We already have the PublicKeyLoginModule (that we use for SSH key based
authentication).
As you describe, I see it more in Karaf, maybe extending/leveraging the
PublicKeyLoginModule.
Regards
JB
On 07/10/2014 06:12 PM, Christian Schneider wrote:
That is possible of course. I think it would not really match the scope
of cxf though.
The LoginModule would be pretty generic with no dependency on cxf. On
the other hand I think that a LoginModule for cert based authentication
can also make sense for karaf. For example if a user wants to secure the
karaf webconsole or a Servlet with client certs then he should have the
same requirements.
So I hope we can store this in karaf and provide it for all kinds of web
based authentication with ssl and certificates.
In fact the scope of login modules that provide just details about the
user without doing authentication would be every kind of authentication
that happens outside of JAAS.
So compared to Spring security it would be something like the
UserDetailsService they define.
So in case karaf is not a good place for this maybe it could be done in
pax?
One further argument why it should not be done in CXF is if you look at
ActiveMQ they also have classes covering JAAS based authentication. Even
supporting certificate based authentication.
So if we put it in CXF we would basically duplicate the effort. So
ideally I think it should live in a project where ActiveMQ, CXF and
Karaf can use it.
Christian
On 10.07.2014 16:54, Jean-Baptiste Onofré wrote:
Hi Christian,
why not provide a login module in CXF (dedicated)?
Regards
JB
On 07/10/2014 04:52 PM, Christian Schneider wrote:
We have the following issue in CXF:
https://issues.apache.org/jira/browse/CXF-5118
What we want to achieve is to let a user authenticate against a
webservice running in karaf using a client certificate.
We would like to leverage the karaf JAAS support to do the mapping from
certificate to user and to lookup the roles.
I have described some ideas how to do this in the issue above.
Some would require changing the LDAPLoginModule to support a mode that
just retrieves the groups and does not do actual authentication
(configurable).
Which could be an issue if someone uses it as a user/password login
module and configures it incorrectly.
The other solutions have other issues.
So what solution would you choose?
Or should we alternatively keep this complete code out of karaf?
Christian
--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
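Christian's proposal in the thread (a login module that maps an already-validated client certificate to a user and looks up its roles, without doing any authentication itself) can be sketched as a plain JAAS LoginModule. The code below is an added illustration and is not code from CXF, Karaf, ActiveMQ or any of the thread's authors; PeerPrincipalCallback, SimplePrincipal, CertRoleLookupLoginModule and the in-memory DIRECTORY map are assumptions standing in for Karaf's own principal classes and for the LDAP or properties backend a real module would query.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical callback: carries the peer principal the TLS layer already verified. */
final class PeerPrincipalCallback implements Callback {
    private Principal peer;
    public void setPeer(Principal p) { this.peer = p; }
    public Principal getPeer() { return peer; }
}

/** Minimal principal standing in for Karaf's UserPrincipal/RolePrincipal (assumption). */
final class SimplePrincipal implements Principal {
    private final String kind, name;
    SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return kind + ":" + name; }
}

/** Maps a verified certificate subject to a user and roles; performs no authentication. */
public class CertRoleLookupLoginModule implements LoginModule {
    // Constructed sample directory: subject DN (RFC 2253 form) -> "user;role1,role2".
    static final Map<String, String> DIRECTORY = Map.of(
        "CN=alice,OU=ops,O=Example", "alice;admin,manager",
        "CN=bob,OU=dev,O=Example",   "bob;viewer");

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles = List.of();
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        // Deliberately no NameCallback/PasswordCallback: the module cannot be wired
        // as a user/password login module by mistake, it only accepts a TLS-verified peer.
        PeerPrincipalCallback cb = new PeerPrincipalCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("handler did not supply a verified peer principal: " + e);
        }
        if (!(cb.getPeer() instanceof X500Principal)) {
            throw new LoginException("no X.500 peer principal; client-cert authentication not performed");
        }
        String dn = ((X500Principal) cb.getPeer()).getName(X500Principal.RFC2253);
        String entry = DIRECTORY.get(dn);
        if (entry == null) throw new LoginException("unknown certificate subject: " + dn);
        String[] parts = entry.split(";", 2);
        user = parts[0];
        roles = parts.length > 1 && !parts[1].isEmpty() ? List.of(parts[1].split(",")) : List.of();
        return true;
    }

    @Override
    public boolean commit() {
        if (user == null) return false;
        added.add(new SimplePrincipal("user", user));
        for (String r : roles) added.add(new SimplePrincipal("role", r));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { user = null; roles = List.of(); added.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    // Stand-alone demo: the handler plays the web container that validated the client
    // certificate during the TLS handshake and hands its subject on to JAAS.
    public static void main(String[] args) throws Exception {
        X500Principal verifiedPeer = new X500Principal("CN=alice, OU=ops, O=Example");
        CallbackHandler fromTls = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof PeerPrincipalCallback) ((PeerPrincipalCallback) c).setPeer(verifiedPeer);
                else throw new UnsupportedCallbackException(c);
            }
        };
        Subject s = new Subject();
        LoginModule m = new CertRoleLookupLoginModule();
        m.initialize(s, fromTls, new HashMap<>(), new HashMap<>());
        m.login();
        m.commit();
        System.out.println(s.getPrincipals());

        // A password-style handler cannot satisfy this module: login() fails closed
        // instead of silently granting roles.
        CallbackHandler passwordStyle = callbacks -> { throw new UnsupportedCallbackException(callbacks[0]); };
        LoginModule m2 = new CertRoleLookupLoginModule();
        m2.initialize(new Subject(), passwordStyle, new HashMap<>(), new HashMap<>());
        try { m2.login(); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The design point relevant to the misconfiguration Christian raises is that the module never asks for a password, so a JAAS realm that wires it in for user/password logins cannot succeed; the only thing it trusts is a principal that the TLS layer (the web container or CXF transport) has already validated against its trust store, and the handler is the one place where that trust boundary must be respected.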