Javalin implementation

[tipsy [javalin]]

Last year I created a JVM web framework, Javalin (https://javalin.io).

It seems there is a pac4j implementation available for almost every framework, so maybe there should be one for Javalin too?

Let me know if I can help in any way.

[Jérôme LELEU]

Hi,

Yes, that's the idea of pac4j: one security engine for all frameworks.

The latest framework that joined the pac4j ecosystem was Pippo (in December 2017).

While I still actively maintain the first pac4j implementations, new pac4j libraries are hosted and supported by the framework communities. 

pac4j comes with a set of components and a security model. You need to create a "javalin-pac4j" module with 5 components:

- a specific WebContext which is the abstraction of the HTTP request/response

- a specific SessionStore which is the abstraction of the HTTP session

- a security interceptor to secure URLs (which delegates the work to the DefaultSecurityLogic)

- a callback endpoint to finish remote login processes (which delegates the work to the DefaultCallbackLogic)

- a logout endpoint to handle local/central logouts (which delegates the work to the DefaultLogoutLogic).

I recommend reading: http://www.pac4j.org/gettingstarted.html and http://www.pac4j.org/docs/how-to-implement-pac4j-for-a-new-framework.html

As Javalin seems to be strongly inspired by SparkJava (for which there is a pac4 support), I also recommend starting your work based on https://github.com/pac4j/spark-pac4j/tree/master/src/main/java/org/pac4j/sparkjava

Thanks.

Best regards,

Jérôme

--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[tipsy [javalin]]

Thanks Jérôme,

I see that you have 3.0.0-RC1 available. How far off is that? Should I target v3 or v2 ?

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.

[Jérôme LELEU]

We're very close ;-) A few weeks I would say... as I'm about to release RC2, but the API changes (although not backward compatible) are not very strong between v2 and v3.

If you're super quick, start with the v2 otherwise use the v3.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[Jérôme LELEU]

Hi,

The v3.0.0 of pac4j is now available. How do you manage with the Javalin implementation? Do you need some help?

Thanks.

Best regards,

Jérôme

On Monday, May 14, 2018 at 11:58:07 AM UTC+2, Jérôme LELEU wrote:

We're very close ;-) A few weeks I would say... as I'm about to release RC2, but the API changes (although not backward compatible) are not very strong between v2 and v3.

If you're super quick, start with the v2 otherwise use the v3.

Thanks.

Best regards,

Jérôme

[tipsy [javalin]]

Thanks for letting me know Jérôme.

I haven't started yet. I've been travelling, and yesterday I started working on Javalin v2. I figured I would skip pac4j for version 1.

Any help would of course be greatly appreciated.

On Friday, June 8, 2018 at 8:25:51 AM UTC+2, Jérôme LELEU wrote:

Hi,

[Jérôme LELEU]

Hi,

Sure. I took a quick look at the documentation. A few hints:

- to protect URLs, you should certainly create a SecurityHandler used as "before". Example: https://github.com/pac4j/spring-webmvc-pac4j/blob/master/src/main/java/org/pac4j/springframework/web/SecurityInterceptor.java#L58 or maybe: https://github.com/pac4j/spark-pac4j/blob/master/src/main/java/org/pac4j/sparkjava/SecurityFilter.java#L63

- for logout and callback, you need a LogoutHandler and a CallbackHandler, both used as endpoints: Examples: https://github.com/pac4j/spark-pac4j/blob/master/src/main/java/org/pac4j/sparkjava/CallbackRoute.java#L54 and https://github.com/pac4j/spark-pac4j/blob/master/src/main/java/org/pac4j/sparkjava/LogoutRoute.java#L55

These handlers will only create a JavalinContext and call the perform methods of the appropriate logics. The JavalinContext certainly inherits from the J2EContext and is built from the Javalin ctx.request(); and ctx.response().

In pac4j the web session is handled by a SessionStore, so you also need a JavalinSessionStore built from the Javalin ctx and delegating its calls to the ctx.sessionXXX methods (only implement the minimu methods at the beginning).

By default, use the J2ENoActionHttpAdapter and you'll see if you need something specific for Javalin (like https://github.com/pac4j/spark-pac4j/blob/master/src/main/java/org/pac4j/sparkjava/DefaultHttpActionAdapter.java) as I see you have some HaltException.

Hope it helps as a starting point. Keep me posted.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[tipsy [javalin]]

Hi again Jérôme. I finally got some time to work on this today: https://github.com/tipsy/javalin-pac4j

I haven't been able to get all the examples in the test directory to work, not sure how to set the username/pwd to use for form/basic auth.

It would be great if you could take a look and give me some feedback. I don't have a good understanding of what everything does yet, I'm mostly just copying from the other implementations. 

On Monday, June 11, 2018 at 5:53:40 PM UTC+2, Jérôme LELEU wrote:

Hi,

[Jérôme LELEU]

Hi,

I took a look at your implementation. It looks good. As pac4j is a security engine, it's mostly a matter of providing it with the right abstractions after and before calling it.

