Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-03-04 Thread Steinar Bang
This one may be of interest?
 https://lists.apache.org/thread/pso52wffvjqvt8myb4qh2wdqropdxslo

I managed to use shiro-jaxrs so that I can now use the annotations
@RequiresUser, @RequiresRoles and @RequiresPermissions directly on the
JAX-RS resource classes
 https://shiro.apache.org/jaxrs.html#example

I added karaf runtime shiro-jaxrs support to my JerseyServlet class, and
made a new release:
 https://github.com/steinarb/servlet?tab=readme-ov-file#jersey

And for the first time it feels meaningful to create roles based on
permissions, since I can define the permissions directly on the JAX-RS
resources. 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Steinar Bang
> fpapon :

> Hi,
> Thanks for the issue on Shiro, I will take a look.

This was quick, thanks! :-)
 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread fpapon

Hi,

Thanks for the issue on Shiro, I will take a look.

regards,

François

On 30/01/2024 19:27, Steinar Bang wrote:

> > Paul Spencer :
> 
> > Apologies for misspelling your name.
> 
> No worries! :-)
> 
> (but since I'm a nit picker I couldn't help myself when I saw it the
> second time, sorry about that!)
> 
> > I have not opened an issue related to the dependencies.
> 
> https://github.com/apache/shiro/issues/1300

--
--
François



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Steinar Bang
> Paul Spencer :

> Apologies for misspelling your name.

No worries! :-)

(but since I'm a nit picker I couldn't help myself when I saw it the
second time, sorry about that!)

> I have not opened an issue related to the dependencies.

https://github.com/apache/shiro/issues/1300



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Paul Spencer
Steinar,
Apologies for misspelling your name.

I have not opened an issue related to the dependencies.

Paul Spencer
 

> On Jan 30, 2024, at 11:19 AM, Steinar Bang  wrote:
> 
>> Paul Spencer :
> 
>> Steiner,
> 
> (ps last "e" is an "a", "Steinar", approximate pronunciation
> "Stay-nahr" (with the "r" rolling as in Scots or Spanish or Italian)) ;-)
> 
>> I installed the feature shiro-core and had to install the
>> following bundles.
>>   mvn:commons-collections/commons-collections/3.2.2
>>   mvn:commons-beanutils/commons-beanutils/1.9.4
>>   mvn:org.apache.shiro/shiro-config-core/1.13.0
> 
> Thanks! 
> 
> Looks like I have added two of them to an authservice feature that is
> loaded directly or indirectly by all the users of authservice, which
> means they are always present for other users:
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/feature/feature.xml#L7
> 
> (Maybe I should make that dependency more explicit in the other
> applications, but they won't work unless authservice is present anyway,
> so...? )
> 
> I do not AFAICT load shiro-config-core.
> 
> Have you opened an issue with Shiro about these bundles missing from the
> feature?
> 
> If not, I could do so.
> 
> Thanks!
> 
> 
> - Steinar
> 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Steinar Bang
> Paul Spencer :

> Steiner,

(ps last "e" is an "a", "Steinar", approximate pronunciation
"Stay-nahr" (with the "r" rolling as in Scots or Spanish or Italian)) ;-)

> I installed the feature shiro-core and had to install the
> following bundles.
>    mvn:commons-collections/commons-collections/3.2.2
>    mvn:commons-beanutils/commons-beanutils/1.9.4
>    mvn:org.apache.shiro/shiro-config-core/1.13.0

Thanks! 

Looks like I have added two of them to an authservice feature that is
loaded directly or indirectly by all the users of authservice, which
means they are always present for other users:
 
https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/feature/feature.xml#L7

(Maybe I should make that dependency more explicit in the other
applications, but they won't work unless authservice is present anyway,
so...? )

I do not AFAICT load shiro-config-core.

Have you opened an issue with Shiro about these bundles missing from the
feature?

If not, I could do so.

Thanks!


- Steinar



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Paul Spencer
Steiner,

I installed the feature shiro-core and had to install the following
bundles.
   mvn:commons-collections/commons-collections/3.2.2
   mvn:commons-beanutils/commons-beanutils/1.9.4
   mvn:org.apache.shiro/shiro-config-core/1.13.0


Paul Spencer

> On Jan 30, 2024, at 8:48 AM, Steinar Bang  wrote:
> 
>> Paul Spencer :
> 
>> Steiner,
>> Just a followup:
> 
>> - The Shiro 1.13.0 feature is missing required Shiro and Apache commons 
>> bundles, which may be resolved in 2.0 alpha, as well as the config package 
>> is split across multiple bundles, described in SHIRO-654 and also resolved 
>> in 2.0 alpha. So despite your examples, I was not able to get version 1.13.0 
>> working.
> 
> Hi,
> 
> Do you have a list of the missing dependencies in the shiro 1.13.0 feature?
> 
> I.e., groupId/artifactId/version for the missing dependencies?
> 
> (I wonder why I haven't run into that? Or if I have: how I've fixed it (and 
> forgot about it...)?)
> 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Steinar Bang
FWIW what I do (in all of the examples I listed), is to create a
DS @Component providing a ServletContextHelper service, like so:
 
https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/java/no/priv/bang/oldalbum/web/security/OldAlbumServletContextHelper.java#L22

Then I use the ServletContext resulting from that, both for the frontend
 
https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.frontend/src/main/java/no/priv/bang/oldalbum/web/frontend/OldalbumServlet.java#L46
and the REST API
 
https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33

and then the shiro authentication automagically works for both.

(The JerseyServlet is my own home cooked wrapper that makes injected
OSGi services available as HK2 injected services in Jersey)
 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-30 Thread Steinar Bang
> Paul Spencer :

> Steiner,
> Just a followup:

> - The Shiro 1.13.0 feature is missing required Shiro and Apache commons 
> bundles, which may be resolved in 2.0 alpha, as well as the config package is 
> split across multiple bundles, described in SHIRO-654 and also resolved in 
> 2.0 alpha. So despite your examples, I was not able to get version 1.13.0 
> working.

Hi,

Do you have a list of the missing dependencies in the shiro 1.13.0 feature?

I.e., groupId/artifactId/version for the missing dependencies?

(I wonder why I haven't run into that? Or if I have: how I've fixed it (and 
forgot about it...)?)



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-29 Thread Paul Spencer
Ciprian,
This has gotten me closer, as my REST implementation is now able to see the
Principal in requestContext.getSecurityContext().getUserPrincipal() in filters.

The Principal in the REST API remains null. An example REST API is
listCustomer(@Context HttpServletRequest servletRequest), and
servletRequest.getUserPrincipal() returns null.

I created an authorization filter that:
- validates the user credentials and creates a customUserPrincipal with the
username and roles
- creates a customerSecurityContext, passing in the customUserPrincipal, or null
if no authorization header existed
- sets the security context of the requestContext to the newly created
customerSecurityContext

I also created an authentication filter that uses the security context from the
requestContext and verifies the roles, as declared via
javax.annotation.security, using the same logic as described in "Jersey REST
API Security Example".

Paul Spencer

> On Jan 29, 2024, at 12:00 PM, Ciprian Ciubotariu  wrote:
> 
> The way I have done it in the past is to set the security context with a 
> custom implementation on the authentication success path, such as:
> 
>     requestContext.setSecurityContext(new CustomSecurityContext(username));
> 
> and have a class implementing the security context, and another the user 
> principal.
> 
> public class CustomSecurityContext implements SecurityContext {
> 
>     private CustomUserPrincipal principal;
> 
>     CustomSecurityContext(String username) {
>         this.principal = new CustomUserPrincipal(username);
>     }
> 
>     @Override
>     public Principal getUserPrincipal() {
>         return principal;
>     }
> 
> 
> }
> 
> This could be extended with more data for authorization (roles etc), or 
> perhaps you can find a stock library that already suits your needs.
> 
> Ciprian
> 
> 
> On Monday, 29 January 2024 18:43:40 EET Paul Spencer wrote:
>> Steiner,
>> Just a followup:
>> 
>> - The Shiro 1.13.0 feature is missing required Shiro and Apache commons 
>> bundles, which may be resolved in 2.0 alpha, as well as the config package 
>> is split across multiple bundles, described in SHIRO-654 and also resolved 
>> in 2.0 alpha. So despite your examples, I was not able to get version 1.13.0 
>> working.
>> 
>> - aries-jax-rs-whiteboard-shiro v2.0.2 feature installs, but I could not get 
>> the realm configuration working, as I was unable to find examples.
>> 
>> - Jersey REST API Security Example, 
>> https://howtodoinjava.com/jersey/jersey-rest-security/, provided a way to 
>> utilize the javax.annotation.security annotations and 
>> authentication/authorization stored in a database.  This implementation is 
>> simply a filter that does the authentication/authorization and updates the 
>> response with the appropriate success or fail code. It does not set the user 
>> principal in the session.
>> 
>> 
>> At this point I am utilizing the "Jersey REST API Security Example" because:
>> - JAXRS Service is utilizing standard security annotations.
>> - My implementation is for internal use only and protected behind firewalls.
>> - I am out of time.
>> 
>> 
>> I will continue to look for a solution that leverages the OSGi JAX-RS 
>> whiteboard REST service and the security services within Karaf as time 
>> becomes available.
>> 
>> Paul Spencer
>> 
>> 
>> 
>>> On Jan 24, 2024, at 5:08 PM, Paul Spencer  wrote:
>>> 
>>> Steinar,
>>> This helps!
>>> 
>>> Paul Spencer
>>> 
>>> On 2024/01/24 12:38:27 Steinar Bang wrote:
>>>>>>>>> Paul Spencer :
>>>> 
>>>>> Karaf 4.4.5
>>>>> How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
>>>>> Authentication?
>>>> 
>>>> Apache Shiro can do basic auth (among other things).
>>>> https://shiro.apache.org
>>>> 
>>>> This project is a shiro realm with a simple JDBC database and a react.js
>>>> frontend to do user management:
>>>> https://github.com/steinarb/authservice
>>>> 
>>>> You can install it directly in karaf by installing its karaf feature
>>>> (the feature and all bundles are released to maven central, and are
>>>> released under APLv2).
>>>> 
>>>> Some web whiteboard projects using authservice for users and roles and
>>>> stuff:
>>>> https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
>>>> https://github.com/steinarb

Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-29 Thread Ciprian Ciubotariu
The way I have done it in the past is to set the security context with a custom 
implementation on the authentication success path, such as:

    requestContext.setSecurityContext(new CustomSecurityContext(username));

and have a class implementing the security context, and another the user 
principal.

import java.security.Principal;
import javax.ws.rs.core.SecurityContext;

public class CustomSecurityContext implements SecurityContext {
    private CustomUserPrincipal principal;

    CustomSecurityContext(String username) {
        this.principal = new CustomUserPrincipal(username);
    }

    @Override
    public Principal getUserPrincipal() {
        return principal;
    }
    // SecurityContext also requires these three; minimal until roles are added
    @Override
    public boolean isUserInRole(String role) {
        return false;
    }

    @Override
    public boolean isSecure() {
        return false;
    }

    @Override
    public String getAuthenticationScheme() {
        return SecurityContext.BASIC_AUTH;
    }
}

This could be extended with more data for authorization (roles etc), or perhaps 
you can find a stock library that already suits your needs.

Ciprian


On Monday, 29 January 2024 18:43:40 EET Paul Spencer wrote:
> Steiner,
> Just a followup:
>
> - The Shiro 1.13.0 feature is missing required Shiro and Apache commons 
> bundles, which may be resolved in 2.0 alpha, as well as the config package is 
> split across multiple bundles, described in SHIRO-654 and also resolved in 
> 2.0 alpha. So despite your examples, I was not able to get version 1.13.0 
> working.
>
> - aries-jax-rs-whiteboard-shiro v2.0.2 feature installs, but I could not get 
> the realm configuration working, as I was unable to find examples.
>
> - Jersey REST API Security Example, 
> https://howtodoinjava.com/jersey/jersey-rest-security/, provided a way to 
> utilize the javax.annotation.security annotations and 
> authentication/authorization stored in a database.  This implementation is 
> simply a filter that does the authentication/authorization and updates the 
> response with the appropriate success or fail code. It does not set the user 
> principal in the session.
>
>
> At this point I am utilizing the "Jersey REST API Security Example" because:
> - JAXRS Service is utilizing standard security annotations.
> - My implementation is for internal use only and protected behind firewalls.
> - I am out of time.
>
>
> I will continue to look for a solution that leverages the OSGi JAX-RS 
> whiteboard REST service and the security services within Karaf as time 
> becomes available.
>
> Paul Spencer
>
>
>
> > On Jan 24, 2024, at 5:08 PM, Paul Spencer  wrote:
> >
> > Steinar,
> > This helps!
> >
> > Paul Spencer
> >
> > On 2024/01/24 12:38:27 Steinar Bang wrote:
> >>>>>>> Paul Spencer :
> >>
> >>> Karaf 4.4.5
> >>> How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
> >>> Authentication?
> >>
> >> Apache Shiro can do basic auth (among other things).
> >> https://shiro.apache.org
> >>
> >> This project is a shiro realm with a simple JDBC database and a react.js
> >> frontend to do user management:
> >> https://github.com/steinarb/authservice
> >>
> >> You can install it directly in karaf by installing its karaf feature
> >> (the feature and all bundles are released to maven central, and are
> >> released under APLv2).
> >>
> >> Some web whiteboard projects using authservice for users and roles and
> >> stuff:
> >> https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
> >> https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/resources/shiro.ini
> >> https://github.com/steinarb/handlelapp/blob/master/handlelapp.web.security/src/main/resources/shiro.ini
> >> https://github.com/steinarb/sampleapp/blob/master/sampleapp.web.security/src/main/resources/shiro.ini
> >>
> >> None of them use basic auth, but that should basically (pun not
> >> intended) just be to replace "authc" with "authcBasic".
> >>
> >> Later specific definitions in the [url] sections will override earlier
> >> more generic definitions.  So you can block the API requiring a login
> >> of a user with a certain role, and then open up for e.g. login or login
> >> state check endpoints.
> >>
> >> (The reason for anon access of many rest endpoints is to avoid 302
> >> redirects on REST API calls I need to do before logging in, because web
> >> browsers don't handle 302 redirects on REST API calls real well)
> >>
> >>
>
>
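
The two filters Paul describes above (one that checks the Basic credentials and installs a custom SecurityContext with a principal and roles, one that enforces the javax.annotation.security annotations), built on Ciprian's CustomSecurityContext, as an added example that is not code from either poster or from Karaf. It assumes Java 17, the javax JAX-RS 2.x API with the two classes registered as JAX-RS extension services in the whiteboard, and a constructed in-memory user table in place of a real realm; the names BasicAuthFilter and RolesFilter are hypothetical.

```java
import java.lang.reflect.*;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.annotation.security.*;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

record CustomUserPrincipal(String name, Set<String> roles) implements Principal {  // roles resolved at login
    @Override public String getName() { return name; }
}

final class CustomSecurityContext implements SecurityContext {
    private final CustomUserPrincipal principal;  // null when no valid credentials were sent
    private final boolean secure;
    CustomSecurityContext(CustomUserPrincipal p, boolean secure) { this.principal = p; this.secure = secure; }
    @Override public Principal getUserPrincipal() { return principal; }
    @Override public boolean isUserInRole(String role) { return principal != null && principal.roles().contains(role); }
    @Override public boolean isSecure() { return secure; }
    @Override public String getAuthenticationScheme() { return principal == null ? null : BASIC_AUTH; }
}

@Provider @Priority(Priorities.AUTHENTICATION)  // runs before the AUTHORIZATION filter below
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed table for this example only; a real deployment checks the Karaf realm or a hashed store.
    private static final Map<String, String> PASSWORDS = Map.of("karaf", "karaf");
    private static final Map<String, Set<String>> ROLES = Map.of("karaf", Set.of("ADMIN"));
    @Override public void filter(ContainerRequestContext ctx) {
        CustomUserPrincipal principal = null;  // stays null if the header is absent, malformed or wrong
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] up = decodeBasic(header.substring(6));
            if (up != null && up[1].equals(PASSWORDS.get(up[0]))) {
                principal = new CustomUserPrincipal(up[0], ROLES.getOrDefault(up[0], Set.of()));
            }
        }
        ctx.setSecurityContext(new CustomSecurityContext(principal, ctx.getSecurityContext().isSecure()));
    }
    // Returns {user, password}, or null when the value is not base64 or lacks the ':' separator.
    static String[] decodeBasic(String b64) {
        try {
            String s = new String(Base64.getDecoder().decode(b64.trim()), StandardCharsets.UTF_8);
            int c = s.indexOf(':');
            return c < 0 ? null : new String[] { s.substring(0, c), s.substring(c + 1) };
        } catch (IllegalArgumentException e) { return null; }
    }
}

@Provider @Priority(Priorities.AUTHORIZATION)
class RolesFilter implements ContainerRequestFilter {
    @Context private ResourceInfo info;
    @Override public void filter(ContainerRequestContext ctx) {
        // Method-level annotations win over class-level ones; an endpoint with neither is denied (fail closed).
        Method m = info.getResourceMethod();
        AnnotatedElement target = m.isAnnotationPresent(PermitAll.class) || m.isAnnotationPresent(DenyAll.class)
                || m.isAnnotationPresent(RolesAllowed.class) ? m : info.getResourceClass();
        if (target.isAnnotationPresent(PermitAll.class)) return;
        RolesAllowed allowed = target.getAnnotation(RolesAllowed.class);
        SecurityContext sc = ctx.getSecurityContext();
        if (sc.getUserPrincipal() == null) {  // 401 tells the client to send credentials
            ctx.abortWith(Response.status(401).header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"karaf\"").build());
        } else if (allowed == null || Arrays.stream(allowed.value()).noneMatch(sc::isUserInRole)) {
            ctx.abortWith(Response.status(403).build());  // authenticated but lacks the role, or @DenyAll
        }
    }
}
```

Unlike Jersey's own RolesAllowedDynamicFeature, which leaves unannotated methods open, RolesFilter denies an endpoint that carries none of the three annotations at either level.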






Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-29 Thread Paul Spencer
Steiner,
Just a followup:

- The Shiro 1.13.0 feature is missing required Shiro and Apache commons 
bundles, which may be resolved in 2.0 alpha, as well as the config package is 
split across multiple bundles, described in SHIRO-654 and also resolved in 2.0 
alpha. So despite your examples, I was not able to get version 1.13.0 working.

- aries-jax-rs-whiteboard-shiro v2.0.2 feature installs, but I could not get 
the realm configuration working, as I was unable to find examples.

- Jersey REST API Security Example, 
https://howtodoinjava.com/jersey/jersey-rest-security/, provided a way to 
utilize the javax.annotation.security annotations and 
authentication/authorization stored in a database.  This implementation is 
simply a filter that does the authentication/authorization and updates the 
response with the appropriate success or fail code. It does not set the user 
principal in the session.


At this point I am utilizing the "Jersey REST API Security Example" because:
- JAXRS Service is utilizing standard security annotations.
- My implementation is for internal use only and protected behind firewalls.
- I am out of time.


I will continue to look for a solution that leverages the OSGi JAX-RS whiteboard 
REST service and the security services within Karaf as time becomes available.

Paul Spencer



> On Jan 24, 2024, at 5:08 PM, Paul Spencer  wrote:
> 
> Steinar,
> This helps!
> 
> Paul Spencer
> 
> On 2024/01/24 12:38:27 Steinar Bang wrote:
>>>>>>> Paul Spencer :
>> 
>>> Karaf 4.4.5
>>> How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
>>> Authentication?
>> 
>> Apache Shiro can do basic auth (among other things).
>> https://shiro.apache.org
>> 
>> This project is a shiro realm with a simple JDBC database and a react.js
>> frontend to do user management:
>> https://github.com/steinarb/authservice
>> 
>> You can install it directly in karaf by installing its karaf feature
>> (the feature and all bundles are released to maven central, and are
>> released under APLv2).
>> 
>> Some web whiteboard projects using authservice for users and roles and
>> stuff:
>> https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
>> https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/resources/shiro.ini
>> https://github.com/steinarb/handlelapp/blob/master/handlelapp.web.security/src/main/resources/shiro.ini
>> https://github.com/steinarb/sampleapp/blob/master/sampleapp.web.security/src/main/resources/shiro.ini
>> 
>> None of them use basic auth, but that should basically (pun not
>> intended) just be to replace "authc" with "authcBasic".
>> 
>> Later specific definitions in the [url] sections will override earlier
>> more generic definitions.  So you can block the API requiring a login
>> of a user with a certain role, and then open up for e.g. login or login
>> state check endpoints.
>> 
>> (The reason for anon access of many rest endpoints is to avoid 302
>> redirects on REST API calls I need to do before logging in, because web
>> browsers don't handle 302 redirects on REST API calls real well)
>> 
>> 



Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-24 Thread Paul Spencer
Steinar,
This helps!

Paul Spencer

On 2024/01/24 12:38:27 Steinar Bang wrote:
> >>>>> Paul Spencer :
> 
> > Karaf 4.4.5
> > How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
> > Authentication?
> 
> Apache Shiro can do basic auth (among other things).
>  https://shiro.apache.org
> 
> This project is a shiro realm with a simple JDBC database and a react.js
> frontend to do user management:
>  https://github.com/steinarb/authservice
> 
> You can install it directly in karaf by installing its karaf feature
> (the feature and all bundles are released to maven central, and are
> released under APLv2).
> 
> Some web whiteboard projects using authservice for users and roles and
> stuff:
>  
> https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
>  
> https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/resources/shiro.ini
>  
> https://github.com/steinarb/handlelapp/blob/master/handlelapp.web.security/src/main/resources/shiro.ini
>  
> https://github.com/steinarb/sampleapp/blob/master/sampleapp.web.security/src/main/resources/shiro.ini
> 
> None of them use basic auth, but that should basically (pun not
> intended) just be to replace "authc" with "authcBasic".
> 
> Later specific definitions in the [url] sections will override earlier
> more generic definitions.  So you can block the API requiring a login
> of a user with a certain role, and then open up for e.g. login or login
> state check endpoints.
> 
> (The reason for anon access of many rest endpoints is to avoid 302
> redirects on REST API calls I need to do before logging in, because web
> browsers don't handle 302 redirects on REST API calls real well)
> 
> 


Re: How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-24 Thread Steinar Bang
>>>>> Paul Spencer :

> Karaf 4.4.5
> How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
> Authentication?

Apache Shiro can do basic auth (among other things).
 https://shiro.apache.org

This project is a shiro realm with a simple JDBC database and a react.js
frontend to do user management:
 https://github.com/steinarb/authservice

You can install it directly in karaf by installing its karaf feature
(the feature and all bundles are released to maven central, and are
released under APLv2).

Some web whiteboard projects using authservice for users and roles and
stuff:
 
https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
 
https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/resources/shiro.ini
 
https://github.com/steinarb/handlelapp/blob/master/handlelapp.web.security/src/main/resources/shiro.ini
 
https://github.com/steinarb/sampleapp/blob/master/sampleapp.web.security/src/main/resources/shiro.ini

None of them use basic auth, but that should basically (pun not
intended) just be to replace "authc" with "authcBasic".

Later specific definitions in the [url] sections will override earlier
more generic definitions.  So you can block the API requiring a login
of a user with a certain role, and then open up for e.g. login or login
state check endpoints.

(The reason for anon access of many rest endpoints is to avoid 302
redirects on REST API calls I need to do before logging in, because web
browsers don't handle 302 redirects on REST API calls real well)



How do I protect a OSGi JAX-RS whiteboard REST service using Basic Authentication?

2024-01-23 Thread Paul Spencer
Karaf 4.4.5

How do I protect a OSGi JAX-RS whiteboard REST service using Basic 
Authentication?

Using the default "karaf" realm, this should fail with an HTTP Response code 401 
- Unauthorized
  curl --user foo:bar http://localhost:8080/myRestApi/messageLog/

Using the default "karaf" realm, this should succeed with an HTTP Response code 
200 - OK
  curl --user karaf:karaf http://localhost:8080/myRestApi/messageLog/


***
* Example Protected REST api call /messageLog/
***
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsApplicationSelect;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsResource;

@DeclareRoles("ADMIN")
@DenyAll
@Path("/messageLog")
@Component(service = MessageLog.class)
@JaxrsResource
@JaxrsApplicationSelect("(osgi.jaxrs.name=myRestApi)")
public class MessageLog {

    @RolesAllowed("ADMIN")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @Path("/")
    public Response getMessageLog() {
        // Only users with the Role "ADMIN" can execute method.
        ...
    }
}

Paul Spencer