Modified: 
karaf/site/production/manual/latest/developers-guide/security-framework.html
URL: 
http://svn.apache.org/viewvc/karaf/site/production/manual/latest/developers-guide/security-framework.html?rev=1688715&r1=1688714&r2=1688715&view=diff
==============================================================================
--- 
karaf/site/production/manual/latest/developers-guide/security-framework.html 
(original)
+++ 
karaf/site/production/manual/latest/developers-guide/security-framework.html 
Wed Jul  1 19:43:35 2015
@@ -8,7 +8,7 @@
     <link href="../css/style.css" rel="stylesheet" type="text/css"/>
     <link href="../css/pygmentize.css" rel="stylesheet" type="text/css"/>
     <title>
-      Apache Karaf 3.0.3-SNAPSHOT Guides
+      Apache Karaf 4.0.1-SNAPSHOT Guides
     </title>
   </head>
   <body>
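Review bot: the title bump to `Apache Karaf 4.0.1-SNAPSHOT Guides` publishes a SNAPSHOT version string under the `manual/latest` path; if `latest` is meant to mirror the current release, generate this page from the release tag so the published title does not advertise an unreleased build, or otherwise document that this path tracks trunk.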
@@ -101,12 +101,12 @@
               </td>
               <td height="100%" width="100%">
                 <div class="wiki-content">
-<h1 id="Securityframework">Security framework</h1><p>Karaf supports <a 
href="http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html";>JAAS</a>
 with some enhancements to allow JAAS to work nicely in an OSGi environment.  
This framework also features an OSGi keystore manager with the ability to 
deploy new keystores or truststores at runtime.  </p><h2 
id="Overview">Overview</h2><p>This feature allows runtime deployment of JAAS 
based configuration for use in various parts of the application. 
This<br/>includes the remote console login, which uses the <tt>karaf</tt> 
realm, but which is configured with a dummy login module<br/>by default. These 
realms can also be used by the NMR, JBI components or the JMX server to 
authenticate users logging in<br/>or sending messages into the bus.</p><p>In 
addition to JAAS realms, you can also deploy keystores and truststores to 
secure the remote shell console, setting up HTTPS connectors or using 
certificates for WS-Secu
 rity.</p><p>A very simple XML schema for spring has been defined, allowing the 
deployment of a new realm or a new keystore very easily.</p><h2 
id="Schema">Schema</h2><p>To override or deploy a new realm, you can use the 
following XSD which is supported by a Spring namespace handler and can thus be 
defined in a Spring xml configuration file.</p><p>Following is the XML Schema 
to use when defining Karaf realms:</p><div class="syntax"><div 
class="highlight"><pre><span class="cp">&lt;?xml version=&quot;1.0&quot; 
encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="c">&lt;!--</span>&#x000A;&#x000A;<span class="c">    Licensed to the 
Apache Software Foundation (ASF) under one or more</span>&#x000A;<span 
class="c">    contributor license agreements.  See the NOTICE file distributed 
with</span>&#x000A;<span class="c">    this work for additional information 
regarding copyright ownership.</span>&#x000A;<span class="c">    The ASF 
licenses this file to You under the Apache License, Versi
 on 2.0</span>&#x000A;<span class="c">    (the &quot;License&quot;); you may 
not use this file except in compliance with</span>&#x000A;<span class="c">    
the License.  You may obtain a copy of the License 
at</span>&#x000A;&#x000A;<span class="c">       
http://www.apache.org/licenses/LICENSE-2.0</span>&#x000A;&#x000A;<span 
class="c">    Unless required by applicable law or agreed to in writing, 
software</span>&#x000A;<span class="c">    distributed under the License is 
distributed on an &quot;AS IS&quot; BASIS,</span>&#x000A;<span class="c">    
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.</span>&#x000A;<span class="c">    See the License for the specific 
language governing permissions and</span>&#x000A;<span class="c">    
limitations under the License.</span>&#x000A;&#x000A;<span 
class="c">--&gt;</span>&#x000A;<span class="nt">&lt;xs:schema</span> <span 
class="na">elementFormDefault=</span><span 
class="s">&#39;qualified&#39;</span>&#x000A;           <span 
 class="na">targetNamespace=</span><span 
class="s">&#39;http://karaf.apache.org/xmlns/jaas/v1.1.0&#39;</span>&#x000A;    
       <span class="na">xmlns:xs=</span><span 
class="s">&#39;http://www.w3.org/2001/XMLSchema&#39;</span>&#x000A;           
<span class="na">xmlns:bp=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:tns=</span><span 
class="s">&#39;http://karaf.apache.org/xmlns/jaas/v1.1.0&#39;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span class="nt">&lt;xs:import</span> 
<span class="na">namespace=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span><span 
class="nt">/&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;xs:element</span> <span class="na">name=</span><span 
class="s">&quot;config&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;xs:complexType&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:sequence&gt;</span>&#x000A;
                 <span class="nt">&lt;xs:element</span> <span 
class="na">name=</span><span class="s">&quot;module&quot;</span> <span 
class="na">minOccurs=</span><span class="s">&quot;0&quot;</span> <span 
class="na">maxOccurs=</span><span class="s">&quot;unbounded&quot;</span><span 
class="nt">&gt;</span>&#x000A;                    <span 
class="nt">&lt;xs:complexType</span> <span class="na">mixed=</span><span 
class="s">&quot;true&quot;</span><span class="nt">&gt;</span>&#x000A;           
             <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;name&quot;</span> <span 
class="na">use=</span><span class="s">&quot;optional&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                        <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;className&quot;</span> <span class="na">use=</span><span 
class="s">&quot;required&quot
 ;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
                   <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;flags&quot;</span> <span 
class="na">default=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;                            <span 
class="nt">&lt;xs:simpleType&gt;</span>&#x000A;                                
<span class="nt">&lt;xs:restriction</span> <span class="na">base=</span><span 
class="s">&quot;xs:NMTOKEN&quot;</span><span class="nt">&gt;</span>&#x000A;     
                               <span class="nt">&lt;xs:enumeration</span> <span 
class="na">value=</span><span class="s">&quot;required&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                                    <span 
class="nt">&lt;xs:enumeration</span> <span class="na">value=</span><span 
class="s">&quot;requisite&quot;</span><span class="nt">/&gt;</
 span>&#x000A;                                    <span 
class="nt">&lt;xs:enumeration</span> <span class="na">value=</span><span 
class="s">&quot;sufficient&quot;</span><span class="nt">/&gt;</span>&#x000A;    
                                <span class="nt">&lt;xs:enumeration</span> 
<span class="na">value=</span><span class="s">&quot;optional&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                                <span 
class="nt">&lt;/xs:restriction&gt;</span>&#x000A;                            
<span class="nt">&lt;/xs:simpleType&gt;</span>&#x000A;                        
<span class="nt">&lt;/xs:attribute&gt;</span>&#x000A;                    <span 
class="nt">&lt;/xs:complexType&gt;</span>&#x000A;                <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;            <span 
class="nt">&lt;/xs:sequence&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;name&quot;</span> <span class="na">use=</span><s
 pan class="s">&quot;required&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
       <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;rank&quot;</span> <span 
class="na">use=</span><span class="s">&quot;optional&quot;</span> <span 
class="na">default=</span><span class="s">&quot;0&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:int&quot;</span><span 
class="nt">/&gt;</span>&#x000A;        <span 
class="nt">&lt;/xs:complexType&gt;</span>&#x000A;    <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;xs:element</span> <span class="na">name=</span><span 
class="s">&quot;keystore&quot;</span><span class="nt">&gt;</span>&#x000A;       
 <span class="nt">&lt;xs:complexType&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;name&quot;</span> <span class="n
 a">use=</span><span class="s">&quot;required&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;rank&quot;</span> <span class="na">use=</span><span 
class="s">&quot;optional&quot;</span> <span class="na">default=</span><span 
class="s">&quot;0&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:int&quot;</span><span class="nt">/&gt;</span>&#x000A;        
    <span class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;path&quot;</span> <span class="na">use=</span><span 
class="s">&quot;required&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
       <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;keystorePassword&quot;</span> 
<span class="na">use=
 </span><span class="s">&quot;optional&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;keyPasswords&quot;</span> <span class="na">use=</span><span 
class="s">&quot;optional&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
   <span class="nt">&lt;/xs:complexType&gt;</span>&#x000A;    <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/xs:schema&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>You 
can find the schema at the following <a 
href="http://karaf.apache.org/xmlns/jaas/v1.1.0";>location</a>.</p><p>Here are 
two examples using this schema:</p><div class="syntax"><div 
class="highlight"><pre><span class="cp">&lt;?xml version=&quot;1.0&quot; 
encoding=&quot;UTF-8&quot;?&gt;</span> &#x000A;<span class="nt">
 &lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.0.0&quot;</span>&#x000A;  
         <span class="na">xmlns:ext=</span><span 
class="s">&quot;http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0&quot;</span><span
 class="nt">&gt;</span>&#x000A;&#x000A;    <span class="c">&lt;!-- Bean to 
allow the $[karaf.base] property to be correctly resolved --&gt;</span>&#x000A; 
   <span class="nt">&lt;ext:property-placeholder</span> <span 
class="na">placeholder-prefix=</span><span class="s">&quot;$[&quot;</span> 
<span class="na">placeholder-suffix=</span><span 
class="s">&quot;]&quot;</span><span class="nt">/&gt;</span>&#x000A;&#x000A;    
<span class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;myrealm&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class
 ="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>
 &#x000A;                     <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
     users = $[karaf.base]/etc/users.properties&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><div 
class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;jaas:keystore</span> <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span>&#x000A;  
             <span class="na">name=</span><span 
class="s">&quot;ks&quot;</span>&#x000A;               <span 
class="na">rank=</span><span class="s">&quot;1&quot;</span>&#x000A;             
  <span class="na">path=</span><span 
 class="s">&quot;classpath:privatestore.jks&quot;</span>&#x000A;               
<span class="na">keystorePassword=</span><span 
class="s">&quot;keyStorePassword&quot;</span>&#x000A;               <span 
class="na">keyPasswords=</span><span 
class="s">&quot;myalias=myAliasPassword&quot;</span><span 
class="nt">&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:keystore&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The
 <tt>id</tt> attribute is the blueprint id of the bean, but it will be used by 
default as the name of the realm if no<br/><tt>name</tt> attribute is 
specified. Additional attributes on the <tt>config</tt> elements are a 
<tt>rank</tt>, which is an integer.<br/>When the LoginContext looks for a realm 
for authenticating a given user, the realms registered in the OSGi registry 
are<br/>matched against the required name. If more than one realm is found, the 
one with the highest rank will be used, thus<br/>allowing the override of some 
realms with new values.  The last attribute is <tt>p
 ublish</tt> which can be set to false to<br/>not publish the realm in the OSGi 
registry, thereby disabling the use of this realm.</p><p>Each realm can contain 
one or more module definitions. Each module identifies a LoginModule and the 
<tt>className</tt><br/>attribute must be set to the class name of the login 
module to use. Note that this login module must be available from<br/>the 
bundle classloader, so either it has to be defined in the bundle itself, or the 
needed package needs to be correctly<br/>imported. The <tt>flags</tt> attribute 
can take one of four values that are explained on the <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/ProxyLoginModule.java";>JAAS
 documentation</a>.<br/>The content of the <tt>module</tt> element is parsed as 
a properties file and will be used to further configure the login 
module.</p><p>Deploying such a code will lead to a <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-
 
2.0.0/jaas/config/src/main/java/org/apache/karaf/jaas/config/JaasRealm.java">JaasRealm</a>
 object in the OSGi registry, which will then be used when using the JAAS login 
module.</p><h3 id="Configurationoverrideanduseoftherankattribute">Configuration 
override and use of the <tt>rank</tt> attribute</h3><p>The <tt>rank</tt> 
attribute on the <tt>config</tt> element is tied to the ranking of the 
underlying OSGi service.  When the JAAS<br/>framework performs an 
authentication, it will use the realm name to find a matching JAAS 
configuration.  If multiple<br/>configurations are used, the one with the 
highest <tt>rank</tt> attribute will be used.<br/>So if you want to override 
the default security configuration in Karaf (which is used by the ssh shell, 
web console and<br/>JMX layer), you need to deploy a JAAS configuration with 
the name <tt>name="karaf"</tt> and <tt>rank="1"</tt>.</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&
 quot;UTF-8&quot;?&gt;</span>&#x000A;<span class="nt">&lt;blueprint</span> 
<span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span>&#x000A;  
         <span class="na">xmlns:ext=</span><span 
class="s">&quot;http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0&quot;</span><span
 class="nt">&gt;</span>&#x000A;&#x000A;    <span class="c">&lt;!-- Bean to 
allow the $[karaf.base] property to be correctly resolved --&gt;</span>&#x000A; 
   <span class="nt">&lt;ext:property-placeholder</span> <span 
class="na">placeholder-prefix=</span><span class="s">&quot;$[&quot;</span> 
<span class="na">placeholder-suffix=</span><span 
class="s">&quot;]&quot;</span><span class="nt">/&gt;</span>&#x000A;&#x000A;    
<span class="nt">&lt;type-converters&gt;</span>&#x000A;        <span 
class="nt">&lt;bean</span> <span class="na">
 class=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesConverter&quot;</span><span
 class="nt">/&gt;</span>&#x000A;    <span 
class="nt">&lt;/type-converters&gt;</span> &#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span> <span class="na">rank=</span><span 
class="s">&quot;1&quot;</span><span class="nt">&gt;</span>&#x000A;        <span 
class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>&#x000A;
                     <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
     users = $[karaf.base]/etc/users.properties&#x000A;            ...&#x000A;  
      <span class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>
 &#x000A;</pre></div>&#x000A;</div><h2 
id="Architecture">Architecture</h2><p>Due to constraints in the JAAS 
specification, one class has to be available for all bundles.<br/>This class is 
called <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/ProxyLoginModule.java";>ProxyLoginModule</a>
 and is a LoginModule that acts as a proxy for an OSGi defines LoginModule.  If 
you plan to integrate this feature into another OSGi runtime, this class must 
be made available from the system classloader and the related package be part 
of the boot delegation classpath (or be deployed as a fragment attached to the 
system bundle).</p><p>The xml schema defined above allows the use of a simple 
xml (leveraging spring xml extensibility) to configure and<br/>register a JAAS 
configuration for a given realm.  This configuration will be made available 
into the OSGi registry as a<br/><a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/j
 
aas/config/src/main/java/org/apache/karaf/jaas/config/JaasRealm.java">JaasRealm</a>
 and the OSGi specific Configuration will look for such services.<br/>Then the 
proxy login module will be able to use the information provided by the realm to 
actually load the class from<br/>the bundle containing the real login 
module.</p><p>Karaf itself provides a set of login modules ready to use, 
depending of the authentication backend that you need.</p><p>In addition of the 
login modules, Karaf also support backend engine. The backend engine is coupled 
to a login module and<br/>allows you to manipulate users and roles directly 
from Karaf (adding a new user, delete an existing user, etc).<br/>The backend 
engine is constructed by a backend engine factory, registered as an OSGi 
service.<br/>Some login modules (for security reason for instance) don't 
provide backend engine.</p><h2 id="Availablerealmandloginmodules">Available 
realm and login modules</h2><p>Karaf comes with a default realm named "karaf
 " using login modules.</p><p>Karaf also provides a set of login modules and 
backend engines to handle authentication needs for your environment.</p><h3 
id="PropertiesLoginModule">PropertiesLoginModule</h3><div 
class="table-wrap"><table class="confluenceTable"><tr><td class="confluenceTd"> 
LoginModule           </td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.properties.PropertiesLoginModule            
</td></tr><tr><td class="confluenceTd"> BackendEngineFactory  </td><td 
class="confluenceTd"> 
org.apache.karaf.jaas.modules.properties.PropertiesBackendEngineFactory   
</td></tr></table></div><p>This login module is the one configured by default. 
It uses a properties text file to load the users, passwords and roles.</p><div 
class="table-wrap"><table class="confluenceTable"><tr><th class="confluenceTh"> 
Name             </th><th class="confluenceTh"> Description </th></tr><tr><td 
class="confluenceTd"> <tt>users</tt>          </td><td class="confluenceTd"> 
location of the prop
 erties file </td></tr></table></div><p>This file uses the <a 
href="http://download.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">properties
 file format</a>.<br/>The format of the properties is as follows, with each 
line defining a user, its password and associated roles:</p><pre>
+<h1 id="Securityframework">Security framework</h1><p>Karaf supports <a 
href="http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html";>JAAS</a>
 with some enhancements to allow JAAS to work nicely in an OSGi environment.  
This framework also features an OSGi keystore manager with the ability to 
deploy new keystores or truststores at runtime.  </p><h2 
id="Overview">Overview</h2><p>This feature allows runtime deployment of JAAS 
based configuration for use in various parts of the application. 
This<br/>includes the remote console login, which uses the <tt>karaf</tt> 
realm, but which is configured with a dummy login module<br/>by default. These 
realms can also be used by the NMR, JBI components or the JMX server to 
authenticate users logging in<br/>or sending messages into the bus.</p><p>In 
addition to JAAS realms, you can also deploy keystores and truststores to 
secure the remote shell console, setting up HTTPS connectors or using 
certificates for WS-Secu
 rity.</p><p>A very simple XML schema for spring has been defined, allowing the 
deployment of a new realm or a new keystore very easily.</p><h2 
id="Schema">Schema</h2><p>To override or deploy a new realm, you can use the 
following XSD which is supported by a Spring namespace handler and can thus be 
defined in a Spring xml configuration file.</p><p>Following is the XML Schema 
to use when defining Karaf realms:</p><div class="syntax"><div 
class="highlight"><pre><span class="cp">&lt;?xml version=&quot;1.0&quot; 
encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="c">&lt;!--</span>&#x000A;&#x000A;<span class="c">    Licensed to the 
Apache Software Foundation (ASF) under one or more</span>&#x000A;<span 
class="c">    contributor license agreements.  See the NOTICE file distributed 
with</span>&#x000A;<span class="c">    this work for additional information 
regarding copyright ownership.</span>&#x000A;<span class="c">    The ASF 
licenses this file to You under the Apache License, Versi
 on 2.0</span>&#x000A;<span class="c">    (the &quot;License&quot;); you may 
not use this file except in compliance with</span>&#x000A;<span class="c">    
the License.  You may obtain a copy of the License 
at</span>&#x000A;&#x000A;<span class="c">       
http://www.apache.org/licenses/LICENSE-2.0</span>&#x000A;&#x000A;<span 
class="c">    Unless required by applicable law or agreed to in writing, 
software</span>&#x000A;<span class="c">    distributed under the License is 
distributed on an &quot;AS IS&quot; BASIS,</span>&#x000A;<span class="c">    
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.</span>&#x000A;<span class="c">    See the License for the specific 
language governing permissions and</span>&#x000A;<span class="c">    
limitations under the License.</span>&#x000A;&#x000A;<span 
class="c">--&gt;</span>&#x000A;<span class="nt">&lt;xs:schema</span> <span 
class="na">elementFormDefault=</span><span 
class="s">&#39;qualified&#39;</span>&#x000A;           <span 
 class="na">targetNamespace=</span><span 
class="s">&#39;http://karaf.apache.org/xmlns/jaas/v1.1.0&#39;</span>&#x000A;    
       <span class="na">xmlns:xs=</span><span 
class="s">&#39;http://www.w3.org/2001/XMLSchema&#39;</span>&#x000A;           
<span class="na">xmlns:bp=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:tns=</span><span 
class="s">&#39;http://karaf.apache.org/xmlns/jaas/v1.1.0&#39;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span class="nt">&lt;xs:import</span> 
<span class="na">namespace=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span><span 
class="nt">/&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;xs:element</span> <span class="na">name=</span><span 
class="s">&quot;config&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;xs:complexType&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:sequence&gt;</span>&#x000A;
                 <span class="nt">&lt;xs:element</span> <span 
class="na">name=</span><span class="s">&quot;module&quot;</span> <span 
class="na">minOccurs=</span><span class="s">&quot;0&quot;</span> <span 
class="na">maxOccurs=</span><span class="s">&quot;unbounded&quot;</span><span 
class="nt">&gt;</span>&#x000A;                    <span 
class="nt">&lt;xs:complexType</span> <span class="na">mixed=</span><span 
class="s">&quot;true&quot;</span><span class="nt">&gt;</span>&#x000A;           
             <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;name&quot;</span> <span 
class="na">use=</span><span class="s">&quot;optional&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                        <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;className&quot;</span> <span class="na">use=</span><span 
class="s">&quot;required&quot
 ;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
                   <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;flags&quot;</span> <span 
class="na">default=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;                            <span 
class="nt">&lt;xs:simpleType&gt;</span>&#x000A;                                
<span class="nt">&lt;xs:restriction</span> <span class="na">base=</span><span 
class="s">&quot;xs:NMTOKEN&quot;</span><span class="nt">&gt;</span>&#x000A;     
                               <span class="nt">&lt;xs:enumeration</span> <span 
class="na">value=</span><span class="s">&quot;required&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                                    <span 
class="nt">&lt;xs:enumeration</span> <span class="na">value=</span><span 
class="s">&quot;requisite&quot;</span><span class="nt">/&gt;</
 span>&#x000A;                                    <span 
class="nt">&lt;xs:enumeration</span> <span class="na">value=</span><span 
class="s">&quot;sufficient&quot;</span><span class="nt">/&gt;</span>&#x000A;    
                                <span class="nt">&lt;xs:enumeration</span> 
<span class="na">value=</span><span class="s">&quot;optional&quot;</span><span 
class="nt">/&gt;</span>&#x000A;                                <span 
class="nt">&lt;/xs:restriction&gt;</span>&#x000A;                            
<span class="nt">&lt;/xs:simpleType&gt;</span>&#x000A;                        
<span class="nt">&lt;/xs:attribute&gt;</span>&#x000A;                    <span 
class="nt">&lt;/xs:complexType&gt;</span>&#x000A;                <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;            <span 
class="nt">&lt;/xs:sequence&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;name&quot;</span> <span class="na">use=</span><s
 pan class="s">&quot;required&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
       <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;rank&quot;</span> <span 
class="na">use=</span><span class="s">&quot;optional&quot;</span> <span 
class="na">default=</span><span class="s">&quot;0&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:int&quot;</span><span 
class="nt">/&gt;</span>&#x000A;        <span 
class="nt">&lt;/xs:complexType&gt;</span>&#x000A;    <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;xs:element</span> <span class="na">name=</span><span 
class="s">&quot;keystore&quot;</span><span class="nt">&gt;</span>&#x000A;       
 <span class="nt">&lt;xs:complexType&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;name&quot;</span> <span class="n
 a">use=</span><span class="s">&quot;required&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;rank&quot;</span> <span class="na">use=</span><span 
class="s">&quot;optional&quot;</span> <span class="na">default=</span><span 
class="s">&quot;0&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:int&quot;</span><span class="nt">/&gt;</span>&#x000A;        
    <span class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;path&quot;</span> <span class="na">use=</span><span 
class="s">&quot;required&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
       <span class="nt">&lt;xs:attribute</span> <span 
class="na">name=</span><span class="s">&quot;keystorePassword&quot;</span> 
<span class="na">use=
 </span><span class="s">&quot;optional&quot;</span> <span 
class="na">type=</span><span class="s">&quot;xs:string&quot;</span><span 
class="nt">/&gt;</span>&#x000A;            <span 
class="nt">&lt;xs:attribute</span> <span class="na">name=</span><span 
class="s">&quot;keyPasswords&quot;</span> <span class="na">use=</span><span 
class="s">&quot;optional&quot;</span> <span class="na">type=</span><span 
class="s">&quot;xs:string&quot;</span><span class="nt">/&gt;</span>&#x000A;     
   <span class="nt">&lt;/xs:complexType&gt;</span>&#x000A;    <span 
class="nt">&lt;/xs:element&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/xs:schema&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>You 
can find the schema at the following <a 
href="http://karaf.apache.org/xmlns/jaas/v1.1.0";>location</a>.</p><p>Here are 
two examples using this schema:</p><div class="syntax"><div 
class="highlight"><pre><span class="cp">&lt;?xml version=&quot;1.0&quot; 
encoding=&quot;UTF-8&quot;?&gt;</span> &#x000A;<span class="nt">
 &lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.0.0&quot;</span>&#x000A;  
         <span class="na">xmlns:ext=</span><span 
class="s">&quot;http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0&quot;</span><span
 class="nt">&gt;</span>&#x000A;&#x000A;    <span class="c">&lt;!-- Bean to 
allow the $[karaf.base] property to be correctly resolved --&gt;</span>&#x000A; 
   <span class="nt">&lt;ext:property-placeholder</span> <span 
class="na">placeholder-prefix=</span><span class="s">&quot;$[&quot;</span> 
<span class="na">placeholder-suffix=</span><span 
class="s">&quot;]&quot;</span><span class="nt">/&gt;</span>&#x000A;&#x000A;    
<span class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;myrealm&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class
 ="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>
 &#x000A;                     <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
     users = $[karaf.base]/etc/users.properties&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><div 
class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;jaas:keystore</span> <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span>&#x000A;  
             <span class="na">name=</span><span 
class="s">&quot;ks&quot;</span>&#x000A;               <span 
class="na">rank=</span><span class="s">&quot;1&quot;</span>&#x000A;             
  <span class="na">path=</span><span 
 class="s">&quot;classpath:privatestore.jks&quot;</span>&#x000A;               
<span class="na">keystorePassword=</span><span 
class="s">&quot;keyStorePassword&quot;</span>&#x000A;               <span 
class="na">keyPasswords=</span><span 
class="s">&quot;myalias=myAliasPassword&quot;</span><span 
class="nt">&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:keystore&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The
 <tt>id</tt> attribute is the blueprint id of the bean, but it will be used by 
default as the name of the realm if no<br/><tt>name</tt> attribute is 
specified. Additional attributes on the <tt>config</tt> elements are a 
<tt>rank</tt>, which is an integer.<br/>When the LoginContext looks for a realm 
for authenticating a given user, the realms registered in the OSGi registry 
are<br/>matched against the required name. If more than one realm is found, the 
one with the highest rank will be used, thus<br/>allowing the override of some 
realms with new values.  The last attribute is <tt>p
 ublish</tt> which can be set to false to<br/>not publish the realm in the OSGi 
registry, thereby disabling the use of this realm.</p><p>Each realm can contain 
one or more module definitions. Each module identifies a LoginModule and the 
<tt>className</tt><br/>attribute must be set to the class name of the login 
module to use. Note that this login module must be available from<br/>the 
bundle classloader, so either it has to be defined in the bundle itself, or the 
needed package needs to be correctly<br/>imported. The <tt>flags</tt> attribute 
can take one of four values that are explained on the <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/ProxyLoginModule.java";>JAAS
 documentation</a>.<br/>The content of the <tt>module</tt> element is parsed as 
a properties file and will be used to further configure the login 
module.</p><p>Deploying such a code will lead to a <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-
 
2.0.0/jaas/config/src/main/java/org/apache/karaf/jaas/config/JaasRealm.java">JaasRealm</a>
 object in the OSGi registry, which will then be used when using the JAAS login 
module.</p><h3 id="Configurationoverrideanduseoftherankattribute">Configuration 
override and use of the <tt>rank</tt> attribute</h3><p>The <tt>rank</tt> 
attribute on the <tt>config</tt> element is tied to the ranking of the 
underlying OSGi service.  When the JAAS<br/>framework performs an 
authentication, it will use the realm name to find a matching JAAS 
configuration.  If multiple<br/>configurations are used, the one with the 
highest <tt>rank</tt> attribute will be used.<br/>So if you want to override 
the default security configuration in Karaf (which is used by the ssh shell, 
web console and<br/>JMX layer), you need to deploy a JAAS configuration with 
the name <tt>name="karaf"</tt> and <tt>rank="1"</tt>.</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&
 quot;UTF-8&quot;?&gt;</span>&#x000A;<span class="nt">&lt;blueprint</span> 
<span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span>&#x000A;  
         <span class="na">xmlns:ext=</span><span 
class="s">&quot;http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0&quot;</span><span
 class="nt">&gt;</span>&#x000A;&#x000A;    <span class="c">&lt;!-- Bean to 
allow the $[karaf.base] property to be correctly resolved --&gt;</span>&#x000A; 
   <span class="nt">&lt;ext:property-placeholder</span> <span 
class="na">placeholder-prefix=</span><span class="s">&quot;$[&quot;</span> 
<span class="na">placeholder-suffix=</span><span 
class="s">&quot;]&quot;</span><span class="nt">/&gt;</span>&#x000A;&#x000A;    
<span class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span> <sp
 an class="na">rank=</span><span class="s">&quot;1&quot;</span><span 
class="nt">&gt;</span>&#x000A;        <span class="nt">&lt;jaas:module</span> 
<span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>&#x000A;
                     <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
     users = $[karaf.base]/etc/users.properties&#x000A;            ...&#x000A;  
      <span class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><h2 
id="Architecture">Architecture</h2><p>Due to constraints in the JAAS 
specification, one class has to be available for all bundles.<br/>This class is 
called <a 
href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/ProxyLoginModule.java";
 >ProxyLoginModule</a> and is a LoginModule that acts as a proxy for an OSGi 
 >defines LoginModule.  If you plan to integrate this feature into another OSGi 
 >runtime, this class must be made available from the system classloader and 
 >the related package be part of the boot delegation classpath (or be deployed 
 >as a fragment attached to the system bundle).</p><p>The xml schema defined 
 >above allows the use of a simple xml (leveraging spring xml extensibility) to 
 >configure and<br/>register a JAAS configuration for a given realm.  This 
 >configuration will be made available into the OSGi registry as a<br/><a 
 >href="http://svn.apache.org/repos/asf/karaf/tags/karaf-2.0.0/jaas/config/src/main/java/org/apache/karaf/jaas/config/JaasRealm.java";>JaasRealm</a>
 > and the OSGi specific Configuration will look for such services.<br/>Then 
 >the proxy login module will be able to use the information provided by the 
 >realm to actually load the class from<br/>the bundle containing the real 
 >login module.</p><p>Karaf
  itself provides a set of login modules ready to use, depending of the 
authentication backend that you need.</p><p>In addition of the login modules, 
Karaf also support backend engine. The backend engine is coupled to a login 
module and<br/>allows you to manipulate users and roles directly from Karaf 
(adding a new user, delete an existing user, etc).<br/>The backend engine is 
constructed by a backend engine factory, registered as an OSGi 
service.<br/>Some login modules (for security reason for instance) don't 
provide backend engine.</p><h2 id="Availablerealmandloginmodules">Available 
realm and login modules</h2><p>Karaf comes with a default realm named "karaf" 
using login modules.</p><p>Karaf also provides a set of login modules and 
backend engines to handle authentication needs for your environment.</p><h3 
id="PropertiesLoginModule">PropertiesLoginModule</h3><div 
class="table-wrap"><table class="confluenceTable"><tr><td class="confluenceTd"> 
LoginModule           </td><td class="con
 fluenceTd"> org.apache.karaf.jaas.modules.properties.PropertiesLoginModule     
       </td></tr><tr><td class="confluenceTd"> BackendEngineFactory  </td><td 
class="confluenceTd"> 
org.apache.karaf.jaas.modules.properties.PropertiesBackendEngineFactory   
</td></tr></table></div><p>This login module is the one configured by default. 
It uses a properties text file to load the users, passwords and roles.</p><div 
class="table-wrap"><table class="confluenceTable"><tr><th class="confluenceTh"> 
Name             </th><th class="confluenceTh"> Description </th></tr><tr><td 
class="confluenceTd"> <tt>users</tt>          </td><td class="confluenceTd"> 
location of the properties file </td></tr></table></div><p>This file uses the 
<a 
href="http://download.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">properties
 file format</a>.<br/>The format of the properties is as follows, with each 
line defining a user, its password and associated roles:</p><pre>
 user=password[,role][,role]...
 </pre><div class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span><span class="nt">&gt;</span>&#x000A;    <span 
class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>
 &#x000A;                 <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
 users = ${karaf.etc}/users.properties&#x000A;    <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The 
PropertiesLoginModule provides a backend engine allowing:</p><ul><li>add a new 
user</li><li>delete an existing user</li><li>list the users, groups, and 
roles</li><li>add a new role to an user</li><li>delete a role from an 
user</li><li>add an user into a group</li><li>remove an user from a grou
 p</li><li>add a role to a group</li><li>delete a role from a 
group</li></ul><p>To enable the backend engine, you have to register the 
corresponding OSGi service. For instance, the following blueprint<br/>shows how 
to register the PropertiesLoginModule and the corresponding backend 
engine:</p><div class="syntax"><div class="highlight"><pre><span 
class="cp">&lt;?xml version=&quot;1.0&quot; 
encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="nt">&lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span>&#x000A;  
         <span class="na">xmlns:ext=</span><span 
class="s">&quot;http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0&quot;</span><span
 class="nt">&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quo
 t;karaf&quot;</span> <span class="na">rank=</span><span 
class="s">&quot;-1&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesLoginModule&quot;</span>&#x000A;
                     <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
     users = ${karaf.etc}/users.properties&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;service</span> <span class="na">interface=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.BackingEngineFactory&quot;</span><span
 class="nt">&gt;</span>&#x000A;        <span class="nt">&lt;bean</span> <span 
class="na">class=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory&quot;</span><spa
 n class="nt">/&gt;</span>&#x000A;    <span 
class="nt">&lt;/service&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><h3 
id="OsgiConfigLoginModule">OsgiConfigLoginModule</h3><div 
class="table-wrap"><table class="confluenceTable"><tr><td class="confluenceTd"> 
LoginModule           </td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule  </td></tr><tr><td 
class="confluenceTd"> BackendEngineFactory  </td><td class="confluenceTd"> N/A  
                                                     
</td></tr></table></div><p>The OsgiConfigLoginModule uses the OSGi 
ConfigurationAdmin service to provide the users, passwords and roles.</p><div 
class="table-wrap"><table class="confluenceTable"><tr><th class="confluenceTh"> 
Name           </th><th class="confluenceTh"> Description </th></tr><tr><td 
class="confluenceTd"> <tt>pid</tt>          </td><td class="confluenceTd"> the 
PID of the configuration containing user def
 initions </td></tr></table></div><p>The format of the configuration is the 
same than for the <tt>PropertiesLoginModule</tt> with properties prefixed with 
<tt>user.</tt>.</p><p>For instance, in the Karaf etc folder, we create a file 
<tt>org.apache.karaf.authentication.cfg</tt> containing:</p><pre>
 user.karaf=karaf,admin
 user.user=password,role
-</pre><p>The following blueprint shows how to use this configuration:</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="nt">&lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span> <span class="na">rank=</span><span 
class="s">&quot;-1&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule&quot;</span>&#x000A;
                     <span class="na">flags=</span><span class="
 s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;            
pid = org.apache.karaf.authentication&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>NB: 
the OsgiConfigLoginModule doesn't provide a backend engine.</p><h3 
id="JDBCLoginModule">JDBCLoginModule</h3><div class="table-wrap"><table 
class="confluenceTable"><tr><td class="confluenceTd"> LoginModule           
</td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule            </td></tr><tr><td 
class="confluenceTd"> BackendEngineFactory  </td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.jdbc.JDBCBackendEngineFactory   
</td></tr></table></div><p>The JDBCLoginModule uses a database to load the 
users, passwords and roles from a provided data source <em>(normal or 
XA)</em>.<br/>The data source and the queries for password 
 and role retrieval are configurable using the following parameters.</p><div 
class="table-wrap"><table class="confluenceTable"><tr><th class="confluenceTh"> 
Name                   </th><th class="confluenceTh"> Description 
</th></tr><tr><td class="confluenceTd"> <tt>datasource</tt>           </td><td 
class="confluenceTd"> The datasource as on OSGi ldap filter or as JDNI 
name</td></tr><tr><td class="confluenceTd"> <tt>query.password</tt>       
</td><td class="confluenceTd"> The SQL query that retries the password of the 
user </td></tr><tr><td class="confluenceTd"> <tt>query.role</tt>           
</td><td class="confluenceTd"> The SQL query that retries the roles of the user 
</td></tr></table></div><p><u>Passing a data source as an OSGi ldap 
filter</u></p><p>To use an OSGi ldap filter, the prefix osgi: needs to be 
provided, as shown below:</p><div class="syntax"><div 
class="highlight"><pre><span class="nt">&lt;jaas:config</span> <span 
class="na">name=</span><span class="s">&quot;karaf&qu
 ot;</span><span class="nt">&gt;</span>&#x000A;    <span 
class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span> 
&#x000A;                 <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
 datasource = 
osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;        
query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?&#x000A;        
query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?&#x000A;    <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p><u>Passing
 a data source as a JNDI name</u></p><p>To use an JNDI name, the prefix jndi: 
needs to be provided. The example below assumes the use of Aries jndi to 
expose<br/>services via JNDI.</p><div class="syntax"><div 
class="highlight"><pre><span class="nt">&lt;jaas:config</span
 > <span class="na">name=</span><span class="s">&quot;karaf&quot;</span><span 
 > class="nt">&gt;</span>&#x000A;    <span class="nt">&lt;jaas:module</span> 
 > <span class="na">className=</span><span 
 > class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span>
 >  &#x000A;                 <span class="na">flags=</span><span 
 > class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;    
 >     datasource = 
 > jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;
 >         query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?&#x000A; 
 >        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?&#x000A;    <span 
 > class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
 > class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The
 >  JDBCLoginModule provides a backend engine allowing:</p><ul><li>add a new 
 > user</li><li>delete an user</li><li>list users, roles</li><li>add a new role 
 > to an user</li><li>remove a role from an user</li>
 </ul><p>NB: the groups are not fully supported by the 
JDBCBackingEngine.</p><p>The following blueprint shows how to define the 
JDBCLoginModule with the corresponding backend engine:</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="nt">&lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span>&#x000A;
                 <span cl
 ass="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;            datasource = 
jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;
            query.password = SELECT PASSWORD FROM USERS WHERE 
USERNAME=?&#x000A;            query.role = SELECT ROLE FROM ROLES WHERE 
USERNAME=?&#x000A;            insert.user = INSERT INTO 
USERS(USERNAME,PASSWORD) VALUES(?,?)&#x000A;            insert.role = INSERT 
INTO ROLES(ROLE,USERNAME) VALUES(?,?)&#x000A;            delete.user = DELETE 
FROM USERS WHERE USERNAME=?&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;service</span> <span class="na">interface=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.BackingEngineFactory&quot;</span><span
 class="nt">&gt;</span>&#x000A;        <span class="nt">&lt;bean</span> <span 
class="na">class=</span><span class="s"
 >&quot;org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory&quot;</span><span
 > class="nt">/&gt;</span>&#x000A;    <span 
 >class="nt">&lt;/service&gt;</span>&#x000A;&#x000A;<span 
 >class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><h3 
 >id="LDAPLoginModule">LDAPLoginModule</h3><div class="table-wrap"><table 
 >class="confluenceTable"><tr><td class="confluenceTd"> LoginModule           
 ></td><td class="confluenceTd"> 
 >org.apache.karaf.jaas.modules.ldap.LDAPLoginModule            
 ></td></tr><tr><td class="confluenceTd"> BackendEngineFactory  </td><td 
 >class="confluenceTd"> N/A                                                     
 >      </td></tr></table></div><p>The LDAPLoginModule uses LDAP to load the 
 >users and roles and bind the users on the LDAP to check passwords.</p><p>The 
 >LDAPLoginModule supports the following parameters:</p><div 
 >class="table-wrap"><table class="confluenceTable"><tr><th 
 >class="confluenceTh"> Name                      </th><th 
 >class="confluenceTh"> Des
 cription </th></tr><tr><td class="confluenceTd"> <tt>connection.url</tt>       
   </td><td class="confluenceTd"> The LDAP connection URL, e.g. ldap://hostname 
</td></tr><tr><td class="confluenceTd"> <tt>connection.username</tt>     
</td><td class="confluenceTd"> Admin username to connect to the LDAP. This 
parameter is optional, if it's not provided, the LDAP connection will be 
anonymous. </td></tr><tr><td class="confluenceTd"> <tt>connection.password</tt> 
    </td><td class="confluenceTd"> Admin password to connect to the LDAP. Only 
used if the <tt>connection.username</tt> is specified. </td></tr><tr><td 
class="confluenceTd"> <tt>user.base.dn</tt>            </td><td 
class="confluenceTd"> The LDAP base DN used to looking for user, e.g. 
ou=user,dc=apache,dc=org </td></tr><tr><td class="confluenceTd"> 
<tt>user.filter</tt>             </td><td class="confluenceTd"> The LDAP filter 
used to looking for user, e.g. (uid=%u) where %u will be replaced by the 
username. </td></tr><tr><td class
 ="confluenceTd"> <tt>user.search.subtree</tt>     </td><td 
class="confluenceTd"> If "true", the user lookup will be recursive (SUBTREE). 
If "false", the user lookup will be performed only at the first level 
(ONELEVEL). </td></tr><tr><td class="confluenceTd"> <tt>role.base.dn</tt>       
     </td><td class="confluenceTd"> The LDAP base DN used to looking for roles, 
e.g. ou=role,dc=apache,dc=org </td></tr><tr><td class="confluenceTd"> 
<tt>role.filter</tt>             </td><td class="confluenceTd"> The LDAP filter 
used to looking for user's role, e.g. (member:=uid=%u) </td></tr><tr><td 
class="confluenceTd"> <tt>role.name.attribute</tt>     </td><td 
class="confluenceTd"> The LDAP role attribute containing the role string used 
by Karaf, e.g. cn </td></tr><tr><td class="confluenceTd"> 
<tt>role.search.subtree</tt>     </td><td class="confluenceTd"> If "true", the 
role lookup will be recursive (SUBTREE). If "false", the role lookup will be 
performed only at the first level (ONELEVEL). </td>
 </tr><tr><td class="confluenceTd"> <tt>authentication</tt>          </td><td 
class="confluenceTd"> Define the authentication backend used on the LDAP 
server. The default is simple. </td></tr><tr><td class="confluenceTd"> 
<tt>initial.context.factory</tt> </td><td class="confluenceTd"> Define the 
initial context factory used to connect to the LDAP server. The default is 
com.sun.jndi.ldap.LdapCtxFactory </td></tr><tr><td class="confluenceTd"> 
<tt>ssl</tt>                     </td><td class="confluenceTd"> If "true" or if 
the protocol on the <tt>connection.url</tt> is <tt>ldaps</tt>, an SSL 
connection will be used </td></tr><tr><td class="confluenceTd"> 
<tt>ssl.provider</tt>            </td><td class="confluenceTd"> The provider 
name to use for SSL </td></tr><tr><td class="confluenceTd"> 
<tt>ssl.protocol</tt>            </td><td class="confluenceTd"> The protocol 
name to use for SSL (SSL for example)</td></tr><tr><td class="confluenceTd"> 
<tt>ssl.algorithm</tt>           </td><td class=
 "confluenceTd"> The algorithm to use for the KeyManagerFactory and 
TrustManagerFactory  (PKIX for example) </td></tr><tr><td class="confluenceTd"> 
<tt>ssl.keystore</tt>            </td><td class="confluenceTd"> The key store 
name to use for SSL.  The key store must be deployed using a 
<tt>jaas:keystore</tt> configuration.  </td></tr><tr><td class="confluenceTd"> 
<tt>ssl.keyalias</tt>            </td><td class="confluenceTd"> The key alias 
to use for SSL </td></tr><tr><td class="confluenceTd"> <tt>ssl.truststore</tt>  
        </td><td class="confluenceTd"> The trust store name to use for SSL.  
The trust store must be deployed using a <tt>jaas:keystore</tt> configuration.  
</td></tr></table></div><p>A example of LDAPLoginModule usage follows:</p><div 
class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span><span class="nt">&gt;</span>&#x000A;  <span 
class="nt">&lt;jaas:module</span> <span cl
 ass="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.ldap.LDAPLoginModule&quot;</span> 
<span class="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;        connection.url = 
ldap://localhost:389&#x000A;        user.base.dn = 
ou=user,dc=apache,dc=org&#x000A;        user.filter = (cn=%u)&#x000A;        
user.search.subtree = true&#x000A;        role.base.dn = 
ou=group,dc=apache,dc=org&#x000A;        role.filter = (member:=uid=%u)&#x000A; 
       role.name.attribute = cn&#x000A;        role.search.subtree = 
true&#x000A;        authentication = simple&#x000A;  <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>If 
you wish to use an SSL connection, the following configuration can be used as 
an example:</p><div class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;ext:property-placeholder</span> <span 
class="nt">/&gt;</span>&#x00
 0A;&#x000A;<span class="nt">&lt;jaas:config</span> <span 
class="na">name=</span><span class="s">&quot;karaf&quot;</span> <span 
class="na">rank=</span><span class="s">&quot;1&quot;</span><span 
class="nt">&gt;</span>&#x000A;    <span class="nt">&lt;jaas:module</span> <span 
class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.ldap.LDAPLoginModule&quot;</span> 
<span class="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;        connection.url = 
ldaps://localhost:10636&#x000A;        user.base.dn = 
ou=users,ou=system&#x000A;        user.filter = (uid=%u)&#x000A;        
user.search.subtree = true&#x000A;        role.base.dn = 
ou=groups,ou=system&#x000A;        role.filter = (uniqueMember=uid=%u)&#x000A;  
      role.name.attribute = cn&#x000A;        role.search.subtree = 
true&#x000A;        authentication = simple&#x000A;        
ssl.protocol=SSL&#x000A;        ssl.truststore=ks&#x000A;        
ssl.algorithm=PKIX&#x0
 00A;    <span class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;jaas:keystore</span> <span class="na">name=</span><span 
class="s">&quot;ks&quot;</span>&#x000A;               <span 
class="na">path=</span><span 
class="s">&quot;file:///${karaf.home}/etc/trusted.ks&quot;</span>&#x000A;       
        <span class="na">keystorePassword=</span><span 
class="s">&quot;secret&quot;</span> <span 
class="nt">/&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The LDAPLoginModule 
supports the following patterns that you can use in the filter (user and role 
filters):</p><ul><li><tt>%u</tt> is replaced by the user</li><li><tt>%dn</tt> 
is replaced by the user DN</li><li><tt>%fqdn</tt> is replaced by the user full 
qualified DN (<tt>userDN,userBaseDN</tt>).</li><li><tt>%nsdn</tt> is replaced 
by the userDNNamespace (interesting especially for 
ActiveDirectory).</li></ul><p>For instance, the following configuration will 
work properly
  with ActiveDirectory (adding the ActiveDirectory to the<br/>default 
<tt>karaf</tt> realm):</p><pre>
+</pre><p>The following blueprint shows how to use this configuration:</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="nt">&lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span> <span class="na">rank=</span><span 
class="s">&quot;-1&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule&quot;</span>&#x000A;
                     <span class="na">flags=</span><span class="
 s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;            
pid = org.apache.karaf.authentication&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>NB: 
the OsgiConfigLoginModule doesn't provide a backend engine.</p><h3 
id="JDBCLoginModule">JDBCLoginModule</h3><div class="table-wrap"><table 
class="confluenceTable"><tr><td class="confluenceTd"> LoginModule           
</td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule            </td></tr><tr><td 
class="confluenceTd"> BackendEngineFactory  </td><td class="confluenceTd"> 
org.apache.karaf.jaas.modules.jdbc.JDBCBackendEngineFactory   
</td></tr></table></div><p>The JDBCLoginModule uses a database to load the 
users, passwords and roles from a provided data source <em>(normal or 
XA)</em>.<br/>The data source and the queries for password 
 and role retrieval are configurable using the following parameters.</p><div 
class="table-wrap"><table class="confluenceTable"><tr><th class="confluenceTh"> 
Name                   </th><th class="confluenceTh"> Description 
</th></tr><tr><td class="confluenceTd"> <tt>datasource</tt>           </td><td 
class="confluenceTd"> The datasource as on OSGi ldap filter or as JDNI 
name</td></tr><tr><td class="confluenceTd"> <tt>query.password</tt>       
</td><td class="confluenceTd"> The SQL query that retries the password of the 
user </td></tr><tr><td class="confluenceTd"> <tt>query.role</tt>           
</td><td class="confluenceTd"> The SQL query that retries the roles of the user 
</td></tr></table></div><p><u>Passing a data source as an OSGi ldap 
filter</u></p><p>To use an OSGi ldap filter, the prefix osgi: needs to be 
provided, as shown below:</p><div class="syntax"><div 
class="highlight"><pre><span class="nt">&lt;jaas:config</span> <span 
class="na">name=</span><span class="s">&quot;karaf&qu
 ot;</span><span class="nt">&gt;</span>&#x000A;    <span 
class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span> 
&#x000A;                 <span class="na">flags=</span><span 
class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;       
 datasource = 
osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;        
query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?&#x000A;        
query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?&#x000A;    <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p><u>Passing
 a data source as a JNDI name</u></p><p>To use an JNDI name, the prefix jndi: 
needs to be provided. The example below assumes the use of Aries jndi to 
expose<br/>services via JNDI.</p><div class="syntax"><div 
class="highlight"><pre><span class="nt">&lt;jaas:config</span
 > <span class="na">name=</span><span class="s">&quot;karaf&quot;</span><span 
 > class="nt">&gt;</span>&#x000A;    <span class="nt">&lt;jaas:module</span> 
 > <span class="na">className=</span><span 
 > class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span>
 >  &#x000A;                 <span class="na">flags=</span><span 
 > class="s">&quot;required&quot;</span><span class="nt">&gt;</span>&#x000A;    
 >     datasource = 
 > jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;
 >         query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?&#x000A; 
 >        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?&#x000A;    <span 
 > class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
 > class="nt">&lt;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The
 >  JDBCLoginModule provides a backend engine allowing:</p><ul><li>add a new 
 > user</li><li>delete an user</li><li>list users, roles</li><li>add a new role 
 > to an user</li><li>remove a role from an user</li>
 </ul><p>NB: the groups are not fully supported by the 
JDBCBackingEngine.</p><p>The following blueprint shows how to define the 
JDBCLoginModule with the corresponding backend engine:</p><div 
class="syntax"><div class="highlight"><pre><span class="cp">&lt;?xml 
version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span>&#x000A;<span 
class="nt">&lt;blueprint</span> <span class="na">xmlns=</span><span 
class="s">&quot;http://www.osgi.org/xmlns/blueprint/v1.0.0&quot;</span>&#x000A; 
          <span class="na">xmlns:jaas=</span><span 
class="s">&quot;http://karaf.apache.org/xmlns/jaas/v1.1.0&quot;</span><span 
class="nt">&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;jaas:config</span> <span class="na">name=</span><span 
class="s">&quot;karaf&quot;</span><span class="nt">&gt;</span>&#x000A;        
<span class="nt">&lt;jaas:module</span> <span class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule&quot;</span>&#x000A;
                 <span cl
 ass="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;            datasource = 
jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)&#x000A;
            query.password = SELECT PASSWORD FROM USERS WHERE 
USERNAME=?&#x000A;            query.role = SELECT ROLE FROM ROLES WHERE 
USERNAME=?&#x000A;            insert.user = INSERT INTO 
USERS(USERNAME,PASSWORD) VALUES(?,?)&#x000A;            insert.role = INSERT 
INTO ROLES(ROLE,USERNAME) VALUES(?,?)&#x000A;            delete.user = DELETE 
FROM USERS WHERE USERNAME=?&#x000A;        <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;    <span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;    <span 
class="nt">&lt;service</span> <span class="na">interface=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.BackingEngineFactory&quot;</span><span
 class="nt">&gt;</span>&#x000A;        <span class="nt">&lt;bean</span> <span 
class="na">class=</span><span class="s"
 >&quot;org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory&quot;</span><span
 > class="nt">/&gt;</span>&#x000A;    <span 
 >class="nt">&lt;/service&gt;</span>&#x000A;&#x000A;<span 
 >class="nt">&lt;/blueprint&gt;</span>&#x000A;</pre></div>&#x000A;</div><h3 
 >id="LDAPLoginModule">LDAPLoginModule</h3><div class="table-wrap"><table 
 >class="confluenceTable"><tr><td class="confluenceTd"> LoginModule           
 ></td><td class="confluenceTd"> 
 >org.apache.karaf.jaas.modules.ldap.LDAPLoginModule            
 ></td></tr><tr><td class="confluenceTd"> BackendEngineFactory  </td><td 
 >class="confluenceTd"> N/A                                                     
 >      </td></tr></table></div><p>The LDAPLoginModule uses LDAP to load the 
 >users and roles and bind the users on the LDAP to check passwords.</p><p>The 
 >LDAPLoginModule supports the following parameters:</p><div 
 >class="table-wrap"><table class="confluenceTable"><tr><th 
 >class="confluenceTh"> Name                      </th><th 
 >class="confluenceTh"> Des
 cription </th></tr><tr><td class="confluenceTd"> <tt>connection.url</tt>       
   </td><td class="confluenceTd"> The LDAP connection URL, e.g. ldap://hostname 
</td></tr><tr><td class="confluenceTd"> <tt>connection.username</tt>     
</td><td class="confluenceTd"> Admin username to connect to the LDAP. This 
parameter is optional, if it's not provided, the LDAP connection will be 
anonymous. </td></tr><tr><td class="confluenceTd"> <tt>connection.password</tt> 
    </td><td class="confluenceTd"> Admin password to connect to the LDAP. Only 
used if the <tt>connection.username</tt> is specified. </td></tr><tr><td 
class="confluenceTd"> <tt>user.base.dn</tt>            </td><td 
class="confluenceTd"> The LDAP base DN used to looking for user, e.g. 
ou=user,dc=apache,dc=org </td></tr><tr><td class="confluenceTd"> 
<tt>user.filter</tt>             </td><td class="confluenceTd"> The LDAP filter 
used to looking for user, e.g. (uid=%u) where %u will be replaced by the 
username. </td></tr><tr><td class
 ="confluenceTd"> <tt>user.search.subtree</tt>     </td><td 
class="confluenceTd"> If "true", the user lookup will be recursive (SUBTREE). 
If "false", the user lookup will be performed only at the first level 
(ONELEVEL). </td></tr><tr><td class="confluenceTd"> <tt>role.base.dn</tt>       
     </td><td class="confluenceTd"> The LDAP base DN used to looking for roles, 
e.g. ou=role,dc=apache,dc=org </td></tr><tr><td class="confluenceTd"> 
<tt>role.filter</tt>             </td><td class="confluenceTd"> The LDAP filter 
used to looking for user's role, e.g. (member:=uid=%u) </td></tr><tr><td 
class="confluenceTd"> <tt>role.name.attribute</tt>     </td><td 
class="confluenceTd"> The LDAP role attribute containing the role string used 
by Karaf, e.g. cn </td></tr><tr><td class="confluenceTd"> 
<tt>role.search.subtree</tt>     </td><td class="confluenceTd"> If "true", the 
role lookup will be recursive (SUBTREE). If "false", the role lookup will be 
performed only at the first level (ONELEVEL). </td>
 </tr><tr><td class="confluenceTd"> <tt>role.mapping</tt>            </td><td 
class="confluenceTd"> Define a mapping between roles defined in the LDAP 
directory for the user, and corresponding roles in Karaf. The format is 
ldapRole1=karafRole1,karafRole2;ldapRole2=karafRole3,karafRole4. 
</td></tr><tr><td class="confluenceTd"> <tt>authentication</tt>          
</td><td class="confluenceTd"> Define the authentication backend used on the 
LDAP server. The default is simple. </td></tr><tr><td class="confluenceTd"> 
<tt>initial.context.factory</tt> </td><td class="confluenceTd"> Define the 
initial context factory used to connect to the LDAP server. The default is 
com.sun.jndi.ldap.LdapCtxFactory </td></tr><tr><td class="confluenceTd"> 
<tt>ssl</tt>                     </td><td class="confluenceTd"> If "true" or if 
the protocol on the <tt>connection.url</tt> is <tt>ldaps</tt>, an SSL 
connection will be used </td></tr><tr><td class="confluenceTd"> 
<tt>ssl.provider</tt>            </td><td class
 ="confluenceTd"> The provider name to use for SSL </td></tr><tr><td 
class="confluenceTd"> <tt>ssl.protocol</tt>            </td><td 
class="confluenceTd"> The protocol name to use for SSL (SSL for 
example)</td></tr><tr><td class="confluenceTd"> <tt>ssl.algorithm</tt>          
 </td><td class="confluenceTd"> The algorithm to use for the KeyManagerFactory 
and TrustManagerFactory  (PKIX for example) </td></tr><tr><td 
class="confluenceTd"> <tt>ssl.keystore</tt>            </td><td 
class="confluenceTd"> The key store name to use for SSL.  The key store must be 
deployed using a <tt>jaas:keystore</tt> configuration.  </td></tr><tr><td 
class="confluenceTd"> <tt>ssl.keyalias</tt>            </td><td 
class="confluenceTd"> The key alias to use for SSL </td></tr><tr><td 
class="confluenceTd"> <tt>ssl.truststore</tt>          </td><td 
class="confluenceTd"> The trust store name to use for SSL.  The trust store 
must be deployed using a <tt>jaas:keystore</tt> configuration.  
</td></tr></table></div><
 p>A example of LDAPLoginModule usage follows:</p><div class="syntax"><div 
class="highlight"><pre><span class="nt">&lt;jaas:config</span> <span 
class="na">name=</span><span class="s">&quot;karaf&quot;</span><span 
class="nt">&gt;</span>&#x000A;  <span class="nt">&lt;jaas:module</span> <span 
class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.ldap.LDAPLoginModule&quot;</span> 
<span class="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;        connection.url = 
ldap://localhost:389&#x000A;        user.base.dn = 
ou=user,dc=apache,dc=org&#x000A;        user.filter = (cn=%u)&#x000A;        
user.search.subtree = true&#x000A;        role.base.dn = 
ou=group,dc=apache,dc=org&#x000A;        role.filter = (member:=uid=%u)&#x000A; 
       role.name.attribute = cn&#x000A;        role.search.subtree = 
true&#x000A;        authentication = simple&#x000A;  <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span class="nt">&lt
 ;/jaas:config&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>If you wish to 
use an SSL connection, the following configuration can be used as an 
example:</p><div class="syntax"><div class="highlight"><pre><span 
class="nt">&lt;ext:property-placeholder</span> <span 
class="nt">/&gt;</span>&#x000A;&#x000A;<span class="nt">&lt;jaas:config</span> 
<span class="na">name=</span><span class="s">&quot;karaf&quot;</span> <span 
class="na">rank=</span><span class="s">&quot;1&quot;</span><span 
class="nt">&gt;</span>&#x000A;    <span class="nt">&lt;jaas:module</span> <span 
class="na">className=</span><span 
class="s">&quot;org.apache.karaf.jaas.modules.ldap.LDAPLoginModule&quot;</span> 
<span class="na">flags=</span><span class="s">&quot;required&quot;</span><span 
class="nt">&gt;</span>&#x000A;        connection.url = 
ldaps://localhost:10636&#x000A;        user.base.dn = 
ou=users,ou=system&#x000A;        user.filter = (uid=%u)&#x000A;        
user.search.subtree = true&#x000A;        role.base.dn = ou
 =groups,ou=system&#x000A;        role.filter = (uniqueMember=uid=%u)&#x000A;   
     role.name.attribute = cn&#x000A;        role.search.subtree = true&#x000A; 
       authentication = simple&#x000A;        ssl.protocol=SSL&#x000A;        
ssl.truststore=ks&#x000A;        ssl.algorithm=PKIX&#x000A;    <span 
class="nt">&lt;/jaas:module&gt;</span>&#x000A;<span 
class="nt">&lt;/jaas:config&gt;</span>&#x000A;&#x000A;<span 
class="nt">&lt;jaas:keystore</span> <span class="na">name=</span><span 
class="s">&quot;ks&quot;</span>&#x000A;               <span 
class="na">path=</span><span 
class="s">&quot;file:///${karaf.home}/etc/trusted.ks&quot;</span>&#x000A;       
        <span class="na">keystorePassword=</span><span 
class="s">&quot;secret&quot;</span> <span 
class="nt">/&gt;</span>&#x000A;</pre></div>&#x000A;</div><p>The LDAPLoginModule 
supports the following patterns that you can use in the filter (user and role 
filters):</p><ul><li><tt>%u</tt> is replaced by the user</li><li><tt>%dn</tt> 
is rep
 laced by the user DN</li><li><tt>%fqdn</tt> is replaced by the user full 
qualified DN (<tt>userDNNamespace</tt>).</li></ul><p>For instance, the 
following configuration will work properly with ActiveDirectory (adding the 
ActiveDirectory to the<br/>default <tt>karaf</tt> realm):</p><pre>
 &lt;jaas:config name="karaf" rank="2">
   &lt;jaas:module 
className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
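Review bot: the JDBCLoginModule table and its blueprint example disagree on the backend engine class name: the table row reads `org.apache.karaf.jaas.modules.jdbc.JDBCBackendEngineFactory`, while the example registers `org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory` against the `org.apache.karaf.jaas.modules.BackingEngineFactory` interface and the NB talks about the "JDBCBackingEngine"; one spelling is wrong, and since the registered interface is "Backing", the table row is the one to fix. The LDAP section has the same kind of mismatch: the parameter table documents `initial.context.factory`, but the ActiveDirectory example at the end of this line uses `initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory`; pick one key name. Two of the SSL example settings deserve a caveat in the text: `ssl.protocol=SSL` (the table also suggests "SSL for example") selects a legacy protocol name, and a TLS name should be shown instead; and `keystorePassword="secret"` puts the trust store password in cleartext in the blueprint, which should at least be called out. Wording fixes while here: "The SQL query that retries the password/roles" should read "retrieves", "as on OSGi ldap filter or as JDNI name" should read "as an OSGi LDAP filter or as a JNDI name", "delete an user" / "add a new role to an user" should read "a user", "used to looking for user" should read "used to look for the user", and "A example of LDAPLoginModule usage" should read "An example".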
@@ -119,7 +119,7 @@ user.user=password,role
     user.search.subtree=true
     role.base.dn=ou=Groups,ou=there,DC=local
     role.name.attribute=cn
-    role.filter=(member=%nsdn)
+    role.filter=(member=%fqdn)
     role.search.subtree=true
     authentication=simple
   &lt;/jaas:module>
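Review bot: good change; `(member=%fqdn)` now uses a placeholder that the page actually documents (`%u`, `%dn`, `%fqdn`), whereas `%nsdn` was never defined anywhere in the filter pattern list, so the previous ActiveDirectory example could not have matched any group. Since this is the only place on the page where `%fqdn` appears in a filter, consider extending the one-line description "replaced by the user full qualified DN (userDNNamespace)" with a sentence saying that this is the value to match against `member` when roles are resolved from group entries.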
@@ -181,7 +181,7 @@ karaf@root()> feature:install jasypt-enc
         <td id="cell-3-2">
           <div id="footer">
             <div id="site-footer">
-              &copy; 2008-2011 The Apache Software Foundation
+              &copy; 2008-2014 The Apache Software Foundation
               <br/>
               Apache Karaf, Karaf, Apache, the Apache feather logo, and the 
Apache Karaf project logo are trademarks of The Apache Software Foundation.
             </div>
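Review bot: the footer year range is bumped to `2008-2014`, but this commit is dated `Wed Jul  1 19:43:35 2015` (see the `+++` file headers in this mail), so the range is already a year stale at the moment it is committed; consider `2008-2015`, or better, generating the year from the build so the footer does not need manual edits on every site publish.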

Modified: karaf/site/production/manual/latest/developers-guide/services.html
URL: 
http://svn.apache.org/viewvc/karaf/site/production/manual/latest/developers-guide/services.html?rev=1688715&r1=1688714&r2=1688715&view=diff
==============================================================================
--- karaf/site/production/manual/latest/developers-guide/services.html 
(original)
+++ karaf/site/production/manual/latest/developers-guide/services.html Wed Jul  
1 19:43:35 2015
@@ -8,7 +8,7 @@
     <link href="../css/style.css" rel="stylesheet" type="text/css"/>
     <link href="../css/pygmentize.css" rel="stylesheet" type="text/css"/>
     <title>
-      Apache Karaf 3.0.3-SNAPSHOT Guides
+      Apache Karaf 4.0.1-SNAPSHOT Guides
     </title>
   </head>
   <body>
@@ -121,7 +121,7 @@
         <td id="cell-3-2">
           <div id="footer">
             <div id="site-footer">
-              &copy; 2008-2011 The Apache Software Foundation
+              &copy; 2008-2014 The Apache Software Foundation
               <br/>
               Apache Karaf, Karaf, Apache, the Apache feather logo, and the 
Apache Karaf project logo are trademarks of The Apache Software Foundation.
             </div>
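Review bot: same remark as for the security-framework.html footer hunk: the copyright range becomes `2008-2014` in a commit whose `+++` header reads `Wed Jul  1 19:43:35 2015`, so it should be `2008-2015` (or derived from the build) if the footer is being touched anyway.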

