Author: buildbot
Date: Wed Apr 25 11:35:39 2012
New Revision: 814378

Log:
Staging update by buildbot for ace

Modified:
    websites/staging/ace/trunk/content/   (props changed)
    websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
    websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg

Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Apr 25 11:35:39 2012
@@ -1 +1 @@
-1330182
+1330212

Modified: 
websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
==============================================================================
--- websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html 
(original)
+++ websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html 
Wed Apr 25 11:35:39 2012
@@ -162,8 +162,8 @@ In this article, the recently added auth
 <p><img alt="Figure 1: Overview of components and communication paths in ACE" 
src="auth_main_components.svg" title="Figure 1: Overview of components and 
communication paths" /></p>
 <p>In figure 1, several communication paths exists (denoted by the circled 
digits):</p>
 <ol>
-<li>the client communicates to the server by means of both direct calls to its 
services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a 
href="#fn:1" rel="footnote">1</a></sup>);</li>
-<li>a management agent (representing the target) communicates to the 
management server through HTTP calls;</li>
+<li>the client communicates to the ACE server by means of both direct calls to 
its services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a 
href="#fn:1" rel="footnote">1</a></sup>);</li>
+<li>a management agent (representing the target) communicates to the ACE 
server through HTTP calls;</li>
 <li>the REST API exposes the entire client API in a RESTful way. Communication 
to the client occurs by both direct calls as well as through HTTP;</li>
 <li>the Vaadin Web UI exposes the entire client API as web application. 
Similar as the REST API, it communicates both directly as through HTTP with the 
client.</li>
 </ol>
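Review bot: Style point on the unchanged context around the two renamed list items: the intro still reads "several communication paths exists" and item 4 reads "Similar as the REST API, it communicates both directly as through HTTP". Since the source of this list is being edited for terminology anyway, fix both in the same pass ("several communication paths exist", "Similar to the REST API, it communicates both directly and through HTTP") so the list reads consistently with the new "ACE server" wording.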
@@ -264,86 +264,86 @@ In this article, the recently added auth
 <p>To make this more concrete, an example of how the 
<code>BundleServlet</code> is to be configured:</p>
 <h4 id="service-configuration">Service configuration</h4>
 <p>The service configuration, located in 
<code>org.apache.ace.obr.servlet.cfg</code>, looks like:</p>
-<div class="codehilite"><pre><span class="c1"># Endpoint for this 
servlet</span>
-<span class="n">org</span><span class="o">.</span><span 
class="n">apache</span><span class="o">.</span><span class="n">ace</span><span 
class="o">.</span><span class="n">server</span><span class="o">.</span><span 
class="n">servlet</span><span class="o">.</span><span 
class="n">endpoint</span><span class="o">=/</span><span class="n">obr</span>
-<span class="c1"># Whether or not authentication is to be used</span>
-<span class="n">authentication</span><span class="o">.</span><span 
class="n">enabled</span> <span class="o">=</span> <span class="n">true</span>
+<div class="codehilite"><pre><span class="c"># Endpoint for this servlet</span>
+<span class="na">org.apache.ace.server.servlet.endpoint</span><span 
class="o">=</span><span class="s">/obr</span>
+<span class="c"># Whether or not authentication is to be used</span>
+<span class="na">authentication.enabled</span> <span class="o">=</span> <span 
class="s">true</span>
 </pre></div>
 
 
 <p>In <code>BundleServlet</code> we add the following code:</p>
-<div class="codehilite"><pre><span class="n">private</span> <span 
class="n">volatile</span> <span class="n">boolean</span> <span 
class="n">m_useAuth</span><span class="p">;</span>
-<span class="n">private</span> <span class="n">volatile</span> <span 
class="n">AuthenticationService</span> <span 
class="n">m_authService</span><span class="p">;</span>
+<div class="codehilite"><pre><span class="kd">private</span> <span 
class="kd">volatile</span> <span class="kt">boolean</span> <span 
class="n">m_useAuth</span><span class="o">;</span>
+<span class="kd">private</span> <span class="kd">volatile</span> <span 
class="n">AuthenticationService</span> <span 
class="n">m_authService</span><span class="o">;</span>
 
-<span class="sr">//</span> <span class="o">...</span>
+<span class="c1">// ...</span>
 
-<span class="n">public</span> <span class="n">void</span> <span 
class="n">updated</span><span class="p">(</span><span 
class="n">Dictionary</span> <span class="n">settings</span><span 
class="p">)</span> <span class="n">throws</span> <span 
class="n">ConfigurationException</span> <span class="p">{</span>
-    <span class="k">if</span> <span class="p">(</span><span 
class="n">settings</span> <span class="o">!=</span> <span 
class="n">null</span><span class="p">)</span> <span class="p">{</span>
-        <span class="n">String</span> <span class="n">useAuthString</span> 
<span class="o">=</span> <span class="p">(</span><span 
class="n">String</span><span class="p">)</span> <span 
class="n">settings</span><span class="o">.</span><span 
class="n">get</span><span class="p">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="p">);</span>
-        <span class="k">if</span> <span class="p">(</span><span 
class="n">useAuthString</span> <span class="o">==</span> <span 
class="n">null</span> <span class="o">||</span> <span class="o">!</span><span 
class="p">(</span><span class="s">&quot;true&quot;</span><span 
class="o">.</span><span class="n">equalsIgnoreCase</span><span 
class="p">(</span><span class="n">useAuthString</span><span class="p">)</span> 
<span class="o">||</span> <span class="s">&quot;false&quot;</span><span 
class="o">.</span><span class="n">equalsIgnoreCase</span><span 
class="p">(</span><span class="n">useAuthString</span><span 
class="p">)))</span> <span class="p">{</span>
-            <span class="n">throw</span> <span class="k">new</span> <span 
class="n">ConfigurationException</span><span class="p">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="p">,</span> 
<span class="s">&quot;Missing or invalid value!&quot;</span><span 
class="p">);</span>
-        <span class="p">}</span>
-        <span class="n">boolean</span> <span class="n">useAuth</span> <span 
class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span 
class="n">parseBoolean</span><span class="p">(</span><span 
class="n">useAuthString</span><span class="p">);</span>
-
-        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="n">useAuth</span><span class="p">;</span>
-    <span class="p">}</span>
-    <span class="k">else</span> <span class="p">{</span>
-        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="n">false</span><span class="p">;</span>
-    <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="sr">//</span> <span class="o">...</span>
-
-<span class="o">/**</span>
- <span class="o">*</span> <span class="n">Called</span> <span 
class="n">by</span> <span class="n">Dependency</span> <span 
class="n">Manager</span> <span class="n">upon</span> <span 
class="n">initialization</span> <span class="n">of</span> <span 
class="n">this</span> <span class="n">component</span><span class="o">.</span>
- <span class="o">*/</span>
-<span class="n">protected</span> <span class="n">void</span> <span 
class="n">init</span><span class="p">(</span><span class="n">Component</span> 
<span class="n">comp</span><span class="p">)</span> <span class="p">{</span>
-    <span class="n">comp</span><span class="o">.</span><span 
class="n">add</span><span class="p">(</span><span class="n">m_dm</span><span 
class="o">.</span><span class="n">createServiceDependency</span><span 
class="p">()</span>
-        <span class="o">.</span><span class="n">setService</span><span 
class="p">(</span><span class="n">AuthenticationService</span><span 
class="o">.</span><span class="n">class</span><span class="p">)</span>
-        <span class="o">.</span><span class="n">setRequired</span><span 
class="p">(</span><span class="n">m_useAuth</span><span class="p">)</span>
-        <span class="o">.</span><span class="n">setInstanceBound</span><span 
class="p">(</span><span class="n">true</span><span class="p">)</span>
-        <span class="p">);</span>
-<span class="p">}</span>
+<span class="kd">public</span> <span class="kt">void</span> <span 
class="nf">updated</span><span class="o">(</span><span 
class="n">Dictionary</span> <span class="n">settings</span><span 
class="o">)</span> <span class="kd">throws</span> <span 
class="n">ConfigurationException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(</span><span 
class="n">settings</span> <span class="o">!=</span> <span 
class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+        <span class="n">String</span> <span class="n">useAuthString</span> 
<span class="o">=</span> <span class="o">(</span><span 
class="n">String</span><span class="o">)</span> <span 
class="n">settings</span><span class="o">.</span><span 
class="na">get</span><span class="o">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="o">);</span>
+        <span class="k">if</span> <span class="o">(</span><span 
class="n">useAuthString</span> <span class="o">==</span> <span 
class="kc">null</span> <span class="o">||</span> <span class="o">!(</span><span 
class="s">&quot;true&quot;</span><span class="o">.</span><span 
class="na">equalsIgnoreCase</span><span class="o">(</span><span 
class="n">useAuthString</span><span class="o">)</span> <span 
class="o">||</span> <span class="s">&quot;false&quot;</span><span 
class="o">.</span><span class="na">equalsIgnoreCase</span><span 
class="o">(</span><span class="n">useAuthString</span><span 
class="o">)))</span> <span class="o">{</span>
+            <span class="k">throw</span> <span class="k">new</span> <span 
class="nf">ConfigurationException</span><span class="o">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="o">,</span> 
<span class="s">&quot;Missing or invalid value!&quot;</span><span 
class="o">);</span>
+        <span class="o">}</span>
+        <span class="kt">boolean</span> <span class="n">useAuth</span> <span 
class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span 
class="na">parseBoolean</span><span class="o">(</span><span 
class="n">useAuthString</span><span class="o">);</span>
+
+        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="n">useAuth</span><span class="o">;</span>
+    <span class="o">}</span>
+    <span class="k">else</span> <span class="o">{</span>
+        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="kc">false</span><span class="o">;</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="c1">// ...</span>
+
+<span class="cm">/**</span>
+<span class="cm"> * Called by Dependency Manager upon initialization of this 
component.</span>
+<span class="cm"> */</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span 
class="nf">init</span><span class="o">(</span><span class="n">Component</span> 
<span class="n">comp</span><span class="o">)</span> <span class="o">{</span>
+    <span class="n">comp</span><span class="o">.</span><span 
class="na">add</span><span class="o">(</span><span class="n">m_dm</span><span 
class="o">.</span><span class="na">createServiceDependency</span><span 
class="o">()</span>
+        <span class="o">.</span><span class="na">setService</span><span 
class="o">(</span><span class="n">AuthenticationService</span><span 
class="o">.</span><span class="na">class</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setRequired</span><span 
class="o">(</span><span class="n">m_useAuth</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setInstanceBound</span><span 
class="o">(</span><span class="kc">true</span><span class="o">)</span>
+        <span class="o">);</span>
+<span class="o">}</span>
 </pre></div>
 
 
 <p>As almost all of the services in ACE are managed by the Dependency Manager, 
we can leverage its dynamics to inject our <code>BundleServlet</code> with an 
instance of the <code>AuthenticationService</code> and provide us with a 
configuration<sup id="fnref:5"><a href="#fn:5" rel="footnote">5</a></sup>. </p>
 <h4 id="implemention">Implemention</h4>
 <p>The actual authentication implementation itself is rather trivial: we 
simply intercept all incoming requests in our servlet and verify whether it 
resolves to a valid user:</p>
-<div class="codehilite"><pre><span class="nv">@Override</span>
-<span class="n">protected</span> <span class="n">void</span> <span 
class="n">service</span><span class="p">(</span><span 
class="n">HttpServletRequest</span> <span class="n">req</span><span 
class="p">,</span> <span class="n">HttpServletResponse</span> <span 
class="n">resp</span><span class="p">)</span> <span class="n">throws</span> 
<span class="n">ServletException</span><span class="p">,</span> <span 
class="n">IOException</span> <span class="p">{</span>
-    <span class="k">if</span> <span class="p">(</span><span 
class="o">!</span><span class="n">authenticate</span><span 
class="p">(</span><span class="n">req</span><span class="p">))</span> <span 
class="p">{</span>
-        <span class="sr">//</span> <span class="n">Authentication</span> <span 
class="n">failed</span><span class="p">;</span> <span class="n">don</span><span 
class="err">&#39;</span><span class="n">t</span> <span class="n">proceed</span> 
<span class="n">with</span> <span class="n">the</span> <span 
class="n">original</span> <span class="n">request</span><span 
class="o">...</span>
-        <span class="n">resp</span><span class="o">.</span><span 
class="n">sendError</span><span class="p">(</span><span 
class="n">SC_UNAUTHORIZED</span><span class="p">);</span>
-    <span class="p">}</span> <span class="k">else</span> <span 
class="p">{</span>
-        <span class="sr">//</span> <span class="n">Authentication</span> <span 
class="n">successful</span><span class="p">,</span> <span 
class="n">proceed</span> <span class="n">with</span> <span 
class="n">original</span> <span class="n">request</span><span 
class="o">...</span>
-        <span class="n">super</span><span class="o">.</span><span 
class="n">service</span><span class="p">(</span><span class="n">req</span><span 
class="p">,</span> <span class="n">resp</span><span class="p">);</span>
-    <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="n">private</span> <span class="n">boolean</span> <span 
class="n">authenticate</span><span class="p">(</span><span 
class="n">HttpServletRequest</span> <span class="n">request</span><span 
class="p">)</span> <span class="p">{</span>
-    <span class="n">User</span> <span class="n">user</span> <span 
class="o">=</span> <span class="n">null</span><span class="p">;</span>
-    <span class="k">if</span> <span class="p">(</span><span 
class="n">m_useAuth</span><span class="p">)</span> <span class="p">{</span>
-        <span class="n">User</span> <span class="n">user</span> <span 
class="o">=</span> <span class="n">m_authService</span><span 
class="o">.</span><span class="n">authenticate</span><span 
class="p">(</span><span class="n">request</span><span class="p">);</span>
-    <span class="p">}</span>
-    <span class="k">if</span> <span class="p">(</span><span 
class="n">user</span> <span class="o">==</span> <span 
class="n">null</span><span class="p">)</span> <span class="p">{</span>
-        <span class="n">m_log</span><span class="o">.</span><span 
class="nb">log</span><span class="p">(</span><span 
class="n">LogService</span><span class="o">.</span><span 
class="n">LOG_INFO</span><span class="p">,</span> <span 
class="s">&quot;Authentication failure!&quot;</span><span class="p">);</span>
-    <span class="p">}</span>
-    <span class="k">return</span> <span class="p">(</span><span 
class="n">user</span> <span class="o">!=</span> <span 
class="n">null</span><span class="p">);</span>
-<span class="p">}</span>
+<div class="codehilite"><pre><span class="nd">@Override</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span 
class="nf">service</span><span class="o">(</span><span 
class="n">HttpServletRequest</span> <span class="n">req</span><span 
class="o">,</span> <span class="n">HttpServletResponse</span> <span 
class="n">resp</span><span class="o">)</span> <span class="kd">throws</span> 
<span class="n">ServletException</span><span class="o">,</span> <span 
class="n">IOException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(!</span><span 
class="n">authenticate</span><span class="o">(</span><span 
class="n">req</span><span class="o">))</span> <span class="o">{</span>
+        <span class="c1">// Authentication failed; don&#39;t proceed with the 
original request...</span>
+        <span class="n">resp</span><span class="o">.</span><span 
class="na">sendError</span><span class="o">(</span><span 
class="n">SC_UNAUTHORIZED</span><span class="o">);</span>
+    <span class="o">}</span> <span class="k">else</span> <span 
class="o">{</span>
+        <span class="c1">// Authentication successful, proceed with original 
request...</span>
+        <span class="kd">super</span><span class="o">.</span><span 
class="na">service</span><span class="o">(</span><span 
class="n">req</span><span class="o">,</span> <span class="n">resp</span><span 
class="o">);</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="kd">private</span> <span class="kt">boolean</span> <span 
class="nf">authenticate</span><span class="o">(</span><span 
class="n">HttpServletRequest</span> <span class="n">request</span><span 
class="o">)</span> <span class="o">{</span>
+    <span class="n">User</span> <span class="n">user</span> <span 
class="o">=</span> <span class="kc">null</span><span class="o">;</span>
+    <span class="k">if</span> <span class="o">(</span><span 
class="n">m_useAuth</span><span class="o">)</span> <span class="o">{</span>
+        <span class="n">User</span> <span class="n">user</span> <span 
class="o">=</span> <span class="n">m_authService</span><span 
class="o">.</span><span class="na">authenticate</span><span 
class="o">(</span><span class="n">request</span><span class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">if</span> <span class="o">(</span><span 
class="n">user</span> <span class="o">==</span> <span 
class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+        <span class="n">m_log</span><span class="o">.</span><span 
class="na">log</span><span class="o">(</span><span 
class="n">LogService</span><span class="o">.</span><span 
class="na">LOG_INFO</span><span class="o">,</span> <span 
class="s">&quot;Authentication failure!&quot;</span><span class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">return</span> <span class="o">(</span><span 
class="n">user</span> <span class="o">!=</span> <span 
class="kc">null</span><span class="o">);</span>
+<span class="o">}</span>
 </pre></div>
 
 
 <p>Note that this implementation does not tell <em>how</em> the authentication 
should occur, only that it should occur. How the authentication is performed, 
is determined internally by the <code>AuthenticationService</code>, with the 
help of the registered <code>AuthenticationProcessor</code>s.</p>
 <h3 id="configuring-the-connection-factory">Configuring the connection 
factory</h3>
 <p>Now that the remote service itself is no longer accepting unauthenticated 
requests, we need to supply the credentials to access this service to the 
<code>ConnectionFactory</code> service. This service can be configured using 
the PID <code>org.apache.ace.connectionfactory</code> (<em>note that it is a 
configuration factory!</em>), which would result in the following configuration 
for accessing our <code>BundleServlet</code>:</p>
-<div class="codehilite"><pre><span class="c1"># What kind of authentication 
should we supply</span>
-<span class="n">authentication</span><span class="o">.</span><span 
class="n">type</span> <span class="o">=</span> <span class="n">basic</span>
-<span class="c1"># The actual credentials for basic authentication</span>
-<span class="n">authentication</span><span class="o">.</span><span 
class="n">user</span><span class="o">.</span><span class="n">name</span> <span 
class="o">=</span> <span class="n">d</span>
-<span class="n">authentication</span><span class="o">.</span><span 
class="n">user</span><span class="o">.</span><span class="n">password</span> 
<span class="o">=</span> <span class="n">f</span>
-<span class="c1"># What is the base URL that these credentials apply to:</span>
-<span class="n">authentication</span><span class="o">.</span><span 
class="n">baseURL</span> <span class="o">=</span> <span 
class="n">http:</span><span class="sr">//</span><span 
class="n">localhost:8080</span><span class="sr">/obr/</span>
+<div class="codehilite"><pre><span class="c"># What kind of authentication 
should we supply</span>
+<span class="na">authentication.type</span> <span class="o">=</span> <span 
class="s">basic</span>
+<span class="c"># The actual credentials for basic authentication</span>
+<span class="na">authentication.user.name</span> <span class="o">=</span> 
<span class="s">d</span>
+<span class="na">authentication.user.password</span> <span class="o">=</span> 
<span class="s">f</span>
+<span class="c"># What is the base URL that these credentials apply to:</span>
+<span class="na">authentication.baseURL</span> <span class="o">=</span> <span 
class="s">http://localhost:8080/obr/</span>
 </pre></div>
 
 
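Review bot: Logic problem in the authenticate(HttpServletRequest) sample carried over unchanged by the re-highlighting: "User user = null;" is declared and then redeclared inside the "if (m_useAuth)" block as "User user = m_authService.authenticate(request);", which does not compile in Java (duplicate local variable). Even with the inner declaration turned into an assignment, the method returns "user != null", so with authentication.enabled = false the user stays null, every request gets SC_UNAUTHORIZED and "Authentication failure!" is logged for each one. Suggest returning true early when m_useAuth is false and assigning to the outer variable otherwise; that also matches init(), where setRequired(m_useAuth) leaves m_authService optional (possibly null) when authentication is off. Second point, in updated(): the "else" branch sets m_useAuth = false when settings is null, so removing the configuration silently disables authentication, while a missing authentication.enabled key is rejected with a ConfigurationException; the text should say whether that fail-open default is intended. Documentation point on the connection factory sample: authentication.type = basic with an http:// baseURL sends the user name and password base64-encoded but unencrypted, which is worth one sentence next to the example for readers who copy it beyond localhost.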
@@ -357,13 +357,13 @@ In this article, the recently added auth
 <p>Other communication protocols could be used as well. However, currently, 
only HTTP is natively supported by ACE. For the remainder of this article, 
we'll assume HTTP as protocol.&#160;<a href="#fnref:1" rev="footnote" 
title="Jump back to footnote 1 in the text">&#8617;</a></p>
 </li>
 <li id="fn:2">
-<p>Assuming that all components in the management server are trusted and 
obtained from trusted sources. If untrusted components would be allowed, we 
need to add authentication to these communication paths as well.&#160;<a 
href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in the 
text">&#8617;</a></p>
+<p>Assuming that all components in the ACE server are trusted and obtained 
from trusted sources. If untrusted components would be allowed, we need to add 
authentication to these communication paths as well.&#160;<a href="#fnref:2" 
rev="footnote" title="Jump back to footnote 2 in the text">&#8617;</a></p>
 </li>
 <li id="fn:3">
 <p>It is up to the implementation of <code>AuthenticationService</code> 
whether the <em>first</em> found user is returned, or whether it checks if all 
authentication processors yield the <em>same</em> user, or any other strategy 
that is desired.&#160;<a href="#fnref:3" rev="footnote" title="Jump back to 
footnote 3 in the text">&#8617;</a></p>
 </li>
 <li id="fn:4">
-<p>Amongst others, any number of log-endpoints can be defined, at least one is 
needed for the audit log to be synchronized between target and management 
server.&#160;<a href="#fnref:4" rev="footnote" title="Jump back to footnote 4 
in the text">&#8617;</a></p>
+<p>Amongst others, any number of log-endpoints can be defined, at least one is 
needed for the audit log to be synchronized between target and ACE 
server.&#160;<a href="#fnref:4" rev="footnote" title="Jump back to footnote 4 
in the text">&#8617;</a></p>
 </li>
 <li id="fn:5">
 <p>Note that we're using a configuration dependency for this service. This 
way, the configuration <strong>must</strong> be present before the service 
itself is registered, which allows us to determine if authentication should be 
used or not.&#160;<a href="#fnref:5" rev="footnote" title="Jump back to 
footnote 5 in the text">&#8617;</a></p>
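Review bot: Documentation gap in footnote 3 (unchanged context between the two renamed footnotes): it leaves open whether AuthenticationService returns the first user found or requires all authentication processors to yield the same user. These strategies give different results when processors resolve different users for one request, so the footnote should state which one the provided implementation applies. The "management server" to "ACE server" rename in footnotes 2 and 4 is consistent with the list items changed earlier in this file.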

Modified: 
websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg
==============================================================================
Binary files - no diff available.

