Can pac4j be used in an application using Dropwizard Framework? If so then how


Raman Jhajj

Oct 6, 2015, 8:54:04 AM
to pac4j-users
Can pac4j be used in an application using Dropwizard Framework? If so then how

Jérôme LELEU

Oct 6, 2015, 9:02:03 AM
to Raman Jhajj, pac4j-users
Hi,

There is currently no specific support for Dropwizard.
I took a quick look at the documentation: this framework mainly targets web services: what would be your use case?


Thanks.
Best regards,
Jérôme



Raman Jhajj

Oct 6, 2015, 11:15:34 AM
to pac4j-users, bobby...@gmail.com
I am completely new to Pac4j and quite confused still.

My use case is, I have a Java application based on Dropwizard for web services and an AngularJS frontend. I have to authenticate users from the login page (user names and passwords are in the application's local database) and also authorize the REST calls.

Looking at the documentation I could see that I have to create a UsernamePasswordAuthenticator (to check username and password from the database) which implements the "UsernamePasswordAuthenticator" interface and also a CustomAuthorizer which implements the Authorizer interface. Finally, I have to put it all together using a ConfigFactory. Am I right in what I understood? Please let me know.

Another question is, do I have to use pac4j-http and j2e-pac4j for this?

Thanks a lot in advance

Jérôme LELEU

Oct 6, 2015, 11:33:13 AM
to Raman Jhajj, pac4j-users
Hi,

You get it right.

pac4j is a generic security engine, available via its pac4j-core module, which supports multiple authentication mechanisms and frameworks.

Various authentication mechanisms are available through pac4j-* modules: pac4j-oauth for OAuth (Facebook, Twitter...), pac4j-ldap for LDAP authentication...

Various framework implementations are available through *-pac4j projects: j2e-pac4j for J2E, play-pac4j for Play, vertx-pac4j for Vertx...

Indirect clients are authentication mechanisms where the user is redirected to an external identity provider (form authentication is considered so) while direct clients are used when credentials are passed directly along the HTTP request (web services).

As your dropwizard app is a J2E webapp, you can use the j2e-pac4j library to handle the security:
- the RequiresAuthenticationFilter protects URLs
- the CallbackFilter is necessary for indirect clients to finish the process.

So in your case, you need to define two clients: a FormClient (from the pac4j-http library) for form login with a specific UsernamePasswordAuthenticator which checks credentials in the database (you could maybe use the DbAuthenticator from the pac4j-sql module).
For the REST calls: what are the credentials and authentication mechanism?

For example, you could create a ParameterClient (if it's a token) or a DirectBasicAuthClient (if it's a login/pwd passed via basic auth).

Both clients will be gathered in a Config which itself will be built via a ConfigFactory, whose name must be specified in one of the filters.

The authorizers (like CustomAuthorizer) only deal with authorizations (like roles, permissions...) so I don't think you need them in your case.

I hope it's clearer now.

Thanks.
Best regards,
Jérôme
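
The setup described in the reply above, as an added example that is not part of the original thread or pac4j's own code: a ConfigFactory that registers a FormClient and a DirectBasicAuthClient sharing one UsernamePasswordAuthenticator. It assumes the pac4j 1.8 API (later releases moved and changed these types); the class name, URLs, the in-memory USERS map standing in for the database, and the PBKDF2 parameters are hypothetical.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.http.credentials.UsernamePasswordCredentials;
import org.pac4j.http.credentials.authenticator.UsernamePasswordAuthenticator;
import org.pac4j.http.profile.HttpProfile;

// Hypothetical class: the name given to the j2e-pac4j filters; it also serves as the authenticator.
public class AppConfigFactory implements ConfigFactory, UsernamePasswordAuthenticator {
    // Constructed stand-in for the user table: username -> {salt, PBKDF2 hash}.
    static final Map<String, byte[][]> USERS = new HashMap<>();
    static final byte[][] DUMMY = {new byte[16], new byte[32]}; // used for unknown users
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override // shared by the form login and the REST calls
    public void validate(UsernamePasswordCredentials c) {
        if (c == null || c.getPassword() == null || c.getPassword().isEmpty()) {
            throw new CredentialsException("Missing credentials");
        }
        // Unknown users still cost one PBKDF2 run; the comparison is constant-time.
        byte[][] row = USERS.getOrDefault(c.getUsername(), DUMMY);
        if (!MessageDigest.isEqual(row[1], pbkdf2(c.getPassword(), row[0])) || row == DUMMY) {
            throw new CredentialsException("Invalid username or password");
        }
        HttpProfile profile = new HttpProfile();
        profile.setId(c.getUsername());
        c.setUserProfile(profile);
    }

    @Override
    public Config build() {
        FormClient form = new FormClient("/login.html", this);         // indirect: login page
        DirectBasicAuthClient basic = new DirectBasicAuthClient(this); // direct: REST calls
        return new Config(new Clients("http://localhost:8080/callback", form, basic));
    }
}
```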

Evan Meagher

Aug 11, 2016, 8:31:15 PM
to pac4j-users, bobby...@gmail.com
Pardon my digging up an old thread, but I recently wrote a Dropwizard bundle which should ease integration with j2e-pac4j. In short, it wires up a Dropwizard app's config file with an org.pac4j.j2e.filter.SecurityFilter attached to the application's Jetty server.

If anybody thinks this could be useful to them, please take a look and provide feedback. I haven't published any artifacts yet, as I'm wanting to gauge interest before investing more time in library upkeep.

Jérôme LELEU

Aug 12, 2016, 3:32:43 AM
to Evan Meagher, pac4j-users, Raman Jhajj
Hi,

It looks very promising to me, I'm not sure how a separate Pac4jConfiguration interface is necessary though. The j2e-pac4j library is not used very much directly, but it has all the pac4j features and is a perfect basis like in Knox integration (security for Hadoop).

Following the design choices you made, it would be easy to add the CallbackFilter and handle indirect clients as well (form authentication, Facebook, CAS, SAML, OpenID Connect...)

I think the question should be asked on the Dropwizard users mailing list as well, and I see a technical discussion I'll dive into: https://groups.google.com/forum/#!topic/dropwizard-dev/Pc5J-V_QEx8

Notice we did that for Dropwizard lately: https://github.com/pac4j/pac4j/pull/616

In any case, if you want to go further on this, I'll be happy to help you.

Thanks.
Best regards,
Jérôme





jez prime

Aug 13, 2016, 3:27:41 AM
to pac4j-users, evan.m...@gmail.com, bobby...@gmail.com
I can answer the question about Pac4jConfiguration interface - Configuration interfaces form the basis of how DropWizard config files are read by applications so if you want to configure your Pac4j clients via a yaml file containing all the rest of your application configuration, this will be necessary. An implementor of the overall application Configuration interface is what ultimately gets passed around (for example into the bundle at initialisation).

Evan Meagher

Aug 13, 2016, 2:56:13 PM
to jez prime, pac4j-users, bobby...@gmail.com
Jez is correct, the Pac4j{Configuration,Factory} wiring is used to bridge an application's YAML config file with the underlying j2e-pac4j filter. It's a bit odd from a Dropwizard convention perspective that one has to provide class names for the ConfigFactory, Clients, etc in the config file rather than configuration parameters that would be used to construct these classes internally. This is a consequence of ConfigFactory requiring a no-arg `build()` method and the fact that io.pac4j.j2e.core.config.ConfigBuilder uses reflection rather than dependency injection to create Config objects.

This is undoubtedly a consequence of my being unfamiliar with pac4j, so I may have missed some part of the documentation about alternative means of configuration.

I'd still like to stick with only supporting pac4j's SecurityFilter for an initial release, and perhaps add support for indirect clients as a follow-on change if it's desired by the community. Dropwizard is tailored towards REST servers, so I think support for direct clients will suffice for many use cases.
--
Evan Meagher

jez prime

Aug 13, 2016, 3:05:59 PM
to pac4j-users, mr.n...@gmail.com, bobby...@gmail.com
I'll take a look at what you've done so far when I get the chance (I'm knee-deep in updating vertx-pac4j to latest pac4j and the features it offers, and unfortunately I'm very time-limited at present), you're ahead of me on DropWizard knowledge, I have a little pac4j core knowledge from working on vertx-pac4j, maybe I can offer something which will help you build out via the pac4j side of things in a reasonably DW-friendly way without too much pain. 

In addition, I suspect configuring a callback configuration might be less painful than you think but I agree that's something to come back to, I think direct clients are more interesting for most DW use-cases (it seems to be very popular for service-based architectures, I haven't seen many user-facing web apps built in it so for most consumers the indirect clients are likely to be a lower priority, exactly as you've said). I have a client who might be interested in using pac4j in their service authentication/authorisation stack - but that's only a might at present.

Jérôme LELEU

Aug 15, 2016, 3:16:09 AM
to jez prime, pac4j-users, Raman Jhajj
Hi,

About the build() method, the idea is to create the ConfigFactory with the needed parameters (in the constructor) before calling the build() method, but this could be revisited.

The ConfigFactory is the only option when you cannot pass any better parameter than a string, which is the case of J2E (the same constraint somehow occurs for Knox).

The YAML format allows you to define lists and maps, but here we need to be able to instantiate objects, so I don't think this is feasible.

Thanks.
Best regards,
Jérôme




