https://github.com/rdebusscher/secspikeweb

Security Spec Web version

# secSpikeWeb
Security Spec Web version

Based on the ideas of Adam Bien (and Arjan Tijms - Omnisecurity)

https://github.com/AdamBien/secspike

## Tried

- Custom form authentication with PrimeFaces and JASPIC
- SecurityContext, single place for programmatic login and Principal/Subject

## Status

Not succeeded, but maybe due to the fact that I can't integrate the required code into the server core.

## Issues
- How can we define the authentication method in web.xml with JASPIC?
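```
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>custom</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
```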
- How can we define the URL paths which are protected?
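```
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Todos</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
```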
Now hardcoded in org.omnifaces.security.jaspic.factory.OmniServerAuthContext#validateRequest

- SecurityContext needs to access the JASPIC helper class HttpMsgContext, but it is not available there. So I added it to the HttpServletRequest as an attribute (see org.secspike.todo.auth.CustomFormAuthModule#initializeModule and javax.security.SecurityContext#getContext)
- Assumed that when the user isn't authenticated, the Principal name is **ANONYMOUS**. But this isn't standardized. (see javax.security.SecurityContext#isAuthenticated)