Grizzly 2.x and Basic auth. and Filters


Grizzly 2.x and Basic auth. and Filters

Gay David (Annecy)

Hi all,

I’m looking for a good way to add authentication support in Grizzly 2.x.

I want to support Basic and Kerberos.

I don’t know if there is already a built-in mechanism in Grizzly 2.x today?

But as far as I understand, it seems to me that Grizzly Filters are a good way to implement that because:

* I need to check the auth before going into the HttpHandler

* I don’t want the various HttpHandlers to know or implement anything about authentication

* I want to be able to add a new auth. system if needed, without modifying my HttpHandlers

Does it make sense to use a filter for authentication?

I’m also very interested in Grizzly filters for various reasons, mostly because they could allow me to add side features without putting these in the HttpHandler (auditing, logging, performance, rejecting a request if not in an IP range, etc.). I’ve also seen an AddOn interface that seems really nice for packaging all these filters.

Does it also make sense to use filters for that?

I haven’t gone deeper into the filter API yet (I will), but the interface org.glassfish.grizzly.filterchain.Filter is not so obvious, at least for me.

So, are there some filter examples somewhere that could help me?

Thanks for any help.

Regards, David.

 


Re: Grizzly 2.x and Basic auth. and Filters

oleksiys
Administrator
Hi David,

> I’m looking for a good way to add authentication support in Grizzly 2.x.
> I want to support Basic and Kerberos.
> I don’t know if there is already a built-in mechanism in Grizzly 2.x today?

Not at the moment.

> But as far as I understand, it seems to me that Grizzly Filters are a good way to implement that because:
> * I need to check the auth before going into the HttpHandler
> * I don’t want the various HttpHandlers to know or implement anything about authentication
> * I want to be able to add a new auth. system if needed, without modifying my HttpHandlers
> Does it make sense to use a filter for authentication?

Absolutely.

> I’m also very interested in Grizzly filters for various reasons, mostly because they could allow me to add side features without putting these in the HttpHandler (auditing, logging, performance, rejecting a request if not in an IP range, etc.). I’ve also seen an AddOn interface that seems really nice for packaging all these filters.
> Does it also make sense to use filters for that?

Yep.

> I haven’t gone deeper into the filter API yet (I will), but the interface org.glassfish.grizzly.filterchain.Filter is not so obvious, at least for me.
> So, are there some filter examples somewhere that could help me?

Sure :)
Here is the section from the user guide which may help [1].

In general HttpServer FilterChain looks like:

TransportFilter <-> HttpCodecFilter <-> HttpServerFilter

Depending on features you might want to use, you can add Filters to the chain. For example secured HttpServer's FilterChain will look like:

TransportFilter <-> SSLFilter <-> HttpCodecFilter <-> HttpServerFilter

If you want to add HTTP authentication feature, the best approach would be to add YourAuthFilter like:

TransportFilter <-> HttpCodecFilter <-> YourAuthFilter <-> HttpServerFilter

so YourAuthFilter will be able to process HTTP request before it reaches HttpServerFilter. You'll be able to pass control upstream to HttpServerFilter, or write HTTP response directly from YourAuthFilter.
You may want to read about Grizzly low-level HTTP framework here [2].

IMO the first step you can do - implement YourAuthFilter like:

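import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.glassfish.grizzly.Grizzly;
import org.glassfish.grizzly.filterchain.BaseFilter;
import org.glassfish.grizzly.filterchain.FilterChainContext;
import org.glassfish.grizzly.filterchain.NextAction;

public class YourAuthFilter extends BaseFilter {
    private final Logger logger = Grizzly.logger(YourAuthFilter.class);
    // Level used for the trace messages below
    private final Level level = Level.INFO;

    // Called for each message travelling upstream, towards HttpServerFilter
    @Override
    public NextAction handleRead(FilterChainContext ctx) throws IOException {
        logger.log(level, "LogFilter handleRead. Connection={0} message={1}",
                new Object[] {ctx.getConnection(), ctx.getMessage()});
        return ctx.getInvokeAction();
    }

    // Called for each message travelling downstream, towards the transport
    @Override
    public NextAction handleWrite(FilterChainContext ctx) throws IOException {
        logger.log(level, "LogFilter handleWrite. Connection={0} message={1}",
                new Object[] {ctx.getConnection(), ctx.getMessage()});
        return ctx.getInvokeAction();
    }
}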

Check the HTTP messages passing up/downstream.

Thanks.

WBR,
Alexey.

[1] http://grizzly.java.net/nonav/docs/docbkx2.0/html/filterchain-filters.html
[2] http://grizzly.java.net/nonav/docs/docbkx2.0/html/http.html
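
Added example (not part of the original thread and not Grizzly project code): a sketch of the YourAuthFilter position described above, checking HTTP Basic credentials after HttpCodecFilter and either passing the request upstream or answering 401 from the filter. The class name BasicAuthFilter, the attribute key "auth.user", the realm "example" and the single fixed account are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import org.glassfish.grizzly.filterchain.*;
import org.glassfish.grizzly.http.*;

public class BasicAuthFilter extends BaseFilter {
    public static final String USER_ATTR = "auth.user"; // hypothetical attribute key
    private final String user;     // one fixed account, constructed for illustration
    private final byte[] password;
    public BasicAuthFilter(String user, String password) {
        this.user = user;
        this.password = password.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public NextAction handleRead(FilterChainContext ctx) throws IOException {
        HttpContent content = ctx.getMessage();
        HttpRequestPacket request = (HttpRequestPacket) content.getHttpHeader();
        String name = authenticate(request.getHeader("Authorization"));
        if (name != null) {
            request.setAttribute(USER_ATTR, name); // readable later in the HttpHandler
            return ctx.getInvokeAction();          // pass upstream to HttpServerFilter
        }
        HttpResponsePacket response = HttpResponsePacket.builder(request)
                .protocol(request.getProtocol()).status(401).reasonPhrase("Unauthorized")
                .header("WWW-Authenticate", "Basic realm=\"example\"")
                .contentLength(0).build();
        ctx.write(response);                       // answer from the filter itself
        return ctx.getStopAction();                // the request never reaches a handler
    }

    /** Returns the user name if the header carries valid credentials, else null. */
    String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');         // a password may itself contain ':'
            if (colon < 0) return null;
            byte[] given = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
            boolean userOk = pair.substring(0, colon).equals(user);
            return (MessageDigest.isEqual(given, password) & userOk) ? user : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }
}
```

To install it, an AddOn's setup(NetworkListener, FilterChainBuilder) can call builder.add(builder.indexOfType(HttpServerFilter.class), filter) so the filter sits directly before HttpServerFilter. Basic credentials are only Base64-encoded, so the chain should also carry SSLFilter, and because handleRead runs for each HttpContent chunk a production filter should remember its decision per request.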


Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Hi Alexey,
I had a similar problem. One question though: request-to-handler mapping happens in the handler chain.
If there is no mapping handler (404 scenario), how can I ensure my filter doesn't run?

Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Also, how do I propagate the created subject?

Re: Grizzly 2.x and Basic auth. and Filters

oleksiys
Administrator
Hi Sumit,

Your question sounds very abstract to me :)) Could you pls. provide more
details on how you implement Auth and what is your expectation?

Thanks.

WBR,
Alexey.

On 6/17/16 3:44 AM, Sumit Aneja wrote:
> Also how to propagate created subject


Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Hi Alexey,
here are my queries. If I have an authentication filter in the chain
TransportFilter <-> HttpCodecFilter <-> MyAuthFilter <-> HttpServerFilter.

The filter is executed for all incoming requests. So even if the URI of the request is invalid (i.e. it does not map to any URI on the Grizzly container), MyAuthFilter gets executed. This seems illogical to me. I would like MyAuthFilter to be executed for valid request URIs only.

Second, in MyAuthFilter I build a subject. How can I pass/set this subject in AccessController?

Usually subject information is retrieved through javax.security.auth.Subject.getSubject(java.security.AccessController.getContext()).

If it's an HTTP container (i.e. a servlet filter), I invoke the rest of the filter chain under privileged code. But in Grizzly it allows me to return the next action, not execute it.

Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Adding to the above, I have a use case where I retrieve subject information in the MyHandler service method

using javax.security.auth.Subject.getSubject(java.security.AccessController.getContext())

So propagating the subject from filter to handler is the requirement I am looking at.

Re: Grizzly 2.x and Basic auth. and Filters

oleksiys
Administrator
Hi Sumit,


> here are my queries, If i have an authentication filter in chain
> TransportFilter <-> HttpCodecFilter <-> MyAuthFilter <-> HttpServerFilter.
>
> Filter is executed for all incoming requests. So even if URI of request is
> invalid (i.e is not mapping to any URI on grizzly container), MyAuthFilter
> gets executed. This seems illogical to me. I would like this MyAuthFilter
> to be executed to valid request URI only.
The ctx.getMessage() in the MyAuthFilter will return you
HttpRequestPacket object, which could be used to store object you might
need later in HttpHandler.
Just use HttpRequestPacket.setAttribute(key, value), and inside the
HttpHandler you can use request.getRequest().getAttribute(key).

If low-level Filters approach doesn't work for you, maybe you can create
something like AuthAwareHttpHandler, that handle authentication and just
inherit it where you need to deploy app HttpHandlers.

Thanks.

WBR,
Alexey.

>
>
> Second in MyAuthFilter  i build a subject. How can i pass/set this subject
> in AccessController
>
> Usually subject information is retrieved through
> javax.security.auth.Subject.getSubject(java.security.AccessController.getContext()).
>
>
>
> If its HTTP container(i.e servlet filter) i invoke rest of filter chain
> under privileged code. But in grizzly it allows me to return next Action not
> execute.


Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Thanks for the response, Alexey. Actually I was looking for a generic filter which can be applied to all valid HTTP requests.

A custom HttpHandler would mean asking consumers to rewrite their handlers.

And using an attribute is again something proprietary. Is there any alternate approach which can be generic enough to implement?

I saw that in HttpHandler Grizzly hands the request over to the worker thread pool. At that time the subject that was set is not transferred to the new thread. To me this seems a bug in Grizzly. Just a thought: could I use a custom executor implementation which has the capability to set the subject in the execution context? Do you know if this is possible, and if yes, how?

Also, what are your thoughts on the second problem, i.e. this filter should be executed only for valid requests for which a valid handler/servlet mapping exists? Is there a generic way to do that? From my understanding, mapping of requests to handlers/servlets happens in httpHandlerChain, but the filter is executed before that.


Re: Grizzly 2.x and Basic auth. and Filters

Ryan Lubke-2
If you want to implement something portable that doesn't rely on Grizzly directly, then I would really recommend using the Servlet support offered by Grizzly instead of the HTTP framework.  There you can use Servlets and Servlet Filters (which is really what you're wanting). 



Re: Grizzly 2.x and Basic auth. and Filters

Sumit Aneja
Hi Ryan,
Actually I was looking for a solution that can work on all valid (mapping to servlet/HttpHandler/REST resource) inbound HTTP requests.

But if I go with servlet filters, I won't be able to apply those to HttpHandler.



What you said can be applicable only for
Ryan Lubke-2 wrote:
> If you want to implement something portable that doesn't rely on Grizzly
> directly, then I would really recommend using the Servlet support
> offered by Grizzly instead of the HTTP framework.  There you can use
> Servlets and Servlet Filters (which is really what you're wanting).

> Sumit Aneja <mailto:[hidden email]>
> June 21, 2016 at 02:55
> Thanks for response for Alexey. Actually i was looking for generic filter
> which can be applied to all valid http requests.
>
> Custom HttpHandler would mean asking consumers to re-write there handler.
>
> And using attribute is again something propriety. Is there any alternate
> approach which can be generic enough to implement.
>
> I saw that in HttpHandler grizzly handovers request to
> workerthreadpool. At
> that time subject set is not being transferred to new thread. To me This
> seems bug with grizzly. Just a thought if i can use custom executor
> implementation which has capability to set subject in execution
> context. Do
> you know if this is possible, if yes how.
>
>
> Also What are your thoughts on second problem, i.e only valid requests for
> which a valid handler/servlet mapping exists, should this filter be
> executed. Is there a generic way to do that. From my understanding mapping
> of requests to handlers/servlets happens in httpHandlerChain , but
> filter is
> executed before that.
>
> Sumit Aneja <mailto:[hidden email]>
> June 17, 2016 at 03:44
> Also how to propagate created subject
>
> Sumit Aneja <mailto:[hidden email]>
> June 17, 2016 at 02:21
> Hi Alexy,
> Had similar problem one question though request to handler mapping happens
> in handlerchain.
> If there is no mapping handler(404 scenario) how can i ensure my filter
> doesn't run.
>