Added: karaf/site/production/manual/latest/security-framework.html
URL: 
http://svn.apache.org/viewvc/karaf/site/production/manual/latest/security-framework.html?rev=1741445&view=auto
==============================================================================
--- karaf/site/production/manual/latest/security-framework.html (added)
+++ karaf/site/production/manual/latest/security-framework.html Thu Apr 28 
15:03:08 2016
@@ -0,0 +1,1712 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="generator" content="Asciidoctor 1.5.2">
+<title>Security framework</title>
+<link rel="stylesheet" 
href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";>
+<style>
+/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */
+/* Remove the comments around the @import statement below when using this as a 
custom stylesheet */
+/*@import 
"https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";*/
+article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}
+audio,canvas,video{display:inline-block}
+audio:not([controls]){display:none;height:0}
+[hidden],template{display:none}
+script{display:none!important}
+html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
+body{margin:0}
+a{background:transparent}
+a:focus{outline:thin dotted}
+a:active,a:hover{outline:0}
+h1{font-size:2em;margin:.67em 0}
+abbr[title]{border-bottom:1px dotted}
+b,strong{font-weight:bold}
+dfn{font-style:italic}
+hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
+mark{background:#ff0;color:#000}
+code,kbd,pre,samp{font-family:monospace;font-size:1em}
+pre{white-space:pre-wrap}
+q{quotes:"\201C" "\201D" "\2018" "\2019"}
+small{font-size:80%}
+sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
+sup{top:-.5em}
+sub{bottom:-.25em}
+img{border:0}
+svg:not(:root){overflow:hidden}
+figure{margin:0}
+fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
+legend{border:0;padding:0}
+button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
+button,input{line-height:normal}
+button,select{text-transform:none}
+button,html 
input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
+button[disabled],html input[disabled]{cursor:default}
+input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
+input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}
+input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}
+button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
+textarea{overflow:auto;vertical-align:top}
+table{border-collapse:collapse;border-spacing:0}
+*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
+html,body{font-size:100%}
+body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto 
Serif","DejaVu 
Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto}
+a:hover{cursor:pointer}
+img,object,embed{max-width:100%;height:auto}
+object,embed{height:100%}
+img{-ms-interpolation-mode:bicubic}
+#map_canvas img,#map_canvas embed,#map_canvas object,.map_canvas 
img,.map_canvas embed,.map_canvas object{max-width:none!important}
+.left{float:left!important}
+.right{float:right!important}
+.text-left{text-align:left!important}
+.text-right{text-align:right!important}
+.text-center{text-align:center!important}
+.text-justify{text-align:justify!important}
+.hide{display:none}
+.antialiased,body{-webkit-font-smoothing:antialiased}
+img{display:inline-block;vertical-align:middle}
+textarea{height:auto;min-height:50px}
+select{width:100%}
+p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type 
p{font-size:1.21875em;line-height:1.6}
+.subheader,.admonitionblock 
td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
+div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
+a{color:#2156a5;text-decoration:underline;line-height:inherit}
+a:hover,a:focus{color:#1d4b8f}
+a img{border:none}
+p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
+p aside{font-size:.875em;line-height:1.35;font-style:italic}
+h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open 
Sans","DejaVu 
Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
+h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title 
small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
+h1{font-size:2.125em}
+h2{font-size:1.6875em}
+h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
+h4,h5{font-size:1.125em}
+h6{font-size:1em}
+hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 
1.1875em;height:0}
+em,i{font-style:italic;line-height:inherit}
+strong,b{font-weight:bold;line-height:inherit}
+small{font-size:60%;line-height:inherit}
+code{font-family:"Droid Sans Mono","DejaVu Sans 
Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
+ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
+ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em}
+ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
+ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
+ul.square{list-style-type:square}
+ul.circle{list-style-type:circle}
+ul.disc{list-style-type:disc}
+ul.no-bullet{list-style:none}
+ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
+dl dt{margin-bottom:.3125em;font-weight:bold}
+dl dd{margin-bottom:1.25em}
+abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px
 dotted #ddd;cursor:help}
+abbr{text-transform:none}
+blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px 
solid #ddd}
+blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
+blockquote cite:before{content:"\2014 \0020"}
+blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
+blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
+@media only screen and 
(min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
+h1{font-size:2.75em}
+h2{font-size:2.3125em}
+h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
+h4{font-size:1.4375em}}table{background:#fff;margin-bottom:1.25em;border:solid 
1px #dedede}
+table thead,table tfoot{background:#f7f8f7;font-weight:bold}
+table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr 
td{padding:.5em .625em 
.625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
+table tr th,table tr td{padding:.5625em 
.625em;font-size:inherit;color:rgba(0,0,0,.8)}
+table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7}
+table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot 
tr td{display:table-cell;line-height:1.6}
+h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
+h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title 
strong,h4 strong,h5 strong,h6 strong{font-weight:400}
+.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:"
 ";display:table}
+.clearfix:after,.float-group:after{clear:both}
+*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em
 
.5ex;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed}
+pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans 
Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed}
+.keyseq{color:rgba(51,51,51,.8)}
+kbd{display:inline-block;color:rgba(0,0,0,.8);font-size:.75em;line-height:1.4;background-color:#f7f7f7;border:1px
 solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 
1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 
0 0 .1em #fff inset;margin:-.15em .15em 0 .15em;padding:.2em .6em .2em 
.5em;vertical-align:middle;white-space:nowrap}
+.keyseq kbd:first-child{margin-left:0}
+.keyseq kbd:last-child{margin-right:0}
+.menuseq,.menu{color:rgba(0,0,0,.8)}
+b.button:before,b.button:after{position:relative;top:-1px;font-weight:400}
+b.button:before{content:"[";padding:0 3px 0 2px}
+b.button:after{content:"]";padding:0 2px 0 3px}
+p a>code:hover{color:rgba(0,0,0,.9)}
+#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
+#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:"
 ";display:table}
+#header:after,#content:after,#footnotes:after,#footer:after{clear:both}
+#content{margin-top:1.25em}
+#content:before{content:none}
+#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
+#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8}
+#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px 
solid #ddddd8;padding-bottom:8px}
