Re: Could/should OsgiConfiguration for JAAS fallback to default configuration
Thanks Sergiy, I will review. Regards JB On 11/28/2016 03:03 PM, Sergiy Shyrkov wrote: Hello guys, we've finally tested the fix successfully on our side and have submitted it as a pull request: https://github.com/apache/karaf/pull/271 Thank you! Kind regards Sergiy On Thu, 20 Oct 2016 08:59:03 +0200, Benjamin Papez wrote: Hi JB, thanks for looking into it. I already created a jira: https://issues.apache.org/jira/browse/KARAF-4784 The workaround with an own login module ain't that easy, because we do not know the names of all current jaas configurations customers have today (can be multiple per installation). As I understand with OSGI we (or they) would need to create one realm per such entry name and the login module would need to be able to read and copy the default configuration before osgi overrides it. If OsgiConfiguration would fallback to the default configuration, no action would be required (for us and for customers migrating to the new relase with Karaf). Regards, Benjamin Am 18.10.2016 um 18:25 schrieb Jean-Baptiste Onofré: Hi Benjamin, your proposal makes sense. I will review, create a Jira, and implement. In the mean time, as a workaround, I think you can provide your own login module acting as a bypass. Regards JB On 10/18/2016 06:19 PM, Benjamin Papez wrote: Hello, we plan to use Karaf embedded in the next version of our Web Application, which means that we still start the application server (Tomcat/JBoss/Websphere). Some of our customers are using a JAAS configuration, mainly Kerberos for SPNEGO. Unfortunately with the step to use Karaf the current default JAAS configuration is no longer picked up and used, because Karaf is setting the OsgiConfiguration object into Configuration.setConfiguration within OsgiConfiguration.init method. Is it wanted (by design) to ignore all standard/app-server specific ways of JAAS configuration? I would otherwise suggest a modification to OsgiConfiguration, with something like: private Configuration defaultConfiguration; public void init() { try { defaultConfiguration = Configuration.getConfiguration(); } catch (RuntimeException ex) { // } Configuration.setConfiguration(this); } ... public AppConfigurationEntry[] getAppConfigurationEntry(String name) { JaasRealm realm = null; for (JaasRealm r : realms) { if (r.getName().equals(name)) { if (realm == null || r.getRank() > realm.getRank()) { realm = r; } } } if (realm != null) { return realm.getEntries(); } else if (defaultConfiguration != null) { return defaultConfiguration.getAppConfigurationEntry(name); } return null; } public void refresh() { if (defaultConfiguration != null) { defaultConfiguration.refresh(); } } This way if no OSGI configured JAAS realm can find an AppConfigurationEntry, we would still try to get it from the default JAAS configuration, and our customers could keep the same JAAS configuration as before. Would implementing this suggestion break anything in Karaf? Regards, Benjamin -- Jean-Baptiste Onofré jbono...@apache.org http://blog.nanthrax.net Talend - http://www.talend.com
Re: Could/should OsgiConfiguration for JAAS fallback to default configuration
Hello guys, we've finally tested the fix successfully on our side and have submitted it as a pull request: https://github.com/apache/karaf/pull/271 Thank you! Kind regards Sergiy On Thu, 20 Oct 2016 08:59:03 +0200, Benjamin Papez wrote: Hi JB, thanks for looking into it. I already created a jira: https://issues.apache.org/jira/browse/KARAF-4784 The workaround with an own login module ain't that easy, because we do not know the names of all current jaas configurations customers have today (can be multiple per installation). As I understand with OSGI we (or they) would need to create one realm per such entry name and the login module would need to be able to read and copy the default configuration before osgi overrides it. If OsgiConfiguration would fallback to the default configuration, no action would be required (for us and for customers migrating to the new relase with Karaf). Regards, Benjamin Am 18.10.2016 um 18:25 schrieb Jean-Baptiste Onofré: Hi Benjamin, your proposal makes sense. I will