1 p.m.
Undertow team,
I'm trying to integrate our integration with JBoss into Wildfy 8.x. Its a
reverse proxy that generates a token in a header that is then decoded and
the context is set. It works in JBoss 7.x using a combination of a Valve
and a JAAS LoginModule but am struggling to figure out what the replacement
of the Valve would be.
Doing some googling I found
http://undertow.io/documentation/core/security.html but it doesn't point
out how to configure this without writing custom code to add mechanism to
the chain. I found a stacktrace article about setting up a servlet
extension that creates the mechanism, but I don't feel like thats the
*best* solution. When I did the JBoss 7 integration I used PicketLink's
SAML integration as an example but it looks like it isn't yet working for
Wildfly 8.x and won't work until 9?
I know this isn't a JBoss list but my post on the JBoss forums isn't going
anywhere so I thought I'd ask here. If someone could point me to an
example (I usually start with an example of authenticating based on a
username in a header) I'd really appreciate it.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
<marc.boorshtein(a)tremolosecurity.com>
2:42 p.m.
Hi Marc,
I know this isn't a JBoss list but my post on the JBoss forums
isn't going anywhere so I thought I'd ask here. If someone could point me to an
example (I usually start with an example of authenticating based on a username in a
header) I'd really appreciate it.
If you're looking for custom authentication then there's a
standardized SPI/API for that: JASPIC. It's supported relatively well
by WildFly 8.x.
There's an example of building a simple module here:
http://www.trajano.net/2014/06/creating-a-simple-jaspic-auth-module
and somewhat more complex one by the same author here:
http://www.trajano.net/2014/07/oauth-2-0-jaspic-implementation
I've posted about the background of JASPIC here:
http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentic...
and created several tests that demonstrate a variety of behaviors
here: https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic
(see also https://github.com/javaee-samples/javaee7-samples/issues/243)
Another example can be found here: https://github.com/arjantijms/two-factor-sam
This should hopefully be enough to start with an example where you
authenticate based on a header.
Kind regards,
Arjan
On Wed, Oct 15, 2014 at 8:00 PM, Marc Boorshtein
<marc.boorshtein(a)tremolosecurity.com> wrote:
Undertow team,
I'm trying to integrate our integration with JBoss into Wildfy 8.x. Its a
reverse proxy that generates a token in a header that is then decoded and
the context is set. It works in JBoss 7.x using a combination of a Valve
and a JAAS LoginModule but am struggling to figure out what the replacement
of the Valve would be.
Doing some googling I found
http://undertow.io/documentation/core/security.html but it doesn't point out
how to configure this without writing custom code to add mechanism to the
chain. I found a stacktrace article about setting up a servlet extension
that creates the mechanism, but I don't feel like thats the *best* solution.
When I did the JBoss 7 integration I used PicketLink's SAML integration as
an example but it looks like it isn't yet working for Wildfly 8.x and won't
work until 9?
I know this isn't a JBoss list but my post on the JBoss forums isn't going
anywhere so I thought I'd ask here. If someone could point me to an example
(I usually start with an example of authenticating based on a username in a
header) I'd really appreciate it.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
5:47 p.m.
The equivalent of a valve is a HttpHandler, you can wire them up programatically via
jboss-web.xml, something like:
<jboss-web>
<http-handler>
<class-name>org.jboss.as.test.integration.web.handlers.SetHeaderHandler</class-name>
<param>
<param-name>name</param-name>
<param-value>MyHeader</param-value>
</param>
<param>
<param-name>value</param-name>
<param-value>MyValue</param-value>
</param>
</http-handler>
</jboss-web>
Stuart
----- Original Message -----
From: "Marc Boorshtein"
<marc.boorshtein(a)tremolosecurity.com>
To: "undertow-dev@lists jboss. org" <undertow-dev(a)lists.jboss.org>
Sent: Thursday, 16 October, 2014 5:00:26 AM
Subject: [undertow-dev] How to do custom authentication?
Undertow team,
I'm trying to integrate our integration with JBoss into Wildfy 8.x. Its a
reverse proxy that generates a token in a header that is then decoded and
the context is set. It works in JBoss 7.x using a combination of a Valve and
a JAAS LoginModule but am struggling to figure out what the replacement of
the Valve would be.
Doing some googling I found
http://undertow.io/documentation/core/security.html but it doesn't point out
how to configure this without writing custom code to add mechanism to the
chain. I found a stacktrace article about setting up a servlet extension
that creates the mechanism, but I don't feel like thats the *best* solution.