+#header .details{border-bottom:1px solid 
#ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row
 wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
+#header .details span:first-child{margin-left:-.125em}
+#header .details span.email a{color:rgba(0,0,0,.85)}
+#header .details br{display:none}
+#header .details br+span:before{content:"\00a0\2013\00a0"}
+#header .details 
br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
+#header .details br+span#revremark:before{content:"\00a0|\00a0"}
+#header #revnumber{text-transform:capitalize}
+#header #revnumber:after{content:"\00a0"}
+#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px 
solid 
#ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
+#toc{border-bottom:1px solid #efefed;padding-bottom:.5em}
+#toc>ul{margin-left:.125em}
+#toc ul.sectlevel0>li>a{font-style:italic}
+#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
+#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
+#toc a{text-decoration:none}
+#toc a:active{text-decoration:underline}
+#toctitle{color:#7a2518;font-size:1.2em}
+@media only screen and (min-width:768px){#toctitle{font-size:1.375em}
+body.toc2{padding-left:15em;padding-right:0}
+#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px
 solid 
#efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em
 1em;height:100%;overflow:auto}
+#toc.toc2 #toctitle{margin-top:0;font-size:1.2em}
+#toc.toc2>ul{font-size:.9em;margin-bottom:0}
+#toc.toc2 ul ul{margin-left:0;padding-left:1em}
+#toc.toc2 ul.sectlevel0 
ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
+body.toc2.toc-right{padding-left:0;padding-right:15em}
+body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid 
#efefed;left:auto;right:0}}@media only screen and 
(min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
+#toc.toc2{width:20em}
+#toc.toc2 #toctitle{font-size:1.375em}
+#toc.toc2>ul{font-size:.95em}
+#toc.toc2 ul ul{padding-left:1.25em}
+body.toc2.toc-right{padding-left:0;padding-right:20em}}#content 
#toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
+#content #toc>:first-child{margin-top:0}
+#content #toc>:last-child{margin-bottom:0}
+#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em}
+#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
+.sect1{padding-bottom:.625em}
+@media only screen and 
(min-width:768px){.sect1{padding-bottom:1.25em}}.sect1+.sect1{border-top:1px 
solid #efefed}
+#content 
h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
+#content 
h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
+#content h1:hover>a.anchor,#content 
h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
+#content 
h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
+#content 
h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
+.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
+.admonitionblock 
td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto
 Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
+table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0}
+.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type 
p{color:rgba(0,0,0,.85)}
+table.tableblock #preamble>.sectionbody>.paragraph:first-of-type 
p{font-size:inherit}
+.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
+.admonitionblock>table td.icon{text-align:center;width:80px}
+.admonitionblock>table td.icon img{max-width:none}
+.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open 
Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
+.admonitionblock>table 
td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid 
#ddddd8;color:rgba(0,0,0,.6)}
+.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
+.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
+.exampleblock>.content>:first-child{margin-top:0}
+.exampleblock>.content>:last-child{margin-bottom:0}
+.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
+.sidebarblock>:first-child{margin-top:0}
+.sidebarblock>:last-child{margin-bottom:0}
+.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
+.exampleblock>.content>:last-child>:last-child,.exampleblock>.content 
.olist>ol>li:last-child>:last-child,.exampleblock>.content 
.ulist>ul>li:last-child>:last-child,.exampleblock>.content 
.qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content
 .olist>ol>li:last-child>:last-child,.sidebarblock>.content 
.ulist>ul>li:last-child>:last-child,.sidebarblock>.content 
.qlist>ol>li:last-child>:last-child{margin-bottom:0}
+.literalblock pre,.listingblock pre:not(.highlight),.listingblock 
pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock 
pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8}
+.sidebarblock .literalblock pre,.sidebarblock .listingblock 
pre:not(.highlight),.sidebarblock .listingblock 
pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight 
"],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock 
pre.prettyprint{background:#f2f1f1}
+.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock 
pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em}
+.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock 
pre.nowrap,.listingblock 
pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal}
+@media only screen and (min-width:768px){.literalblock pre,.literalblock 
pre[class],.listingblock pre,.listingblock 
pre[class]{font-size:.90625em}}@media only screen and 
(min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock 
pre,.listingblock pre[class]{font-size:1em}}.literalblock.output 
pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)}
+.listingblock pre.highlightjs{padding:0}
+.listingblock 
pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
+.listingblock pre.prettyprint{border-width:0}
+.listingblock>.content{position:relative}
+.listingblock 
code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999}
+.listingblock:hover code[data-lang]:before{display:block}
+.listingblock.terminal pre 
.command:before{content:attr(data-prompt);padding-right:.5em;color:#999}
+.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"}
+table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none}
+table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0}
+table.pyhltable td.code{padding-left:.75em;padding-right:0}
+pre.pygments .lineno,table.pyhltable 
td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px 
solid #ddddd8}
+pre.pygments .lineno{display:inline-block;margin-right:.25em}
+table.pyhltable .linenodiv{background:none!important;padding-right:0!important}
+.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
+.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em}
+.quoteblock blockquote,.quoteblock blockquote 
p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
+.quoteblock blockquote{margin:0;padding:0;border:0}
+.quoteblock 
blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0
 1px 2px rgba(0,0,0,.1)}
+.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
+.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right}
+.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 
0;border-left:3px solid rgba(0,0,0,.6)}
+.quoteblock .quoteblock blockquote{padding:0 0 0 .75em}
+.quoteblock .quoteblock blockquote:before{display:none}
+.verseblock{margin:0 1em 1.25em 1em}
+.verseblock pre{font-family:"Open Sans","DejaVu 
Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
+.verseblock pre strong{font-weight:400}
+.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
+.quoteblock .attribution,.verseblock 
.attribution{font-size:.9375em;line-height:1.45;font-style:italic}
+.quoteblock .attribution br,.verseblock .attribution br{display:none}
+.quoteblock .attribution cite,.verseblock .attribution 
cite{display:block;letter-spacing:-.05em;color:rgba(0,0,0,.6)}
+.quoteblock.abstract{margin:0 0 1.25em 0;display:block}
+.quoteblock.abstract blockquote,.quoteblock.abstract blockquote 
p{text-align:left;word-spacing:0}
+.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote 
p:first-of-type:before{display:none}