review, create a Jira, and implement. In the mean time, as a workaround, I think you can provide your own login module acting as a bypass. Regards JB On 10/18/2016 06:19 PM, Benjamin Papez wrote: Hello, we plan to use Karaf embedded in the next version of our Web Application, which means that we still start the application server (Tomcat/JBoss/Websphere). Some of our customers are using a JAAS configuration, mainly Kerberos for SPNEGO. Unfortunately with the step to use Karaf the current default JAAS configuration is no longer picked up and used, because Karaf is setting the OsgiConfiguration object into Configuration.setConfiguration within OsgiConfiguration.init method. Is it wanted (by design) to ignore all standard/app-server specific ways of JAAS configuration? I would otherwise suggest a modification to OsgiConfiguration, with something like: private Configuration defaultConfiguration; public void init() { try { defaultConfiguration = Configuration.getConfiguration(); } catch (RuntimeException ex) { // } Configuration.setConfiguration(this); } ... public AppConfigurationEntry[] getAppConfigurationEntry(String name) { JaasRealm realm = null; for (JaasRealm r : realms) { if (r.getName().equals(name)) { if (realm == null || r.getRank() > realm.getRank()) { realm = r; } } } if (realm != null) { return realm.getEntries(); } else if (defaultConfiguration != null) { return defaultConfiguration.getAppConfigurationEntry(name); } return null; } public void refresh() { if (defaultConfiguration != null) { defaultConfiguration.refresh(); } } This way if no OSGI configured JAAS realm can find an AppConfigurationEntry, we would still try to get it from the default JAAS configuration, and our customers could keep the same JAAS configuration as before. Would implementing this suggestion break anything in Karaf? Regards, Benjamin -- Sergiy Shyrkov Software Architect Jahia Solutions Group SA http://www.jahia.com
Re: Could/should OsgiConfiguration for JAAS fallback to default configuration
Hi JB, thanks for looking into it. I already created a jira: https://issues.apache.org/jira/browse/KARAF-4784 The workaround with an own login module ain't that easy, because we do not know the names of all current jaas configurations customers have today (can be multiple per installation). As I understand with OSGI we (or they) would need to create one realm per such entry name and the login module would need to be able to read and copy the default configuration before osgi overrides it. If OsgiConfiguration would fallback to the default configuration, no action would be required (for us and for customers migrating to the new relase with Karaf). Regards, Benjamin Am 18.10.2016 um 18:25 schrieb Jean-Baptiste Onofré: Hi Benjamin, your proposal makes sense. I will review, create a Jira, and implement. In the mean time, as a workaround, I think you can provide your own login module acting as a bypass. Regards JB On 10/18/2016 06:19 PM, Benjamin Papez wrote: Hello, we plan to use Karaf embedded in the next version of our Web Application, which means that we still start the application server (Tomcat/JBoss/Websphere). Some of our customers are using a JAAS configuration, mainly Kerberos for SPNEGO. Unfortunately with the step to use Karaf the current default JAAS configuration is no longer picked up and used, because Karaf is setting the OsgiConfiguration object into Configuration.setConfiguration within OsgiConfiguration.init method. Is it wanted (by design) to ignore all standard/app-server specific ways of JAAS configuration? I would otherwise suggest a modification to OsgiConfiguration, with something like: private Configuration defaultConfiguration; public void init() { try { defaultConfiguration = Configuration.getConfiguration(); } catch (RuntimeException ex) { // } Configuration.setConfiguration(this); } ... public AppConfigurationEntry[] getAppConfigurationEntry(String name) { JaasRealm realm = null; for (JaasRealm r : realms) { if (r.getName().equals(name)) { if (realm == null || r.getRank() > realm.getRank()) { realm = r; } } } if (realm != null) { return realm.getEntries(); } else if (defaultConfiguration != null) { return defaultConfiguration.getAppConfigurationEntry(name); } return null; } public void refresh() { if (defaultConfiguration != null) { defaultConfiguration.refresh(); } } This way if no OSGI configured JAAS realm can find an AppConfigurationEntry, we would still try to get it from the default JAAS configuration, and our customers could keep the same JAAS configuration as before. Would implementing this suggestion break anything in Karaf? Regards, Benjamin
