Re: Simply Protect HTTP servlet

2019-06-04 Thread cooshal
Hi:

I have similar concerns. I wanted to protect a particular endpoint. Here's
what I have done, so far:

// pom file




org.apache.felix
maven-bundle-plugin
3.3.0
true
true


/management
*
src
<_wab>src/main/webapp






And, as per the suggestion from JB in a previous post on this thread, I added
the following in src/main/webapp/WEB-INF/web.xml. I am trying to protect the
http://localhost:8181/management/ endpoint.


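<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>PRS-EAI Monitoring Console</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>authenticated</display-name>
        <web-resource-collection>
            <web-resource-name>management</web-resource-name>
            <description/>
            <url-pattern>/management/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>karaf</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>user</role-name>
    </security-role>
</web-app>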

I checked a few examples from pax-web as well. Did I do something wrong?

Regards,
Cooshal.



--
Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html
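
Added example (not code from this thread or from Karaf/Pax Web): the Servlet specification matches `url-pattern` values in web.xml against the request path after the context path has been removed. The sketch below assumes the WAB's Web-ContextPath is /management and uses a constructed web.xml of the same shape as the ones posted here; all function names are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample with the same shape as the web.xml files in this thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management</web-resource-name>
      <url-pattern>{pattern}</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def protected_patterns(web_xml):
    """url-patterns of every security-constraint that has an auth-constraint."""
    found = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        if sc.find("j:auth-constraint", NS) is not None:
            urls = sc.findall("j:web-resource-collection/j:url-pattern", NS)
            found += [u.text.strip() for u in urls]
    return found


def pattern_matches(pattern, path):
    """Match one url-pattern against a context-relative path."""
    if pattern.endswith("/*"):                  # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                      # exact mapping


def requires_login(web_xml, context_path, request_uri):
    """True if request_uri is in this context and hits a protected pattern.
    Simplification: any matching pattern counts; best-match selection between
    overlapping constraints and http-method filters are not modelled."""
    if not (request_uri + "/").startswith(context_path + "/"):
        return False                            # belongs to another web context
    relative = request_uri[len(context_path):] or "/"
    return any(pattern_matches(p, relative) for p in protected_patterns(web_xml))


if __name__ == "__main__":
    ctx = "/management"                         # assumed Web-ContextPath of the WAB
    for pat in ("/management/*", "/*"):
        hit = requires_login(WEB_XML.format(pattern=pat), ctx, "/management/")
        print(f"url-pattern {pat!r}: /management/ requires login -> {hit}")
```

Under that assumption, a constraint on `/management/*` covers http://localhost:8181/management/management/... while `/*` covers everything the bundle serves under /management.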


Re: Simply Protect HTTP servlet

2017-04-29 Thread Achim Nierbeck
Hi Christiano,

you could try with a servlet filter, though since you already have a
Web-ContextPath you are actually already using the WAB approach.
With Pax-Web the file-extension actually doesn't matter. So if you just add
a web.xml to it you should be safe to use the default jaas mechanism
provided by karaf and pax-web/jetty at that point.

regards, Achim


2017-04-29 9:17 GMT+02:00 Cristiano Costantini <
cristiano.costant...@gmail.com>:

> Hello Jean-Baptiste and thank you for the reply!
>
> your approach would be great as I just need the quickest way to protect
> the access with a username and password.
>
> The problem is that the application is not a WAR, it is just a bundle with
> the  that publish  HTML/Javascript/CSS resources plus a
> Servlet registered via spring.xml with  interface="javax.servlet.http.HttpServlet" ref="myServlet"> so I don't
> have a web.xml
>
> For the moment I will try to enable http basic auth for the urls by
> changing the main karaf's jetty.xml file, this is ok to satisfy my short
> term needs.
>
> If you have in mind any idea to enable security-constraint from within
> the bundle (without touching the karaf's jetty.xml) when you don't have a
> web.xml, I'll be glad to know it as I would prefer not to touch the
> configuration of karaf.
>
> Thank you
> Cristiano
>
>
> On Sat, 29 Apr 2017 at 06:54, Jean-Baptiste Onofré <
> j...@nanthrax.net> wrote:
>
>> Hi Cristiano,
>>
>> It depends if you want to leverage the authentication/authorization to
>> access a pattern/url or if you want to use JAAS internally to your
>> application with a subject.
>>
>> Basically, imagine you have your servlet where you defined the pattern to
>> /foo
>> (via the service properties if you use the http-whiteboard for instance).
>>
>> Then, you can define the security constraint in jetty.xml or in your
>> configuration.
>>
>> If you package as a war, you can use a web.xml similar to:
>>
>> 
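>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>          http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>>     <display-name>cristiano_application</display-name>
>>     <welcome-file-list>
>>         <welcome-file>index.jsp</welcome-file>
>>     </welcome-file-list>
>>     <security-constraint>
>>         <display-name>authenticated</display-name>
>>         <web-resource-collection>
>>             <web-resource-name>All files</web-resource-name>
>>             <description/>
>>             <url-pattern>/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <description/>
>>             <role-name>user</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>     <login-config>
>>         <auth-method>BASIC</auth-method>
>>         <realm-name>karaf</realm-name>
>>     </login-config>
>>     <security-role>
>>         <description/>
>>         <role-name>user</role-name>
>>     </security-role>
>> </web-app>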
>>
>> Then, the access to any servlet (/*) in your application will be secure using
>> the karaf JAAS realm.
>>
>> Regards
>> JB
>>
>> On 04/28/2017 12:58 PM, Cristiano Costantini wrote:
>> > Hello All,
>> >
>> > How can I implement a Basic HTTP Authentication similar to the one used by Karaf
>> > WebConsole (which I understand uses Jaas) to protect access to HTTP resources in
>> > Karaf?
>> >
>> > thanks
>> > Cristiano
>>
>> --
>> Jean-Baptiste Onofré
>> jbono...@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>


-- 

Apache Member
Apache Karaf Committer & PMC
OPS4J Pax Web Committer & Project Lead
Co-Author of Apache Karaf Cookbook

Software Architect / Project Manager / Scrum Master


Re: Simply Protect HTTP servlet

2017-04-29 Thread Cristiano Costantini
Hello Jean-Baptiste and thank you for the reply!

your approach would be great as I just need the quickest way to protect the
access with a username and password.

The problem is that the application is not a WAR, it is just a bundle with
the  that publish  HTML/Javascript/CSS resources plus a
Servlet registered via spring.xml with  so I don't have
a web.xml

For the moment I will try to enable http basic auth for the urls by
changing the main karaf's jetty.xml file, this is ok to satisfy my short
term needs.

If you have in mind any idea to enable security-constraint from within the
bundle (without touching the karaf's jetty.xml) when you don't have a
web.xml, I'll be glad to know it as I would prefer not to touch the
configuration of karaf.

Thank you
Cristiano


On Sat, 29 Apr 2017 at 06:54, Jean-Baptiste Onofré <
j...@nanthrax.net> wrote:

> Hi Cristiano,
>
> It depends if you want to leverage the authentication/authorization to
> access a pattern/url or if you want to use JAAS internally to your
> application with a subject.
>
> Basically, imagine you have your servlet where you defined the pattern to
> /foo
> (via the service properties if you use the http-whiteboard for instance).
>
> Then, you can define the security constraint in jetty.xml or in your
> configuration.
>
> If you package as a war, you can use a web.xml similar to:
>
> 
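> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>          http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>     <display-name>cristiano_application</display-name>
>     <welcome-file-list>
>         <welcome-file>index.jsp</welcome-file>
>     </welcome-file-list>
>     <security-constraint>
>         <display-name>authenticated</display-name>
>         <web-resource-collection>
>             <web-resource-name>All files</web-resource-name>
>             <description/>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <description/>
>             <role-name>user</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>karaf</realm-name>
>     </login-config>
>     <security-role>
>         <description/>
>         <role-name>user</role-name>
>     </security-role>
> </web-app>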
>
> Then, the access to any servlet (/*) in your application will be secure using
> the karaf JAAS realm.
>
> Regards
> JB
>
> On 04/28/2017 12:58 PM, Cristiano Costantini wrote:
> > Hello All,
> >
> > How can I implement a Basic HTTP Authentication similar to the one used by Karaf
> > WebConsole (which I understand uses Jaas) to protect access to HTTP resources in
> > Karaf?
> >
> > thanks
> > Cristiano
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>


Re: Simply Protect HTTP servlet

2017-04-28 Thread Jean-Baptiste Onofré

Hi Cristiano,

It depends if you want to leverage the authentication/authorization to
access a pattern/url or if you want to use JAAS internally to your
application with a subject.


Basically, imagine you have your servlet where you defined the pattern to /foo 
(via the service properties if you use the http-whiteboard for instance).


Then, you can define the security constraint in jetty.xml or in your 
configuration.

If you package as a war, you can use a web.xml similar to:


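<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>cristiano_application</display-name>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>authenticated</display-name>
        <web-resource-collection>
            <web-resource-name>All files</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>karaf</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>user</role-name>
    </security-role>
</web-app>
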

Then, the access to any servlet (/*) in your application will be secure using 
the karaf JAAS realm.


Regards
JB

On 04/28/2017 12:58 PM, Cristiano Costantini wrote:

> Hello All,
>
> How can I implement a Basic HTTP Authentication similar to the one used by Karaf
> WebConsole (which I understand uses Jaas) to protect access to HTTP resources in
> Karaf?
>
> thanks
> Cristiano


--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


Simply Protect HTTP servlet

2017-04-28 Thread Cristiano Costantini
Hello All,

How can I implement a Basic HTTP Authentication similar to the one used by
Karaf WebConsole (which I understand uses Jaas) to protect access to HTTP
resources in Karaf?

thanks
Cristiano