+table.tableblock{max-width:100%;border-collapse:separate}
+table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock 
th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0}
+table.spread{width:100%}
+table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
+table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 
1px 0}
+table.grid-all tfoot>tr>th.tableblock,table.grid-all 
tfoot>tr>td.tableblock{border-width:1px 1px 0 0}
+table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 
0 0}
+table.grid-all *>tr>.tableblock:last-child,table.grid-cols 
*>tr>.tableblock:last-child{border-right-width:0}
+table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 
1px 0}
+table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all 
tbody>tr:last-child>td.tableblock,table.grid-all 
thead:last-child>tr>th.tableblock,table.grid-rows 
tbody>tr:last-child>th.tableblock,table.grid-rows 
tbody>tr:last-child>td.tableblock,table.grid-rows 
thead:last-child>tr>th.tableblock{border-bottom-width:0}
+table.grid-rows tfoot>tr>th.tableblock,table.grid-rows 
tfoot>tr>td.tableblock{border-width:1px 0 0 0}
+table.frame-all{border-width:1px}
+table.frame-sides{border-width:0 1px}
+table.frame-topbot{border-width:1px 0}
+th.halign-left,td.halign-left{text-align:left}
+th.halign-right,td.halign-right{text-align:right}
+th.halign-center,td.halign-center{text-align:center}
+th.valign-top,td.valign-top{vertical-align:top}
+th.valign-bottom,td.valign-bottom{vertical-align:bottom}
+th.valign-middle,td.valign-middle{vertical-align:middle}
+table thead th,table tfoot th{font-weight:bold}
+tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
+tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th 
p{color:rgba(0,0,0,.8);font-weight:bold}
+p.tableblock>code:only-child{background:none;padding:0}
+p.tableblock{font-size:1em}
+td>div.verse{white-space:pre}
+ol{margin-left:1.75em}
+ul li ol{margin-left:1.5em}
+dl dd{margin-left:1.125em}
+dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
+ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist 
.ulist{margin-bottom:.625em}
+ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none}
+ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em}
+ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist 
li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em}
+ul.checklist 
li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px}
+ul.inline{margin:0 auto .625em 
auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden}
+ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block}
+ul.inline>li>*{display:block}
+.unstyled dl dt{font-weight:400;font-style:normal}
+ol.arabic{list-style-type:decimal}
+ol.decimal{list-style-type:decimal-leading-zero}
+ol.loweralpha{list-style-type:lower-alpha}
+ol.upperalpha{list-style-type:upper-alpha}
+ol.lowerroman{list-style-type:lower-roman}
+ol.upperroman{list-style-type:upper-roman}
+ol.lowergreek{list-style-type:lower-greek}
+.hdlist>table,.colist>table{border:0;background:none}
+.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
+td.hdlist1{padding-right:.75em;font-weight:bold}
+td.hdlist1,td.hdlist2{vertical-align:top}
+.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
+.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1}
+.colist>table tr>td:last-of-type{padding:.25em 0}
+.thumb,.th{line-height:0;display:inline-block;border:solid 4px 
#fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
+.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 
0}
+.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em 
.625em}
+.imageblock>.title{margin-bottom:0}
+.imageblock.thumb,.imageblock.th{border-width:6px}
+.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
+.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
+.image.left{margin-right:.625em}
+.image.right{margin-left:.625em}
+a.image{text-decoration:none}
+span.footnote,span.footnoteref{vertical-align:super;font-size:.875em}
+span.footnote a,span.footnoteref a{text-decoration:none}
+span.footnote a:active,span.footnoteref a:active{text-decoration:underline}
+#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
+#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 
0;border-width:1px 0 0 0}
+#footnotes .footnote{padding:0 
.375em;line-height:1.3;font-size:.875em;margin-left:1.2em;text-indent:-1.2em;margin-bottom:.2em}
+#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none}
+#footnotes .footnote:last-of-type{margin-bottom:0}
+#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
+.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
+.gist .file-data>table td.line-data{width:99%}
+div.unbreakable{page-break-inside:avoid}
+.big{font-size:larger}
+.small{font-size:smaller}
+.underline{text-decoration:underline}
+.overline{text-decoration:overline}
+.line-through{text-decoration:line-through}
+.aqua{color:#00bfbf}
+.aqua-background{background-color:#00fafa}
+.black{color:#000}
+.black-background{background-color:#000}
+.blue{color:#0000bf}
+.blue-background{background-color:#0000fa}
+.fuchsia{color:#bf00bf}
+.fuchsia-background{background-color:#fa00fa}
+.gray{color:#606060}
+.gray-background{background-color:#7d7d7d}
+.green{color:#006000}
+.green-background{background-color:#007d00}
+.lime{color:#00bf00}
+.lime-background{background-color:#00fa00}
+.maroon{color:#600000}
+.maroon-background{background-color:#7d0000}
+.navy{color:#000060}
+.navy-background{background-color:#00007d}
+.olive{color:#606000}
+.olive-background{background-color:#7d7d00}
+.purple{color:#600060}
+.purple-background{background-color:#7d007d}
+.red{color:#bf0000}
+.red-background{background-color:#fa0000}
+.silver{color:#909090}
+.silver-background{background-color:#bcbcbc}
+.teal{color:#006060}
+.teal-background{background-color:#007d7d}
+.white{color:#bfbfbf}
+.white-background{background-color:#fafafa}
+.yellow{color:#bfbf00}
+.yellow-background{background-color:#fafa00}
+span.icon>.fa{cursor:default}
+.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 
1px 2px rgba(0,0,0,.5);cursor:default}
+.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c}
+.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 
2px rgba(155,155,0,.8);color:#111}
+.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900}
+.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400}
+.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000}
+.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open
 Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
+.conum[data-value] *{color:#fff!important}
+.conum[data-value]+b{display:none}
+.conum[data-value]:after{content:attr(data-value)}
+pre .conum[data-value]{position:relative;top:-.125em}
+b.conum *{color:inherit!important}
+.conum:not([data-value]):empty{display:none}
+h1,h2{letter-spacing:-.01em}
+dt,th.tableblock,td.content{text-rendering:optimizeLegibility}
+p,td.content{letter-spacing:-.01em}
+p strong,td.content strong{letter-spacing:-.005em}
+p,blockquote,dt,td.content{font-size:1.0625rem}
+p{margin-bottom:1.25rem}
+.sidebarblock p,.sidebarblock dt,.sidebarblock 
td.content,p.tableblock{font-size:1em}
+.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0
 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
+.print-only{display:none!important}
+@media print{@page{margin:1.25cm .75cm}
+*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
+a{color:inherit!important;text-decoration:underline!important}
+a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
+a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"("
 attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
+abbr[title]:after{content:" (" attr(title) ")"}
+pre,blockquote,tr,img{page-break-inside:avoid}
+thead{display:table-header-group}
+img{max-width:100%!important}
+p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
+h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
+#toc,.sidebarblock,.exampleblock>.content{background:none!important}
