>>>> it is now merged in gatein-portal/master
>>>>
>>>> kuddos to you and Trong for the responsiveness and the good work
>>>>
>>>> On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
>>>> <mailto:julien@julienviet.com>> wrote:
>>>>
>>>> >
>>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda
<mposolda(a)redhat.com
>>>> <mailto:mposolda@redhat.com>> wrote:
>>>> >
>>>> >> Hi Julien,
>>>> >>
>>>> >> I am checking the branch
>>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
>>>> this authentication simplification. I have some comments:
>>>> >>
>>>> >> 1) I tested on AS7 and saw some compilation failures in
>>>> wsrp-extension component (namely in class WSRPServiceIntegration)
>>>> because it still used old WCI api for obtaining ServletContainer.
>>>> >> I fixed it simply by using: ServletContainer
servletContainer =
>>>> ServletContainerFactory.getServletContainer();
>>>> >> instead of DefaultServletContainerFactory as you suggested
on
irc.
>>>> >>
>>>> >> 2) Second thing is more major and it's related to the
WSS issue
>>>> with credentials. Unfortunately it doesn't work correctly in
your
>>>> branch because LoginServlet.bindCredentialsToConversationState is
>>>> called directly after authentication, which is too early as it
>>>> still don't have correct conversationState at this moment. What
>>>> happens here is:
>>>> >> - Request
>>>> http://localhost:8080/portal/login?username=john&password=gtn is
send
>>>> >> -- SetCurrentIdentityFilter is called at the beginning of
the
>>>> request, but at this moment user is not authenticated. So it uses
>>>> ConversationState for anonymous identity (IdentityConstants.ANONIM)
>>>> >> -- request is processed by LoginServlet, which invokes wci
>>>> authentication. But at this moment there is still
>>>> ConversationState for anonymous user bind to threadLocal, so
>>>> Credentials are registered to this conversationState. Then we have
>>>> redirection to initialURI like "/portal/classic"
>>>> >> - Request http://localhost:8080/portal/classic is send
>>>> >> -- SetCurrentIdentityFilter is called and it recognize that
>>>> user is authenticated so it creates new ConversationState for this
>>>> user and register it to ConversationRegistry. But note that
>>>> previous ConversationState is lost. So credentials are not
>>>> registered in current ConversationState --> WSS can't work
>>>> >>
>>>> >> I have my branch here
>>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
>>>> based on top of your branch and it addresses (1) and (2). I fixed
>>>> (2) by similar approach like was before your changes, which means:
>>>> >> - After successful authentication are credentials bind to
>>>> temporary authenticationRegistry, which exists only during
>>>> authentication
>>>> >> - I added new filter ConversationStateUpdateFilter, which
>>>> removes credentials from temporary registry and adds them to
>>>> ConversationState. ConversationStateUpdateFilter is added after
>>>> SetCurrentIdentityFilter, which ensures that correct
>>>> ConversationState is bound to threadLocal when it's called.
>>>> >>
>>>> >> I did not test with WSS enabled, but I verified that after
my
>>>> change is
>>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
>>>> >>
>>>> >> Let me know if my branch with those changes
>>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
>>>> have some other ideas to improve this.
>>>> >>
>>>> >> Personally I would prefer to use WCI authenticationListener
for
>>>> register credentials but unfortunately listener doesn't have
>>>> information about password of user, so I created WCI jira
>>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
>>>> you told about this limitation on IRC yesterday as well. WDYT?
>>>> >
>>>> > we can fix WCI and make password available again.
>>>> >
>>>> > if yes we can make a release today.
>>>> >
>>>> >>
>>>> >> 3) I saw some exceptions due to gatein-sample-extension and
>>>> gatein-sample-portal. It seems that we need to remove those
>>>> obsolete servlets from web.xml and login.jsp. Also it seems that
>>>> other products on top of GateIn will need to adapt those changes
>>>> as well. I did not fix those in my branch for now…
>>>> >
>>>> > this is correct, it needs more correction before final merge,
>>>> this is still a WIP :-)
>>>> >
>>>> >>
>>>> >> I will try to test with SSO later in the afternoon but I
did
>>>> not expect any major problems as you keep "/dologin" secure
URL,
>>>> so I think that it should work without any changes. Will update
>>>> later if found any problems.
>>>> >
>>>> >>
>>>> >> Marek
>>>> >>
>>>> >> On 18/09/12 08:51, Julien Viet wrote:
>>>> >>> they actually need more work from Trong before being
merged
>>>> and careful checks.
>>>> >>>
>>>> >>> I believe we can finish that by the end of this week.
>>>> >>>
>>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>>>> <julien(a)julienviet.com <mailto:julien@julienviet.com>>
wrote:
>>>> >>>
>>>> >>>> Hi,
>>>> >>>>
>>>> >>>> I pushed the initial rewrite of the authentication
in GateIn
>>>> that is based on WCI and Servlet 3.0 authentication.
>>>> >>>>
>>>> >>>> The good news is it improves things by simplifying
the code
>>>> and remove all the previous http redirects that we needed.
>>>> >>>>
>>>> >>>> I wrote a doc about it there :
>>>> https://community.jboss.org/wiki/GateIn35Authentication
>>>> >>>>
>>>> >>>> - Marek and Matt should look at the authentication
with SSO
>>>> and WS-Security
>>>> >>>> - Trong should look at the login form redirection
for groups
>>>> and users as now we don't rely anymore on servlet container
>>>> security constraint (like it is already for portal pages)
>>>> >>>>
>>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
>>>> stack, Bolek and I have been working for a couple of weeks. I
>>>> guess it could also affect WSRP if it is using WCI in some way
>>>> (WCI has had many simplifications last week with the removal of
>>>> unnecessary stuff).
>>>> >>>>
>>>> >>>> cheers
>>>> >>>>
>>>> >>>> Julien
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> gatein-dev mailing list
>>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>>>> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>> >>
>>>> >
>>>>
>>>>
>>>> _______________________________________________
>>>> gatein-dev mailing list
>>>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> gatein-dev mailing list
>>>> gatein-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
4:08 a.m.
can you use an HttpSessionListener instead ?
On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
Actually I use it for the hot reloading support available in
developing mode only (https://issues.jboss.org/browse/EXOJCR-1844), I need it to keep the
list of running sessions up to date in order to be able to invalidate them in case one or
several containers have to be reloaded, this is needed since we can have hard references
to the containers into the sessions which :
• Prevents the GC to remove them from memory that has actually a memory leak
• Prevents the application to work properly after a reload since some part of the
application keep on using the old containers
If I understand your answer properly, you don't want to put it back right?
On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com> wrote:
I knew it was using it for a couple of days but thought it was only using webapp
deployment notifications and not authentication events.
On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
> On 09/20/2012 09:46 AM, Julien Viet wrote:
>> I tend to agree/disagree on this.
>>
>> We need both channels.
>>
>> IRC is wonderful for interactive sessions and also for social aspect and team
cohesion.
>>
>> However mailing list is important for discussing aspects with all actors
involved in gatein.
>>
>> We cannot blame someone that would not be on IRC for some reason (no network,
some prefer to work in asynchronous manner, travelling, meeting, taking care of child,
etc...).
>>
>> (Until recently I ignored that kernel was using WCI).
>
> I fully agree on that, don't get me wrong.
>
> I just suggest that more people join the IRC channel and I agree that it has no
guarantee of delivery. But it helps to synchronize and also helps getting an idea of
"what's going on". In this case we all ignored that Kernel was using WCI and
relevant info failed to reach that team, IRC presence could have just give *one more
chance* to avoid that.
>
> Usually I look at few lines and I judge my interest on the topic and decide to read
more or not, it helps finding out things that are going on in AS7 for instance or
RichFaces that may impact us in the long term.
>
> Thomas
>
>>
>> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
>>
>>> Not sure why GateIn WCI events are required at eXo Kernel level but *in
general*, it would be great if you (and actually anyone interested by GateIn development)
could join the #gatein room on IRC Freenode. The changes have been discussed there in
details and it enabled great collaboration between Julien, Trong and Marek. There were few
emails on this list as well though but it can't be the same amount of details.
>>>
>>> Also it's not hyper-active so it shouldn't be too disturbing.
>>>
>>> If there is such a room for eXo JCR/Kernel/Core this could be useful as well
so that we all know what happens on the other side of the fence.
>>>
>>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if there is
interest (A feature helped to catchup on what happened while away without having to read
full history).
>>>
>>> Thomas
>>>
>>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
>>>>
>>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>>>>
>>>> it is now merged in gatein-portal/master
>>>>
>>>> kuddos to you and Trong for the responsiveness and the good work
>>>>
>>>> On Sep 18, 2012, at 1:59 PM, Julien Viet <julien(a)julienviet.com
>>>> <mailto:julien@julienviet.com>> wrote:
>>>>
>>>> >
>>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda
<mposolda(a)redhat.com
>>>> <mailto:mposolda@redhat.com>> wrote:
>>>> >
>>>> >> Hi Julien,
>>>> >>
>>>> >> I am checking the branch
>>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
>>>> this authentication simplification. I have some comments:
>>>> >>
>>>> >> 1) I tested on AS7 and saw some compilation failures in
>>>> wsrp-extension component (namely in class WSRPServiceIntegration)
>>>> because it still used old WCI api for obtaining ServletContainer.
>>>> >> I fixed it simply by using: ServletContainer
servletContainer =
>>>> ServletContainerFactory.getServletContainer();
>>>> >> instead of DefaultServletContainerFactory as you suggested
on irc.
>>>> >>
>>>> >> 2) Second thing is more major and it's related to the
WSS issue
>>>> with credentials. Unfortunately it doesn't work correctly in
your
>>>> branch because LoginServlet.bindCredentialsToConversationState is
>>>> called directly after authentication, which is too early as it
>>>> still don't have correct conversationState at this moment. What
>>>> happens here is:
>>>> >> - Request
>>>> http://localhost:8080/portal/login?username=john&password=gtn is
send
>>>> >> -- SetCurrentIdentityFilter is called at the beginning of
the
>>>> request, but at this moment user is not authenticated. So it uses
>>>> ConversationState for anonymous identity (IdentityConstants.ANONIM)
>>>> >> -- request is processed by LoginServlet, which invokes wci
>>>> authentication. But at this moment there is still
>>>> ConversationState for anonymous user bind to threadLocal, so
>>>> Credentials are registered to this conversationState. Then we have
>>>> redirection to initialURI like "/portal/classic"
>>>> >> - Request http://localhost:8080/portal/classic is send
>>>> >> -- SetCurrentIdentityFilter is called and it recognize that
>>>> user is authenticated so it creates new ConversationState for this
>>>> user and register it to ConversationRegistry. But note that
>>>> previous ConversationState is lost. So credentials are not
>>>> registered in current ConversationState --> WSS can't work
>>>> >>
>>>> >> I have my branch here
>>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
>>>> based on top of your branch and it addresses (1) and (2). I fixed
>>>> (2) by similar approach like was before your changes, which means:
>>>> >> - After successful authentication are credentials bind to
>>>> temporary authenticationRegistry, which exists only during
>>>> authentication
>>>> >> - I added new filter ConversationStateUpdateFilter, which
>>>> removes credentials from temporary registry and adds them to
>>>> ConversationState. ConversationStateUpdateFilter is added after
>>>> SetCurrentIdentityFilter, which ensures that correct
>>>> ConversationState is bound to threadLocal when it's called.
