Menu
▾
▴
Re: [Unity-idm-discuss] custom servlet endpoint authentication
|
From: Krzysztof B. <go...@ic...> - 2015-01-22 10:54:39
|
Hi, W dniu 22.01.2015 o 10:13, Terefang Verigorn pisze: > hi! > > i think that other 3rd parties might also like to go the non jax-rs route. > > we decided to use json-rpc with only the basic java objects > (Collection, Map, String, Integer, Boolean, Long, Float, Double) > for maximum interoperability due to language issues (perl, python, java, > dotnet) > (http://json-rpc.org/wiki/specification) > > for our java environment we chose jsonrpc4j, since it can be used > over almost any transport (stream) and and can use interface proxies. > (https://github.com/briandilley/jsonrpc4j#client) > > unit testing the rpc calls is trivial. > (i use RESTClient for directly calling the endpoint for verification) Well, I agree that JSON-RPC is both easy and portable. However, any other JSON based API (including RESTful APIs) is portable and even if you have JAX-RS based server side implementation you can use any technology to access the service. The real difference is around 'easy'. With the 'manually' created REST API you have to code more as you design how you use the low level (HTTP) protocol: what JSON objects are exchanged and what are the paths¶ms to send/get them. With JSON RPC you get this all for free. Now, the question is how you build this API. If you simply mirror the internal Unity API then you will have troubles when it will come to upgrade the server: Unity internal API and its params is subject to change. If you on another hand designed your own remote API and expose it via JSON-RPC then you will have more control and probably will be able to mask underlying Unity API changes. However also similar amount of work as in the RESTful API case so no much gain... OK, I don't know your use case so the above it is purely theoretical:) > ok now making it work ... So how to implement a new binding? All examples will refer to the unity-server-rest module which is the most similar. 1) You need to define a contract (interface) for authenticators to retrieve credentials from your binding. As in your case it is low level then your retrievals should be servlet filters. Example: CXFAuthentication (which uses interceptros) 2) You will have to implement a credential retrieval (implementing a contract from (1)) for each credential which you are going to use with this binding. Retrievals are responsible for getting a credential in a transport specific way and then use a provided verificator to check it. Examples: HttpBasicRetrieval* 3) You will need to code a class that will be responsible for collecting a complete authentication result, by retrieving authn results from all authenticators (guys from (2)) and feeding it to generic Unity code to get a composite decision. It will be another servelt filter in your case. See AuthenticationInterceptor. 4) You will need a code that will install all authenticators (of course Unity ensures that only compatible authenticators can be used used) on an endpoint (i.e. it will install the filters, including the final one from (3)). Example: RESTEndpoint#installAuthnInterceptors() Yes, this is quite a lot of work, and rather difficult - you have to understand in details what happens, what is the order of invocation etc. Good luck, Krzysztof |