+#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important}
+.sect1{padding-bottom:0!important}
+.sect1+.sect1{border:0!important}
+#header>h1:first-child{margin-top:1.25rem}
+body.book #header{text-align:center}
+body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0}
+body.book #header 
.details{border:0!important;display:block;padding:0!important}
+body.book #header .details span:first-child{margin-left:0!important}
+body.book #header .details br{display:block}
+body.book #header .details br+span:before{content:none!important}
+body.book 
#toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
+body.book #toc,body.book #preamble,body.book h1.sect0,body.book 
.sect1>h2{page-break-before:always}
+.listingblock code[data-lang]:before{display:block}
+#footer{background:none!important;padding:0 .9375em}
+#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em}
+.hide-on-print{display:none!important}
+.print-only{display:block!important}
+.hide-for-print{display:none!important}
+.show-for-print{display:inherit!important}}
+</style>
+<style>
+/* Stylesheet for CodeRay to match GitHub theme | MIT License | 
http://foundation.zurb.com */
+/*pre.CodeRay {background-color:#f7f7f8;}*/
+.CodeRay .line-numbers{border-right:1px solid #d8d8d8;padding:0 0.5em 0 .25em}
+.CodeRay 
span.line-numbers{display:inline-block;margin-right:.5em;color:rgba(0,0,0,.3)}
+.CodeRay .line-numbers strong{font-weight: normal}
+table.CodeRay{border-collapse:separate;border-spacing:0;margin-bottom:0;border:0;background:none}
+table.CodeRay td{vertical-align: top}
+table.CodeRay td.line-numbers{text-align:right}
+table.CodeRay td.line-numbers>pre{padding:0;color:rgba(0,0,0,.3)}
+table.CodeRay td.code{padding:0 0 0 .5em}
+table.CodeRay td.code>pre{padding:0}
+.CodeRay .debug{color:#fff !important;background:#000080 !important}
+.CodeRay .annotation{color:#007}
+.CodeRay .attribute-name{color:#000080}
+.CodeRay .attribute-value{color:#700}
+.CodeRay .binary{color:#509}
+.CodeRay .comment{color:#998;font-style:italic}
+.CodeRay .char{color:#04d}
+.CodeRay .char .content{color:#04d}
+.CodeRay .char .delimiter{color:#039}
+.CodeRay .class{color:#458;font-weight:bold}
+.CodeRay .complex{color:#a08}
+.CodeRay .constant,.CodeRay .predefined-constant{color:#008080}
+.CodeRay .color{color:#099}
+.CodeRay .class-variable{color:#369}
+.CodeRay .decorator{color:#b0b}
+.CodeRay .definition{color:#099}
+.CodeRay .delimiter{color:#000}
+.CodeRay .doc{color:#970}
+.CodeRay .doctype{color:#34b}
+.CodeRay .doc-string{color:#d42}
+.CodeRay .escape{color:#666}
+.CodeRay .entity{color:#800}
+.CodeRay .error{color:#808}
+.CodeRay .exception{color:inherit}
+.CodeRay .filename{color:#099}
+.CodeRay .function{color:#900;font-weight:bold}
+.CodeRay .global-variable{color:#008080}
+.CodeRay .hex{color:#058}
+.CodeRay .integer,.CodeRay .float{color:#099}
+.CodeRay .include{color:#555}
+.CodeRay .inline{color:#00}
+.CodeRay .inline .inline{background:#ccc}
+.CodeRay .inline .inline .inline{background:#bbb}
+.CodeRay .inline .inline-delimiter{color:#d14}
+.CodeRay .inline-delimiter{color:#d14}
+.CodeRay .important{color:#555;font-weight:bold}
+.CodeRay .interpreted{color:#b2b}
+.CodeRay .instance-variable{color:#008080}
+.CodeRay .label{color:#970}
+.CodeRay .local-variable{color:#963}
+.CodeRay .octal{color:#40e}
+.CodeRay .predefined{color:#369}
+.CodeRay .preprocessor{color:#579}
+.CodeRay .pseudo-class{color:#555}
+.CodeRay .directive{font-weight:bold}
+.CodeRay .type{font-weight:bold}
+.CodeRay .predefined-type{color:inherit}
+.CodeRay .reserved,.CodeRay .keyword {color:#000;font-weight:bold}
+.CodeRay .key{color:#808}
+.CodeRay .key .delimiter{color:#606}
+.CodeRay .key .char{color:#80f}
+.CodeRay .value{color:#088}
+.CodeRay .regexp .delimiter{color:#808}
+.CodeRay .regexp .content{color:#808}
+.CodeRay .regexp .modifier{color:#808}
+.CodeRay .regexp .char{color:#d14}
+.CodeRay .regexp .function{color:#404;font-weight:bold}
+.CodeRay .string{color:#d20}
+.CodeRay .string .string .string{background:#ffd0d0}
+.CodeRay .string .content{color:#d14}
+.CodeRay .string .char{color:#d14}
+.CodeRay .string .delimiter{color:#d14}
+.CodeRay .shell{color:#d14}
+.CodeRay .shell .delimiter{color:#d14}
+.CodeRay .symbol{color:#990073}
+.CodeRay .symbol .content{color:#a60}
+.CodeRay .symbol .delimiter{color:#630}
+.CodeRay .tag{color:#008080}
+.CodeRay .tag-special{color:#d70}
+.CodeRay .variable{color:#036}
+.CodeRay .insert{background:#afa}
+.CodeRay .delete{background:#faa}
+.CodeRay .change{color:#aaf;background:#007}
+.CodeRay .head{color:#f8f;background:#505}
+.CodeRay .insert .insert{color:#080}
+.CodeRay .delete .delete{color:#800}
+.CodeRay .change .change{color:#66f}
+.CodeRay .head .head{color:#f4f}
+</style>
+</head>
+<body class="article">
+<div id="header">
+<div id="toc" class="toc">
+<div id="toctitle">Table of Contents</div>
+<ul class="sectlevel2">
+<li><a href="#_security_framework">Security framework</a></li>
+</ul>
+</div>
+</div>
+<div id="content">
+<div class="sect2">
+<h3 id="_security_framework">Security framework</h3>
+<div class="paragraph">
+<p>Karaf supports <a 
href="http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html";>JAAS</a>
 with
+some enhancements to allow JAAS to work nicely in an OSGi environment.</p>
+</div>
+<div class="paragraph">
+<p>This framework also features an OSGi keystore manager with the ability to 
deploy new keystores or truststores at runtime.</p>
+</div>
+<div class="sect3">
+<h4 id="_overview">Overview</h4>
+<div class="paragraph">
+<p>This feature allows runtime deployment of JAAS based configuration for use 
in various parts of the application. This
+includes the remote console login, which uses the <code>karaf</code> realm, 
but which is configured with a dummy login module
+by default. These realms can also be used by the NMR, JBI components or the 
JMX server to authenticate users logging in
+or sending messages into the bus.</p>
+</div>
+<div class="paragraph">
+<p>In addition to JAAS realms, you can also deploy keystores and truststores 
to secure the remote shell console, setting
+up HTTPS connectors or using certificates for WS-Security.</p>
+</div>
+<div class="paragraph">
+<p>A very simple XML schema for spring has been defined, allowing the 
deployment of a new realm or a new keystore very easily.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_schema">Schema</h4>
+<div class="paragraph">
+<p>To override or deploy a new realm, you can use the following XSD which is 
supported by a Spring namespace handler and
+can thus be defined in a Spring xml configuration file.</p>
+</div>
+<div class="paragraph">
+<p>You can find the schema at the following <a 
href="http://karaf.apache.org/xmlns/jaas/v1.1.0"; 
class="bare">http://karaf.apache.org/xmlns/jaas/v1.1.0</a></p>
+</div>
+<div class="paragraph">
+<p>Here are two examples using this schema:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0";
+           
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;!-- Bean to allow the $[karaf.base] property to be correctly resolved 
--&gt;
+    &lt;ext:property-placeholder placeholder-prefix="$[" 
placeholder-suffix="]"/&gt;
+
+    &lt;jaas:config name="myrealm"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = $[karaf.base]/etc/users.properties
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0";
+               name="ks"
+               rank="1"
+               path="classpath:privatestore.jks"
+               keystorePassword="keyStorePassword"
+               keyPasswords="myalias=myAliasPassword"&gt;
+&lt;/jaas:keystore&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The <code>id</code> attribute is the blueprint id of the bean, but it will 
be used by default as the name of the realm if no
+<code>name</code> attribute is specified. Additional attributes on the 
<code>config</code> elements are a <code>rank</code>, which is an integer.