>>>> >>
>>>> >> I did not test with WSS enabled, but I verified that after
my
>>>> change is
>>>> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>>>> returning correct credentials value, which should fix GTNPORTAL-2567
.
>>>> >>
>>>> >> Let me know if my branch with those changes
>>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or you
>>>> have some other ideas to improve this.
>>>> >>
>>>> >> Personally I would prefer to use WCI authenticationListener
for
>>>> register credentials but unfortunately listener doesn't have
>>>> information about password of user, so I created WCI jira
>>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I think
>>>> you told about this limitation on IRC yesterday as well. WDYT?
>>>> >
>>>> > we can fix WCI and make password available again.
>>>> >
>>>> > if yes we can make a release today.
>>>> >
>>>> >>
>>>> >> 3) I saw some exceptions due to gatein-sample-extension and
>>>> gatein-sample-portal. It seems that we need to remove those
>>>> obsolete servlets from web.xml and login.jsp. Also it seems that
>>>> other products on top of GateIn will need to adapt those changes
>>>> as well. I did not fix those in my branch for now…
>>>> >
>>>> > this is correct, it needs more correction before final merge,
>>>> this is still a WIP :-)
>>>> >
>>>> >>
>>>> >> I will try to test with SSO later in the afternoon but I
did
>>>> not expect any major problems as you keep "/dologin" secure
URL,
>>>> so I think that it should work without any changes. Will update
>>>> later if found any problems.
>>>> >
>>>> >>
>>>> >> Marek
>>>> >>
>>>> >> On 18/09/12 08:51, Julien Viet wrote:
>>>> >>> they actually need more work from Trong before being
merged
>>>> and careful checks.
>>>> >>>
>>>> >>> I believe we can finish that by the end of this week.
>>>> >>>
>>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>>>> <julien(a)julienviet.com <mailto:julien@julienviet.com>>
wrote:
>>>> >>>
>>>> >>>> Hi,
>>>> >>>>
>>>> >>>> I pushed the initial rewrite of the authentication
in GateIn
>>>> that is based on WCI and Servlet 3.0 authentication.
>>>> >>>>
>>>> >>>> The good news is it improves things by simplifying
the code
>>>> and remove all the previous http redirects that we needed.
>>>> >>>>
>>>> >>>> I wrote a doc about it there :
>>>> https://community.jboss.org/wiki/GateIn35Authentication
>>>> >>>>
>>>> >>>> - Marek and Matt should look at the authentication
with SSO
>>>> and WS-Security
>>>> >>>> - Trong should look at the login form redirection
for groups
>>>> and users as now we don't rely anymore on servlet container
>>>> security constraint (like it is already for portal pages)
>>>> >>>>
>>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
>>>> stack, Bolek and I have been working for a couple of weeks. I
>>>> guess it could also affect WSRP if it is using WCI in some way
>>>> (WCI has had many simplifications last week with the removal of
>>>> unnecessary stuff).
>>>> >>>>
>>>> >>>> cheers
>>>> >>>>
>>>> >>>> Julien
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> gatein-dev mailing list
>>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>>>> >>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>> >>
>>>> >
>>>>
>>>>
>>>> _______________________________________________
>>>> gatein-dev mailing list
>>>> gatein-dev(a)lists.jboss.org <mailto:gatein-dev@lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> gatein-dev mailing list
>>>> gatein-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
4:21 a.m.
I could but I don't want to since it is only available in developing mode
so I don't want to add a new HttpSessionListener in the web.xml for
something that is not always needed. Anyway finding a workaround is another
subject my question was to know if you cannot put it back, I just need a
clear yes or no
thx in advance
On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com> wrote:
can you use an HttpSessionListener instead ?
On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <
nicolas.filotto(a)exoplatform.com> wrote:
> Actually I use it for the hot reloading support available in developing
mode only (https://issues.jboss.org/browse/EXOJCR-1844), I need it to
keep the list of running sessions up to date in order to be able to
invalidate them in case one or several containers have to be reloaded, this
is needed since we can have hard references to the containers into the
sessions which :
> • Prevents the GC to remove them from memory that has actually a
memory leak
> • Prevents the application to work properly after a reload since
some part of the application keep on using the old containers
> If I understand your answer properly, you don't want to put it back
right?
>
> On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com>
wrote:
> I knew it was using it for a couple of days but thought it was only
using webapp deployment notifications and not authentication events.
>
> On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
>
> > On 09/20/2012 09:46 AM, Julien Viet wrote:
> >> I tend to agree/disagree on this.
> >>
> >> We need both channels.
> >>
> >> IRC is wonderful for interactive sessions and also for social aspect
and team cohesion.
> >>
> >> However mailing list is important for discussing aspects with all
actors involved in gatein.
> >>
> >> We cannot blame someone that would not be on IRC for some reason (no
network, some prefer to work in asynchronous manner, travelling, meeting,
taking care of child, etc...).
> >>
> >> (Until recently I ignored that kernel was using WCI).
> >
> > I fully agree on that, don't get me wrong.
> >
> > I just suggest that more people join the IRC channel and I agree that
it has no guarantee of delivery. But it helps to synchronize and also helps
getting an idea of "what's going on". In this case we all ignored that
Kernel was using WCI and relevant info failed to reach that team, IRC
presence could have just give *one more chance* to avoid that.
> >
> > Usually I look at few lines and I judge my interest on the topic and
decide to read more or not, it helps finding out things that are going on
in AS7 for instance or RichFaces that may impact us in the long term.
> >
> > Thomas
> >
> >>
> >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
> >>
> >>> Not sure why GateIn WCI events are required at eXo Kernel level but
*in general*, it would be great if you (and actually anyone interested by
GateIn development) could join the #gatein room on IRC Freenode. The
changes have been discussed there in details and it enabled great
collaboration between Julien, Trong and Marek. There were few emails on
this list as well though but it can't be the same amount of details.
> >>>
> >>> Also it's not hyper-active so it shouldn't be too disturbing.
> >>>
> >>> If there is such a room for eXo JCR/Kernel/Core this could be useful
as well so that we all know what happens on the other side of the fence.
> >>>
> >>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while away
without having to read full history).
> >>>
> >>> Thomas
> >>>
> >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> >>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
> >>>>
> >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet
<julien(a)julienviet.com<mailto:
julien(a)julienviet.com>> wrote:
> >>>>
> >>>> it is now merged in gatein-portal/master
> >>>>
> >>>> kuddos to you and Trong for the responsiveness and the good
work
> >>>>
> >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet
<julien(a)julienviet.com
> >>>> <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> >
> >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <
mposolda(a)redhat.com
> >>>> <mailto:mposolda@redhat.com>> wrote:
> >>>> >
> >>>> >> Hi Julien,
> >>>> >>
> >>>> >> I am checking the branch
> >>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
> >>>> this authentication simplification. I have some comments:
> >>>> >>
> >>>> >> 1) I tested on AS7 and saw some compilation failures
in
> >>>> wsrp-extension component (namely in class
WSRPServiceIntegration)
> >>>> because it still used old WCI api for obtaining
ServletContainer.
> >>>> >> I fixed it simply by using: ServletContainer
servletContainer
=
> >>>> ServletContainerFactory.getServletContainer();
> >>>> >> instead of DefaultServletContainerFactory as you
suggested on
irc.
> >>>> >>
> >>>> >> 2) Second thing is more major and it's related to
the WSS
issue
> >>>> with credentials. Unfortunately it doesn't work correctly in
your
> >>>> branch because LoginServlet.bindCredentialsToConversationState
is
> >>>> called directly after authentication, which is too early as it
> >>>> still don't have correct conversationState at this moment.
What
> >>>> happens here is:
> >>>> >> - Request
> >>>>
http://localhost:8080/portal/login?username=john&password=gtnis send
> >>>> >> -- SetCurrentIdentityFilter is called at the beginning
of the
> >>>> request, but at this moment user is not authenticated. So it
uses
> >>>> ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> >>>> >> -- request is processed by LoginServlet, which invokes
wci
> >>>> authentication. But at this moment there is still
> >>>> ConversationState for anonymous user bind to threadLocal, so
> >>>> Credentials are registered to this conversationState. Then we
have
> >>>> redirection to initialURI like "/portal/classic"
> >>>> >> - Request http://localhost:8080/portal/classic is send
> >>>> >> -- SetCurrentIdentityFilter is called and it recognize
that
> >>>> user is authenticated so it creates new ConversationState for
this
> >>>> user and register it to ConversationRegistry. But note that
> >>>> previous ConversationState is lost. So credentials are not
> >>>> registered in current ConversationState --> WSS can't
work
> >>>> >>
> >>>> >> I have my branch here
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
> >>>> based on top of your branch and it addresses (1) and (2). I
fixed
> >>>> (2) by similar approach like was before your changes, which
means:
> >>>> >> - After successful authentication are credentials bind
to
> >>>> temporary authenticationRegistry, which exists only during
> >>>> authentication
> >>>> >> - I added new filter ConversationStateUpdateFilter,
which
> >>>> removes credentials from temporary registry and adds them to
> >>>> ConversationState. ConversationStateUpdateFilter is added after
> >>>> SetCurrentIdentityFilter, which ensures that correct
> >>>> ConversationState is bound to threadLocal when it's called.
> >>>> >>
> >>>> >> I did not test with WSS enabled, but I verified that
after my
> >>>> change is
> >>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> >>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
> >>>> >>
> >>>> >> Let me know if my branch with those changes
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or
you
> >>>> have some other ideas to improve this.
> >>>> >>
> >>>> >> Personally I would prefer to use WCI
authenticationListener
for
> >>>> register credentials but unfortunately listener doesn't
have
> >>>> information about password of user, so I created WCI jira
> >>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I
think
> >>>> you told about this limitation on IRC yesterday as well. WDYT?
> >>>> >
> >>>> > we can fix WCI and make password available again.
> >>>> >
> >>>> > if yes we can make a release today.
> >>>> >
> >>>> >>
> >>>> >> 3) I saw some exceptions due to gatein-sample-extension
and
> >>>> gatein-sample-portal. It seems that we need to remove those
> >>>> obsolete servlets from web.xml and login.jsp. Also it seems
that
> >>>> other products on top of GateIn will need to adapt those
changes
> >>>> as well. I did not fix those in my branch for now…
> >>>> >
> >>>> > this is correct, it needs more correction before final
merge,
> >>>> this is still a WIP :-)
> >>>> >
> >>>> >>
> >>>> >> I will try to test with SSO later in the afternoon but
I did
> >>>> not expect any major problems as you keep "/dologin"
secure URL,
> >>>> so I think that it should work without any changes. Will update
> >>>> later if found any problems.
