https://github.com/steinarb/authservice
I wrote this to cover my own usecase, which was to have the same login
for nginx itself, as well as a couple of web whiteboard webapps running
in the same apache karaf, behind the nginx server through a reverse
proxy setup.
Cross-webapp SSO works by providing the shiro interfaces Realm[1] and
SessionDAO[2] as OSGi services to shiro web sessionmanagers.
Nginx authentication is handled by providing an nginx with a URL
suitable for the nginx auth_request module[3], that shares Realm and
SessionDAO with the karaf webapps.
Authservice is based on Shiro 1.3.1 (I can't remember why it isn't
1.3.2. I will try with 1.3.2 and if it works, release a new version of
authservice to maven central shortly), and it will be upgraded to the
first OSGi-friendly 1.4.x or 1.5 version released by Francois Papon.
The authservice license is Apache v2, and authservice has been deployed
to maven central.
To try it out:
1. From a karaf console, give the following commands:
feature:repo-add
mvn:no.priv.bang.authservice/authservice/LATEST/xml/features
feature:install authservice-with-derby-dbrealm-and-session
2. Open the URL http://localhost:8181/authservice in a web browser and
log in with username/password: jad/1ad
3. Verify that the "User administration UI" is inaccessible and use the
back button in the browser to get back to the main authservice page
4. Click on the "Change your own password" link and try changing the
password
5. After changing the password click on the back button in the browser
to get back to the main authservice page
Note: don't use the "Back to top" link because that links to two
levels up
6. Click on the "Change your own email and real name" and try changing
them
7. Click on the back button in the browser to get back to the main
authservice page (here also "Back to top" link, links two levelse
up, because both of these URLs are intended as self service URLs
linked to from the main nginx page)
8. Click on "Logout" and then login again as username/password:
admin/admin
9. Click on the "User administration UI" and try giving user jad the
useradmin role
10. Click on the "Up to authservice top" link and then click the
"Logout" link
11. Log in with username/password: jad/1ad
12. Verify that user jad now can use the "User administration UI"
The authservice-with-derby-dbrealm-and-session feature uses an in-memory
database that will disappear when karaf is stopped and restarted.
"Production" authservice uses PostgreSQL.
Authservice feature summary
- Based on Apache Shiro
- Apache Karaf application based on pax web whiteboard and OSGi Declarative
Services (DS)
- Plain HTML "self-service" pages for letting users change their
passwords and personal information
- A small user administration UI written in react and styled with
bootstrap v4
- A Shiro JDBC realm that supports base64 encoded password salt
- JDBC database schema and initial data setup provided by a liquibase
script, which means that in theory any JDBC database supported by
liquibase can be used to replace PosgreSQL (some code required, the
README has suggestions)
References:
[1]
<http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/realm/Realm.html>
[2]
<http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html>
[3] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