+When the LoginContext looks for a realm for authenticating a given user, the 
realms registered in the OSGi registry are
+matched against the required name. If more than one realm is found, the one 
with the highest rank will be used, thus
+allowing the override of some realms with new values.  The last attribute is 
<code>publish</code> which can be set to false to
+not publish the realm in the OSGi registry, thereby disabling the use of this 
realm.</p>
+</div>
+<div class="paragraph">
+<p>Each realm can contain one or more module definitions. Each module 
identifies a LoginModule and the <code>className</code>
+attribute must be set to the class name of the login module to use. Note that 
this login module must be available from
+the bundle classloader, so either it has to be defined in the bundle itself, 
or the needed package needs to be correctly
+imported. The <code>flags</code> attribute can take one of four values.
+The content of the <code>module</code> element is parsed as a properties file 
and will be used to further configure the login module.</p>
+</div>
+<div class="paragraph">
+<p>Deploying such a code will lead to a JaasRealm object in the OSGi registry, 
which will then be used when using the JAAS login module.</p>
+</div>
+<div class="sect4">
+<h5 
id="_configuration_override_and_use_of_the_code_rank_code_attribute">Configuration
 override and use of the <code>rank</code> attribute</h5>
+<div class="paragraph">
+<p>The <code>rank</code> attribute on the <code>config</code> element is tied 
to the ranking of the underlying OSGi service.  When the JAAS
+framework performs an authentication, it will use the realm name to find a 
matching JAAS configuration.  If multiple
+configurations are used, the one with the highest <code>rank</code> attribute 
will be used.
+So if you want to override the default security configuration in Karaf (which 
is used by the ssh shell, web console and
+JMX layer), you need to deploy a JAAS configuration with the name 
<code>name="karaf"</code> and <code>rank="1"</code>.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0";
+           
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;!-- Bean to allow the $[karaf.base] property to be correctly resolved 
--&gt;
+    &lt;ext:property-placeholder placeholder-prefix="$[" 
placeholder-suffix="]"/&gt;
+
+    &lt;jaas:config name="karaf" rank="1"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = $[karaf.base]/etc/users.properties
+            ...
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_architecture">Architecture</h4>
+<div class="paragraph">
+<p>Due to constraints in the JAAS specification, one class has to be available 
for all bundles.
+This class is called ProxyLoginModule and is a LoginModule that acts as a 
proxy for an OSGi defines LoginModule.
+If you plan to integrate this feature into another OSGi runtime, this class 
must be made available from the system
+classloader and the related package be part of the boot delegation classpath 
(or be deployed as a fragment attached to
+the system bundle).</p>
+</div>
+<div class="paragraph">
+<p>The xml schema defined above allows the use of a simple xml (leveraging 
spring xml extensibility) to configure and
+register a JAAS configuration for a given realm.  This configuration will be 
made available into the OSGi registry as a
+JaasRealm and the OSGi specific Configuration will look for such services.
+Then the proxy login module will be able to use the information provided by 
the realm to actually load the class from
+the bundle containing the real login module.</p>
+</div>
+<div class="paragraph">
+<p>Karaf itself provides a set of login modules ready to use, depending of the 
authentication backend that you need.</p>
+</div>
+<div class="paragraph">
+<p>In addition of the login modules, Karaf also support backend engine. The 
backend engine is coupled to a login module and
+allows you to manipulate users and roles directly from Karaf (adding a new 
user, delete an existing user, etc).
+The backend engine is constructed by a backend engine factory, registered as 
an OSGi service.
+Some login modules (for security reason for instance) don&#8217;t provide 
backend engine.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_available_realm_and_login_modules">Available realm and login 
modules</h4>
+<div class="paragraph">
+<p>Karaf comes with a default realm named "karaf" using login modules.</p>
+</div>
+<div class="paragraph">
+<p>Karaf also provides a set of login modules and backend engines to handle 
authentication needs for your environment.</p>
+</div>
+<div class="sect4">
+<h5 id="_propertiesloginmodule">PropertiesLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.properties.PropertiesLoginModule</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.properties.PropertiesBackendEngineFactory</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>This login module is the one configured by default. It uses a properties 
text file to load the users, passwords and roles.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>users</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">location 
of the properties file</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>This file uses the <a 
href="http://download.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">properties
 file format</a>.
