Soteria Updates for PFD Changes


Will Hopkins
 

EG,

Trying to get a sense of how much work is left to get Soteria updated to match the PFD version of the spec. A good chunk is already done, but I'd like to check on the following items, and will create JIRA issues for them if needed:
  • EL support -- Arjan, I know most of that is done -- is it finished for all annotations? Anything left to do there (ignoring DatabaseIdentityStoreDefinition.hashAlgorithm for a moment)?
  • Changes to the LdapIdentityStoreDefinition -- I see that the new attribute values have been picked up, does the behavior match what's expected per the updated javadoc, or does that need to be investigated/updated? It doesn't look, for example, like search scopes are supported, or group lookup via memberOf attribute (using caller DN from CredentialValidationResult).
  • Changes to DatabaseIdentityStoreDefinition, primarily support for default hash algorithm? I think we actually need something better here than is spec'd, so probably best not to do more work on hash algorithm right now.
  • Changes to notifyContainerAboutLogin() to support expected behavior for caller vs. app principals? Looks like that's not done, or not fully done, though the signature changes have been made.
  • The changes to use AuthenticationException instead of AuthException look like they're complete.
  • Anything else anyone knows of?

Thanks,

Will

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803


Arjan Tijms
 

Hi,

On Tue, Jul 18, 2017 at 10:54 PM, Will Hopkins <will.hopkins@...> wrote:

  • EL support -- Arjan, I know most of that is done -- is it finished for all annotations? Anything left to do there (ignoring DatabaseIdentityStoreDefinition.hashAlgorithm for a moment)?

EL support for all attributes is implemented now. Could do with more test coverage, but unless I missed something I think this is done.

DatabaseIdentityStoreDefinition.hashAlgorithm is there largely too. It now accepts an EL string -> string method expression. The bean where that method resides can get its parameters from whatever location is suitable for the user. To make it really complete a simple key/value list can be added to the annotation so parameters can be specified right from the annotation.

 
  • Changes to the LdapIdentityStoreDefinition -- I see that the new attribute values have been picked up, does the behavior match what's expected per the updated javadoc, or does that need to be investigated/updated?  It doesn't look, for example, like search scopes are supported, or group lookup via memberOf attribute (using caller DN from CredentialValidationResult).

The implementation of any new attributes has not been done. I renamed the existing one to match the PFD and EL enabled all of them, but that's it.

 
  • Changes to DatabaseIdentityStoreDefinition, primarily support for default hash algorithm? I think we actually need something better here than is spec'd, so probably best not to do more work on hash algorithm right now.

See above. Hashing is now being done, but could be fleshed out a bit more.
 
  • Changes to notifyContainerAboutLogin() to support expected behavior for caller vs. app principals? Looks like that's not done, or not fully done, though the signature changes have been made.

I think the RI (GlassFish/Soteria) doesn't need to make any additional changes here, as its defaults already work (in GlassFish the caller/app principal would already be the same, as it returns from HttpServletRequest#getUserPrincipal etc. what the CallerPrincipalCallback from JSR 196 puts into it).

Other servers can, when necessary, implement this in their own way. I'll walk through the spec text and code again to see whether I missed anything for the RI.

 
  • The changes to use AuthenticationException instead of AuthException look like they're complete.

Yes, that's been taken care of.
 
  • Anything else anyone knows of?

As far as RI matching spec text, I think the above list is complete.

The spec text could perhaps do with some clarifications, specifically, as Rudy mentioned in another topic, the LoginToContinue. Reading the spec I think theoretically everything is there, but it's terse and vendors may not fully interpret it as intended.

Kind regards,
Arjan Tijms

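The thread above describes DatabaseIdentityStoreDefinition.hashAlgorithm as accepting an EL string -> string method expression on a bean of the user's choosing, and notes that a parameter list for it may still be added. The following is an added example from the editor, not Soteria's code and not code from the thread: a CDI bean with a string -> string hash(String) method that could be referenced from such an expression. The bean name pbkdf2Hasher, the assumed annotation wiring hashAlgorithm = "#{pbkdf2Hasher.hash}", and the stored-hash format "PBKDF2WithHmacSHA256:iterations:salt:hash" are this example's assumptions. The verify(String, String) method goes beyond the string -> string contract the thread describes; it is included because a salted hash can only be checked with access to the stored value, which is the practical reason a plain string -> string hash is not enough for a password store.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;

/**
 * Example password hasher (editor's example, not Soteria's code).
 * Assumed wiring, not taken from the thread:
 *   @DatabaseIdentityStoreDefinition(..., hashAlgorithm = "#{pbkdf2Hasher.hash}")
 * Stored values are self-describing: algorithm:iterations:base64(salt):base64(hash),
 * so the iteration count can be raised later without breaking existing rows.
 */
@Named("pbkdf2Hasher")
@ApplicationScoped
public class Pbkdf2Hasher {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;   // tune to the deployment's CPU budget
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** string -> string method usable from an EL method expression: hashes with a fresh random salt. */
    public String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] derived = derive(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return ALGORITHM + ":" + ITERATIONS + ":"
                + enc.encodeToString(salt) + ":" + enc.encodeToString(derived);
    }

    /**
     * Checks a caller-supplied password against a stored value produced by hash().
     * Rejects malformed or foreign-algorithm values instead of throwing, and uses a
     * constant-time comparison on the derived key.
     */
    public boolean verify(String password, String stored) {
        if (password == null || stored == null) {
            return false;
        }
        String[] parts = stored.split(":");
        if (parts.length != 4 || !ALGORITHM.equals(parts[0])) {
            return false;
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return false;
        }
        if (iterations < 1 || salt.length == 0) {
            return false;
        }
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(String password, byte[] salt, int iterations) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(ALGORITHM + " is not available in this JRE", e);
        }
    }
}
```

Because hash() salts every call, calling it on the caller's password and comparing the result to the stored column will never match; an identity store built on a string -> string expression alone would have to use an unsalted scheme, which is the weakness behind the remark that something better than the spec'd hashAlgorithm is needed. Storing the algorithm and iteration count with the hash is what lets verify() keep accepting old rows while new ones are written with stronger parameters.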
