Author: buildbot
Date: Mon Nov 24 22:42:13 2014
New Revision: 930358

Log:
Staging update by buildbot for ace

Added:
    websites/staging/ace/trunk/content/docs/
    websites/staging/ace/trunk/content/docs.html
    websites/staging/ace/trunk/content/docs/ace-authentication.html
    websites/staging/ace/trunk/content/docs/ace-deployment-strategies.html
    websites/staging/ace/trunk/content/docs/ace-roles.html
    websites/staging/ace/trunk/content/docs/ace_dnd_artifacts.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_dnd_artifacts_fail.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_dnd_artifacts_ok.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_dynamic_association.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_server_topology.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_server_ui.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_static_association.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_target_tag_editor.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_user_management_admin_ui.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_user_management_newuser_ui.png   (with props)
    websites/staging/ace/trunk/content/docs/ace_user_management_user_ui.png   (with props)
    websites/staging/ace/trunk/content/docs/adding-custom-artifact-types.html
    websites/staging/ace/trunk/content/docs/analysis/
    websites/staging/ace/trunk/content/docs/analysis/auditlog-analysis.html
    websites/staging/ace/trunk/content/docs/analysis/bundlerepository-analysis.html
    websites/staging/ace/trunk/content/docs/analysis/index.html
    websites/staging/ace/trunk/content/docs/analysis/security-analysis-flow.svg   (with props)
    websites/staging/ace/trunk/content/docs/analysis/security-analysis.html
    websites/staging/ace/trunk/content/docs/analysis/src/
    websites/staging/ace/trunk/content/docs/analysis/src/security-analysis-flow.graffle   (with props)
    websites/staging/ace/trunk/content/docs/analysis/template-mechanism.html
    websites/staging/ace/trunk/content/docs/architecture.html
    websites/staging/ace/trunk/content/docs/auth_api.svg   (with props)
    websites/staging/ace/trunk/content/docs/auth_connectionfactory.svg   (with props)
    websites/staging/ace/trunk/content/docs/auth_main_components.svg   (with props)
    websites/staging/ace/trunk/content/docs/coding-standards.html
    websites/staging/ace/trunk/content/docs/configuring-relay-servers.html
    websites/staging/ace/trunk/content/docs/deployment_strategy_classdiagram.svg   (with props)
    websites/staging/ace/trunk/content/docs/deployment_strategy_update_seq.svg   (with props)
    websites/staging/ace/trunk/content/docs/design/
    websites/staging/ace/trunk/content/docs/design/auditlog-protocol.html
    websites/staging/ace/trunk/content/docs/design/index.html
    websites/staging/ace/trunk/content/docs/design/remote-interfaces-components.svg   (with props)
    websites/staging/ace/trunk/content/docs/design/remote-interfaces.html
    websites/staging/ace/trunk/content/docs/design/src/
    websites/staging/ace/trunk/content/docs/design/src/remote-interfaces-components.graffle   (with props)
    websites/staging/ace/trunk/content/docs/design/src/remoteinterfaces-components.graffle   (with props)
    websites/staging/ace/trunk/content/docs/getting-started-5-mins.html
    websites/staging/ace/trunk/content/docs/history-and-background.html
    websites/staging/ace/trunk/content/docs/relay_functional_overview.png   (with props)
    websites/staging/ace/trunk/content/docs/release-guide.html
    websites/staging/ace/trunk/content/docs/rest-api.html
    websites/staging/ace/trunk/content/docs/setup-dev-environment.html
    websites/staging/ace/trunk/content/docs/shell-api.html
    websites/staging/ace/trunk/content/docs/simple-workflow.png   (with props)
    websites/staging/ace/trunk/content/docs/test-script.html
    websites/staging/ace/trunk/content/docs/use-cases/
    websites/staging/ace/trunk/content/docs/use-cases/index.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-01.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-02.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-03.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-04.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-05.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-06.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-07.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-08.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-09.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-10.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-11.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-12.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-13.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-14.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-15.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-16.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-17.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-18.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-19.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-20.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-21.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-22.html
    websites/staging/ace/trunk/content/docs/use-cases/uc-23.html
    websites/staging/ace/trunk/content/docs/use-cases/usecasesview.svg   (with props)
    websites/staging/ace/trunk/content/docs/user-guide.html
    websites/staging/ace/trunk/content/docs/user-management-guide.html
    websites/staging/ace/trunk/content/docs/using-client-certificates.html
    websites/staging/ace/trunk/content/docs/writing-tests.html
Removed:
    websites/staging/ace/trunk/content/dev-doc/
    websites/staging/ace/trunk/content/user-doc/
Modified:
    websites/staging/ace/trunk/content/   (props changed)
    websites/staging/ace/trunk/content/sitemap.html

Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Nov 24 22:42:13 2014
@@ -1 +1 @@
-1620416
+1641501

Added: websites/staging/ace/trunk/content/docs.html
==============================================================================
--- websites/staging/ace/trunk/content/docs.html (added)
+++ websites/staging/ace/trunk/content/docs.html Mon Nov 24 22:42:13 2014
@@ -0,0 +1,231 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html lang="en">
+  <head>
+    <title>Documentation</title>
+    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
+    <meta property="og:image" content="//www.apache.org/images/asf_logo.gif" />
+    <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+    <link href="/css/prettify.css" rel="stylesheet" media="screen">
+    <link href="/css/code.css" rel="stylesheet" media="screen">
+    <script src="//code.jquery.com/jquery.js"></script>
+    <script src="/js/bootstrap.min.js"></script>    
+    <script src="/js/prettify.js"></script>
+    
+    
+    
+    <script>
+    $(function () { prettyPrint() })
+    $().dropdown()
+    </script>
+  </head>
+  <body style="padding-top: 50px;">
+    <div class="navbar navbar-fixed-top navbar-inverse">
+      <div class="navbar-inner">
+        <div class="container">
+          <a class="brand" href="/index.html">Apache ACE&trade;</a>
+          <ul class="nav">
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">News <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/news.html">News</a>
+      </li>
+      <li>
+        <a href="/on-the-web.html">On the web</a>
+      </li>
+    </ul>
+  </li>
+  <li>
+    <a href="/downloads.html">Downloads</a>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Users <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/user-doc/introduction.html">Introduction</a>
+      </li>
+      <li>
+        <a href="/user-doc/getting-started.html">Getting Started</a>
+      </li>
+      <li>
+        <a href="/user-doc/user-guide.html">User Guide</a>
+      </li>
+      <li>
+        <a href="/user-doc/features.html">Features</a>
+      </li>
+      <li>
+        <a href="/user-doc/shellapi.html">Client Shell API</a>
+      </li>
+           <li>
+        <a href="/user-doc/restapi.html">Client REST API</a>
+      </li>
+      <li>
+        <a href="/user-doc/useradmin-ui.html">User Management Guide</a>
+      </li>
+      <li>
+        <a href="/user-doc/faq.html">FAQ</a>
+      </li>
+      <li>
+        <a href="/user-doc/support.html">Support</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developers <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/dev-doc/getting-started.html">Getting Started</a>
+      </li>
+      <li>
+        <a href="/dev-doc/requirements/">Requirements</a>
+      </li>
+      <li>
+        <a href="/dev-doc/architecture.html">Architecture</a>
+      </li>
+      <li>
+        <a href="/dev-doc/analysis/">Analysis</a>
+      </li>
+      <li>
+        <a href="/dev-doc/design/">Design</a>
+      </li>
+      <li>
+        <a href="/dev-doc/coding-standards.html">Coding Standards</a>
+      </li>
+      <li>
+        <a href="/dev-doc/release-guide.html">Release Guide</a>
+      </li>
+      <li>
+        <a href="/dev-doc/writing-tests.html">Writing unit/integration 
tests</a>
+      </li>
+      <li>
+        <a href="/dev-doc/adding-custom-artifact-types.html">Adding custom 
artifact types</a>
+      </li>
+      <li>
+        <a href="/dev-doc/configuring-relay-servers.html">Configuring and 
using relay servers</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Get Involved <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/get-involved/mailing-lists.html">Mailing Lists</a>
+      </li>
+      <li>
+        <a href="/get-involved/issue-tracking.html">Issue Tracking</a>
+      </li>
+      <li>
+        <a href="/get-involved/continuous-integration.html">Continuous 
Integration</a>
+      </li>
+      <li>
+        <a href="/get-involved/source-code.html">Source Code</a>
+      </li>
+      <li>
+        <a href="/get-involved/project-team.html">Project Team</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Wiki <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a 
href="https://cwiki.apache.org/confluence/display/ACE/Board+Reports";>Board 
Reports <i class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a 
href="https://cwiki.apache.org/confluence/display/ACE/Index";>Homepage <i 
class="icon-share-alt"></i></a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="http://www.apache.org/";>Apache Homepage <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/licenses/";>Licenses <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/security/";>Security <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/foundation/thanks.html";>Thanks <i 
class="icon-share-alt"></i></a>
+      </li>
+    </ul>
+  </li>
+</ul>
+
+        </div>
+      </div>
+    </div>
+    <div class="container">
+      <p><a href="/"><i class='icon-home'></i> Home</a></p>
+      <h1>Documentation</h1>
+      <div class="clear"></div>
+      <div id="content"><p>Apache ACE is a software distribution framework 
that allows you to manage and deploy
+modular OSGi-based applications to many different clients, also known as 
"targets" in ACE
+terminology, allowing precise control over which target gets which software. 
Its key
+features are:</p>
+<ul>
+<li>being able to deploy software to many different targets;</li>
+<li>atomic upgrades: if an upgrade fails for a target, it is automatically 
rolled back to the former state;</li>
+<li>deploy different configurations for different targets;</li>
+<li>smart redeployments of only the changed artifacts to your targets;</li>
+<li>complete control on the deployment strategy for your targets.</li>
+</ul>
+<h2 id="getting-started">Getting started</h2>
+<p>If you are interested in just get Apache ACE up and running, you can read 
the <a href="/docs/getting-started-5-mins.html">getting
+started in 5 minutes</a>. To get more information about
+the history of Apache ACE, read all about its <a 
href="/docs/history-and-background.html">history and
+background</a>.</p>
+<h2 id="using-apache-ace">Using Apache ACE</h2>
+<p>Resources that go into more detail on using Apache ACE:</p>
+<ul>
+<li>read all about using Apache ACE in the <a 
href="/docs/user-guide.html">users guide</a>;</li>
+<li>to manage users using ACE's web UI, read the <a 
href="/docs/user-management-guide.html">user management guide</a>;</li>
+<li><a href="/docs/ace-roles.html">information about the various roles used in 
Apache ACE</a>;</li>
+<li>accessing Apache ACE <a href="/docs/shell-api.html">using the Gogo 
shell</a>;</li>
+<li>accessing Apache ACE from <a href="/docs/rest-api.html">its REST 
API</a>;</li>
+<li>to handle a large number of targets, you can make use of <a 
href="/docs/configuring-relay-servers.html">intermediate relay servers</a>;</li>
+<li>configuring ACE authentication is described in the <a 
href="/docs/ace-authentication.html">authentication guide</a>;</li>
+<li>configuring ACE to use two-way SSL is described in <a 
href="/docs/using-client-certificates.html">using client certificates</a>;</li>
+<li>various deployment strategies for Apache ACE are described in the <a 
href="/docs/ace-deployment-strategies.html">ACE deployment strategies 
document</a>;</li>
+</ul>
+<h2 id="developing-for-apache-ace">Developing for Apache ACE</h2>
+<p>There are several resources available on extending and developing for 
Apache ACE, such as:</p>
+<ul>
+<li><a href="/docs/setup-dev-environment.html">setting up an development 
environment for developing for Apache ACE</a>;</li>
+<li>more details on writing unit and/or integration tests can be found in <a 
href="/docs/writing-tests.html">this document</a>;</li>
+<li>all about the coding style and guidelines can be found in the <a 
href="/docs/coding-standards.html">coding standards</a>;</li>
+<li>guidelines for releasing Apache ACE can be found in <a 
href="/docs/release-guide.html">the release guide</a>;</li>
+<li>more information about the architectural principals can be found in <a 
href="/docs/architecture.html">the architectural guide</a>;</li>
+<li>if you are interested in performing load tests, or want to get started 
with automating ACE deployments, read all about it in our <a 
href="/docs/test-script.html">test script document</a>;</li>
+<li>
+<p>various use cases are described on the <a href="/docs/use-cases">use cases 
page</a>;</p>
+</li>
+<li>
+<p><a href="/docs/adding-custom-artifact-types.html">adding support for new 
types of artifacts</a>;</p>
+</li>
+<li>
+<p>detailed analysis documentation giving background information on some 
development principles currently used:
+<strong> <a href="/docs/analysis/auditlog-analysis.html">audit log 
analysis</a>;
+</strong> <a href="/docs/analysis/bundlerepository-analysis.html">bundle 
repository analysis</a>;
+<strong> <a href="/docs/analysis/security-analysis.html">security analysis</a>;
+</strong> <a href="/docs/analysis/template-mechanism.html">template 
mechanism</a>.</p>
+</li>
+<li>
+<p>detailed design documentation:
+<strong> <a href="/docs/design/remote-interfaces.html">remote interface 
design</a>;
+</strong> <a href="/docs/design/auditlog-protocol.html">audit log 
details</a>;</p>
+</li>
+</ul></div>
+      <hr>
+      <footer>
+        <p>Copyright &#169; 2012-2014 <a href="http://www.apache.org/";>The 
Apache Software Foundation</a>, Licensed under the <a 
href="http://www.apache.org/licenses/LICENSE-2.0";>Apache License, Version 
2.0</a>.<br/>Apache ACE, the Apache ACE logo, Apache and the Apache feather 
logo are trademarks of The Apache Software Foundation. All other marks 
mentioned may be trademarks or registered trademarks of their respective 
owners.</p>
+      </footer>
+    </div>
+  </body>
+</html>
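
Review bot: The navbar in this new docs.html still links into /user-doc/ and /dev-doc/ (for example "/user-doc/user-guide.html" and "/dev-doc/architecture.html"), while this same revision removes content/user-doc/ and content/dev-doc/ and adds the pages under content/docs/. Unless redirects are in place, every entry in the Users and Developers menus will be a dead link. The navigation template should point at the /docs/ paths the page body already uses ("/docs/user-guide.html", "/docs/architecture.html"), and the entries with no counterpart in the Added list above (introduction, features, faq, support, requirements) need an explicit decision. Two smaller points: in the "detailed analysis documentation" and "detailed design documentation" items the sub-entries render as alternating "<strong> <a ...>" and "</strong> <a ...>" runs, which looks like a nested "**" list in the source being turned into bold, so indenting the sub-list in the source should give a proper nested <ul>. The head also pulls "//code.jquery.com/jquery.js" unversioned from a third-party host while Bootstrap and prettify are served from /js/; serving a pinned copy from /js/ as well would keep the page from depending on whatever that URL returns.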

Added: websites/staging/ace/trunk/content/docs/ace-authentication.html
==============================================================================
--- websites/staging/ace/trunk/content/docs/ace-authentication.html (added)
+++ websites/staging/ace/trunk/content/docs/ace-authentication.html Mon Nov 24 
22:42:13 2014
@@ -0,0 +1,464 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html lang="en">
+  <head>
+    <title>ACE Authentication</title>
+    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
+    <meta property="og:image" content="//www.apache.org/images/asf_logo.gif" />
+    <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+    <link href="/css/prettify.css" rel="stylesheet" media="screen">
+    <link href="/css/code.css" rel="stylesheet" media="screen">
+    <script src="//code.jquery.com/jquery.js"></script>
+    <script src="/js/bootstrap.min.js"></script>    
+    <script src="/js/prettify.js"></script>
+    
+    
+    
+    <script>
+    $(function () { prettyPrint() })
+    $().dropdown()
+    </script>
+  </head>
+  <body style="padding-top: 50px;">
+    <div class="navbar navbar-fixed-top navbar-inverse">
+      <div class="navbar-inner">
+        <div class="container">
+          <a class="brand" href="/index.html">Apache ACE&trade;</a>
+          <ul class="nav">
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">News <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/news.html">News</a>
+      </li>
+      <li>
+        <a href="/on-the-web.html">On the web</a>
+      </li>
+    </ul>
+  </li>
+  <li>
+    <a href="/downloads.html">Downloads</a>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Users <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/user-doc/introduction.html">Introduction</a>
+      </li>
+      <li>
+        <a href="/user-doc/getting-started.html">Getting Started</a>
+      </li>
+      <li>
+        <a href="/user-doc/user-guide.html">User Guide</a>
+      </li>
+      <li>
+        <a href="/user-doc/features.html">Features</a>
+      </li>
+      <li>
+        <a href="/user-doc/shellapi.html">Client Shell API</a>
+      </li>
+           <li>
+        <a href="/user-doc/restapi.html">Client REST API</a>
+      </li>
+      <li>
+        <a href="/user-doc/useradmin-ui.html">User Management Guide</a>
+      </li>
+      <li>
+        <a href="/user-doc/faq.html">FAQ</a>
+      </li>
+      <li>
+        <a href="/user-doc/support.html">Support</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developers <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/dev-doc/getting-started.html">Getting Started</a>
+      </li>
+      <li>
+        <a href="/dev-doc/requirements/">Requirements</a>
+      </li>
+      <li>
+        <a href="/dev-doc/architecture.html">Architecture</a>
+      </li>
+      <li>
+        <a href="/dev-doc/analysis/">Analysis</a>
+      </li>
+      <li>
+        <a href="/dev-doc/design/">Design</a>
+      </li>
+      <li>
+        <a href="/dev-doc/coding-standards.html">Coding Standards</a>
+      </li>
+      <li>
+        <a href="/dev-doc/release-guide.html">Release Guide</a>
+      </li>
+      <li>
+        <a href="/dev-doc/writing-tests.html">Writing unit/integration 
tests</a>
+      </li>
+      <li>
+        <a href="/dev-doc/adding-custom-artifact-types.html">Adding custom 
artifact types</a>
+      </li>
+      <li>
+        <a href="/dev-doc/configuring-relay-servers.html">Configuring and 
using relay servers</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Get Involved <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="/get-involved/mailing-lists.html">Mailing Lists</a>
+      </li>
+      <li>
+        <a href="/get-involved/issue-tracking.html">Issue Tracking</a>
+      </li>
+      <li>
+        <a href="/get-involved/continuous-integration.html">Continuous 
Integration</a>
+      </li>
+      <li>
+        <a href="/get-involved/source-code.html">Source Code</a>
+      </li>
+      <li>
+        <a href="/get-involved/project-team.html">Project Team</a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Wiki <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a 
href="https://cwiki.apache.org/confluence/display/ACE/Board+Reports";>Board 
Reports <i class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a 
href="https://cwiki.apache.org/confluence/display/ACE/Index";>Homepage <i 
class="icon-share-alt"></i></a>
+      </li>
+    </ul>
+  </li>
+  <li class="dropdown">
+    <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache <b 
class="caret"></b></a>
+    <ul class="dropdown-menu">
+      <li>
+        <a href="http://www.apache.org/";>Apache Homepage <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/licenses/";>Licenses <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/security/";>Security <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship <i 
class="icon-share-alt"></i></a>
+      </li>
+      <li>
+        <a href="http://www.apache.org/foundation/thanks.html";>Thanks <i 
class="icon-share-alt"></i></a>
+      </li>
+    </ul>
+  </li>
+</ul>
+
+        </div>
+      </div>
+    </div>
+    <div class="container">
+      <p><a href="/"><i class='icon-home'></i> Home</a>&nbsp;&raquo&nbsp;<a 
href="/docs/">Docs</a></p>
+      <h1>ACE Authentication</h1>
+      <div class="clear"></div>
+      <div id="content"><p><em>Enabling authentication in ACE</em></p>
+<p>Revision 1.0, last updated: April 26th, 2012.</p>
+<div class="toc">
+<ul>
+<li><a href="#introduction">Introduction</a></li>
+<li><a href="#communication-paths">Communication paths</a></li>
+<li><a href="#authentication-design">Authentication design</a><ul>
+<li><a href="#remote-services">Remote services</a></li>
+</ul>
+</li>
+<li><a href="#configuring-authentication">Configuring authentication</a><ul>
+<li><a href="#configuring-authentication-for-remote-services">Configuring 
authentication for remote services</a><ul>
+<li><a href="#configuring-the-authentication">Configuring the 
authentication</a></li>
+<li><a href="#making-use-of-the-service-configuration">Making use of the 
service configuration</a></li>
+<li><a href="#implementing-the-authentication-check">Implementing the 
authentication check</a></li>
+</ul>
+</li>
+<li><a href="#configuring-the-connection-factory">Configuring the connection 
factory</a></li>
+<li><a href="#configuring-the-management-agent">Configuring the management 
agent</a></li>
+<li><a href="#configuring-users">Configuring users</a></li>
+</ul>
+</li>
+<li><a href="#troubleshooting">Troubleshooting</a></li>
+<li><a href="#notes">Notes</a></li>
+</ul>
+</div>
+<h2 id="introduction">Introduction</h2>
+<p>When provisioning software (partly) to targets, one has to rely upon the 
trustworthiness of both the network and the target. Even if everything is under 
your control and governance, one cannot entirely be sure that unwanted access 
takes place. A first step in order to prevent unwanted access is 
<em>authentication</em>, which gives you the ability to verify the identity of 
someone. Once the identity is known, one can apply <em>authorization</em> in 
order to determine what actions are allowed and which are not.
+In this article, the recently added authentication layer of ACE is explained 
in more depth and how to configure authentication to your situation.<br />
+The remainder of this article assumes the reader has basic knowledge of the 
principles behind ACE, and has sufficient programming skills. For this 
article, the latest code of ACE (0.8.1-SNAPSHOT, rev.1329269) was used.</p>
+<h2 id="communication-paths">Communication paths</h2>
+<p>Before going in more detail on the design and configuration of the 
authentication layer in ACE, we first need to pinpoint all places were 
authentication needs to be applied. The following figure shows the main 
components in ACE and their communication paths, providing a global overview of 
where authentication is applicable to ACE.</p>
+<p><img alt="Figure 1: Overview of components and communication paths in ACE" 
src="auth_main_components.svg" title="Figure 1: Overview of components and 
communication paths" /><br />
+<strong>Figure 1</strong>: Overview of components and communication paths.</p>
+<p>In the above figure, several of the communication paths (denoted by the 
circled digits) that can be identified in ACE are represented:</p>
+<ol>
+<li>the client communicates to the ACE server by means of both direct calls to 
its services as well as remote (HTTP<sup id="fnref:1"><a class="footnote-ref" 
href="#fn:1" rel="footnote">1</a></sup>) calls;</li>
+<li>a management agent (representing the target) communicates to the ACE 
server through remote calls;</li>
+<li>the REST API exposes the entire client and server APIs in a RESTful way. 
Communication to the client occurs by both direct and remote calls;</li>
+<li>the Vaadin Web UI exposes the entire client API as web application. 
Similar as the REST API, it communicates both directly as remotely with the 
client.</li>
+</ol>
+<p>As can be seen from the above figure, most of the communication paths are 
remoted. The reason for this is twofold:</p>
+<ol>
+<li>It allows reuse of components; for example access to the OBR-servlet is 
used by the both the client-API as well the web UI to upload new artifacts;</li>
+<li>it enables scalability by allowing components to be deployed on different 
machines; for example, one does not need to run the client on the same machine 
as the server. This could be useful for working on high-latency networks.</li>
+</ol>
+<p>All direct (i.e., non remoted) communication paths do not need to be 
authenticated, as they require that both caller and callee run in the same 
virtual machine, making it impossible to be used outside the virtual 
machine<sup id="fnref:2"><a class="footnote-ref" href="#fn:2" 
rel="footnote">2</a></sup>. Hence, we only need to add an authentication layer 
to the remote endpoints. However, adding authentication to all remote endpoints 
poses us with the challenge to let the "internal" communication paths that use 
remote calls to authenticate themselves as well. Not doing so would prevent ACE 
from functioning correctly. A disadvantage of this approach is that it is an 
all-or-nothing approach, either all users of the remote endpoints use 
authentication, or none of them. However, the way users authenticate themselves 
can be different, meaning that one set of users can use basic authentication to 
identify themselves, while another set uses client certificates to identify 
themselves.</p>
+<h2 id="authentication-design">Authentication design</h2>
+<p>The high-level design for security in ACE is explained in the <a 
href="/docs/design/remote-interfaces.html">remote interface design</a>. From 
this design, we can derive several requirements for the design of ACE's 
authentication layer:</p>
+<ol>
+<li>should be applicable and configurable for all remoted endpoints. If a new 
endpoint is added to ACE, it should be easy to add and configure authentication 
for it;</li>
+<li>should be optional. If no authentication is desired, one should be able to 
remove its services from the ACE distribution;</li>
+<li>should be pluggable. Various ways of authentication exist, and new ones 
can emerge. Making the authentication mechanism pluggable allows new ways of 
authentication to be used easily.</li>
+</ol>
+<p id="fig2">Based on these requirements, the design of the authentication 
layer is represented in the following figure:</p>
+<p><img alt="Figure 2: Authentication layer class diagram" src="auth_api.svg" 
title="Figure 2: Authentication layer class diagram" /><br />
+<strong>Figure 2</strong>: Authentication layer class diagram.</p>
+<p>The <tt>AuthenticationService</tt> is responsible for authenticating a user 
based on some piece of information. This piece of information can be an array 
containing a username/password combination, a <tt>HttpServletRequest</tt> 
containing authentication request headers, or any other type of information 
capable of uniquely identifying a user. The actual authentication itself is 
delegated to one or more <tt>AuthenticationProcessor</tt>s, which know how to 
handle  a given set of information (e.g., <tt>HttpServletRequest</tt>) and can 
map this information to a particular user. In more detail, the calling sequence 
of <tt>AuthenticationService#authenticate</tt> would be:</p>
+<ol>
+<li><tt>AuthenticationService#authenticate</tt> is called with a blob of data, 
for example a <tt>HttpServletRequest</tt>;</li>
+<li>for each known <tt>AuthenticationProcessor</tt>:<ul>
+<li><tt>AuthenticationProcessor#canHandle</tt> is called with that blob of 
data. In this method, an authentication processor can decide whether the given 
blob is something it can handle or not;</li>
+<li>if it can be handled, the <tt>AuthenticationProcessor#authenticate</tt> is 
called with that blob of data, along with an instance of the <tt>UserAdmin</tt> 
service. The authentication processor is now responsible for converting the 
blob of data to an authenticated user, if possible.</li>
+</ul>
+</li>
+<li>if a <tt>User</tt> object is returned from the authentication service<sup 
id="fnref:3"><a class="footnote-ref" href="#fn:3" rel="footnote">3</a></sup>, 
the authentication phase will be regarded as successful. If <em>no</em> 
<tt>User</tt> object is returned, the authentication phase will be regarded 
unsuccessful.</li>
+</ol>
+<p>This is only half the story for authentication. As stated before, ACE 
internally also communicates through remote endpoints to access certain 
services. Without any changes, all those remote calls will fail due to missing 
credentials. If we would leave those means of communications as-is, we need to 
track down all places where remote calls are being made and inject the proper 
credentials at each of those places. However, doing this is not only 
<em>very</em> invasive and error prone but also not very developer friendly 
from a service-oriented perspective. Alternatively, we could try to include the 
credentials in the URL itself, making it self-contained. Not only would this 
approach limit our ability to use any kind of authentication mechanism (it only 
works for username/password combos), it also required us to supply the 
credentials manually each and every time we want to create a remote connection. 
Instead, we would like to refrain from passing around credentials, and leverage 
the
  service oriented aspects of OSGi to create remote connections for us. This 
service could then be responsible for adding the right credentials for us, 
leaving the calling party totally unaware about the fact authentication might 
be used (or not). Such a service is denoted in the following figure:</p>
+<p><img alt="Figure 3: Connection Factory class diagram" 
src="auth_connectionfactory.svg" title="Figure 3: Connection Factory class 
diagram" /><br />
+<strong>Figure 3</strong>: Connection Factory class diagram.</p>
+<p>The <tt>ConnectionFactory</tt> is responsible for creating 
<tt>URLConnection</tt>s, given a "plain" URL. So, instead of calling 
<tt>URL#openConnection()</tt> or <tt>URL#openStream()</tt>, we'll now have to 
call <tt>ConnectionFactory#createConnection(url)</tt> instead. But what 
advantage does this give us? In order to allow the connection factory to supply 
the credentials to <tt>URLConnection</tt>s, it is also registered as 
<tt>ManagedServiceFactory</tt> that enables us to provide multiple 
configurations of which credentials should be supplied to what (sets of) URLs. 
The introduction of the connection factory thus allows us to abstract the 
creation of a connection and passing of credentials to it from the URL. 
Internally, the connection factory will match each URL given in 
<tt>createConnection</tt> with the URLs it is configured with. If a matching 
URL is found, it will use the credentials in that configuration to supply to 
the <tt>URLConnection</tt>.</p>
+<h3 id="remote-services">Remote services</h3>
+<p>We've now closed the circle: we not only have defined how remote endpoints 
can apply authentication, but also how all calling parties can remain using 
these remote endpoints without having to be aware of authentication. The only 
thing left, is a summary of which remote endpoints currently exist in ACE.<br />
+All remote services are configurable with respect to the endpoint they can be 
accessed. The following table shows an overview of the remote services, 
including the default endpoint they use:</p>
+<table>
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+<th>Endpoint</th>
+<th>Configuration PID<sup id="fnref:4"><a class="footnote-ref" href="#fn:4" 
rel="footnote">4</a></sup></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><tt>BundleServlet</tt></td>
+<td>provides access to the OBR (bundle repository) of ACE</td>
+<td><tt>/obr</tt></td>
+<td><tt>o.a.a.obr.servlet</tt></td>
+</tr>
+<tr>
+<td><tt>DeploymentServlet</tt></td>
+<td>handles the actual provisioning of deployment packages to a target</td>
+<td><tt>/deployment</tt></td>
+<td><tt>o.a.a.deployment.servlet</tt></td>
+</tr>
+<tr>
+<td><tt>LogServlet</tt></td>
+<td>allows any number of logs for a target to be synchronized and accessed</td>
+<td><tt>/auditlog</tt><sup id="fnref:5"><a class="footnote-ref" href="#fn:5" 
rel="footnote">5</a></sup></td>
+<td><tt>o.a.a.server.log.servlet.factory</tt><br/><strong>note: this is a 
configuration factory!</strong></td>
+</tr>
+<tr>
+<td><tt>RepositoryServlet</tt></td>
+<td>provides access to the various (artifact/feature/distribution/target) 
internal repositories of ACE</td>
+<td><tt>/repository</tt></td>
+<td><tt>o.a.a.repository.servlet.<br/>RepositoryServlet</tt></td>
+</tr>
+<tr>
+<td><tt>RepositoryReplicationServlet</tt></td>
+<td>allows <em>relay nodes</em> to replicate the internal repositories of 
ACE</td>
+<td><tt>/replication</tt></td>
+<td><tt>o.a.a.repository.servlet.<br/>RepositoryReplicationServlet</tt></td>
+</tr>
+<tr>
+<td><tt>RESTClientServlet</tt></td>
+<td>provides the RESTful interface to ACE</td>
+<td><tt>/client</tt></td>
+<td><tt>o.a.a.client.rest</tt></td>
+</tr>
+<tr>
+<td><tt>VaadinServlet</tt></td>
+<td>provides the Vaadin web interface</td>
+<td><tt>/ace</tt></td>
+<td><tt>o.a.a.webui.vaadin</tt></td>
+</tr>
+<tr>
+<td>&#160;</td>
+<td>&#160;</td>
+<td>&#160;</td>
+<td>&#160;</td>
+</tr>
+</tbody>
+</table>
+<h2 id="configuring-authentication">Configuring authentication</h2>
+<p>Now we have discussed the design of the authentication layer in ACE in 
rather detail, lets continue with how we can configure the authentication. Note 
that in order to make use of this functionality, you need to use the latest 
TRUNK of ACE, as explained in the introduction.</p>
+<h3 id="configuring-authentication-for-remote-services">Configuring 
authentication for remote services</h3>
+<p>In the section on the design of the authentication layer, we've mentioned 
that if a remote service wants to make use of authentication, it can make use 
of the <tt>AuthenticationService</tt>. However, one of the design requirements 
was that authentication should be optional as well. In order to enable or 
disable authentication, each remote service needs to do the following:</p>
+<ol>
+<li>add a <strong>mandatory</strong> configuration property 
<tt>authentication.enabled = false|true</tt> to their configuration. Although 
any kind of name for this configuration property can be used, it is 
<em>strongly</em> advised to stick to the same name for all services;</li>
+<li>when the configuration of a remote service is updated, it should add a 
service dependency to the <tt>AuthenticationService</tt>. By making this 
service <strong>required</strong> if authentication is <em>enabled</em>, and 
<strong>optional</strong> when authentication is <em>disabled</em>, we can 
adhere to the requirement of optionality for authentication;</li>
+<li>in case authentication is <em>enabled</em>, each request the service 
obtains needs to be passed to the <tt>AuthenticationService</tt> first, and 
depending on its outcome, the request can continue or not.</li>
+</ol>
+<p>To make this more concrete, we walk through an example of how the 
<tt>BundleServlet</tt> is to be configured. As this is a servlet (as almost all 
other remote endpoints in ACE), we can intercept all service requests by 
overriding the <tt>Servlet#service()</tt> method and perform our authentication 
check there. If this check is successful, we continue passing the service 
request, and return a "401 - Unauthorized" when the check is unsuccessful. </p>
+<h4 id="configuring-the-authentication">Configuring the authentication</h4>
+<p>The service configuration, denoted by the 
<tt>org.apache.ace.obr.servlet.cfg</tt> in the stock ACE distribution, looks 
like:</p>
+<div class="codehilite"><pre><span class="c"># Endpoint for this servlet</span>
+<span class="na">org.apache.ace.server.servlet.endpoint</span> <span 
class="o">=</span> <span class="s">/obr</span>
+<span class="c"># Whether or not authentication is to be used</span>
+<span class="na">authentication.enabled</span> <span class="o">=</span> <span 
class="s">true</span>
+</pre></div>
+
+
+<p>Note that we've added the <tt>authentication.enabled</tt> property that 
allows us to enable or disable the authentication check for this servlet.</p>
+<h4 id="making-use-of-the-service-configuration">Making use of the service 
configuration</h4>
+<p>To let the servlet pick up our configuration, it should be registered as 
<tt>ManagedService(Factory)</tt>. To make use of the configuration, we need to 
add the following code to our <tt>BundleServlet</tt>:</p>
+<div class="codehilite"><pre><span class="kd">private</span> <span 
class="kd">volatile</span> <span class="kt">boolean</span> <span 
class="n">m_useAuth</span><span class="o">;</span>
+<span class="kd">private</span> <span class="kd">volatile</span> <span 
class="n">AuthenticationService</span> <span 
class="n">m_authService</span><span class="o">;</span>
+
+<span class="c1">// ...</span>
+
+<span class="kd">public</span> <span class="kt">void</span> <span 
class="nf">updated</span><span class="o">(</span><span 
class="n">Dictionary</span> <span class="n">settings</span><span 
class="o">)</span> <span class="kd">throws</span> <span 
class="n">ConfigurationException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(</span><span 
class="n">settings</span> <span class="o">!=</span> <span 
class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+        <span class="n">String</span> <span class="n">useAuthString</span> 
<span class="o">=</span> <span class="o">(</span><span 
class="n">String</span><span class="o">)</span> <span 
class="n">settings</span><span class="o">.</span><span 
class="na">get</span><span class="o">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="o">);</span>
+        <span class="k">if</span> <span class="o">(</span><span 
class="n">useAuthString</span> <span class="o">==</span> <span 
class="kc">null</span> <span class="o">||</span> <span class="o">!(</span><span 
class="s">&quot;true&quot;</span><span class="o">.</span><span 
class="na">equalsIgnoreCase</span><span class="o">(</span><span 
class="n">useAuthString</span><span class="o">)</span> <span 
class="o">||</span> <span class="s">&quot;false&quot;</span><span 
class="o">.</span><span class="na">equalsIgnoreCase</span><span 
class="o">(</span><span class="n">useAuthString</span><span 
class="o">)))</span> <span class="o">{</span>
+            <span class="k">throw</span> <span class="k">new</span> <span 
class="nf">ConfigurationException</span><span class="o">(</span><span 
class="s">&quot;authentication.enabled&quot;</span><span class="o">,</span> 
<span class="s">&quot;Missing or invalid value!&quot;</span><span 
class="o">);</span>
+        <span class="o">}</span>
+
+        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="n">Boolean</span><span class="o">.</span><span 
class="na">parseBoolean</span><span class="o">(</span><span 
class="n">useAuthString</span><span class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">else</span> <span class="o">{</span>
+        <span class="n">m_useAuth</span> <span class="o">=</span> <span 
class="kc">false</span><span class="o">;</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="c1">// ...</span>
+
+<span class="cm">/**</span>
+<span class="cm"> * Called by Dependency Manager upon initialization of this 
component.</span>
+<span class="cm"> */</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span 
class="nf">init</span><span class="o">(</span><span class="n">Component</span> 
<span class="n">comp</span><span class="o">)</span> <span class="o">{</span>
+    <span class="n">comp</span><span class="o">.</span><span 
class="na">add</span><span class="o">(</span><span class="n">m_dm</span><span 
class="o">.</span><span class="na">createServiceDependency</span><span 
class="o">()</span>
+        <span class="o">.</span><span class="na">setService</span><span 
class="o">(</span><span class="n">AuthenticationService</span><span 
class="o">.</span><span class="na">class</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setRequired</span><span 
class="o">(</span><span class="n">m_useAuth</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setInstanceBound</span><span 
class="o">(</span><span class="kc">true</span><span class="o">)</span>
+    <span class="o">);</span>
+<span class="o">}</span>
+</pre></div>
+
+
+<p>As almost all of the services in ACE are managed by the Dependency Manager, 
we can leverage its dynamics to inject our <tt>BundleServlet</tt> with an 
instance of the <tt>AuthenticationService</tt> and provide us with a 
configuration<sup id="fnref:6"><a class="footnote-ref" href="#fn:6" 
rel="footnote">6</a></sup>. In the <tt>updated()</tt> method, we perform a 
check whether the prior mentioned <tt>authentication.enabled</tt> property is 
present in the given configuration, and if so, whether it represents a valid 
boolean value. The actual boolean value itself will be held in a field 
(<tt>m_useAuth</tt>) for later use.</p>
+<h4 id="implementing-the-authentication-check">Implementing the authentication 
check</h4>
+<p>The actual authentication implementation itself is rather trivial: we 
simply intercept all incoming requests in our servlet and verify whether it 
resolves to a valid user:</p>
+<div class="codehilite"><pre><span class="nd">@Override</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span 
class="nf">service</span><span class="o">(</span><span 
class="n">HttpServletRequest</span> <span class="n">req</span><span 
class="o">,</span> <span class="n">HttpServletResponse</span> <span 
class="n">resp</span><span class="o">)</span> <span class="kd">throws</span> 
<span class="n">ServletException</span><span class="o">,</span> <span 
class="n">IOException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(!</span><span 
class="n">authenticate</span><span class="o">(</span><span 
class="n">req</span><span class="o">))</span> <span class="o">{</span>
+        <span class="c1">// Authentication failed; don&#39;t proceed with the 
original request...</span>
+        <span class="n">resp</span><span class="o">.</span><span 
class="na">sendError</span><span class="o">(</span><span 
class="n">SC_UNAUTHORIZED</span><span class="o">);</span>
+    <span class="o">}</span> <span class="k">else</span> <span 
class="o">{</span>
+        <span class="c1">// Authentication successful, proceed with original 
request...</span>
+        <span class="kd">super</span><span class="o">.</span><span 
class="na">service</span><span class="o">(</span><span 
class="n">req</span><span class="o">,</span> <span class="n">resp</span><span 
class="o">);</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="kd">private</span> <span class="kt">boolean</span> <span 
class="nf">authenticate</span><span class="o">(</span><span 
class="n">HttpServletRequest</span> <span class="n">request</span><span 
class="o">)</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(</span><span 
class="n">m_useAuth</span><span class="o">)</span> <span class="o">{</span>
+        <span class="n">User</span> <span class="n">user</span> <span 
class="o">=</span> <span class="n">m_authService</span><span 
class="o">.</span><span class="na">authenticate</span><span 
class="o">(</span><span class="n">request</span><span class="o">);</span>
+        <span class="k">if</span> <span class="o">(</span><span 
class="n">user</span> <span class="o">==</span> <span 
class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+            <span class="n">m_log</span><span class="o">.</span><span 
class="na">log</span><span class="o">(</span><span 
class="n">LogService</span><span class="o">.</span><span 
class="na">LOG_INFO</span><span class="o">,</span> <span 
class="s">&quot;Authentication failure!&quot;</span><span class="o">);</span>
+        <span class="o">}</span>
+        <span class="k">return</span> <span class="o">(</span><span 
class="n">user</span> <span class="o">!=</span> <span 
class="kc">null</span><span class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">return</span> <span class="kc">true</span><span 
class="o">;</span>
+<span class="o">}</span>
+</pre></div>
+
+
+<p>Note that this implementation does not tell <em>how</em> the authentication 
should occur, only that it should occur. How the authentication is performed, 
is determined internally by the <tt>AuthenticationService</tt>, with the help 
of the registered <tt>AuthenticationProcessor</tt>s.<br />
+Also note that the <tt>authenticate</tt> method itself uses the previously 
defined field (<tt>m_useAuth</tt>) to determine whether or not the 
authentication check should be performed. If it is <em>not</em> performed, we 
consider the request to be always authenticated, in order to obtain the same 
semantics as we would have without this check.</p>
+<h3 id="configuring-the-connection-factory">Configuring the connection 
factory</h3>
+<p>Now that the remote service itself is no longer accepting unauthenticated 
requests, we need to supply the credentials to access this service to the 
<tt>ConnectionFactory</tt> service. This service can be configured using the 
PID <tt>org.apache.ace.connectionfactory</tt>. Note that it is a configuration 
factory, accepting multiple configurations!<br />
+For accessing our <tt>BundleServlet</tt>, we need to supply it the following 
configuration:</p>
+<div class="codehilite"><pre><span class="c"># What kind of authentication 
should we supply</span>
+<span class="na">authentication.type</span> <span class="o">=</span> <span 
class="s">basic</span>
+<span class="c"># The actual credentials for basic authentication</span>
+<span class="na">authentication.user.name</span> <span class="o">=</span> 
<span class="s">d</span>
+<span class="na">authentication.user.password</span> <span class="o">=</span> 
<span class="s">f</span>
+<span class="c"># What is the base URL that these credentials apply to:</span>
+<span class="na">authentication.baseURL</span> <span class="o">=</span> <span 
class="s">http://localhost:8080/obr/</span>
+</pre></div>
+
+
+<p>When this configuration is supplied to the <tt>ConnectionFactory</tt>, it 
will provide a basic HTTP authentication header to each connection created for 
any URL starting with "<tt>http://localhost:8080/obr/</tt>"<sup id="fnref:7"><a 
class="footnote-ref" href="#fn:7" rel="footnote">7</a></sup>.<br />
+To disable authentication for a particular URL, the 
<tt>authentication.type</tt> option can be set to <tt>none</tt>. </p>
+<h3 id="configuring-the-management-agent">Configuring the management agent</h3>
+<p>The management agent itself also needs to use authentication to communicate 
with the remote services of the ACE server. It reuses the 
<tt>ConnectionFactory</tt> service for this, so it needs to obtain the same set 
of configurations as described in the previous section. The only thing we need 
to do is tell the management agent were it can find those configuration 
file(s):</p>
+<div class="codehilite"><pre><span class="o">[</span>localhost:~/<span 
class="o">]</span><span class="nv">$ </span>java -jar 
org.apache.ace.launcher-0.8.1-SNAPSHOT.jar <span class="se">\</span>
+ <span class="nv">discovery</span><span 
class="o">=</span>http://localhost:8080/ <span class="se">\</span>
+ <span class="nv">identification</span><span class="o">=</span>MyTarget <span 
class="se">\</span>
+ <span class="nv">auth</span><span 
class="o">=</span>/path/to/connectionfactory/config/file<span 
class="o">(</span>s<span class="o">)</span>
+</pre></div>
+
+
+<p>Alternatively, one could adapt the code of the management agent to use the 
<tt>ConfigAdmin</tt> service directly for creating the individual 
configurations using the service factory PID 
<tt>org.apache.ace.connectionfactory</tt>. </p>
+<h3 id="configuring-users">Configuring users</h3>
+<p>In order to successfully authenticate a user, it needs a corresponding 
<tt>User</tt> that can be obtained from the <tt>UserAdmin</tt> service. 
Initially, ACE imports a small set of users and roles defined in the 
"<tt>org.apache.ace.server.repository.factory/ace-user.cfg</tt>" configuration 
file. One could update this file in order to add users<sup id="fnref:8"><a 
class="footnote-ref" href="#fn:8" rel="footnote">8</a></sup>, or add them, for 
example, to an LDAP-service and make the <tt>UserAdmin</tt> service retrieve 
users from this backend. The exact details on how to configure this are beyond 
this article.</p>
+<h2 id="troubleshooting">Troubleshooting</h2>
+<p>If after configuring the authentication of ACE things no longer work, it 
can be hard to find the exact cause of this. In this section, some pointers are 
given to help you to find the probably cause of the problem.</p>
+<dl>
+<dt>I've enabled authentication, but I can still use all services without 
passing any credentials!</dt>
+<dd>If you've updated the configuration files of a running server or 
management agent, the configuration files are not automatically picked up by 
default. You need to stop the server/management agent, clean its felix-cache 
folder and start it again.</dd>
+<dt>With authentication enabled, how can I test whether the endpoints accept 
my credentials?</dt>
+<dd>In order to test the remote endpoints of ACE, you can use a tool like <a 
href="http://code.google.com/p/rest-client/";>REST client</a>. It allows you to 
enter credentials for any given URL.</dd>
+<dt>After enabling authentication, I do not get any errors after starting the 
ACE server, but it doesn't function correctly!</dt>
+<dd>Is the connection factory properly configured? Are <em>all</em> 
<tt>authentication.type</tt> options correctly set to <tt>basic</tt> and are 
the username/passwords correctly set? Are the configured base URLs not 
overlapping each other (e.g.: <tt>baseURL = http://localhost:8080/</tt> and 
<tt>baseURL = http://localhost:8080/obr</tt>)?</dd>
+<dt>After enabling authentication, the management agent(s) no longer 
functions/I do not see them added in the web UI.</dt>
+<dd>Did you pass the <tt>auth=/path/to/config/file(s)</tt> option to the 
management agent to configure the connection factory? Are those files correctly 
stating the "<tt>authentication.type = basic</tt>", including the username and 
password for the desired URLs? Can you access the URLs mentioned in the 
configuration files with a tool like <a 
href="http://code.google.com/p/rest-client/";>REST client</a>?</dd>
+<dt>I do not want basic HTTP authentication, I want to use (fill in the kind 
of authentication)!</dt>
+<dd>The current implementation is quite simple and basic, but it can be 
extended by means of custom authentication processors.</dd>
+</dl>
+<h2 id="notes">Notes</h2>
+<div class="footnote">
+<hr />
+<ol>
+<li id="fn:1">
+<p>Other communication protocols could be used as well. However, currently, 
only HTTP is natively supported by ACE. For the remainder of this article, 
we'll assume HTTP as protocol.&#160;<a class="footnote-backref" href="#fnref:1" 
rev="footnote" title="Jump back to footnote 1 in the text">&#8617;</a></p>
+</li>
+<li id="fn:2">
+<p>Assuming that all components in the ACE server are trusted and obtained 
from trusted sources. If untrusted components would be allowed, we need to add 
authentication to these communication paths as well.&#160;<a 
class="footnote-backref" href="#fnref:2" rev="footnote" title="Jump back to 
footnote 2 in the text">&#8617;</a></p>
+</li>
+<li id="fn:3">
+<p>It is up to the implementation of <tt>AuthenticationService</tt> whether 
the <em>first</em> found user is returned, or whether it checks if all 
authentication processors yield the <em>same</em> user, or any other strategy 
that is desired.&#160;<a class="footnote-backref" href="#fnref:3" 
rev="footnote" title="Jump back to footnote 3 in the text">&#8617;</a></p>
+</li>
+<li id="fn:4">
+<p>The common prefix of the shown configuration PIDs are abbreviated, so 
"<tt>o.a.a</tt>" stands for "<tt>org.apache.ace</tt>".&#160;<a 
class="footnote-backref" href="#fnref:4" rev="footnote" title="Jump back to 
footnote 4 in the text">&#8617;</a></p>
+</li>
+<li id="fn:5">
+<p>Amongst others, any number of log-endpoints can be defined, at least one is 
needed for the audit log to be synchronized between target and ACE 
server.&#160;<a class="footnote-backref" href="#fnref:5" rev="footnote" 
title="Jump back to footnote 5 in the text">&#8617;</a></p>
+</li>
+<li id="fn:6">
+<p>Note that we're using a configuration dependency for this service. This 
way, the configuration <strong>must</strong> be present before the service 
itself is registered, which allows us to determine if authentication should be 
used or not.&#160;<a class="footnote-backref" href="#fnref:6" rev="footnote" 
title="Jump back to footnote 6 in the text">&#8617;</a></p>
+</li>
+<li id="fn:7">
+<p>Currently, a simple <tt>String#startsWith()</tt> is used to determine 
whether or not a URL matches a configuration. This might change in the future 
when a more sophisticated URL-matching strategy is needed.&#160;<a 
class="footnote-backref" href="#fnref:7" rev="footnote" title="Jump back to 
footnote 7 in the text">&#8617;</a></p>
+</li>
+<li id="fn:8">
+<p>Make sure to clean the <tt>felix-cache</tt> directory before restarting the 
server, otherwise the new configuration files will not be picked up!&#160;<a 
class="footnote-backref" href="#fnref:8" rev="footnote" title="Jump back to 
footnote 8 in the text">&#8617;</a></p>
+</li>
+</ol>
+</div></div>
+      <hr>
+      <footer>
+        <p>Copyright &#169; 2012-2014 <a href="http://www.apache.org/";>The 
Apache Software Foundation</a>, Licensed under the <a 
href="http://www.apache.org/licenses/LICENSE-2.0";>Apache License, Version 
2.0</a>.<br/>Apache ACE, the Apache ACE logo, Apache and the Apache feather 
logo are trademarks of The Apache Software Foundation. All other marks 
mentioned may be trademarks or registered trademarks of their respective 
owners.</p>
+      </footer>
+    </div>
+  </body>
+</html>
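Review bot: In the BundleServlet sample under "Making use of the service configuration", updated() sets m_useAuth = false when settings is null, so removing the servlet's configuration silently switches the authentication check off, although the text calls authentication.enabled a mandatory property. Suggest keeping the previous value (or defaulting to true) in that branch and stating the behaviour in the prose. In the same sample, init() evaluates setRequired(m_useAuth) only once, while authenticate() calls m_authService whenever m_useAuth is true: a later updated() that flips authentication.enabled from false to true leaves the dependency optional, so the AuthenticationService may not be available when the first request arrives. Step 2 of the list above says the dependency should be added when the configuration is updated, so the sample should either do that or say that a restart is required. Finally, footnote 7 states that URL matching is a plain String#startsWith(), and the troubleshooting entry shows "baseURL = http://localhost:8080/obr" without a trailing slash; it would help to document that a baseURL should end with "/", since a prefix without one also matches any longer path beginning with the same characters and the basic credentials would be attached to those connections as well.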

