I would like to add a new component to Aries. The component is a
blueprint extension that implements role based access control based on
an existing JAAS authentication and JEE annotations (@RolesAllowed).
I created a first prototype here:
https://github.com/cschneider/blueprint-authz
The component works very well with the newly enhanced CXF
JAASAuthenticationFeature which does a JAAS login based on basic auth or
username token.
So is there interest in Aries for this component and if yes where should
I place it? My proposal would be to place it as a new sub module of
blueprint.
Christian
----
Below you can find an example of how to use the extension. The example
publishes a CXF JAXWS endpoint and secures it with basic auth. By
default it uses the jaas context "karaf" so it works with the karaf users.
After successful authentication the service impl is called. Here the
blueprint extension kicks in and will limit access to methods based on
@RolesAllowed annotations on methods.
So for example @RolesAllowed("admin") will grant access to all users in
the admin group.
In the below example it is important to use implementorClass in the cxf
endpoint as else CXF will see the proxy instead of the bean and not be
able to reflect on the service.
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
    xmlns:authz="http://aries.apache.org/xmlns/authorization/v1.0.0"
    xmlns:cxf="http://cxf.apache.org/blueprint/core"
    xmlns:jaxws="http://cxf.apache.org/blueprint/jaxws">

    <authz:enable/>

    <cxf:bus id="personServiceBus">
        <cxf:features>
            <bean class="org.apache.cxf.interceptor.security.JAASAuthenticationFeature">
                <property name="reportFault" value="true"/>
            </bean>
        </cxf:features>
    </cxf:bus>

    <jaxws:endpoint
        implementor="#personServiceImpl"
        address="/personService"
        implementorClass="net.lr.tutorial.karaf.cxf.personservice.impl.PersonServiceImpl"/>

    <bean id="personServiceImpl"
        class="net.lr.tutorial.karaf.cxf.personservice.impl.PersonServiceImpl"/>
</blueprint>
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
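
Added example, not part of the original message and not code from blueprint-authz: a sketch of how a proxy can enforce @RolesAllowed against the JAAS Subject of the current call, which is the kind of check the message describes. The nested RolesAllowed annotation (a stand-in for javax.annotation.security.RolesAllowed), the User and Role principal records, the secure() helper and the PersonService methods are all assumptions made for illustration; Subject.current() and Subject.callAs() need Java 18 or later.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class RolesAllowedDemo {
    // Stand-in for javax.annotation.security.RolesAllowed so this compiles without extra jars.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface RolesAllowed { String[] value(); }

    // Constructed principal types; a JAAS login module supplies its own user and role classes.
    record User(String name) implements Principal { public String getName() { return name; } }
    record Role(String name) implements Principal { public String getName() { return name; } }

    public interface PersonService { String getPerson(String id); void deletePerson(String id); }
    public static class PersonServiceImpl implements PersonService {
        @RolesAllowed({"admin", "user"}) public String getPerson(String id) { return "person-" + id; }
        @RolesAllowed("admin") public void deletePerson(String id) { }
    }

    static boolean hasAnyRole(Subject s, String[] roles) {
        // Match Role principals only, so a user merely *named* "admin" does not pass as the admin role.
        return s != null && s.getPrincipals(Role.class).stream()
                .anyMatch(r -> Arrays.asList(roles).contains(r.getName()));
    }

    // Wraps the bean in a proxy; methods with no annotation are not checked in this sketch.
    static <T> T secure(Class<T> iface, T bean) {
        InvocationHandler h = (proxy, m, args) -> {
            Method impl = bean.getClass().getMethod(m.getName(), m.getParameterTypes());
            RolesAllowed ra = impl.getAnnotation(RolesAllowed.class);
            if (ra == null) ra = bean.getClass().getAnnotation(RolesAllowed.class); // class-level fallback
            if (ra != null && !hasAnyRole(Subject.current(), ra.value()))
                throw new SecurityException("access denied: " + m.getName());
            try { return impl.invoke(bean, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, h));
    }

    public static void main(String[] argv) {
        PersonService svc = secure(PersonService.class, new PersonServiceImpl());
        Subject s = new Subject(); // constructed sample: user "admin" who holds only the role "user"
        s.getPrincipals().addAll(List.of(new User("admin"), new Role("user")));
        String person = Subject.callAs(s, () -> svc.getPerson("1"));
        System.out.println(person);                                   // allowed via role "user"
        try { Subject.callAs(s, () -> { svc.deletePerson("1"); return null; }); }
        catch (RuntimeException e) { System.out.println(e.getCause()); } // SecurityException
    }
}
```

The annotation is read from the implementation class rather than the proxy or interface method, which is the same reason the message gives for setting implementorClass on the CXF endpoint.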