https://github.com/rdebusscher/secspikeweb
Security Spec Web version
- Host: GitHub
- URL: https://github.com/rdebusscher/secspikeweb
- Owner: rdebusscher
- License: apache-2.0
- Created: 2015-05-07T08:18:42.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2015-05-07T08:41:55.000Z (over 9 years ago)
- Last Synced: 2023-04-03T18:53:43.204Z (almost 2 years ago)
- Language: Java
- Size: 164 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# secSpikeWeb
Security Spec Web version

Based on the ideas of Adam Bien (and Arjan Tijms - Omnisecurity)
https://github.com/AdamBien/secspike
## Tried
- Custom form authentication with PrimeFaces and JASPIC
- SecurityContext, single place for programmatic login and Principal/Subject
## Status
Did not succeed, but maybe due to the fact that I can't integrate the required code into the server core.
## Issues
- How can we define the authentication method in web.xml with JASPIC?
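```
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>custom</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
```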
- How can we define the URL paths which are protected?
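```
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Todos</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>USER</role-name></auth-constraint>
</security-constraint>
```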
Now hardcoded in org.omnifaces.security.jaspic.factory.OmniServerAuthContext#validateRequest
- SecurityContext needs to access the JASPIC helper class HttpMsgContext, but it is not available there. So I added it to the HttpServletRequest as an attribute (see org.secspike.todo.auth.CustomFormAuthModule#initializeModule and javax.security.SecurityContext#getContext)
- Assumed that when the user isn't authenticated the Principal name is **ANONYMOUS**. But this isn't standardized. (see javax.security.SecurityContext#isAuthenticated)