Re: Could/should OsgiConfiguration for JAAS fallback to default configuration
Hi Benjamin, your proposal makes sense. I will review, create a Jira, and implement. In the mean time, as a workaround, I think you can provide your own login module acting as a bypass. Regards JB On 10/18/2016 06:19 PM, Benjamin Papez wrote: Hello, we plan to use Karaf embedded in the next version of our Web Application, which means that we still start the application server (Tomcat/JBoss/Websphere). Some of our customers are using a JAAS configuration, mainly Kerberos for SPNEGO. Unfortunately with the step to use Karaf the current default JAAS configuration is no longer picked up and used, because Karaf is setting the OsgiConfiguration object into Configuration.setConfiguration within OsgiConfiguration.init method. Is it wanted (by design) to ignore all standard/app-server specific ways of JAAS configuration? I would otherwise suggest a modification to OsgiConfiguration, with something like: private Configuration defaultConfiguration; public void init() { try { defaultConfiguration = Configuration.getConfiguration(); } catch (RuntimeException ex) { // } Configuration.setConfiguration(this); } ... public AppConfigurationEntry[] getAppConfigurationEntry(String name) { JaasRealm realm = null; for (JaasRealm r : realms) { if (r.getName().equals(name)) { if (realm == null || r.getRank() > realm.getRank()) { realm = r; } } } if (realm != null) { return realm.getEntries(); } else if (defaultConfiguration != null) { return defaultConfiguration.getAppConfigurationEntry(name); } return null; } public void refresh() { if (defaultConfiguration != null) { defaultConfiguration.refresh(); } } This way if no OSGI configured JAAS realm can find an AppConfigurationEntry, we would still try to get it from the default JAAS configuration, and our customers could keep the same JAAS configuration as before. Would implementing this suggestion break anything in Karaf? Regards, Benjamin -- Jean-Baptiste Onofré jbono...@apache.org http://blog.nanthrax.net Talend - http://www.talend.com
Could/should OsgiConfiguration for JAAS fallback to default configuration
Hello, we plan to use Karaf embedded in the next version of our Web Application, which means that we still start the application server (Tomcat/JBoss/Websphere). Some of our customers are using a JAAS configuration, mainly Kerberos for SPNEGO. Unfortunately with the step to use Karaf the current default JAAS configuration is no longer picked up and used, because Karaf is setting the OsgiConfiguration object into Configuration.setConfiguration within OsgiConfiguration.init method. Is it wanted (by design) to ignore all standard/app-server specific ways of JAAS configuration? I would otherwise suggest a modification to OsgiConfiguration, with something like: private Configuration defaultConfiguration; public void init() { try { defaultConfiguration = Configuration.getConfiguration(); } catch (RuntimeException ex) { // } Configuration.setConfiguration(this); } ... public AppConfigurationEntry[] getAppConfigurationEntry(String name) { JaasRealm realm = null; for (JaasRealm r : realms) { if (r.getName().equals(name)) { if (realm == null || r.getRank() > realm.getRank()) { realm = r; } } } if (realm != null) { return realm.getEntries(); } else if (defaultConfiguration != null) { return defaultConfiguration.getAppConfigurationEntry(name); } return null; } public void refresh() { if (defaultConfiguration != null) { defaultConfiguration.refresh(); } } This way if no OSGI configured JAAS realm can find an AppConfigurationEntry, we would still try to get it from the default JAAS configuration, and our customers could keep the same JAAS configuration as before. Would implementing this suggestion break anything in Karaf? Regards, Benjamin