[jira] Updated: (KARAF-172) Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules

[Ioannis Canellos (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ioannis Canellos updated KARAF-172:
-----------------------------------

    Attachment: KARAF-172-patch.txt

I am uploading a patch that does the following:

a) Introduces KarafAbstractLoginModule which handles RolePolicies if any (the 
rest login modules inherit from that).
b) Introduces a group policy GROUP_ROLES. This policy creates a Group Object 
with a configurable name and adds all RolesPrincipals into that Group 
(JBoss-like approach).
c) Introduces a group policy PREFIXED_ROLES which discriminates RolePricipals 
by adding a configurable prefix.

Some policy examples:

GROUP_ROLES:

    <jaas:config name="example">
        <jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" 
flags="required">
            users = $[karaf.base]/etc/users.properties
            rolePolicy = group
            roleDisciriminator = ROLES
        </jaas:module>
    </jaas:config>

PREFIXED_ROLES:

    <jaas:config name="example">
        <jaas:module 
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" 
flags="required">
            users = $[karaf.base]/etc/users.properties
            rolePolicy = prefix
            roleDisciriminator = ROLE_
        </jaas:module>
    </jaas:config>




> Implement a mechanism that would allow a karaf application to distingush 
> between UserPrincipal & RolePrincipal without depending from Karaf JAAS 
> Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KARAF-172
>                 URL: https://issues.apache.org/jira/browse/KARAF-172
>             Project: Karaf
>          Issue Type: New Feature
>            Reporter: Ioannis Canellos
>         Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and 
> authorization will obtain a LoginContext that contains UserPrincipal and 
> RolePrincipal objects (both classes are inside 
> org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based 
> authorization), will have to depend from 
> org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules 
> and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix 
> on Roles, or goruping roles under a Group with a fixed name (jboss 
> approach)). This mechanism could be implemented by Karaf Login Modules and 
> even better could be pluggable.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.