4:47 a.m.
Hi
You can achieve by writing a tomcat authenticator and putting it in
WEB-INF/context.xml (JBAS) or META-INF/context.xml (tomcat).
The auth-name is a string defined in the servlet spec.
thanks for the tip.
What is the difference between writing a custom Tomcat authenticator and a custom
LoginModule, example,
org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule ?
My understanding is that having custom login modules :
- makes it easy to stack together different modules, as shown for ex at [1]
- but requires the explicit loading of (JBoss Security) AuthenticationManager (at least
when services are POJOs)
cheers, Sergey
[1] http://community.jboss.org/wiki/SAMLEJBIntegrationwithPicketLinkSTS
On 07/13/2010 11:35 AM, Bill Burke wrote:
> Remy, Anil,
>
> (I'm cc'ing jboss-dev for archive purposes)
>
> Sergey , a new web services/resteasy hire, has done some great work
> around OAuth lately. I'm interested in taking his stuff to the next
> level and make it consumable in a way JBoss AS users are used to
> configuring security.
>
> Specifically, I'm interested in defining a OAuth
> login-config/auth-method within web.xml i.e.
>
> <login-config>
> <auth-name>OAuth</auth-name>
> <realm-name>...</realm-name>
> </login-config>
>
> This would be an initial step, eventually I'd like to be able to
> configure a web app to support multiple authentication mechanisms,
so
> that one URL could support both OAuth and traditional clients.
>
> Is JSR 196 the way to do this? Do we support in AS6? Is there doco
> someplace? (I couldn't find with a search).
>
> Thanks,
>
> Bill
9:53 a.m.
New subject: pluggable auth-method
Just guessing,
Isn't the login module responsible for the actual authentication and
authorization? Tomcat authenticator is just responsible for extracting
header info?
Sergey Beryozkin wrote:
Hi
> You can achieve by writing a tomcat authenticator and putting it in
> WEB-INF/context.xml (JBAS) or META-INF/context.xml (tomcat).
>
> The auth-name is a string defined in the servlet spec.
>
thanks for the tip.
What is the difference between writing a custom Tomcat authenticator and a custom
LoginModule, example,
org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule ?
My understanding is that having custom login modules :
- makes it easy to stack together different modules, as shown for ex at [1]
- but requires the explicit loading of (JBoss Security) AuthenticationManager (at least
when services are POJOs)
cheers, Sergey
[1] http://community.jboss.org/wiki/SAMLEJBIntegrationwithPicketLinkSTS
> On 07/13/2010 11:35 AM, Bill Burke wrote:
>> Remy, Anil,
>>
>> (I'm cc'ing jboss-dev for archive purposes)
>>
>> Sergey , a new web services/resteasy hire, has done some great work
>> around OAuth lately. I'm interested in taking his stuff to the next
>> level and make it consumable in a way JBoss AS users are used to
>> configuring security.
>>
>> Specifically, I'm interested in defining a OAuth
>> login-config/auth-method within web.xml i.e.
>>
>> <login-config>
>> <auth-name>OAuth</auth-name>
>> <realm-name>...</realm-name>
>> </login-config>
>>
>> This would be an initial step, eventually I'd like to be able to
>> configure a web app to support multiple authentication mechanisms,
> so
>> that one URL could support both OAuth and traditional clients.
>>
>> Is JSR 196 the way to do this? Do we support in AS6? Is there doco
>> someplace? (I couldn't find with a search).
>>
>> Thanks,
>>
>> Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:16 a.m.
New subject: pluggable auth-method
Yes.
Authenticator is a Catalina/Web construct that delegates to a Realm
(Catalina construct) that, in JBAS is backed by LoginModules (JAAS
constructs, JBoss implementations).
JAAS LoginModules are constrained by their own API which means they get
access to only certain callbacks (username, password, etc) and have no
knowledge of the Servlet API. You can do authentication in an
Authenticator but that's not portable to other non-Tomcat/JBW
environments. The naming is a bit confusing IMO. It made sense for
Tomcat but adds confusion in JBAS.
You don't need to worry about writing an Authenticator unless you need
access to something that you don't already get from the existing
Authenticators, such as cookies, etc.
-CB
On 07/14/2010 10:53 AM, Bill Burke wrote:
Just guessing,
Isn't the login module responsible for the actual authentication and
authorization? Tomcat authenticator is just responsible for extracting
header info?
Sergey Beryozkin wrote:
> Hi
>
>> You can achieve by writing a tomcat authenticator and putting it in
>> WEB-INF/context.xml (JBAS) or META-INF/context.xml (tomcat).
>>
>> The auth-name is a string defined in the servlet spec.
>>
>
> thanks for the tip.
>
> What is the difference between writing a custom Tomcat authenticator and a custom
LoginModule, example,
> org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule ?
