Sorry Guillaume, but I did not take enough time to elaborate.

With J2EE applications, we can set up security in the web.xml file
using the following tags:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Pages</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>karaf</realm-name>
    </login-config>

By adding the following bean configuration to Jetty's /etc/jetty.xml file,

    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
          <Set name="name">karaf</Set>
          <Set name="loginModuleName">karaf</Set>
          <Set name="roleClassNames">
            <Array type="java.lang.String">
              <Item>org.apache.karaf.jaas.modules.RolePrincipal</Item>
            </Array>
          </Set>
        </New>
      </Arg>
    </Call>

we can deploy a WAR project on Karaf where the security is externalized
from the Servlet that we deploy and is instead handled by the web
container (Jetty) with the authentication framework (JAAS).

If we could use the same philosophy in the OSGi world, that would be great.
This is why I propose to use a Servlet Filter
(http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/servlet.html)
to authenticate users with the JAASSecurityProvider of Karaf, or a new
one which is more generic.

In a config file we can configure the filter:

org.apache.felix.http.whiteboardEnabled = true
org.apache.felix.http.filter.name = "name of the Filter Authentication Servlet"
org.apache.felix.http.filter.Classname = "name of the Filter Authentication Servlet"
org.apache.felix.http.filter.init.param.name = "path"
org.apache.felix.http.filter.init.param.value = "/camel/*"
org.apache.felix.http.filter.init.param.name = "role"
org.apache.felix.http.filter.init.param.value = "admin"
org.apache.felix.http.filter.init.param.name = "authentication"
org.apache.felix.http.filter.init.param.value = "basic"

which will be registered with the OSGi HTTP Service
(http://svn.apache.org/repos/asf/felix/trunk/http/samples/filter/).
Then the camelServlet or any other (CXF, ...) can be deployed on
Karaf/ServiceMix to authenticate users based on JAAS in an independent
way.

Regards,

Charles
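As an added illustration of the proposal above (example code, not code from this thread, from Karaf or from Felix), here is what such a generic JAAS Basic-auth filter could look like. The class name JaasBasicAuthFilter and the reading of a single "role" init parameter are assumptions; the "karaf" realm name and org.apache.karaf.jaas.modules.RolePrincipal come from the jetty.xml configuration quoted earlier, and the URL pattern is left to the filter registration rather than the filter itself.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.karaf.jaas.modules.RolePrincipal;
public class JaasBasicAuthFilter implements Filter {   // hypothetical name, example code
    static final String REALM = "karaf";  // JAAS login configuration name used by Karaf
    private String role;                  // init param "role", e.g. "admin"; null = any authenticated user
    public void init(FilterConfig cfg) { role = cfg.getInitParameter("role"); }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] creds = decodeBasic(header.substring(6).trim());
            if (creds != null && authenticate(creds[0], creds[1].toCharArray())) {
                chain.doFilter(req, res); return;  // authenticated and authorised: let the servlet run
            }
        }
        // Missing, malformed or rejected credentials: challenge the client, never fall through
        HttpServletResponse out = (HttpServletResponse) res;
        out.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    // Decodes "user:password", splitting at the first colon so passwords containing ':' survive
    static String[] decodeBasic(String b64) {
        try {
            String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
            int i = pair.indexOf(':');
            return i < 0 ? null : new String[] { pair.substring(0, i), pair.substring(i + 1) };
        } catch (IllegalArgumentException e) { return null; }  // not valid base64
    }
    boolean authenticate(String user, char[] password) {
        CallbackHandler handler = cbs -> {   // hands the HTTP credentials to the JAAS login module
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext(REALM, handler); lc.login();  // LoginException on bad credentials
            // Authentication alone is not enough: the Subject must also carry the required role
            return role == null || lc.getSubject().getPrincipals(RolePrincipal.class).stream().anyMatch(p -> role.equals(p.getName()));
        } catch (LoginException e) { return false; }
    }
    public void destroy() {}
}
```

Registered through the OSGi HTTP Service (or the Felix whiteboard) for the servlet's URL pattern, the filter runs before the Camel or CXF servlet, so those servlets never see an unauthenticated request.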


On Tue, Feb 15, 2011 at 4:32 PM, Guillaume Nodet <[email protected]> wrote:
> On Tue, Feb 15, 2011 at 16:08, Charles Moulliard <[email protected]> wrote:
>> Why don't we use pax-exam whiteboard for doing that (registering the
>> camelServlet + JAASecurity) ?
>
> Well, we could, but that would not work on anything else than pax-web.
> Felix and Equinox both provide their own http service, and i don't
> really see why we would not support those.
>
>> It could be also interesting that we provide a Generic Servlet Filter
>> to work with JAAS of Karaf. In this case, we don't have to create for
>> each servlet that we would like to use its own JAAS SecurityManager +
>> HttpContext?
>
> Not sure to follow.  What I had suggested was to improve the
> camel-servlet to better behave when deployed as an OSGi bundle.  So
> that would be done only once I think.
> But you're right that the security bits may be different if you want
> to use spring-security or jaas, as it's done in Karaf.
>
> The problem with not using JAAS is that you end up with a lot more
> dependencies and being tied to a given project.  Maybe at some point
> we'll need a security abstraction in Camel, not sure though...
>
> I guess if it's too specific to Karaf, we could put an enhanced
> version of camel-servlet into
>  http://svn.apache.org/repos/asf/camel/trunk/platforms/karaf/
>
>> On Fri, Jan 14, 2011 at 5:36 PM, Guillaume Nodet <[email protected]> wrote:
>>> Shouldn't the component be registered automatically using an activator?
>>> Registering a servlet is not the standard way in OSGi, it would only work
>>> with pax-web.
>>> So I think registering the servlet directly in the HttpService would allow
>>> you to create your own HttpContext and use it to do the authentication.
>>>
>>> Though forcing the use of JAAS may not be a good idea from a pure Karaf
>>> perspective ...
>>>
>>> On Fri, Jan 14, 2011 at 08:27, Guillaume Nodet <[email protected]> wrote:
>>>
>>>> Right, see how it's done in Karaf for the web console:
>>>>
>>>> http://svn.apache.org/repos/asf/karaf/trunk/webconsole/branding/src/main/java/org/apache/karaf/webconsole/JaasSecurityProvider.java
>>>>
>>>> That one is called by the HttpContext created by the webconsole in the
>>>> handleSecurity() method:
>>>>
>>>> http://svn.apache.org/repos/asf/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManagerHttpContext.java
>>>>
>>>> On Fri, Jan 14, 2011 at 07:33, Achim Nierbeck 
>>>> <[email protected]>wrote:
>>>>
>>>>> I think for the OSGi Servlets, the OSGi container does the security
>>>>> directly like done with the webconsole plugin. Could you please take a
>>>>> look at it. Nevertheless I will take a deeper look at this later
>>>>> today :)
>>>>>
>>>>>
>>>>> 2011/1/14 Charles Moulliard <[email protected]>:
>>>>> > Hi,
>>>>> >
>>>>> > I have successfully deployed the camel OSGi Servlet (as mentioned in the
>>>>> > updated wiki page of camel) - 2.6-SNAPSHOT and am able to use it
>>>>> > with a camel
>>>>> >
>>>>> > Now I would like to configure jetty using the configuration file
>>>>> > deployed in /etc/jetty.xml like this
>>>>> >
>>>>> > <?xml version="1.0" encoding="UTF-8"?>
>>>>> > <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting// DTD
>>>>> > Configure//EN" "http://jetty.mortbay.org/configure.dtd">
>>>>> > <Configure class="org.eclipse.jetty.server.Server">
>>>>> >
>>>>> >    <!-- =========================================================== -->
>>>>> >    <!-- Set connectors                                              -->
>>>>> >    <!-- =========================================================== -->
>>>>> >    <!-- One of each type!                                           -->
>>>>> >    <!-- =========================================================== -->
>>>>> >
>>>>> >    <!-- Use this connector for many frequently idle connections
>>>>> >         and for threadless continuations.
>>>>> >    -->
>>>>> >    <Call name="addConnector">
>>>>> >      <Arg>
>>>>> >          <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
>>>>> >            <Set name="host"><Property name="jetty.host"/></Set>
>>>>> >            <Set name="port"><Property name="jetty.port" default="8282"/></Set>
>>>>> >            <Set name="maxIdleTime">300000</Set>
>>>>> >            <Set name="Acceptors">2</Set>
>>>>> >            <Set name="statsOn">false</Set>
>>>>> >            <Set name="confidentialPort">8443</Set>
>>>>> >            <Set name="lowResourcesConnections">20000</Set>
>>>>> >            <Set name="lowResourcesMaxIdleTime">5000</Set>
>>>>> >          </New>
>>>>> >      </Arg>
>>>>> >    </Call>
>>>>> >
>>>>> >    <Call name="addBean">
>>>>> >      <Arg>
>>>>> >        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
>>>>> >          <Set name="name">karaf</Set>
>>>>> >          <Set name="loginModuleName">karaf</Set>
>>>>> >        </New>
>>>>> >      </Arg>
>>>>> >    </Call>
>>>>> >
>>>>> > - This option is enabled using the following property:
>>>>> > org.ops4j.pax.web.config.file=./etc/jetty.xml
>>>>> > - The security is enabled with the JAASLoginService
>>>>> >
>>>>> > Unfortunately the client is not authenticated when the browser sends
>>>>> > the request to the Jetty Server, and it receives an answer from the camel
>>>>> > route.
>>>>> >
>>>>> > Any idea is welcome?
>>>>> >
>>>>> > Here is the list of bundles deployed.
>>>>> >
>>>>> > [ 240] [Active     ] [            ] [       ] [   60] camel-http (2.6.0.SNAPSHOT)
>>>>> > [ 241] [Active     ] [            ] [       ] [   60] camel-servlet (2.6.0.SNAPSHOT)
>>>>> > [ 242] [Active     ] [            ] [       ] [   60] CAMEL :: OSGI :: Servlet (1.0.0)
>>>>> > [ 248] [Active     ] [            ] [Started] [   60] spring-context.xml (0.0.0)
>>>>> > [ 249] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Extender - Whiteboard (0.8.2.SNAPSHOT)
>>>>> > [ 250] [Active     ] [            ] [       ] [   60] OPS4J Pax Url - war:, war-i: (1.2.1)
>>>>> > [ 251] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Jsp Support (0.8.2.SNAPSHOT)
>>>>> > [ 252] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Extender - WAR (0.8.2.SNAPSHOT)
>>>>> > [ 253] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - FileInstall Deployer (0.8.2.SNAPSHOT)
>>>>> > [ 254] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - API (0.8.2.SNAPSHOT)
>>>>> > [ 255] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Service SPI (0.8.2.SNAPSHOT)
>>>>> > [ 256] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Runtime (0.8.2.SNAPSHOT)
>>>>> > [ 257] [Active     ] [            ] [       ] [   60] OPS4J Pax Web - Jetty (0.8.2.SNAPSHOT)
>>>>> > [ 269] [Active     ] [            ] [       ] [   60] Jetty :: Utilities (7.2.2.v20101205)
>>>>> > [ 270] [Active     ] [            ] [       ] [   60] Jetty :: Plus (7.2.2.v20101205)
>>>>> > [ 271] [Active     ] [            ] [       ] [   60] Jetty :: JNDI Naming (7.2.2.v20101205)
>>>>> >
>>>>> >
>>>>> >
>>>>> > Regards,
>>>>> >
>>>>> >
>>>>> > Charles Moulliard
>>>>> >
>>>>> > Sr. Principal Solution Architect - FuseSource
>>>>> > Apache Committer
>>>>> >
>>>>> > Blog : http://cmoulliard.blogspot.com
>>>>> > Twitter : http://twitter.com/cmoulliard
>>>>> > Linkedin : http://www.linkedin.com/in/charlesmoulliard
>>>>> > Skype: cmoulliard
>>>>> >
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Cheers,
>>>> Guillaume Nodet
>>>> ------------------------
>>>> Blog: http://gnodet.blogspot.com/
>>>> ------------------------
>>>> Open Source SOA
>>>> http://fusesource.com
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
>
