ratcashdev / authenticroast

Automatically exported from code.google.com/p/authenticroast

Some thoughts for next release #13

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
1. Make it possible to configure everything via web.xml, especially composite 
authenticators, but also e.g. the login & login-error pages and anything else 
of this kind that is presently defined via a constructor parameter or method 
override. The idea being that you don't need to write any code, which will be 
possible if you are using the JAAS system.

2. If binary compatibility isn't a goal, which it doesn't seem to be, make more 
use of the javax.security.auth.message classes, given that they have to be 
present for the system to execute. For example, AuthException; AuthStatus 
instead of AuthenticationRequest.Status, MessageInfo instead of 
AuthenticationRequest, ServerAuthModule instead of PluggableAuthenticator, etc.

3. Pass around a Subject to the various authentication and loadPrincipal() 
methods.

4. The impending JAAS modules do not require any changes to the current API or 
internals. However I would like to make certain facilities available via the 
AuthenticationManager and AuthenticationRequest interfaces instead of via 
getInstance() methods as I presently have it.

TBC

Original issue reported on code.google.com by EsmondP...@gmail.com on 17 Nov 2010 at 5:55

GoogleCodeExporter commented 9 years ago
I've clarified my thoughts on (4) above. I would like to add a getSubject() 
method to AuthenticationRequest, that gets or creates a Subject from the 
current request attributes, and a getJAASAuthContext() method to the 
AuthenticationManager, that returns a per-context JAASAuthContext object TBA.

Original comment by EsmondP...@gmail.com on 17 Nov 2010 at 10:36

GoogleCodeExporter commented 9 years ago

Original comment by aike.som...@gmail.com on 18 Nov 2010 at 8:37

GoogleCodeExporter commented 9 years ago
Aike, how do you want to proceed with this? I'm ready to upload my 
SSLClientAuthenticator class, and I have JAAS code that is now pretty stable. I 
will upload that too for your review but I wouldn't like it to appear until the 
milestone because of (4) above, which will eliminate a class from my code and 
make it all generally nicer. Removing that class will affect most or all of the 
others.

Original comment by EsmondP...@gmail.com on 19 Nov 2010 at 2:23

GoogleCodeExporter commented 9 years ago
If your code works as is, I would like to commit it. If you don't feel 
comfortable with it, then we can postpone that, however.
Does your question also apply to the SSLClientAuthenticator class you attached 
to issue 3? Or can I go ahead and commit that?

Original comment by aike.som...@gmail.com on 21 Nov 2010 at 5:01

GoogleCodeExporter commented 9 years ago
There's a minor error in the Javadoc of SSLClientAuthenticator. New version 
attached. You can commit that now. I'll stabilize my JAAS code and upload in a 
couple of days. Nearly there, just kind of looking at it and wondering if the 
API is pretty enough ;-)

Original comment by EsmondP...@gmail.com on 22 Nov 2010 at 1:22

GoogleCodeExporter commented 9 years ago
Here is something for the next release, a configurable composite authenticator 
that gets its pluggable-authenticator class names out of the context init 
parameters.

Original comment by EsmondP...@gmail.com on 2 Dec 2010 at 6:08

GoogleCodeExporter commented 9 years ago
I also need to have access to the CallbackHandler and the Subject. I am using 
the PasswordValidationCallback to validate the credentials and populate the 
Subject with the groups.

Should these be made available via the AuthenticatorManager interface? I don't 
know. For right now, I added get methods to the AuthModule to make these 
available and am casting to this class to get access.

Original comment by bbergqui...@gmail.com on 7 Feb 2012 at 1:45

GoogleCodeExporter commented 9 years ago
Also it would be good to add a method to PluggableAuthenticator that could 
be used to initialize the authenticator module once. So for example I have an 
authenticator module that I want to read some context parameters or even 
configuration parameters configured into GlassFish for ServerAuthModule; I 
could read these once before the module is used.

Original comment by bbergqui...@gmail.com on 7 Feb 2012 at 2:19

GoogleCodeExporter commented 9 years ago
Re comment 8, just subclass it and write your own constructor. No need for 
another method.

Original comment by EsmondP...@gmail.com on 8 Feb 2012 at 10:24

GoogleCodeExporter commented 9 years ago
Re comment 7, that's not the right way to do it. You're better off using a 
javax.security.auth.message.callback.GroupPrincipalCallback from the JSR 196 
API. I've used it without any of the suggested changes to the 
AuthenticationManager interface, just use the stuff I've posted that adds JAAS 
to AuthenticRoast.

Original comment by EsmondP...@gmail.com on 16 Feb 2012 at 12:15
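Comments 7 and 10 above both turn on how a module should validate credentials and hand the caller's groups to the container. As an added illustration (not code from AuthenticRoast or from either commenter), here is the plain JSR 196 way, written directly against javax.security.auth.message so it does not depend on the AuthenticRoast API; the form-field names, the AuthStatus returned on failure and the fixed "users" group are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Minimal JSR 196 module: validation and group assignment go through container callbacks.
public class CallbackBasedAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    @Override
    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // supplied by the container; read 'options' here once if needed
    }
    @Override
    public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String user = req.getParameter("j_username"); // form field names are assumed
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) return AuthStatus.SEND_FAILURE; // nothing presented
        try {
            // The container realm checks the password; the module never compares secrets itself.
            PasswordValidationCallback pvc =
                new PasswordValidationCallback(clientSubject, user, pass.toCharArray());
            handler.handle(new Callback[] { pvc });
            pvc.clearPassword();
            if (!pvc.getResult()) return AuthStatus.SEND_FAILURE;
            // Caller identity and groups are established via callbacks, not by casting the
            // module or adding principals to the Subject by hand. The group list is a placeholder.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, new String[] { "users" })
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

Because the realm, not the module, decides whether the password is valid and which groups apply, no getter on the module and no cast are needed to reach the CallbackHandler or Subject: both arrive through initialize() and validateRequest().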