+The format of the properties is as follows, with each line defining a user, 
its password and associated roles:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>user=password[,role][,role]...</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = ${karaf.etc}/users.properties
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The PropertiesLoginModule provides a backend engine allowing:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>add a new user</p>
+</li>
+<li>
+<p>delete an existing user</p>
+</li>
+<li>
+<p>list the users, groups, and roles</p>
+</li>
+<li>
+<p>add a new role to an user</p>
+</li>
+<li>
+<p>delete a role from an user</p>
+</li>
+<li>
+<p>add an user into a group</p>
+</li>
+<li>
+<p>remove an user from a group</p>
+</li>
+<li>
+<p>add a role to a group</p>
+</li>
+<li>
+<p>delete a role from a group</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>To enable the backend engine, you have to register the corresponding OSGi 
service. For instance, the following blueprint
+shows how to register the PropertiesLoginModule and the corresponding backend 
engine:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0";
+           
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="-1"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = ${karaf.etc}/users.properties
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service 
interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean 
class="org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_osgiconfigloginmodule">OsgiConfigLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">N/A</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The OsgiConfigLoginModule uses the OSGi ConfigurationAdmin service to 
provide the users, passwords and roles.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>pid</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">the PID of 
the configuration containing user definitions</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The format of the configuration is the same than for the 
<code>PropertiesLoginModule</code> with properties prefixed with 
<code>user.</code>.</p>
+</div>
+<div class="paragraph">
+<p>For instance, in the Karaf etc folder, we create a file 
<code>org.apache.karaf.authentication.cfg</code> containing:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>user.karaf=karaf,admin
+user.user=password,role</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The following blueprint shows how to use this configuration:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="-1"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule"
+                     flags="required"&gt;
+            pid = org.apache.karaf.authentication
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The OsgiConfigLoginModule doesn&#8217;t provide a backend engine.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_jdbcloginmodule">JDBCLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.jdbc.JDBCBackendEngineFactory</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The JDBCLoginModule uses a database to load the users, passwords and roles 
from a provided data source (normal or XA).
+The data source and the queries for password and role retrieval are 
configurable using the following parameters.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>datasource</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The 
datasource as on OSGi ldap filter or as JDNI name</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>query.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The SQL 
query that retries the password of the user</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>query.role</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The SQL 
query that retries the roles of the user</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>To use an OSGi ldap filter, the prefix osgi: needs to be provided, as shown 
below:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+        datasource = 
osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+        query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>To use an JNDI name, the prefix jndi: needs to be provided. The example 
below assumes the use of Aries jndi to expose
+services via JNDI.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+        datasource = 
jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+        query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The JDBCLoginModule provides a backend engine allowing:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>add a new user</p>
+</li>
+<li>
+<p>delete an user</p>
+</li>
+<li>
+<p>list users, roles</p>
+</li>
+<li>
+<p>add a new role to an user</p>
+</li>
+<li>
+<p>remove a role from an user</p>
+</li>
+</ul>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The groups are not fully supported by the JDBCBackingEngine.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>The following blueprint shows how to define the JDBCLoginModule with the 
corresponding backend engine:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"&gt;
+
+    &lt;jaas:config name="karaf"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+            datasource = 
jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+            query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+            query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+            insert.user = INSERT INTO USERS(USERNAME,PASSWORD) VALUES(?,?)
+            insert.role = INSERT INTO ROLES(ROLE,USERNAME) VALUES(?,?)
+            delete.user = DELETE FROM USERS WHERE USERNAME=?
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service 
interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean 
class="org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_ldaploginmodule">LDAPLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.ldap.LDAPLoginModule</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">N/A</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The LDAPLoginModule uses LDAP to load the users and roles and bind the 
users on the LDAP to check passwords.</p>
+</div>
+<div class="paragraph">
+<p>The LDAPLoginModule supports the following parameters:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>connection.url</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
connection URL, e.g. ldap://hostname</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>connection.username</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin 
username to connect to the LDAP. This parameter is optional, if it&#8217;s not 
provided, the LDAP connection will be anonymous.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>connection.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin 
password to connect to the LDAP. Only used if the 
<code>connection.username</code> is specified.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>user.base.dn</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
base DN used to looking for user, e.g. ou=user,dc=apache,dc=org</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>user.filter</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
filter used to looking for user, e.g. (uid=%u) where %u will be replaced by the 
username.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>user.search.subtree</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true", 
the user lookup will be recursive (SUBTREE). If "false", the user lookup will 
be performed only at the first level (ONELEVEL).</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.base.dn</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
base DN used to looking for roles, e.g. ou=role,dc=apache,dc=org</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.filter</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
filter used to looking for user&#8217;s role, e.g. (member:=uid=%u)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.name.attribute</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP 
role attribute containing the role string used by Karaf, e.g. cn</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.search.subtree</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true", 
the role lookup will be recursive (SUBTREE). If "false", the role lookup will 
be performed only at the first level (ONELEVEL).</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.mapping</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define a 
mapping between roles defined in the LDAP directory for the user, and 
corresponding roles in Karaf. The format is 
ldapRole1=karafRole1,karafRole2;ldapRole2=karafRole3,karafRole4.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>authentication</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define the 
authentication backend used on the LDAP server. The default is simple.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>initial.context.factory</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define the 
initial context factory used to connect to the LDAP server. The default is 
com.sun.jndi.ldap.LdapCtxFactory</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true" 
or if the protocol on the <code>connection.url</code> is <code>ldaps</code>, an 