> >>>> >
> >>>> >>
> >>>> >> Marek
> >>>> >>
> >>>> >> On 18/09/12 08:51, Julien Viet wrote:
> >>>> >>> they actually need more work from Trong before
being merged
> >>>> and careful checks.
> >>>> >>>
> >>>> >>> I believe we can finish that by the end of this
week.
> >>>> >>>
> >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
> >>>> >>>
> >>>> >>>> Hi,
> >>>> >>>>
> >>>> >>>> I pushed the initial rewrite of the
authentication in GateIn
> >>>> that is based on WCI and Servlet 3.0 authentication.
> >>>> >>>>
> >>>> >>>> The good news is it improves things by
simplifying the code
> >>>> and remove all the previous http redirects that we needed.
> >>>> >>>>
> >>>> >>>> I wrote a doc about it there :
> >>>> https://community.jboss.org/wiki/GateIn35Authentication
> >>>> >>>>
> >>>> >>>> - Marek and Matt should look at the
authentication with SSO
> >>>> and WS-Security
> >>>> >>>> - Trong should look at the login form
redirection for groups
> >>>> and users as now we don't rely anymore on servlet container
> >>>> security constraint (like it is already for portal pages)
> >>>> >>>>
> >>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
> >>>> stack, Bolek and I have been working for a couple of weeks. I
> >>>> guess it could also affect WSRP if it is using WCI in some way
> >>>> (WCI has had many simplifications last week with the removal of
> >>>> unnecessary stuff).
> >>>> >>>>
> >>>> >>>> cheers
> >>>> >>>>
> >>>> >>>> Julien
> >>>> >>>
> >>>> >>> _______________________________________________
> >>>> >>> gatein-dev mailing list
> >>>> >>> gatein-dev(a)lists.jboss.org <mailto:
gatein-dev(a)lists.jboss.org>
> >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>> >>
> >>>> >
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >
>
>
4:22 a.m.
unfortunately we cannot support it reliably (that's why it is removed).
On Sep 20, 2012, at 11:21 AM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
I could but I don't want to since it is only available in
developing mode so I don't want to add a new HttpSessionListener in the web.xml for
something that is not always needed. Anyway finding a workaround is another subject my
question was to know if you cannot put it back, I just need a clear yes or no
thx in advance
On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com> wrote:
can you use an HttpSessionListener instead ?
On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
> Actually I use it for the hot reloading support available in developing mode only
(https://issues.jboss.org/browse/EXOJCR-1844), I need it to keep the list of running
sessions up to date in order to be able to invalidate them in case one or several
containers have to be reloaded, this is needed since we can have hard references to the
containers into the sessions which :
> • Prevents the GC to remove them from memory that has actually a memory leak
> • Prevents the application to work properly after a reload since some part of
the application keep on using the old containers
> If I understand your answer properly, you don't want to put it back right?
>
> On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com> wrote:
> I knew it was using it for a couple of days but thought it was only using webapp
deployment notifications and not authentication events.
>
> On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
>
> > On 09/20/2012 09:46 AM, Julien Viet wrote:
> >> I tend to agree/disagree on this.
> >>
> >> We need both channels.
> >>
> >> IRC is wonderful for interactive sessions and also for social aspect and
team cohesion.
> >>
> >> However mailing list is important for discussing aspects with all actors
involved in gatein.
> >>
> >> We cannot blame someone that would not be on IRC for some reason (no
network, some prefer to work in asynchronous manner, travelling, meeting, taking care of
child, etc...).
> >>
> >> (Until recently I ignored that kernel was using WCI).
> >
> > I fully agree on that, don't get me wrong.
> >
> > I just suggest that more people join the IRC channel and I agree that it has no
guarantee of delivery. But it helps to synchronize and also helps getting an idea of
"what's going on". In this case we all ignored that Kernel was using WCI and
relevant info failed to reach that team, IRC presence could have just give *one more
chance* to avoid that.
> >
> > Usually I look at few lines and I judge my interest on the topic and decide to
read more or not, it helps finding out things that are going on in AS7 for instance or
RichFaces that may impact us in the long term.
> >
> > Thomas
> >
> >>
> >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
> >>
> >>> Not sure why GateIn WCI events are required at eXo Kernel level but *in
general*, it would be great if you (and actually anyone interested by GateIn development)
could join the #gatein room on IRC Freenode. The changes have been discussed there in
details and it enabled great collaboration between Julien, Trong and Marek. There were few
emails on this list as well though but it can't be the same amount of details.
> >>>
> >>> Also it's not hyper-active so it shouldn't be too disturbing.
> >>>
> >>> If there is such a room for eXo JCR/Kernel/Core this could be useful as
well so that we all know what happens on the other side of the fence.
> >>>
> >>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while away without having
to read full history).
> >>>
> >>> Thomas
> >>>
> >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> >>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
> >>>>
> >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet
<julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> it is now merged in gatein-portal/master
> >>>>
> >>>> kuddos to you and Trong for the responsiveness and the good
work
> >>>>
> >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet
<julien(a)julienviet.com
> >>>> <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> >
> >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda
<mposolda(a)redhat.com
> >>>> <mailto:mposolda@redhat.com>> wrote:
> >>>> >
> >>>> >> Hi Julien,
> >>>> >>
> >>>> >> I am checking the branch
> >>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
> >>>> this authentication simplification. I have some comments:
> >>>> >>
> >>>> >> 1) I tested on AS7 and saw some compilation failures
in
> >>>> wsrp-extension component (namely in class
WSRPServiceIntegration)
> >>>> because it still used old WCI api for obtaining
ServletContainer.
> >>>> >> I fixed it simply by using: ServletContainer
servletContainer =
> >>>> ServletContainerFactory.getServletContainer();
> >>>> >> instead of DefaultServletContainerFactory as you
suggested on irc.
> >>>> >>
> >>>> >> 2) Second thing is more major and it's related to
the WSS issue
> >>>> with credentials. Unfortunately it doesn't work correctly in
your
> >>>> branch because LoginServlet.bindCredentialsToConversationState
is
> >>>> called directly after authentication, which is too early as it
> >>>> still don't have correct conversationState at this moment.
What
> >>>> happens here is:
> >>>> >> - Request
> >>>>
http://localhost:8080/portal/login?username=john&password=gtn is send
> >>>> >> -- SetCurrentIdentityFilter is called at the beginning
of the
> >>>> request, but at this moment user is not authenticated. So it
uses
> >>>> ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> >>>> >> -- request is processed by LoginServlet, which invokes
wci
> >>>> authentication. But at this moment there is still
> >>>> ConversationState for anonymous user bind to threadLocal, so
> >>>> Credentials are registered to this conversationState. Then we
have
> >>>> redirection to initialURI like "/portal/classic"
> >>>> >> - Request http://localhost:8080/portal/classic is send
> >>>> >> -- SetCurrentIdentityFilter is called and it recognize
that
> >>>> user is authenticated so it creates new ConversationState for
this
> >>>> user and register it to ConversationRegistry. But note that
> >>>> previous ConversationState is lost. So credentials are not
> >>>> registered in current ConversationState --> WSS can't
work
> >>>> >>
> >>>> >> I have my branch here
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
> >>>> based on top of your branch and it addresses (1) and (2). I
fixed
> >>>> (2) by similar approach like was before your changes, which
means:
> >>>> >> - After successful authentication are credentials bind
to
> >>>> temporary authenticationRegistry, which exists only during
> >>>> authentication
> >>>> >> - I added new filter ConversationStateUpdateFilter,
which
> >>>> removes credentials from temporary registry and adds them to
> >>>> ConversationState. ConversationStateUpdateFilter is added after
> >>>> SetCurrentIdentityFilter, which ensures that correct
> >>>> ConversationState is bound to threadLocal when it's called.
> >>>> >>
> >>>> >> I did not test with WSS enabled, but I verified that
after my
> >>>> change is
> >>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> >>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
> >>>> >>
> >>>> >> Let me know if my branch with those changes
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or
you
> >>>> have some other ideas to improve this.
> >>>> >>
> >>>> >> Personally I would prefer to use WCI
authenticationListener for
> >>>> register credentials but unfortunately listener doesn't
have
> >>>> information about password of user, so I created WCI jira
> >>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I
think
> >>>> you told about this limitation on IRC yesterday as well. WDYT?
> >>>> >
> >>>> > we can fix WCI and make password available again.
> >>>> >
> >>>> > if yes we can make a release today.
> >>>> >
> >>>> >>
> >>>> >> 3) I saw some exceptions due to gatein-sample-extension
and
> >>>> gatein-sample-portal. It seems that we need to remove those
> >>>> obsolete servlets from web.xml and login.jsp. Also it seems
that
> >>>> other products on top of GateIn will need to adapt those
changes
> >>>> as well. I did not fix those in my branch for now…
> >>>> >
> >>>> > this is correct, it needs more correction before final
merge,
> >>>> this is still a WIP :-)
> >>>> >
> >>>> >>
> >>>> >> I will try to test with SSO later in the afternoon but
I did
> >>>> not expect any major problems as you keep "/dologin"
secure URL,
> >>>> so I think that it should work without any changes. Will update
> >>>> later if found any problems.
> >>>> >
> >>>> >>
> >>>> >> Marek
> >>>> >>
> >>>> >> On 18/09/12 08:51, Julien Viet wrote:
> >>>> >>> they actually need more work from Trong before
being merged
> >>>> and careful checks.
> >>>> >>>
> >>>> >>> I believe we can finish that by the end of this
week.
> >>>> >>>
> >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
> >>>> >>>
> >>>> >>>> Hi,
> >>>> >>>>
> >>>> >>>> I pushed the initial rewrite of the
authentication in GateIn
> >>>> that is based on WCI and Servlet 3.0 authentication.
> >>>> >>>>
> >>>> >>>> The good news is it improves things by
simplifying the code
> >>>> and remove all the previous http redirects that we needed.
> >>>> >>>>
> >>>> >>>> I wrote a doc about it there :
> >>>> https://community.jboss.org/wiki/GateIn35Authentication
> >>>> >>>>
> >>>> >>>> - Marek and Matt should look at the
authentication with SSO
> >>>> and WS-Security
> >>>> >>>> - Trong should look at the login form
redirection for groups
> >>>> and users as now we don't rely anymore on servlet container
> >>>> security constraint (like it is already for portal pages)
> >>>> >>>>
> >>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
> >>>> stack, Bolek and I have been working for a couple of weeks. I
> >>>> guess it could also affect WSRP if it is using WCI in some way
> >>>> (WCI has had many simplifications last week with the removal of
> >>>> unnecessary stuff).
> >>>> >>>>
> >>>> >>>> cheers
> >>>> >>>>
> >>>> >>>> Julien
> >>>> >>>
> >>>> >>> _______________________________________________
> >>>> >>> gatein-dev mailing list
> >>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>> >>
> >>>> >
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >
>
>
4:36 a.m.
ok
On Thu, Sep 20, 2012 at 9:22 AM, Julien Viet <julien(a)julienviet.com> wrote:
unfortunately we cannot support it reliably (that's why it is
removed).
