[ https://issues.apache.org/jira/browse/FELIX-651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12627243#action_12627243 ]

Felix Meschberger commented on FELIX-651:
-----------------------------------------

Having a private OBR absolutely makes sense to me. Yet your proposed approach 
has some drawbacks in my opinion:

(1) It uses a JVM-wide setting to enable password transfer. I don't think such 
an approach is suitable for a bundle in an OSGi framework, all the more 
considering the framework may be started as part of a web application in a 
servlet container or even as a bundle in an OSGi-capable application server, 
which has already set the default authenticator. Yes, you also note this, but I 
see the problems rather than the advantages.

(2) I personally am not a fan of URLs with user name and password in them, 
because this is certainly not very secure, all the more as the URLs on which 
the bundle repository bundle operates can be queried.

(3) And then, you "secured" the URL to the repository.xml file. How about the 
URLs in the repository.xml file itself? Do they bear some user name and 
password, too?

(4) To really do a secure OBR, I would rather suggest, as you also do, to use 
HTTPS. Yet I think this would probably also require more on the 
bundlerepository part in terms of key management.

In fact, using HTTPS with client keys even enables per-user settings and 
controls...

Another solution might be to use Apache HttpComponents to be able to fully 
control credentials processing and to use user/password setting out of band of 
the URL.

> Access to password protected OBR
> --------------------------------
>
>                 Key: FELIX-651
>                 URL: https://issues.apache.org/jira/browse/FELIX-651
>             Project: Felix
>          Issue Type: Improvement
>          Components: Bundle Repository (OBR)
>            Reporter: Remco Poortinga - van Wijnen
>            Priority: Trivial
>         Attachments: UrlEmbeddedCredentialsAuthenticator.java
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> For a project I would like to configure a 'private' OBR (somewhat against the 
> federated idea of OBR I guess, but anyway). In other words: username/password 
> protected access. HTTPS OBRs are possible, but I have no idea if there is an 
> 'official' way (from Felix' point of view) for specifying credentials for the 
> specified OBR URLs.
> Just to see whether it would work, I created a test version where 
> username/password can be specified in an RFC 1738-compliant way, e.g. 
> https://user:[EMAIL PROTECTED]:port/rest, and added an Authenticator to the 
> bundlerepository bundle, which gets the username/password from the URL if it 
> is set (see 
> http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo()).
> This seems to work OK; would this be interesting for others as well?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
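The comment above objects to a JVM-wide Authenticator, to credentials living in queryable repository URLs, and to the open question of what happens with the URLs inside repository.xml. The following is an added example, written for this page; it is not the attached UrlEmbeddedCredentialsAuthenticator.java, not code from the Felix bundlerepository bundle, and the class name ObrCredentials, its methods, and the sample hosts obr.example.org and cdn.example.net are all assumed. It takes the user info out of a URL once (so the stored, loggable, queryable URL no longer carries a password), keeps the credentials out of band, attaches them per request only to the repository's own origin over HTTPS, and never calls Authenticator.setDefault(), so other code sharing the JVM is untouched.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical helper (not part of the Felix bundlerepository bundle).
 * Credentials are split out of the OBR URL once and supplied per request,
 * instead of being kept in the URL or installed via Authenticator.setDefault().
 */
public final class ObrCredentials {

    /** A repository URL with its user info removed, plus the credentials that were in it. */
    public static final class Split {
        public final URI cleanUrl;     // safe to store in config, log, or return from a query
        public final String user;      // null when the URL carried no user info
        public final char[] password;  // null when the URL carried no user info

        Split(URI cleanUrl, String user, char[] password) {
            this.cleanUrl = cleanUrl;
            this.user = user;
            this.password = password;
        }
    }

    private ObrCredentials() {}

    /** Splits "https://user:pw@host/repository.xml" into a clean URL and the credentials. */
    public static Split split(String rawUrl) throws URISyntaxException {
        URI u = new URI(rawUrl);
        // URI.getUserInfo() returns the percent-decoded "user:password" part, or null.
        String userInfo = u.getUserInfo();
        // Rebuild the URI with the user info component left out.
        URI clean = new URI(u.getScheme(), null, u.getHost(), u.getPort(),
                            u.getPath(), u.getQuery(), u.getFragment());
        if (userInfo == null) {
            return new Split(clean, null, null);
        }
        int colon = userInfo.indexOf(':');
        String user = colon < 0 ? userInfo : userInfo.substring(0, colon);
        String pass = colon < 0 ? "" : userInfo.substring(colon + 1);
        return new Split(clean, user, pass.toCharArray());
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /**
     * Repository credentials may only go to the repository's own origin. Resource
     * URLs inside repository.xml can point anywhere; sending the repository
     * password to a third-party host would leak it.
     */
    public static boolean sameOrigin(URI repo, URI resource) {
        return repo.getScheme() != null && resource.getScheme() != null
            && repo.getScheme().equalsIgnoreCase(resource.getScheme())
            && repo.getHost() != null && resource.getHost() != null
            && repo.getHost().equalsIgnoreCase(resource.getHost())
            && effectivePort(repo) == effectivePort(resource);
    }

    /**
     * Opens a connection to a resource and adds an Authorization header only when
     * the resource is on the repository origin and the transport is HTTPS.
     * No JVM-wide Authenticator is installed.
     */
    public static HttpURLConnection open(Split repo, URI resource) throws IOException {
        HttpURLConnection c = (HttpURLConnection) resource.toURL().openConnection();
        if (repo.user != null && sameOrigin(repo.cleanUrl, resource)) {
            if (!"https".equalsIgnoreCase(resource.getScheme())) {
                throw new IOException("refusing to send credentials over " + resource.getScheme());
            }
            String token = repo.user + ":" + new String(repo.password);
            String basic = Base64.getEncoder()
                .encodeToString(token.getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + basic);
        }
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs; the hosts are placeholders and nothing is fetched.
        Split repo = split("https://alice:s3cret%40pw@obr.example.org:8443/obr/repository.xml");
        System.out.println("store/log this: " + repo.cleanUrl);
        System.out.println("user extracted: " + repo.user);

        URI own   = repo.cleanUrl.resolve("bundles/foo-1.0.jar");
        URI other = new URI("https://cdn.example.net/bundles/foo-1.0.jar");
        System.out.println("attach credentials to " + own + "? " + sameOrigin(repo.cleanUrl, own));
        System.out.println("attach credentials to " + other + "? " + sameOrigin(repo.cleanUrl, other));
    }
}
```

The same-origin check is the answer to point (3): a resource entry in repository.xml that points at another host gets no Authorization header at all. The Basic header is still a reusable password, so the HTTPS check is what makes it acceptable on the wire; per-user control with client certificates, as suggested in point (4), would instead be configured on the SSLContext of the connection and is not shown here.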