SSL connection will be used</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.provider</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The 
provider name to use for SSL</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.protocol</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The 
protocol name to use for SSL (SSL for example)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.algorithm</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The 
algorithm to use for the KeyManagerFactory and TrustManagerFactory (PKIX for 
example)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.keystore</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The key 
store name to use for SSL. The key store must be deployed using a 
<code>jaas:keystore</code> configuration.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.keyalias</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The key 
alias to use for SSL</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>ssl.truststore</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The trust 
store name to use for SSL. The trust store must be deployed using a 
<code>jaas:keystore</code> configuration.</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A example of LDAPLoginModule usage follows:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+  &lt;jaas:module 
className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
flags="required"&gt;
+        connection.url = ldap://localhost:389
+        user.base.dn = ou=user,dc=apache,dc=org
+        user.filter = (cn=%u)
+        user.search.subtree = true
+        role.base.dn = ou=group,dc=apache,dc=org
+        role.filter = (member:=uid=%u)
+        role.name.attribute = cn
+        role.search.subtree = true
+        authentication = simple
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>If you wish to use an SSL connection, the following configuration can be 
used as an example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;ext:property-placeholder /&gt;
+
+&lt;jaas:config name="karaf" rank="1"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
flags="required"&gt;
+        connection.url = ldaps://localhost:10636
+        user.base.dn = ou=users,ou=system
+        user.filter = (uid=%u)
+        user.search.subtree = true
+        role.base.dn = ou=groups,ou=system
+        role.filter = (uniqueMember=uid=%u)
+        role.name.attribute = cn
+        role.search.subtree = true
+        authentication = simple
+        ssl.protocol=SSL
+        ssl.truststore=ks
+        ssl.algorithm=PKIX
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;
+
+&lt;jaas:keystore name="ks"
+               path="file:///${karaf.home}/etc/trusted.ks"
+               keystorePassword="secret" /&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The LDAPLoginModule supports the following patterns that you can use in the 
filter (user and role filters):</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><code>%u</code> is replaced by the user</p>
+</li>
+<li>
+<p><code>%dn</code> is replaced by the user DN</p>
+</li>
+<li>
+<p><code>%fqdn</code> is replaced by the user full qualified DN 
(<code>userDNNamespace</code>).</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>For instance, the following configuration will work properly with 
ActiveDirectory (adding the ActiveDirectory to the
+default <code>karaf</code> realm):</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf" rank="2"&gt;
+  &lt;jaas:module 
className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" 
flags="required"&gt;
+    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+    connection.username=admin
+    connection.password=xxxxxxx
+    connection.protocol=
+    connection.url=ldap://activedirectory_host:389
+    user.base.dn=ou=Users,ou=there,DC=local
+    user.filter=(sAMAccountName=%u)
+    user.search.subtree=true
+    role.base.dn=ou=Groups,ou=there,DC=local
+    role.name.attribute=cn
+    role.filter=(member=%fqdn)
+    role.search.subtree=true
+    authentication=simple
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The LDAPLoginModule doesn&#8217;t provide backend engine. It means that the 
administration of the users and roles should be
+performed directly on the LDAP backend.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_syncopeloginmodule">SyncopeLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock">org.apache.karaf.jaas.modules.syncope.SyncopeBackendEngineFactory</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The Syncope login module uses the Syncope REST API to authenticate users 
and retrieve the roles.</p>
+</div>
+<div class="paragraph">
+<p>The Syncope login module just requires one parameter:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>address</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Location 
of the Syncope REST API</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>admin.user</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin 
username to administrate Syncope (only required by the backend engine)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>admin.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin 
password to administrate Syncope (only required by the backend engine)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The following snippet shows how to use Syncope with the karaf realm:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf" rank="2"&gt;
+  &lt;jaas:module 
className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule" 
flags="required"&gt;
+    address=http://localhost:9080/syncope/cxf
+    admin.user=admin
+    admin.password=password
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>SyncopeLoginModule comes with a backend engine allowing to manipulate users 
and roles. You have to register the
+SyncopeBackendEngineFactory service.</p>
+</div>
+<div class="paragraph">
+<p>For security reason, the SyncopeLoginModule backend engine allows only to 
list users and roles. You can&#8217;t create or delete
+users and roles directly from Karaf. To do it, you have to use the Syncope web 
console.</p>
+</div>
+<div class="paragraph">
+<p>For instance, the following blueprint descriptor enables the 
SyncopeLoginModule and the backend engine factory:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0";
+           
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="2"&gt;
+        &lt;jaas:module 
className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
+                     flags="required"&gt;
+           address=http://localhost:9080/syncope/cxf
+           admin.user=admin
+           admin.password=password
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service 
interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean 
class="org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_encryption_service">Encryption service</h4>
+<div class="paragraph">
+<p>The EncryptionService is a service registered in the OSGi registry 
providing means to encrypt and check encrypted passwords.
+This service acts as a factory for Encryption objects actually performing the 
encryption.</p>
+</div>
+<div class="paragraph">
+<p>This service is used in all Karaf login modules to support encrypted 
passwords.</p>
+</div>
+<div class="sect4">
+<h5 id="_configuring_properties">Configuring properties</h5>
+<div class="paragraph">
+<p>Each login module supports the following additional set of properties:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.name</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of 
the encryption service registered in OSGi (cf. Jasypt section)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.enabled</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Boolean 
used to turn on encryption</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.prefix</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Prefix for 
encrypted passwords</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.suffix</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Suffix for 
encrypted passwords</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.algorithm</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of an 
algorithm to be used for hashing, like "MD5" or "SHA-1"</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>encryption.encoding</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Encrypted 
passwords encoding (can be <code>hexadecimal</code> or 
<code>base64</code>)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.policy</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">A policy 
for identifying roles (can be <code>prefix</code> or <code>group</code>) (see 
Role discovery policies section)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>role.discriminator</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">A 
discriminator value to be used by the role policy</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A simple example follows:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        encryption.enabled = true
+        encryption.algorithm = MD5
+        encryption.encoding = hexadecimal
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_prefix_and_suffix">Prefix and suffix</h5>
+<div class="paragraph">
+<p>The login modules have the ability to support both encrypted and plain 
passwords at the same time.