On Sep 20, 2012, at 11:21 AM, Nicolas Filotto <
nicolas.filotto(a)exoplatform.com> wrote:
> I could but I don't want to since it is only available in developing
mode so I don't want to add a new HttpSessionListener in the web.xml for
something that is not always needed. Anyway finding a workaround is another
subject my question was to know if you cannot put it back, I just need a
clear yes or no
>
> thx in advance
>
> On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com>
wrote:
> can you use an HttpSessionListener instead ?
>
> On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <
nicolas.filotto(a)exoplatform.com> wrote:
>
> > Actually I use it for the hot reloading support available in
developing mode only (https://issues.jboss.org/browse/EXOJCR-1844), I
need it to keep the list of running sessions up to date in order to be able
to invalidate them in case one or several containers have to be reloaded,
this is needed since we can have hard references to the containers into the
sessions which :
> > • Prevents the GC to remove them from memory that has actually a
memory leak
> > • Prevents the application to work properly after a reload since
some part of the application keep on using the old containers
> > If I understand your answer properly, you don't want to put it back
right?
> >
> > On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com>
wrote:
> > I knew it was using it for a couple of days but thought it was only
using webapp deployment notifications and not authentication events.
> >
> > On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
> >
> > > On 09/20/2012 09:46 AM, Julien Viet wrote:
> > >> I tend to agree/disagree on this.
> > >>
> > >> We need both channels.
> > >>
> > >> IRC is wonderful for interactive sessions and also for social
aspect and team cohesion.
> > >>
> > >> However mailing list is important for discussing aspects with all
actors involved in gatein.
> > >>
> > >> We cannot blame someone that would not be on IRC for some reason
(no network, some prefer to work in asynchronous manner, travelling,
meeting, taking care of child, etc...).
> > >>
> > >> (Until recently I ignored that kernel was using WCI).
> > >
> > > I fully agree on that, don't get me wrong.
> > >
> > > I just suggest that more people join the IRC channel and I agree
that it has no guarantee of delivery. But it helps to synchronize and also
helps getting an idea of "what's going on". In this case we all ignored
that Kernel was using WCI and relevant info failed to reach that team, IRC
presence could have just give *one more chance* to avoid that.
> > >
> > > Usually I look at few lines and I judge my interest on the topic and
decide to read more or not, it helps finding out things that are going on
in AS7 for instance or RichFaces that may impact us in the long term.
> > >
> > > Thomas
> > >
> > >>
> > >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com>
wrote:
> > >>
> > >>> Not sure why GateIn WCI events are required at eXo Kernel level
but *in general*, it would be great if you (and actually anyone interested
by GateIn development) could join the #gatein room on IRC Freenode. The
changes have been discussed there in details and it enabled great
collaboration between Julien, Trong and Marek. There were few emails on
this list as well though but it can't be the same amount of details.
> > >>>
> > >>> Also it's not hyper-active so it shouldn't be too
disturbing.
> > >>>
> > >>> If there is such a room for eXo JCR/Kernel/Core this could be
useful as well so that we all know what happens on the other side of the
fence.
> > >>>
> > >>> BTW: For those who met it, I can try to resurrect/enhance BYOBot
if there is interest (A feature helped to catchup on what happened while
away without having to read full history).
> > >>>
> > >>> Thomas
> > >>>
> > >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> > >>>> @Julien Why did you remove the logout event from WCI? I need
it
at kernel level
> > >>>>
> > >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <
julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
> > >>>>
> > >>>> it is now merged in gatein-portal/master
> > >>>>
> > >>>> kuddos to you and Trong for the responsiveness and the
good
work
> > >>>>
> > >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet <
julien(a)julienviet.com
> > >>>> <mailto:julien@julienviet.com>> wrote:
> > >>>>
> > >>>> >
> > >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <
mposolda(a)redhat.com
> > >>>> <mailto:mposolda@redhat.com>> wrote:
> > >>>> >
> > >>>> >> Hi Julien,
> > >>>> >>
> > >>>> >> I am checking the branch
> > >>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks
for
> > >>>> this authentication simplification. I have some comments:
> > >>>> >>
> > >>>> >> 1) I tested on AS7 and saw some compilation
failures in
> > >>>> wsrp-extension component (namely in class
WSRPServiceIntegration)
> > >>>> because it still used old WCI api for obtaining
ServletContainer.
> > >>>> >> I fixed it simply by using: ServletContainer
servletContainer =
> > >>>> ServletContainerFactory.getServletContainer();
> > >>>> >> instead of DefaultServletContainerFactory as you
suggested
on irc.
> > >>>> >>
> > >>>> >> 2) Second thing is more major and it's related
to the WSS
issue
> > >>>> with credentials. Unfortunately it doesn't work
correctly in
your
> > >>>> branch because
LoginServlet.bindCredentialsToConversationState
is
> > >>>> called directly after authentication, which is too early as
it
> > >>>> still don't have correct conversationState at this
moment. What
> > >>>> happens here is:
> > >>>> >> - Request
> > >>>>
http://localhost:8080/portal/login?username=john&password=gtnis send
> > >>>> >> -- SetCurrentIdentityFilter is called at the
beginning of
the
> > >>>> request, but at this moment user is not authenticated. So
it
uses
> > >>>> ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> > >>>> >> -- request is processed by LoginServlet, which
invokes wci
> > >>>> authentication. But at this moment there is still
> > >>>> ConversationState for anonymous user bind to threadLocal,
so
> > >>>> Credentials are registered to this conversationState. Then
we
have
> > >>>> redirection to initialURI like "/portal/classic"
> > >>>> >> - Request http://localhost:8080/portal/classic is
send
> > >>>> >> -- SetCurrentIdentityFilter is called and it
recognize that
> > >>>> user is authenticated so it creates new ConversationState
for
this
> > >>>> user and register it to ConversationRegistry. But note
that
> > >>>> previous ConversationState is lost. So credentials are not
> > >>>> registered in current ConversationState --> WSS
can't work
> > >>>> >>
> > >>>> >> I have my branch here
> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci which
is
> > >>>> based on top of your branch and it addresses (1) and (2).
I
fixed
> > >>>> (2) by similar approach like was before your changes,
which
means:
> > >>>> >> - After successful authentication are credentials
bind to
> > >>>> temporary authenticationRegistry, which exists only during
> > >>>> authentication
> > >>>> >> - I added new filter
ConversationStateUpdateFilter, which
> > >>>> removes credentials from temporary registry and adds them
to
> > >>>> ConversationState. ConversationStateUpdateFilter is added
after
> > >>>> SetCurrentIdentityFilter, which ensures that correct
> > >>>> ConversationState is bound to threadLocal when it's
called.
> > >>>> >>
> > >>>> >> I did not test with WSS enabled, but I verified
that after
my
> > >>>> change is
> > >>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> > >>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
> > >>>> >>
> > >>>> >> Let me know if my branch with those changes
> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok
or
you
> > >>>> have some other ideas to improve this.
> > >>>> >>
> > >>>> >> Personally I would prefer to use WCI
authenticationListener
for
> > >>>> register credentials but unfortunately listener doesn't
have
> > >>>> information about password of user, so I created WCI jira
> > >>>> https://issues.jboss.org/browse/GTNWCI-37 to address this.
I
think
> > >>>> you told about this limitation on IRC yesterday as well.
WDYT?
> > >>>> >
> > >>>> > we can fix WCI and make password available again.
> > >>>> >
> > >>>> > if yes we can make a release today.
> > >>>> >
> > >>>> >>
> > >>>> >> 3) I saw some exceptions due to
gatein-sample-extension and
> > >>>> gatein-sample-portal. It seems that we need to remove
those
> > >>>> obsolete servlets from web.xml and login.jsp. Also it
seems
that
> > >>>> other products on top of GateIn will need to adapt those
changes
> > >>>> as well. I did not fix those in my branch for now…
> > >>>> >
> > >>>> > this is correct, it needs more correction before final
merge,
> > >>>> this is still a WIP :-)
> > >>>> >
> > >>>> >>
> > >>>> >> I will try to test with SSO later in the afternoon
but I did
> > >>>> not expect any major problems as you keep
"/dologin" secure
URL,
> > >>>> so I think that it should work without any changes. Will
update
> > >>>> later if found any problems.
> > >>>> >
> > >>>> >>
> > >>>> >> Marek
> > >>>> >>
> > >>>> >> On 18/09/12 08:51, Julien Viet wrote:
> > >>>> >>> they actually need more work from Trong before
being merged
> > >>>> and careful checks.
> > >>>> >>>
> > >>>> >>> I believe we can finish that by the end of
this week.
> > >>>> >>>
> > >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> > >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
> > >>>> >>>
> > >>>> >>>> Hi,
> > >>>> >>>>
> > >>>> >>>> I pushed the initial rewrite of the
authentication in
GateIn
> > >>>> that is based on WCI and Servlet 3.0 authentication.
> > >>>> >>>>
> > >>>> >>>> The good news is it improves things by
simplifying the
code
> > >>>> and remove all the previous http redirects that we needed.
> > >>>> >>>>
> > >>>> >>>> I wrote a doc about it there :
> > >>>> https://community.jboss.org/wiki/GateIn35Authentication
> > >>>> >>>>
> > >>>> >>>> - Marek and Matt should look at the
authentication with
SSO
> > >>>> and WS-Security
> > >>>> >>>> - Trong should look at the login form
redirection for
groups
> > >>>> and users as now we don't rely anymore on servlet
container
> > >>>> security constraint (like it is already for portal pages)
> > >>>> >>>>
> > >>>> >>>> Note that this integrates with the new
Alpha common/wci/pc
> > >>>> stack, Bolek and I have been working for a couple of weeks.
I
> > >>>> guess it could also affect WSRP if it is using WCI in some
way
> > >>>> (WCI has had many simplifications last week with the
removal of
> > >>>> unnecessary stuff).
> > >>>> >>>>
> > >>>> >>>> cheers
> > >>>> >>>>
> > >>>> >>>> Julien
> > >>>> >>>
> > >>>> >>>
_______________________________________________
> > >>>> >>> gatein-dev mailing list
> > >>>> >>> gatein-dev(a)lists.jboss.org <mailto:
gatein-dev(a)lists.jboss.org>
> > >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
> > >>>> >>
> > >>>> >
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> gatein-dev mailing list
> > >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> gatein-dev mailing list
> > >>>> gatein-dev(a)lists.jboss.org
> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> > >
> >
> >
>
>
6:16 a.m.
FYI, In Servlet 3 you can even register HttpSessionListener via
javax.servlet.ServletContext#addListener programmatically
On 20 September 2012 16:21, Nicolas Filotto <nicolas.filotto(a)exoplatform.com
wrote:
> I could but I don't want to since it is only available in developing mode
> so I don't want to add a new HttpSessionListener in the web.xml for
> something that is not always needed. Anyway finding a workaround is another
> subject my question was to know if you cannot put it back, I just need a
> clear yes or no
>
> thx in advance
>
>
> On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com>wrote:
>
>> can you use an HttpSessionListener instead ?