In the SecurityHandler, when the access is granted to a user, a specific class/value is returned to be aware of that and not halt the request processing. So you can safely keep your String instance for comparison, I followed your idea (instead of a class) for spark-pac4j (v2.3.0): https://github.com/pac4j/spark-pac4j/commit/d1c32ae92d1e1fcfeff6eeabf18d7e7ffb66c640

In the CallbackHandler, the default client is an expected parameter, like the defaultUrl or the multiProfile property. For example in the pure J2E implementation: https://github.com/pac4j/j2e-pac4j/blob/master/src/main/java/org/pac4j/j2e/filter/CallbackFilter.java#L48

For the form login page authentication, the username and password are expected to be request parameters send via the POST method with the name: username and password. See: https://github.com/pac4j/pac4j/blob/master/pac4j-http/src/main/java/org/pac4j/http/client/indirect/FormClient.java#L71 and https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/credentials/extractor/FormExtractor.java

For the basic auth authentication, the username and password are expected to be sent as a header "Authorization", with prefix "Basic: " and base64 encoding. See: https://github.com/pac4j/pac4j/blob/master/pac4j-http/src/main/java/org/pac4j/http/client/indirect/IndirectBasicAuthClient.java#L52 and https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/credentials/extractor/BasicAuthExtractor.java

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[tipsy [javalin]]

Thanks. I was confused by the SimpleTestUsernamePasswordAuthenticator,so I made my own implementation for the example. 

If you create pac4j/javalin-pac4j I'll create a PR. Will you take care of releases and version bumping for future versions?

On Monday, July 9, 2018 at 7:58:12 PM UTC+2, Jérôme LELEU wrote:

Hi,

I took a look at your implementation. It looks good. As pac4j is a security engine, it's mostly a matter of providing it with the right abstractions after and before calling it.

In the SecurityHandler, when the access is granted to a user, a specific class/value is returned to be aware of that and not halt the request processing. So you can safely keep your String instance for comparison, I followed your idea (instead of a class) for spark-pac4j (v2.3.0): https://github.com/pac4j/spark-pac4j/commit/d1c32ae92d1e1fcfeff6eeabf18d7e7ffb66c640

In the CallbackHandler, the default client is an expected parameter, like the defaultUrl or the multiProfile property. For example in the pure J2E implementation: https://github.com/pac4j/j2e-pac4j/blob/master/src/main/java/org/pac4j/j2e/filter/CallbackFilter.java#L48

For the form login page authentication, the username and password are expected to be request parameters send via the POST method with the name: username and password. See: https://github.com/pac4j/pac4j/blob/master/pac4j-http/src/main/java/org/pac4j/http/client/indirect/FormClient.java#L71 and https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/credentials/extractor/FormExtractor.java

For the basic auth authentication, the username and password are expected to be sent as a header "Authorization", with prefix "Basic: " and base64 encoding. See: https://github.com/pac4j/pac4j/blob/master/pac4j-http/src/main/java/org/pac4j/http/client/indirect/IndirectBasicAuthClient.java#L52 and https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/credentials/extractor/BasicAuthExtractor.java

Thanks.

Best regards,

Jérôme

[Jérôme LELEU]

Hi,

I just created the repository: https://github.com/pac4j/javalin-pac4j

You can submit a PR. For the README, I highly recommend you copy/paste the one from the j2e-pac4j implementation and adapt it.

I'll take care of the releases and upgrades as much as possible, I count on your help for the major Javalin upgrades.

Here is your specific logo: https://pac4j.github.io/pac4j/img/logo-javalin.png

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[tipsy [javalin]]

Sounds good, I'll create a PR soon. Can you give me write rights to the repo? I'm unable to fork it since it's empty.

On Wednesday, July 11, 2018 at 4:41:48 PM UTC+2, Jérôme LELEU wrote:

Hi,

I just created the repository: https://github.com/pac4j/javalin-pac4j

You can submit a PR. For the README, I highly recommend you copy/paste the one from the j2e-pac4j implementation and adapt it.

I'll take care of the releases and upgrades as much as possible, I count on your help for the major Javalin upgrades.

Here is your specific logo: https://pac4j.github.io/pac4j/img/logo-javalin.png

Thanks.

Best regards,

Jérôme

[Jérôme LELEU]

Just granted you the write access, you should have received an invitation...

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[Jérôme LELEU]

Hi,

I updated the pac4j web site with references to Javalin.

Is there a release to cut? Or something else?

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.

[tipsy [javalin]]

Hi Jérôme,

I'm currently on the final release candidate. I will let you know when I release 2.0 (late august or early september) and update the javalin-pac4j repo. After that you can release it to maven central.

[tipsy [javalin]]

Hi Jérôme, 2.0.0 has been released now.

[Jérôme LELEU]

Hi,

I just cut the 1.0.0.RC0 release, it will show up in the Maven central repo in a few hours.

I upgraded the version to 1.0.0-SNAPSHOT to prepare a final release.

Keep me posted.

Thanks.

Best regards,

Jérôme

To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+unsubscribe@googlegroups.com.