When I did the JBoss 7 integration I used PicketLink's SAML integration as
an example but it looks like it isn't yet working for Wildfly 8.x and won't
work until 9?
I know this isn't a JBoss list but my post on the JBoss forums isn't going
anywhere so I thought I'd ask here. If someone could point me to an example
(I usually start with an example of authenticating based on a username in a
header) I'd really appreciate it.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
6:16 a.m.
On Thu, Oct 16, 2014 at 12:47 AM, Stuart Douglas <sdouglas(a)redhat.com>
wrote:
The equivalent of a valve is a HttpHandler, you can wire them up
programatically via jboss-web.xml, something like:
Or since upcoming wildfly 8.2 and 9 it is also possible as global
configuration in undertow subsystem
<host name="default-host" alias="localhost, some.host"
default-web-module="something.war">
<location name="/" handler="welcome-content">
<filter-ref name="custom-filter"/>
....
</host>
....
<filters>
<filter name="custom-filter"
class-name="io.undertow.server.handlers.HttpTraceHandler"
module="io.undertow.core" />
</filters>
7:04 a.m.
Thanks everyone. So would the beat approach be to use a http and let to
invoke a jaspic class or to invoke an undertow authentication class?
Thanks
Marc
On Oct 16, 2014 7:16 AM, "Tomaž Cerar" <tomaz.cerar(a)gmail.com> wrote:
On Thu, Oct 16, 2014 at 12:47 AM, Stuart Douglas <sdouglas(a)redhat.com>
wrote:
> The equivalent of a valve is a HttpHandler, you can wire them up
> programatically via jboss-web.xml, something like:
Or since upcoming wildfly 8.2 and 9 it is also possible as global
configuration in undertow subsystem
<host name="default-host" alias="localhost, some.host"
default-web-module="something.war">
<location name="/" handler="welcome-content">
<filter-ref name="custom-filter"/>
....
</host>
....
<filters>
<filter name="custom-filter"
class-name="io.undertow.server.handlers.HttpTraceHandler"
module="io.undertow.core" />
</filters>
7:36 a.m.
Hi,
On Thu, Oct 16, 2014 at 2:04 PM, Marc Boorshtein
<marc.boorshtein(a)tremolosecurity.com> wrote:
Thanks everyone. So would the beat approach be to use a http and let
to
invoke a jaspic class or to invoke an undertow authentication class?
I'd personally say JASPIC. The advantage it that it's a standardized
SPI/API, which means it very likely won't suddenly change in a major
incompatible way between JBoss versions.
Also note that the HttpHandler (and before that a Valve) is not an
authentication class perse, but a general mechanism. Using an
HttpHandler though gives you access to some very low-level Undertow
mechanics, that you won't be able to access from higher level and more
general JASPIC authentication modules.
As a middle ground; I've seen a couple of JASPIC authentication
modules that casted the HTTPServletRequest to a JBoss specific one and
then did some things with it that the plain Servlet API doesn't allow,
and ones that were combined with a Valve (JBoss EAP 6 and before).
JBoss themselves have published 3 JASPIC authentication modules where
they use this hybrid approach, see e.g.
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-web...
But I'd suggest starting with the plain JASPIC/Servlet APIs first and
only going JBoss specific when really needed.
Regards,
Arjan
Thanks
Marc
On Oct 16, 2014 7:16 AM, "Tomaž Cerar" <tomaz.cerar(a)gmail.com> wrote:
>
>
> On Thu, Oct 16, 2014 at 12:47 AM, Stuart Douglas <sdouglas(a)redhat.com>
> wrote:
>>
>> The equivalent of a valve is a HttpHandler, you can wire them up
>> programatically via jboss-web.xml, something like:
>
>
>
> Or since upcoming wildfly 8.2 and 9 it is also possible as global
> configuration in undertow subsystem
>
> <host name="default-host" alias="localhost, some.host"
> default-web-module="something.war">
> <location name="/" handler="welcome-content">
> <filter-ref name="custom-filter"/>
> ....
> </host>
> ....
>
> <filters>
> <filter name="custom-filter"
> class-name="io.undertow.server.handlers.HttpTraceHandler"
> module="io.undertow.core" />
> </filters>
>
>
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
3720
days inactive
3721
days old
5 comments
4 participants
participants (4)
-
arjan tijms -
Marc Boorshtein -
Stuart Douglas -
Tomaž Cerar