>>
>> On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <
>> nicolas.filotto(a)exoplatform.com wrote:
>>
>> > Actually I use it for the hot reloading support available in developing
>> mode only (https://issues.jboss.org/browse/EXOJCR-1844), I need it to
>> keep the list of running sessions up to date in order to be able to
>> invalidate them in case one or several containers have to be reloaded, this
>> is needed since we can have hard references to the containers into the
>> sessions which :
>> > • Prevents the GC to remove them from memory that has actually a
>> memory leak
>> > • Prevents the application to work properly after a reload since
>> some part of the application keep on using the old containers
>> > If I understand your answer properly, you don't want to put it back
>> right?
>> >
>> > On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com>
> wrote:
>> > I knew it was using it for a couple of
days but thought it was only
>> using webapp deployment notifications and not authentication events.
>> >
>> > On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com wrote:
>> >
>> > > On 09/20/2012 09:46 AM, Julien Viet wrote:
>> > >> I tend to agree/disagree on this.
>> > >>
>> > >> We need both channels.
>> > >>
>> > >> IRC is wonderful for interactive sessions and also for social
aspect
>> and team cohesion.
>> > >>
>> > >> However mailing list is important for discussing aspects with all
>> actors involved in gatein.
>> > >>
>> > >> We cannot blame someone that would not be on IRC for some reason
(no
>> network, some prefer to work in asynchronous manner, travelling, meeting,
>> taking care of child, etc...).
>> > >>
>> > >> (Until recently I ignored that kernel was using WCI).
>> > >
>> > > I fully agree on that, don't get me wrong.
>> > >
>> > > I just suggest that more people join the IRC channel and I agree that
>> it has no guarantee of delivery. But it helps to synchronize and also helps
>> getting an idea of "what's going on". In this case we all ignored
that
>> Kernel was using WCI and relevant info failed to reach that team, IRC
>> presence could have just give *one more chance* to avoid that.
>> > >
>> > > Usually I look at few lines and I judge my interest on the topic and
>> decide to read more or not, it helps finding out things that are going on
>> in AS7 for instance or RichFaces that may impact us in the long term.
>> > >
>> > > Thomas
>> > >
>> > >>
>> > >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com wrote:
>> > >>
>> > >>> Not sure why GateIn WCI events are required at eXo Kernel level
but
>> *in general*, it would be great if you (and actually anyone interested by
>> GateIn development) could join the #gatein room on IRC Freenode. The
>> changes have been discussed there in details and it enabled great
>> collaboration between Julien, Trong and Marek. There were few emails on
>> this list as well though but it can't be the same amount of details.
>> > >>>
>> > >>> Also it's not hyper-active so it shouldn't be too
disturbing.
>> > >>>
>> > >>> If there is such a room for eXo JCR/Kernel/Core this could be
>> useful as well so that we all know what happens on the other side of the
>> fence.
>> > >>>
>> > >>> BTW: For those who met it, I can try to resurrect/enhance
BYOBot if
>> there is interest (A feature helped to catchup on what happened while away
>> without having to read full history).
>> > >>>
>> > >>> Thomas
>> > >>>
>> > >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>> > >>>> @Julien Why did you remove the logout event from WCI? I
need it at
>> kernel level
>> > >>>>
>> > >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <
>> julien(a)julienviet.com <mailto:julien@julienviet.com> wrote:
>> > >>>>
>> > >>>> it is now merged in gatein-portal/master
>> > >>>>
>> > >>>> kuddos to you and Trong for the responsiveness and the
good work
>> > >>>>
>> > >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet
<julien(a)julienviet.com
>> > >>>> <mailto:julien@julienviet.com> wrote:
>> > >>>>
>> > >>>> >
>> > >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <
>> mposolda(a)redhat.com
>> > >>>> <mailto:mposolda@redhat.com> wrote:
>> > >>>> >
>> > >>>> >> Hi Julien,
>> > >>>> >>
>> > >>>> >> I am checking the branch
>> > >>>> https://github.com/vietj/gatein-portal/tree/pcwci .
Thanks for
>> > >>>> this authentication simplification. I have some
comments:
>> > >>>> >>
>> > >>>> >> 1) I tested on AS7 and saw some compilation
failures in
>> > >>>> wsrp-extension component (namely in class
>> WSRPServiceIntegration)
>> > >>>> because it still used old WCI api for obtaining
>> ServletContainer.
>> > >>>> >> I fixed it simply by using: ServletContainer
>> servletContainer =
>> > >>>> ServletContainerFactory.getServletContainer();
>> > >>>> >> instead of DefaultServletContainerFactory as
you suggested
>> on irc.
>> > >>>> >>
>> > >>>> >> 2) Second thing is more major and it's
related to the WSS
>> issue
>> > >>>> with credentials. Unfortunately it doesn't work
correctly in
>> your
>> > >>>> branch because
LoginServlet.bindCredentialsToConversationState
>> is
>> > >>>> called directly after authentication, which is too early
as it
>> > >>>> still don't have correct conversationState at this
moment. What
>> > >>>> happens here is:
>> > >>>> >> - Request
>> > >>>>
http://localhost:8080/portal/login?username=john&password=gtnis send
>> > >>>> >> -- SetCurrentIdentityFilter is called at the
beginning of the
>> > >>>> request, but at this moment user is not authenticated.
So it
>> uses
>> > >>>> ConversationState for anonymous identity
>> (IdentityConstants.ANONIM)
>> > >>>> >> -- request is processed by LoginServlet, which
invokes wci
>> > >>>> authentication. But at this moment there is still
>> > >>>> ConversationState for anonymous user bind to
threadLocal, so
>> > >>>> Credentials are registered to this conversationState.
Then we
>> have
>> > >>>> redirection to initialURI like
"/portal/classic"
>> > >>>> >> - Request http://localhost:8080/portal/classic
is send
>> > >>>> >> -- SetCurrentIdentityFilter is called and it
recognize that
>> > >>>> user is authenticated so it creates new
ConversationState for
>> this
>> > >>>> user and register it to ConversationRegistry. But note
that
>> > >>>> previous ConversationState is lost. So credentials are
not
>> > >>>> registered in current ConversationState --> WSS
can't work
>> > >>>> >>
>> > >>>> >> I have my branch here
>> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci
which is
>> > >>>> based on top of your branch and it addresses (1) and
(2). I
>> fixed
>> > >>>> (2) by similar approach like was before your changes,
which
>> means:
>> > >>>> >> - After successful authentication are
credentials bind to
>> > >>>> temporary authenticationRegistry, which exists only
during
>> > >>>> authentication
>> > >>>> >> - I added new filter
ConversationStateUpdateFilter, which
>> > >>>> removes credentials from temporary registry and adds
them to
>> > >>>> ConversationState. ConversationStateUpdateFilter is
added after
>> > >>>> SetCurrentIdentityFilter, which ensures that correct
>> > >>>> ConversationState is bound to threadLocal when it's
called.
>> > >>>> >>
>> > >>>> >> I did not test with WSS enabled, but I verified
that after my
>> > >>>> change is
>> > >>>>
>> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>> > >>>> returning correct credentials value, which should fix
>> GTNPORTAL-2567 .
>> > >>>> >>
>> > >>>> >> Let me know if my branch with those changes
>> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is
ok or
>> you
>> > >>>> have some other ideas to improve this.
>> > >>>> >>
>> > >>>> >> Personally I would prefer to use WCI
authenticationListener
>> for
>> > >>>> register credentials but unfortunately listener
doesn't have
>> > >>>> information about password of user, so I created WCI
jira
>> > >>>> https://issues.jboss.org/browse/GTNWCI-37 to address
this. I
>> think
>> > >>>> you told about this limitation on IRC yesterday as well.
WDYT?
>> > >>>> >
>> > >>>> > we can fix WCI and make password available again.
>> > >>>> >
>> > >>>> > if yes we can make a release today.
>> > >>>> >
>> > >>>> >>
>> > >>>> >> 3) I saw some exceptions due to
gatein-sample-extension and
>> > >>>> gatein-sample-portal. It seems that we need to remove
those
>> > >>>> obsolete servlets from web.xml and login.jsp. Also it
seems that
>> > >>>> other products on top of GateIn will need to adapt those
changes
>> > >>>> as well. I did not fix those in my branch for now…
>> > >>>> >
>> > >>>> > this is correct, it needs more correction before
final merge,
>> > >>>> this is still a WIP :-)
>> > >>>> >
>> > >>>> >>
>> > >>>> >> I will try to test with SSO later in the
afternoon but I did
>> > >>>> not expect any major problems as you keep
"/dologin" secure URL,
>> > >>>> so I think that it should work without any changes. Will
update
>> > >>>> later if found any problems.
>> > >>>> >
>> > >>>> >>
>> > >>>> >> Marek
>> > >>>> >>
>> > >>>> >> On 18/09/12 08:51, Julien Viet wrote:
>> > >>>> >>> they actually need more work from Trong
before being merged
>> > >>>> and careful checks.
>> > >>>> >>>
>> > >>>> >>> I believe we can finish that by the end of
this week.
>> > >>>> >>>
>> > >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>> > >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com> wrote:
>> > >>>> >>>
>> > >>>> >>>> Hi,
>> > >>>> >>>>
>> > >>>> >>>> I pushed the initial rewrite of the
authentication in
>> GateIn
>> > >>>> that is based on WCI and Servlet 3.0 authentication.
>> > >>>> >>>>
>> > >>>> >>>> The good news is it improves things by
simplifying the code
>> > >>>> and remove all the previous http redirects that we
needed.
>> > >>>> >>>>
>> > >>>> >>>> I wrote a doc about it there :
>> > >>>> https://community.jboss.org/wiki/GateIn35Authentication
>> > >>>> >>>>
>> > >>>> >>>> - Marek and Matt should look at the
authentication with SSO
>> > >>>> and WS-Security
>> > >>>> >>>> - Trong should look at the login form
redirection for
>> groups
>> > >>>> and users as now we don't rely anymore on servlet
container
>> > >>>> security constraint (like it is already for portal
pages)
>> > >>>> >>>>
>> > >>>> >>>> Note that this integrates with the new
Alpha common/wci/pc
>> > >>>> stack, Bolek and I have been working for a couple of
weeks. I
>> > >>>> guess it could also affect WSRP if it is using WCI in
some way
>> > >>>> (WCI has had many simplifications last week with the
removal of
>> > >>>> unnecessary stuff).
>> > >>>> >>>>
>> > >>>> >>>> cheers
>> > >>>> >>>>
>> > >>>> >>>> Julien
>> > >>>> >>>
>> > >>>> >>>
_______________________________________________
>> > >>>> >>> gatein-dev mailing list
>> > >>>> >>> gatein-dev(a)lists.jboss.org <mailto:
>> gatein-dev(a)lists.jboss.org>
>> > >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >>>> >>
>> > >>>> >
>> > >>>>
>> > >>>>
>> > >>>> _______________________________________________
>> > >>>> gatein-dev mailing list
>> > >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> _______________________________________________
>> > >>>> gatein-dev mailing list
>> > >>>> gatein-dev(a)lists.jboss.org
>> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >
>> >
>> >
>>
>>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
>
6:49 a.m.
eXo JCR 1.15 has not been upgraded to Servlet 3, is it mandatory?