+In some cases, some login modules may be able to encrypt the passwords on the 
fly and save them back in an encrypted form.</p>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_jasypt">Jasypt</h5>
+<div class="paragraph">
+<p>Karaf default installation comes with a simple encryption service which 
usually fullfill simple needs. However, in some
+cases, you may want to install the Jasypt (<a href="http://www.jasypt.org/"; 
class="bare">http://www.jasypt.org/</a>) library which provides stronger 
encryption algorithms
+and more control over them.</p>
+</div>
+<div class="paragraph">
+<p>To install the Jasypt library, the easiest way is to install the available 
feature:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>karaf@root&gt; features:install jasypt-encryption</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>It will download and install the required bundles and also register an 
<code>EncryptionService</code> for Jasypt in the OSGi registry.</p>
+</div>
+<div class="paragraph">
+<p>When configuring a login module to use Jasypt, you need to specify the 
<code>encryption.name</code> property and set it to a value of 
<code>jasypt</code> to make sure the Jasypt encryption service will be used.</p>
+</div>
+<div class="paragraph">
+<p>In addition to the standard properties above, the Jasypt service provides 
the following parameters:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>providerName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of 
the <code>java.security.Provider</code> name to use for obtaining the digest 
algorithm</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>providerClassName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Class name 
for the security provider to be used for obtaining the digest algorithm</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>iterations</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Number of 
times the hash function will be applied recursively</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>saltSizeBytes</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Size of 
the salt to be used to compute the digest</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>saltGeneratorClassName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Class name 
of the salt generator</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A typical realm definition using Jasypt encryption service would look 
like:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        encryption.enabled = true
+        encryption.name = jasypt
+        encryption.algorithm = SHA-256
+        encryption.encoding = base64
+        encryption.iterations = 100000
+        encryption.saltSizeBytes = 16
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_using_encrypted_property_placeholders">Using encrypted property 
placeholders</h5>
+<div class="paragraph">
+<p>When using blueprint framework for OSGi for configuring devices that 
requires passwords like JDBC datasources,
+it is undesirable to use plain text passwords in configuration files. To avoid 
this problem it is good to store database
+passwords in encrypted format and use encrypted property placeholders when 
ever possible.</p>
+</div>
+<div class="paragraph">
+<p>Encrypted properties can be stored in plain properties files. The encrypted 
content is wrapped by an ENC() function.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>#db.cfg / db.properties
+db.url=localhost:9999
+db.username=admin
+db.password=ENC(zRM7Pb/NiKyCalroBz8CKw==)</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The encrypted property placeholders can be used either by defining Apache 
Aries ConfigAdmin <code>property-placeholder</code>
+or by directly using the Apache Karaf <code>property-placeholder</code>. It 
has one child element <code>encryptor</code> that contains
+the actual Jasypt configuration. For detailed information on how to configure 
the different Jasypt encryptors, see the
+Jasypt documentation (<a href="http://www.jasypt.org/general-usage.html"; 
class="bare">http://www.jasypt.org/general-usage.html</a>).</p>
+</div>
+<div class="paragraph">
+<p>A typical definition using Jasypt encryption would look like:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
+           
xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0";
+           
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0";
+           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"&gt;
+
+  &lt;!-- Configuration via ConfigAdmin property-placeholder --&gt;
+  &lt;!-- the etc/*.cfg can contain encrypted values with ENC() function --&gt;
+  &lt;cm:property-placeholder persistent-id="db" update-strategy="reload"&gt;
+    &lt;cm:default-properties&gt;
+      &lt;cm:property name="encoded" value="ENC(${foo})"/&gt;
+    &lt;/cm:default-properties&gt;
+  &lt;/cm:property-placeholder&gt;
+
+  &lt;!-- Configuration via properties file --&gt;
+  &lt;!-- Instead of ConfigAdmin, we can load "regular" properties file from a 
location --&gt;
+  &lt;!-- Again, the db.properties file can contain encrypted values with 
ENC() function --&gt;
+  &lt;ext:property-placeholder&gt;
+    &lt;ext:location&gt;file:etc/db.properties&lt;/ext:location&gt;
+  &lt;/ext:property-placeholder&gt;
+
+  &lt;enc:property-placeholder&gt;
+    &lt;enc:encryptor 
class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
+      &lt;property name="config"&gt;
+        &lt;bean 
class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"&gt;
+          &lt;property name="algorithm" value="PBEWithMD5AndDES"/&gt;
+          &lt;property name="passwordEnvName" value="ENCRYPTION_PASSWORD"/&gt;
+        &lt;/bean&gt;
+      &lt;/property&gt;
+    &lt;/enc:encryptor&gt;
+  &lt;/enc:property-placeholder&gt;
+
+  &lt;!-- ... --&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Don&#8217;t forget to install the jasypt feature to add the support of the 
enc namespace:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>karaf@root()&gt; feature:install jasypt-encryption</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_role_discovery_policies">Role discovery policies</h4>
+<div class="paragraph">
+<p>The JAAS specification does not provide means to distinguish between User 
and Role Principals without referring to the
+specification classes. In order to provide means to the application developer 
to decouple the application from Karaf
+JAAS implementation role policies have been created.</p>
+</div>
+<div class="paragraph">
+<p>A role policy is a convention that can be adopted by the application in 
order to identify Roles, without depending from the implementation.
+Each role policy can be cofigured by setting a "role.policy" and 
"role.discriminator" property to the login module configuration.
+Currently, Karaf provides two policies that can be applied to all Karaf Login 
Modules.</p>
+</div>
+<div class="olist arabic">
+<ol class="arabic">
+<li>
+<p>Prefixed Roles</p>
+</li>
+<li>
+<p>Grouped Roles</p>
+</li>
+</ol>
+</div>
+<div class="paragraph">
+<p>When the prefixed role policy is used the login module applies a 
configurable prefix <em>(property role.discriminator)</em> to
+the role, so that the application can identify the role&#8217;s principals by 
its prefix. Example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        role.policy = prefix
+        role.discriminator = ROLE_
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The application can identify the role principals using a snippet like 
this:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>LoginContext ctx = new LoginContext("karaf", handler);
+ctx.login();
+authenticated = true;
+subject = ctx.getSubject();
+for (Principal p : subject.getPrincipals()) {
+       if (p.getName().startsWith("ROLE_")) {
+               roles.add((p.getName().substring("ROLE_".length())));
+       }
+}</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>When the group role policy is used the login module provides all roles as 
members of a group with a configurable name <em>(property 
role.discriminator)</em>. Example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        role.policy = group
+        role.discriminator = ROLES
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>LoginContext ctx = new LoginContext("karaf", handler);
+ctx.login();
+authenticated = true;
+subject = ctx.getSubject();
+for (Principal p : subject.getPrincipals()) {
+    if ((p instanceof Group) &amp;&amp; 
("ROLES".equalsIgnoreCase(p.getName()))) {
+        Group g = (Group) p;
+        Enumeration&lt;? extends Principal&gt; members = g.members();
+        while (members.hasMoreElements()) {
+            Principal member = members.nextElement();
+            roles.add(member.getName());
+        }
+    }
+}</pre>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_default_role_policies">Default role policies</h4>
+<div class="paragraph">
+<p>The previous section describes how to leverage role policies. However, 
Karaf provides a default role policy, based on the following class names:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>org.apache.karaf.jaas.modules.UserPrincipal</p>
+</li>
+<li>
+<p>org.apache.karaf.jaas.modules.RolePrincipal</p>
+</li>
+<li>
+<p>org.apache.karaf.jaas.modules.GroupPrincipal</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>It allows you to directly handling the role class:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>String rolePrincipalClass = "org.apache.karaf.jaas.modules.RolePrincipal";
+
+for (Principal p : subject.getPrincipals()) {
+       if (p.getClass().getName().equals(rolePrincipalClass)) {
+               roles.add(p.getName());
+       }
+}</pre>
+</div>
+</div>
+</div>
+</div>
+</div>
+<div id="footer">
+<div id="footer-text">
+Last updated 2016-04-27 13:59:28 CEST
+</div>
+</div>
+</body>
+</html>
\ No newline at end of file