>
> My understanding is that having custom login modules :
> - makes it easy to stack together different modules, as shown for ex at [1]
> - but requires the explicit loading of (JBoss Security) AuthenticationManager (at
least when services are POJOs)
>
> cheers, Sergey
>
> [1] http://community.jboss.org/wiki/SAMLEJBIntegrationwithPicketLinkSTS
>
>
>> On 07/13/2010 11:35 AM, Bill Burke wrote:
>>> Remy, Anil,
>>>
>>> (I'm cc'ing jboss-dev for archive purposes)
>>>
>>> Sergey , a new web services/resteasy hire, has done some great work
>>> around OAuth lately. I'm interested in taking his stuff to the next
>>> level and make it consumable in a way JBoss AS users are used to
>>> configuring security.
>>>
>>> Specifically, I'm interested in defining a OAuth
>>> login-config/auth-method within web.xml i.e.
>>>
>>> <login-config>
>>> <auth-name>OAuth</auth-name>
>>> <realm-name>...</realm-name>
>>> </login-config>
>>>
>>> This would be an initial step, eventually I'd like to be able to
>>> configure a web app to support multiple authentication mechanisms,
>> so
>>> that one URL could support both OAuth and traditional clients.
>>>
>>> Is JSR 196 the way to do this? Do we support in AS6? Is there doco
>>> someplace? (I couldn't find with a search).
>>>
>>> Thanks,
>>>
>>> Bill
10:28 a.m.
New subject: pluggable auth-method
For OAuth there are a few issues:
1. It has specific headers.
2. You create "secrets" on the fly which are used to authenticate and
authorize requests.
Maybe its best to first iterate on an Authenticator, then move logic up
the stack once you get a prototype going? I don't know how Sergey likes
to work :)
Chris Bredesen wrote:
Yes.
Authenticator is a Catalina/Web construct that delegates to a Realm
(Catalina construct) that, in JBAS is backed by LoginModules (JAAS
constructs, JBoss implementations).
JAAS LoginModules are constrained by their own API which means they get
access to only certain callbacks (username, password, etc) and have no
knowledge of the Servlet API. You can do authentication in an
Authenticator but that's not portable to other non-Tomcat/JBW
environments. The naming is a bit confusing IMO. It made sense for
Tomcat but adds confusion in JBAS.
You don't need to worry about writing an Authenticator unless you need
access to something that you don't already get from the existing
Authenticators, such as cookies, etc.
-CB
On 07/14/2010 10:53 AM, Bill Burke wrote:
> Just guessing,
>
> Isn't the login module responsible for the actual authentication and
> authorization? Tomcat authenticator is just responsible for extracting
> header info?
>
> Sergey Beryozkin wrote:
>> Hi
>>
>>> You can achieve by writing a tomcat authenticator and putting it in
>>> WEB-INF/context.xml (JBAS) or META-INF/context.xml (tomcat).
>>>
>>> The auth-name is a string defined in the servlet spec.
>>>
>> thanks for the tip.
>>
>> What is the difference between writing a custom Tomcat authenticator and a custom
LoginModule, example,
>> org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule ?
>>
>> My understanding is that having custom login modules :
>> - makes it easy to stack together different modules, as shown for ex at [1]
>> - but requires the explicit loading of (JBoss Security) AuthenticationManager
(at least when services are POJOs)
>>
>> cheers, Sergey
>>
>> [1] http://community.jboss.org/wiki/SAMLEJBIntegrationwithPicketLinkSTS
>>
>>
>>> On 07/13/2010 11:35 AM, Bill Burke wrote:
>>>> Remy, Anil,
>>>>
>>>> (I'm cc'ing jboss-dev for archive purposes)
>>>>
>>>> Sergey , a new web services/resteasy hire, has done some great work
>>>> around OAuth lately. I'm interested in taking his stuff to the next
>>>> level and make it consumable in a way JBoss AS users are used to
>>>> configuring security.
>>>>
>>>> Specifically, I'm interested in defining a OAuth
>>>> login-config/auth-method within web.xml i.e.
>>>>
>>>> <login-config>
>>>> <auth-name>OAuth</auth-name>
>>>> <realm-name>...</realm-name>
>>>> </login-config>
>>>>
>>>> This would be an initial step, eventually I'd like to be able to
>>>> configure a web app to support multiple authentication mechanisms,
>>> so
>>>> that one URL could support both OAuth and traditional clients.
>>>>
>>>> Is JSR 196 the way to do this? Do we support in AS6? Is there doco
>>>> someplace? (I couldn't find with a search).
>>>>
>>>> Thanks,
>>>>
>>>> Bill
_______________________________________________
jboss-development mailing list
jboss-development(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-development
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5279
days inactive
5279
days old
jboss-development@lists.jboss.org
3 comments
3 participants
participants (3)
-
Bill Burke -
Chris Bredesen -
Sergey Beryozkin