I have created something similar for blueprint:
https://github.com/apache/aries/tree/trunk/blueprint/blueprint-authz

I use the standard annotations @RolesAllowed, @PermitAll, @DenyAll.
You set the annotations on your classes and a blueprint interceptor takes care of enforcing the permissions.

To set the authentication context I use JAAS. So you do a JAAS login and execute your code in Subject.doAs() to set your identity. I suggest you use the same way in your code. This allows you to leverage existing authentications that set the JAAS context. For example there is a JAASLoginFeature for CXF. Much of the OSGi security also operates based on JAAS.

My solution is of course restricted to blueprint but the JAAS part should be portable.

Apache Karaf also works based on JAAS. For example, if you log in to Karaf using SSH, a JAAS context will be established. Karaf 3 also supports role-based access control for JMX and OSGi services that is implemented in a very similar way to what you have in mind. It also creates a proxy for OSGi services and checks the permission in the proxy.

http://karaf.apache.org/manual/latest/users-guide/security.html
https://issues.apache.org/jira/browse/KARAF-2435

Christian


On 18.05.2015 17:59, Frank Langel wrote:
Hi,

Please see attached slides. I am trying to implement security checks in OSGi

 1. Ability to secure methods using @RequiresRoles @RequiresPermission
 2. Ability to create invocation context to transparent permission
    checking

As this doesn’t come out of the box, I created a few suggestions of how it could be done. Would you agree with the suggestions? I created a PDF so that I could maintain nice formatting.

Thanks a lot
Frank



_______________________________________________
OSGi Developer Mail List
osgi-dev@mail.osgi.org
https://mail.osgi.org/mailman/listinfo/osgi-dev


--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
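
The pattern described in the reply above (identity set with Subject.doAs(), role check done in a proxy in front of the service), as an added example that is not part of the original message and is not blueprint-authz or Karaf code. It assumes Java 18 or later for Subject.current(); the RolesAllowed annotation is a local stand-in for javax.annotation.security.RolesAllowed, and Role, Accounts and secure() are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class RolesProxyDemo {
    // Local stand-in for javax.annotation.security.RolesAllowed, so the demo has no dependencies.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    // Hypothetical role principal; a real JAAS LoginModule adds its own principal types.
    record Role(String name) implements Principal { public String getName() { return name; } }

    interface Accounts {                                   // hypothetical service interface
        @RolesAllowed({"admin", "user"}) String read(String id);
        @RolesAllowed("admin") String delete(String id);
    }

    // Wraps a service in a proxy that checks the caller's roles before each annotated method.
    // Assumption of this demo: methods without the annotation are passed through unchecked.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, (p, m, args) -> {
            RolesAllowed allowed = m.getAnnotation(RolesAllowed.class);
            if (allowed != null) {
                Subject caller = Subject.current();        // null when no identity is established
                Set<String> roles = new HashSet<>();
                if (caller != null) for (Role r : caller.getPrincipals(Role.class)) roles.add(r.getName());
                if (Collections.disjoint(roles, Arrays.asList(allowed.value())))
                    throw new SecurityException("denied: " + m.getName());
            }
            try { return m.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        });
    }

    public static void main(String[] unused) {
        Accounts svc = secure(Accounts.class, new Accounts() {
            public String read(String id) { return "read " + id; }
            public String delete(String id) { return "deleted " + id; }
        });
        Subject user = new Subject();                      // constructed; normally from LoginContext.login()
        user.getPrincipals().add(new Role("user"));
        PrivilegedAction<String> work = () -> {
            try { return svc.read("42") + " / " + svc.delete("42"); }
            catch (SecurityException e) { return svc.read("42") + " / " + e.getMessage(); }
        };
        System.out.println(Subject.doAs(user, work));      // runs with the "user" identity
        try { svc.read("42"); } catch (SecurityException e) { System.out.println("no subject: " + e.getMessage()); }
    }
}
```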