On Thu, Sep 20, 2012 at 11:16 AM, Trong Tran <trongtt(a)gmail.com> wrote:
FYI, In Servlet 3 you can even register HttpSessionListener via
javax.servlet.ServletContext#addListener programmatically
On 20 September 2012 16:21, Nicolas Filotto <
nicolas.filotto(a)exoplatform.com> wrote:
> I could but I don't want to since it is only available in developing mode
> so I don't want to add a new HttpSessionListener in the web.xml for
> something that is not always needed. Anyway finding a workaround is another
> subject my question was to know if you cannot put it back, I just need a
> clear yes or no
>
> thx in advance
>
>
> On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com>wrote:
>
>> can you use an HttpSessionListener instead ?
>>
>> On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <
>> nicolas.filotto(a)exoplatform.com> wrote:
>>
>> > Actually I use it for the hot reloading support available in
>> developing mode only (https://issues.jboss.org/browse/EXOJCR-1844), I
>> need it to keep the list of running sessions up to date in order to be able
>> to invalidate them in case one or several containers have to be reloaded,
>> this is needed since we can have hard references to the containers into the
>> sessions which :
>> > • Prevents the GC to remove them from memory that has actually a
>> memory leak
>> > • Prevents the application to work properly after a reload since
>> some part of the application keep on using the old containers
>> > If I understand your answer properly, you don't want to put it back
>> right?
>> >
>> > On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com>
>> wrote:
>> > I knew it was using it for a couple of days but thought it was only
>> using webapp deployment notifications and not authentication events.
>> >
>> > On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
>> >
>> > > On 09/20/2012 09:46 AM, Julien Viet wrote:
>> > >> I tend to agree/disagree on this.
>> > >>
>> > >> We need both channels.
>> > >>
>> > >> IRC is wonderful for interactive sessions and also for social
>> aspect and team cohesion.
>> > >>
>> > >> However mailing list is important for discussing aspects with all
>> actors involved in gatein.
>> > >>
>> > >> We cannot blame someone that would not be on IRC for some reason
>> (no network, some prefer to work in asynchronous manner, travelling,
>> meeting, taking care of child, etc...).
>> > >>
>> > >> (Until recently I ignored that kernel was using WCI).
>> > >
>> > > I fully agree on that, don't get me wrong.
>> > >
>> > > I just suggest that more people join the IRC channel and I agree
>> that it has no guarantee of delivery. But it helps to synchronize and also
>> helps getting an idea of "what's going on". In this case we all
ignored
>> that Kernel was using WCI and relevant info failed to reach that team, IRC
>> presence could have just give *one more chance* to avoid that.
>> > >
>> > > Usually I look at few lines and I judge my interest on the topic and
>> decide to read more or not, it helps finding out things that are going on
>> in AS7 for instance or RichFaces that may impact us in the long term.
>> > >
>> > > Thomas
>> > >
>> > >>
>> > >> On Sep 20, 2012, at 9:38 AM, Thomas Heute
<theute(a)redhat.com>
>> wrote:
>> > >>
>> > >>> Not sure why GateIn WCI events are required at eXo Kernel
level
>> but *in general*, it would be great if you (and actually anyone interested
>> by GateIn development) could join the #gatein room on IRC Freenode. The
>> changes have been discussed there in details and it enabled great
>> collaboration between Julien, Trong and Marek. There were few emails on
>> this list as well though but it can't be the same amount of details.
>> > >>>
>> > >>> Also it's not hyper-active so it shouldn't be too
disturbing.
>> > >>>
>> > >>> If there is such a room for eXo JCR/Kernel/Core this could be
>> useful as well so that we all know what happens on the other side of the
>> fence.
>> > >>>
>> > >>> BTW: For those who met it, I can try to resurrect/enhance
BYOBot
>> if there is interest (A feature helped to catchup on what happened while
>> away without having to read full history).
>> > >>>
>> > >>> Thomas
>> > >>>
>> > >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
>> > >>>> @Julien Why did you remove the logout event from WCI? I
need it
>> at kernel level
>> > >>>>
>> > >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet <
>> julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
>> > >>>>
>> > >>>> it is now merged in gatein-portal/master
>> > >>>>
>> > >>>> kuddos to you and Trong for the responsiveness and the
good
>> work
>> > >>>>
>> > >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet <
>> julien(a)julienviet.com
>> > >>>> <mailto:julien@julienviet.com>> wrote:
>> > >>>>
>> > >>>> >
>> > >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda <
>> mposolda(a)redhat.com
>> > >>>> <mailto:mposolda@redhat.com>> wrote:
>> > >>>> >
>> > >>>> >> Hi Julien,
>> > >>>> >>
>> > >>>> >> I am checking the branch
>> > >>>> https://github.com/vietj/gatein-portal/tree/pcwci .
Thanks for
>> > >>>> this authentication simplification. I have some
comments:
>> > >>>> >>
>> > >>>> >> 1) I tested on AS7 and saw some compilation
failures in
>> > >>>> wsrp-extension component (namely in class
>> WSRPServiceIntegration)
>> > >>>> because it still used old WCI api for obtaining
>> ServletContainer.
>> > >>>> >> I fixed it simply by using: ServletContainer
>> servletContainer =
>> > >>>> ServletContainerFactory.getServletContainer();
>> > >>>> >> instead of DefaultServletContainerFactory as
you suggested
>> on irc.
>> > >>>> >>
>> > >>>> >> 2) Second thing is more major and it's
related to the WSS
>> issue
>> > >>>> with credentials. Unfortunately it doesn't work
correctly in
>> your
>> > >>>> branch because
LoginServlet.bindCredentialsToConversationState
>> is
>> > >>>> called directly after authentication, which is too early
as it
>> > >>>> still don't have correct conversationState at this
moment. What
>> > >>>> happens here is:
>> > >>>> >> - Request
>> > >>>>
http://localhost:8080/portal/login?username=john&password=gtnis send
>> > >>>> >> -- SetCurrentIdentityFilter is called at the
beginning of
>> the
>> > >>>> request, but at this moment user is not authenticated.
So it
>> uses
>> > >>>> ConversationState for anonymous identity
>> (IdentityConstants.ANONIM)
>> > >>>> >> -- request is processed by LoginServlet, which
invokes wci
>> > >>>> authentication. But at this moment there is still
>> > >>>> ConversationState for anonymous user bind to
threadLocal, so
>> > >>>> Credentials are registered to this conversationState.
Then we
>> have
>> > >>>> redirection to initialURI like
"/portal/classic"
>> > >>>> >> - Request http://localhost:8080/portal/classic
is send
>> > >>>> >> -- SetCurrentIdentityFilter is called and it
recognize that
>> > >>>> user is authenticated so it creates new
ConversationState for
>> this
>> > >>>> user and register it to ConversationRegistry. But note
that
>> > >>>> previous ConversationState is lost. So credentials are
not
>> > >>>> registered in current ConversationState --> WSS
can't work
>> > >>>> >>
>> > >>>> >> I have my branch here
>> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci
which is
>> > >>>> based on top of your branch and it addresses (1) and
(2). I
>> fixed
>> > >>>> (2) by similar approach like was before your changes,
which
>> means:
>> > >>>> >> - After successful authentication are
credentials bind to
>> > >>>> temporary authenticationRegistry, which exists only
during
>> > >>>> authentication
>> > >>>> >> - I added new filter
ConversationStateUpdateFilter, which
>> > >>>> removes credentials from temporary registry and adds
them to
>> > >>>> ConversationState. ConversationStateUpdateFilter is
added after
>> > >>>> SetCurrentIdentityFilter, which ensures that correct
>> > >>>> ConversationState is bound to threadLocal when it's
called.
>> > >>>> >>
>> > >>>> >> I did not test with WSS enabled, but I verified
that after
>> my
>> > >>>> change is
>> > >>>>
>> ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
>> > >>>> returning correct credentials value, which should fix
>> GTNPORTAL-2567 .
>> > >>>> >>
>> > >>>> >> Let me know if my branch with those changes
>> > >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is
ok or
>> you
>> > >>>> have some other ideas to improve this.
>> > >>>> >>
>> > >>>> >> Personally I would prefer to use WCI
authenticationListener
>> for
>> > >>>> register credentials but unfortunately listener
doesn't have
>> > >>>> information about password of user, so I created WCI
jira
>> > >>>> https://issues.jboss.org/browse/GTNWCI-37 to address
this. I
>> think
>> > >>>> you told about this limitation on IRC yesterday as well.
WDYT?
>> > >>>> >
>> > >>>> > we can fix WCI and make password available again.
>> > >>>> >
>> > >>>> > if yes we can make a release today.
>> > >>>> >
>> > >>>> >>
>> > >>>> >> 3) I saw some exceptions due to
gatein-sample-extension and
>> > >>>> gatein-sample-portal. It seems that we need to remove
those
>> > >>>> obsolete servlets from web.xml and login.jsp. Also it
seems
>> that
>> > >>>> other products on top of GateIn will need to adapt
those
>> changes
>> > >>>> as well. I did not fix those in my branch for now…
>> > >>>> >
>> > >>>> > this is correct, it needs more correction before
final merge,
>> > >>>> this is still a WIP :-)
>> > >>>> >
>> > >>>> >>
>> > >>>> >> I will try to test with SSO later in the
afternoon but I did
>> > >>>> not expect any major problems as you keep
"/dologin" secure
>> URL,
>> > >>>> so I think that it should work without any changes. Will
update
>> > >>>> later if found any problems.
>> > >>>> >
>> > >>>> >>
>> > >>>> >> Marek
>> > >>>> >>
>> > >>>> >> On 18/09/12 08:51, Julien Viet wrote:
>> > >>>> >>> they actually need more work from Trong
before being merged
>> > >>>> and careful checks.
>> > >>>> >>>
>> > >>>> >>> I believe we can finish that by the end of
this week.
>> > >>>> >>>
>> > >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
>> > >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
>> > >>>> >>>
>> > >>>> >>>> Hi,
>> > >>>> >>>>
>> > >>>> >>>> I pushed the initial rewrite of the
authentication in
>> GateIn
>> > >>>> that is based on WCI and Servlet 3.0 authentication.
>> > >>>> >>>>
>> > >>>> >>>> The good news is it improves things by
simplifying the
>> code
>> > >>>> and remove all the previous http redirects that we
needed.
>> > >>>> >>>>
>> > >>>> >>>> I wrote a doc about it there :
>> > >>>> https://community.jboss.org/wiki/GateIn35Authentication
>> > >>>> >>>>
>> > >>>> >>>> - Marek and Matt should look at the
authentication with
>> SSO
>> > >>>> and WS-Security
>> > >>>> >>>> - Trong should look at the login form
redirection for
>> groups
>> > >>>> and users as now we don't rely anymore on servlet
container
>> > >>>> security constraint (like it is already for portal
pages)
>> > >>>> >>>>
>> > >>>> >>>> Note that this integrates with the new
Alpha common/wci/pc
>> > >>>> stack, Bolek and I have been working for a couple of
weeks. I
>> > >>>> guess it could also affect WSRP if it is using WCI in
some way
>> > >>>> (WCI has had many simplifications last week with the
removal of
>> > >>>> unnecessary stuff).
>> > >>>> >>>>
>> > >>>> >>>> cheers
>> > >>>> >>>>
>> > >>>> >>>> Julien
>> > >>>> >>>
>> > >>>> >>>
_______________________________________________
>> > >>>> >>> gatein-dev mailing list
>> > >>>> >>> gatein-dev(a)lists.jboss.org <mailto:
>> gatein-dev(a)lists.jboss.org>
>> > >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >>>> >>
>> > >>>> >
>> > >>>>
>> > >>>>
>> > >>>> _______________________________________________
>> > >>>> gatein-dev mailing list
>> > >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
>> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> _______________________________________________
>> > >>>> gatein-dev mailing list
>> > >>>> gatein-dev(a)lists.jboss.org
>> > >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
>> > >
>> >
>> >
>>
>>
>
> _______________________________________________
> gatein-dev mailing list
> gatein-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/gatein-dev
>
>
7:46 a.m.
you can use web fragment (web-fragment.xml file) in your jar that contains a
web-fragment.xml to register something.
however I think it must be in the war file (portal.war) for registering it.
On Sep 20, 2012, at 1:49 PM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
eXo JCR 1.15 has not been upgraded to Servlet 3, is it mandatory?
On Thu, Sep 20, 2012 at 11:16 AM, Trong Tran <trongtt(a)gmail.com> wrote:
FYI, In Servlet 3 you can even register HttpSessionListener via
javax.servlet.ServletContext#addListener programmatically
On 20 September 2012 16:21, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
I could but I don't want to since it is only available in developing mode so I
don't want to add a new HttpSessionListener in the web.xml for something that is not
always needed. Anyway finding a workaround is another subject my question was to know if
you cannot put it back, I just need a clear yes or no
thx in advance
On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com> wrote:
can you use an HttpSessionListener instead ?
On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
> Actually I use it for the hot reloading support available in developing mode only
(https://issues.jboss.org/browse/EXOJCR-1844), I need it to keep the list of running
sessions up to date in order to be able to invalidate them in case one or several
containers have to be reloaded, this is needed since we can have hard references to the
containers into the sessions which :
> • Prevents the GC to remove them from memory that has actually a memory leak
> • Prevents the application to work properly after a reload since some part of
the application keep on using the old containers
> If I understand your answer properly, you don't want to put it back right?
>
> On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com> wrote:
> I knew it was using it for a couple of days but thought it was only using webapp
deployment notifications and not authentication events.
>
> On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
>
> > On 09/20/2012 09:46 AM, Julien Viet wrote:
> >> I tend to agree/disagree on this.
> >>
> >> We need both channels.
> >>
> >> IRC is wonderful for interactive sessions and also for social aspect and
team cohesion.
> >>
> >> However mailing list is important for discussing aspects with all actors
involved in gatein.
> >>
> >> We cannot blame someone that would not be on IRC for some reason (no
network, some prefer to work in asynchronous manner, travelling, meeting, taking care of
child, etc...).
> >>
> >> (Until recently I ignored that kernel was using WCI).
> >
> > I fully agree on that, don't get me wrong.
> >
> > I just suggest that more people join the IRC channel and I agree that it has no
guarantee of delivery. But it helps to synchronize and also helps getting an idea of
"what's going on". In this case we all ignored that Kernel was using WCI and
relevant info failed to reach that team, IRC presence could have just give *one more
chance* to avoid that.
> >
> > Usually I look at few lines and I judge my interest on the topic and decide to
read more or not, it helps finding out things that are going on in AS7 for instance or
RichFaces that may impact us in the long term.
> >
> > Thomas
> >
> >>
> >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
> >>
> >>> Not sure why GateIn WCI events are required at eXo Kernel level but *in
general*, it would be great if you (and actually anyone interested by GateIn development)
could join the #gatein room on IRC Freenode. The changes have been discussed there in
details and it enabled great collaboration between Julien, Trong and Marek. There were few
emails on this list as well though but it can't be the same amount of details.
> >>>
> >>> Also it's not hyper-active so it shouldn't be too disturbing.
> >>>
> >>> If there is such a room for eXo JCR/Kernel/Core this could be useful as
well so that we all know what happens on the other side of the fence.
> >>>
> >>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while away without having
to read full history).
> >>>
> >>> Thomas
> >>>
> >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> >>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
> >>>>
> >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet
<julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> it is now merged in gatein-portal/master
> >>>>
> >>>> kuddos to you and Trong for the responsiveness and the good
work
> >>>>
> >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet
<julien(a)julienviet.com
> >>>> <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> >
> >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda
<mposolda(a)redhat.com
> >>>> <mailto:mposolda@redhat.com>> wrote:
> >>>> >
> >>>> >> Hi Julien,
> >>>> >>
> >>>> >> I am checking the branch
> >>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
> >>>> this authentication simplification. I have some comments:
> >>>> >>
> >>>> >> 1) I tested on AS7 and saw some compilation failures
in
> >>>> wsrp-extension component (namely in class
WSRPServiceIntegration)
> >>>> because it still used old WCI api for obtaining
ServletContainer.
> >>>> >> I fixed it simply by using: ServletContainer
servletContainer =
> >>>> ServletContainerFactory.getServletContainer();
> >>>> >> instead of DefaultServletContainerFactory as you
suggested on irc.
> >>>> >>
> >>>> >> 2) Second thing is more major and it's related to
the WSS issue
> >>>> with credentials. Unfortunately it doesn't work correctly in
your
> >>>> branch because LoginServlet.bindCredentialsToConversationState
is
> >>>> called directly after authentication, which is too early as it
> >>>> still don't have correct conversationState at this moment.
What
> >>>> happens here is:
> >>>> >> - Request
> >>>>
http://localhost:8080/portal/login?username=john&password=gtn is send
> >>>> >> -- SetCurrentIdentityFilter is called at the beginning
of the
> >>>> request, but at this moment user is not authenticated. So it
uses
> >>>> ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> >>>> >> -- request is processed by LoginServlet, which invokes
wci
> >>>> authentication. But at this moment there is still
> >>>> ConversationState for anonymous user bind to threadLocal, so
> >>>> Credentials are registered to this conversationState. Then we
have
> >>>> redirection to initialURI like "/portal/classic"
> >>>> >> - Request http://localhost:8080/portal/classic is send
> >>>> >> -- SetCurrentIdentityFilter is called and it recognize
that
> >>>> user is authenticated so it creates new ConversationState for
this
> >>>> user and register it to ConversationRegistry. But note that
> >>>> previous ConversationState is lost. So credentials are not
> >>>> registered in current ConversationState --> WSS can't
work
> >>>> >>
> >>>> >> I have my branch here
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
> >>>> based on top of your branch and it addresses (1) and (2). I
fixed
> >>>> (2) by similar approach like was before your changes, which
means:
> >>>> >> - After successful authentication are credentials bind
to
> >>>> temporary authenticationRegistry, which exists only during
> >>>> authentication
> >>>> >> - I added new filter ConversationStateUpdateFilter,
which
> >>>> removes credentials from temporary registry and adds them to
> >>>> ConversationState. ConversationStateUpdateFilter is added after
> >>>> SetCurrentIdentityFilter, which ensures that correct
> >>>> ConversationState is bound to threadLocal when it's called.
> >>>> >>
> >>>> >> I did not test with WSS enabled, but I verified that
after my
> >>>> change is
> >>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> >>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
> >>>> >>
> >>>> >> Let me know if my branch with those changes
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or
you
> >>>> have some other ideas to improve this.
> >>>> >>
> >>>> >> Personally I would prefer to use WCI
authenticationListener for
> >>>> register credentials but unfortunately listener doesn't
have
> >>>> information about password of user, so I created WCI jira
> >>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I
think
> >>>> you told about this limitation on IRC yesterday as well. WDYT?
> >>>> >
> >>>> > we can fix WCI and make password available again.
> >>>> >
> >>>> > if yes we can make a release today.
> >>>> >
> >>>> >>
> >>>> >> 3) I saw some exceptions due to gatein-sample-extension
and
> >>>> gatein-sample-portal. It seems that we need to remove those
> >>>> obsolete servlets from web.xml and login.jsp. Also it seems
that
> >>>> other products on top of GateIn will need to adapt those
changes
> >>>> as well. I did not fix those in my branch for now…
> >>>> >
> >>>> > this is correct, it needs more correction before final
merge,
> >>>> this is still a WIP :-)
> >>>> >
> >>>> >>
> >>>> >> I will try to test with SSO later in the afternoon but
I did
> >>>> not expect any major problems as you keep "/dologin"
secure URL,
> >>>> so I think that it should work without any changes. Will update
> >>>> later if found any problems.
> >>>> >
> >>>> >>
> >>>> >> Marek
> >>>> >>
> >>>> >> On 18/09/12 08:51, Julien Viet wrote:
> >>>> >>> they actually need more work from Trong before
being merged
> >>>> and careful checks.
> >>>> >>>
> >>>> >>> I believe we can finish that by the end of this
week.
> >>>> >>>
> >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
> >>>> >>>
> >>>> >>>> Hi,
> >>>> >>>>
> >>>> >>>> I pushed the initial rewrite of the
authentication in GateIn
> >>>> that is based on WCI and Servlet 3.0 authentication.
> >>>> >>>>
> >>>> >>>> The good news is it improves things by
simplifying the code
> >>>> and remove all the previous http redirects that we needed.
> >>>> >>>>
> >>>> >>>> I wrote a doc about it there :
> >>>> https://community.jboss.org/wiki/GateIn35Authentication
> >>>> >>>>
> >>>> >>>> - Marek and Matt should look at the
authentication with SSO
> >>>> and WS-Security
> >>>> >>>> - Trong should look at the login form
redirection for groups
> >>>> and users as now we don't rely anymore on servlet container
> >>>> security constraint (like it is already for portal pages)
> >>>> >>>>
> >>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
> >>>> stack, Bolek and I have been working for a couple of weeks. I
> >>>> guess it could also affect WSRP if it is using WCI in some way
> >>>> (WCI has had many simplifications last week with the removal of
> >>>> unnecessary stuff).
> >>>> >>>>
> >>>> >>>> cheers
> >>>> >>>>
> >>>> >>>> Julien
> >>>> >>>
> >>>> >>> _______________________________________________
> >>>> >>> gatein-dev mailing list
> >>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>> >>
> >>>> >
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >
>
>
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
7:43 a.m.
yes you can but only during the init phase of the servlet container.
On Sep 20, 2012, at 1:16 PM, Trong Tran <trongtt(a)gmail.com> wrote:
FYI, In Servlet 3 you can even register HttpSessionListener via
javax.servlet.ServletContext#addListener programmatically
On 20 September 2012 16:21, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
I could but I don't want to since it is only available in developing mode so I
don't want to add a new HttpSessionListener in the web.xml for something that is not
always needed. Anyway finding a workaround is another subject my question was to know if
you cannot put it back, I just need a clear yes or no
thx in advance
On Thu, Sep 20, 2012 at 9:08 AM, Julien Viet <julien(a)julienviet.com> wrote:
can you use an HttpSessionListener instead ?
On Sep 20, 2012, at 10:45 AM, Nicolas Filotto <nicolas.filotto(a)exoplatform.com>
wrote:
> Actually I use it for the hot reloading support available in developing mode only
(https://issues.jboss.org/browse/EXOJCR-1844), I need it to keep the list of running
sessions up to date in order to be able to invalidate them in case one or several
containers have to be reloaded, this is needed since we can have hard references to the
containers into the sessions which :
> • Prevents the GC to remove them from memory that has actually a memory leak
> • Prevents the application to work properly after a reload since some part of
the application keep on using the old containers
> If I understand your answer properly, you don't want to put it back right?
>
> On Thu, Sep 20, 2012 at 8:02 AM, Julien Viet <julien(a)julienviet.com> wrote:
> I knew it was using it for a couple of days but thought it was only using webapp
deployment notifications and not authentication events.
>
> On Sep 20, 2012, at 9:55 AM, Thomas Heute <theute(a)redhat.com> wrote:
>
> > On 09/20/2012 09:46 AM, Julien Viet wrote:
> >> I tend to agree/disagree on this.
> >>
> >> We need both channels.
> >>
> >> IRC is wonderful for interactive sessions and also for social aspect and
team cohesion.
> >>
> >> However mailing list is important for discussing aspects with all actors
involved in gatein.
> >>
> >> We cannot blame someone that would not be on IRC for some reason (no
network, some prefer to work in asynchronous manner, travelling, meeting, taking care of
child, etc...).
> >>
> >> (Until recently I ignored that kernel was using WCI).
> >
> > I fully agree on that, don't get me wrong.
> >
> > I just suggest that more people join the IRC channel and I agree that it has no
guarantee of delivery. But it helps to synchronize and also helps getting an idea of
"what's going on". In this case we all ignored that Kernel was using WCI and
relevant info failed to reach that team, IRC presence could have just give *one more
chance* to avoid that.
> >
> > Usually I look at few lines and I judge my interest on the topic and decide to
read more or not, it helps finding out things that are going on in AS7 for instance or
RichFaces that may impact us in the long term.
> >
> > Thomas
> >
> >>
> >> On Sep 20, 2012, at 9:38 AM, Thomas Heute <theute(a)redhat.com> wrote:
> >>
> >>> Not sure why GateIn WCI events are required at eXo Kernel level but *in
general*, it would be great if you (and actually anyone interested by GateIn development)
could join the #gatein room on IRC Freenode. The changes have been discussed there in
details and it enabled great collaboration between Julien, Trong and Marek. There were few
emails on this list as well though but it can't be the same amount of details.
> >>>
> >>> Also it's not hyper-active so it shouldn't be too disturbing.
> >>>
> >>> If there is such a room for eXo JCR/Kernel/Core this could be useful as
well so that we all know what happens on the other side of the fence.
> >>>
> >>> BTW: For those who met it, I can try to resurrect/enhance BYOBot if
there is interest (A feature helped to catchup on what happened while away without having
to read full history).
> >>>
> >>> Thomas
> >>>
> >>> On 09/19/2012 09:03 PM, Nicolas Filotto wrote:
> >>>> @Julien Why did you remove the logout event from WCI? I need it at
kernel level
> >>>>
> >>>> On Wed, Sep 19, 2012 at 6:01 PM, Julien Viet
<julien(a)julienviet.com <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> it is now merged in gatein-portal/master
> >>>>
> >>>> kuddos to you and Trong for the responsiveness and the good
work
> >>>>
> >>>> On Sep 18, 2012, at 1:59 PM, Julien Viet
<julien(a)julienviet.com
> >>>> <mailto:julien@julienviet.com>> wrote:
> >>>>
> >>>> >
> >>>> > On Sep 18, 2012, at 1:42 PM, Marek Posolda
<mposolda(a)redhat.com
> >>>> <mailto:mposolda@redhat.com>> wrote:
> >>>> >
> >>>> >> Hi Julien,
> >>>> >>
> >>>> >> I am checking the branch
> >>>> https://github.com/vietj/gatein-portal/tree/pcwci . Thanks for
> >>>> this authentication simplification. I have some comments:
> >>>> >>
> >>>> >> 1) I tested on AS7 and saw some compilation failures
in
> >>>> wsrp-extension component (namely in class
WSRPServiceIntegration)
> >>>> because it still used old WCI api for obtaining
ServletContainer.
> >>>> >> I fixed it simply by using: ServletContainer
servletContainer =
> >>>> ServletContainerFactory.getServletContainer();
> >>>> >> instead of DefaultServletContainerFactory as you
suggested on irc.
> >>>> >>
> >>>> >> 2) Second thing is more major and it's related to
the WSS issue
> >>>> with credentials. Unfortunately it doesn't work correctly in
your
> >>>> branch because LoginServlet.bindCredentialsToConversationState
is
> >>>> called directly after authentication, which is too early as it
> >>>> still don't have correct conversationState at this moment.
What
> >>>> happens here is:
> >>>> >> - Request
> >>>>
http://localhost:8080/portal/login?username=john&password=gtn is send
> >>>> >> -- SetCurrentIdentityFilter is called at the beginning
of the
> >>>> request, but at this moment user is not authenticated. So it
uses
> >>>> ConversationState for anonymous identity
(IdentityConstants.ANONIM)
> >>>> >> -- request is processed by LoginServlet, which invokes
wci
> >>>> authentication. But at this moment there is still
> >>>> ConversationState for anonymous user bind to threadLocal, so
> >>>> Credentials are registered to this conversationState. Then we
have
> >>>> redirection to initialURI like "/portal/classic"
> >>>> >> - Request http://localhost:8080/portal/classic is send
> >>>> >> -- SetCurrentIdentityFilter is called and it recognize
that
> >>>> user is authenticated so it creates new ConversationState for
this
> >>>> user and register it to ConversationRegistry. But note that
> >>>> previous ConversationState is lost. So credentials are not
> >>>> registered in current ConversationState --> WSS can't
work
> >>>> >>
> >>>> >> I have my branch here
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci which is
> >>>> based on top of your branch and it addresses (1) and (2). I
fixed
> >>>> (2) by similar approach like was before your changes, which
means:
> >>>> >> - After successful authentication are credentials bind
to
> >>>> temporary authenticationRegistry, which exists only during
> >>>> authentication
> >>>> >> - I added new filter ConversationStateUpdateFilter,
which
> >>>> removes credentials from temporary registry and adds them to
> >>>> ConversationState. ConversationStateUpdateFilter is added after
> >>>> SetCurrentIdentityFilter, which ensures that correct
> >>>> ConversationState is bound to threadLocal when it's called.
> >>>> >>
> >>>> >> I did not test with WSS enabled, but I verified that
after my
> >>>> change is
> >>>>
ConversationState.getCurrent().getAttribute(Credentials.CREDENTIALS)
> >>>> returning correct credentials value, which should fix
GTNPORTAL-2567 .
> >>>> >>
> >>>> >> Let me know if my branch with those changes
> >>>> https://github.com/mposolda/gatein-portal/tree/pcwci is ok or
you
> >>>> have some other ideas to improve this.
> >>>> >>
> >>>> >> Personally I would prefer to use WCI
authenticationListener for
> >>>> register credentials but unfortunately listener doesn't
have
> >>>> information about password of user, so I created WCI jira
> >>>> https://issues.jboss.org/browse/GTNWCI-37 to address this. I
think
> >>>> you told about this limitation on IRC yesterday as well. WDYT?
> >>>> >
> >>>> > we can fix WCI and make password available again.
> >>>> >
> >>>> > if yes we can make a release today.
> >>>> >
> >>>> >>
> >>>> >> 3) I saw some exceptions due to gatein-sample-extension
and
> >>>> gatein-sample-portal. It seems that we need to remove those
> >>>> obsolete servlets from web.xml and login.jsp. Also it seems
that
> >>>> other products on top of GateIn will need to adapt those
changes
> >>>> as well. I did not fix those in my branch for now…
> >>>> >
> >>>> > this is correct, it needs more correction before final
merge,
> >>>> this is still a WIP :-)
> >>>> >
> >>>> >>
> >>>> >> I will try to test with SSO later in the afternoon but
I did
> >>>> not expect any major problems as you keep "/dologin"
secure URL,
> >>>> so I think that it should work without any changes. Will update
> >>>> later if found any problems.
> >>>> >
> >>>> >>
> >>>> >> Marek
> >>>> >>
> >>>> >> On 18/09/12 08:51, Julien Viet wrote:
> >>>> >>> they actually need more work from Trong before
being merged
> >>>> and careful checks.
> >>>> >>>
> >>>> >>> I believe we can finish that by the end of this
week.
> >>>> >>>
> >>>> >>> On Sep 17, 2012, at 10:45 PM, Julien Viet
> >>>> <julien(a)julienviet.com
<mailto:julien@julienviet.com>> wrote:
> >>>> >>>
> >>>> >>>> Hi,
> >>>> >>>>
> >>>> >>>> I pushed the initial rewrite of the
authentication in GateIn
> >>>> that is based on WCI and Servlet 3.0 authentication.
> >>>> >>>>
> >>>> >>>> The good news is it improves things by
simplifying the code
> >>>> and remove all the previous http redirects that we needed.
> >>>> >>>>
> >>>> >>>> I wrote a doc about it there :
> >>>> https://community.jboss.org/wiki/GateIn35Authentication
> >>>> >>>>
> >>>> >>>> - Marek and Matt should look at the
authentication with SSO
> >>>> and WS-Security
> >>>> >>>> - Trong should look at the login form
redirection for groups
> >>>> and users as now we don't rely anymore on servlet container
> >>>> security constraint (like it is already for portal pages)
> >>>> >>>>
> >>>> >>>> Note that this integrates with the new Alpha
common/wci/pc
> >>>> stack, Bolek and I have been working for a couple of weeks. I
> >>>> guess it could also affect WSRP if it is using WCI in some way
> >>>> (WCI has had many simplifications last week with the removal of
> >>>> unnecessary stuff).
> >>>> >>>>
> >>>> >>>> cheers
> >>>> >>>>
> >>>> >>>> Julien
> >>>> >>>
> >>>> >>> _______________________________________________
> >>>> >>> gatein-dev mailing list
> >>>> >>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> >>>
https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>> >>
> >>>> >
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
<mailto:gatein-dev@lists.jboss.org>
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> gatein-dev mailing list
> >>>> gatein-dev(a)lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/gatein-dev
> >
>
>
_______________________________________________
gatein-dev mailing list
gatein-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev
4759
days inactive
4762
days old
19 comments
6 participants
participants (6)
-
Boleslaw Dawidowicz -
Julien Viet -
Marek Posolda -
Nicolas Filotto -
Thomas Heute -
Trong Tran