Hi Reto, all

spent some more time trying to understand the Stanbol Authentication
module. In the following my findings, many questions and some
suggestions.

Architecture:
---------

This tries to explain the architecture of
"o.a.stanbol.commons.security" as I understood it while looking at the
code. Reto, please correct me if I got something wrong.

### extension points

As far as I can see there are two extension points:

* AuthenticationChecker: checks if a user exists and if the password matches
* AuthenticationMethod: authenticates a user with the information
provided in an HTTP request

### Services:

* AuthenticationService: can be used to authenticate a user. Wraps
all available AuthenticationCheckers
* UserAwarePolicy: class extending java.security.Policy, registered as an
OSGI service. It uses information stored in an RDF graph (the Clerezza
SYSTEM_GRAPH) to map an authenticated user to Permissions.
Permissions are defined using an RDF schema.

Note also the SecurityActivator component, which ensures that the
UserAwarePolicy is set/unset as soon as it is registered/unregistered as
an OSGI service.

### Questions:

* What is the WebIdBasedPermissionProvider for?
* What is the intention of the LoginListener?
* Is there a code example on how to use Permissions in Stanbol?
* How would components define Permissions (e.g. the Stanbol Enhancer to
allow the execution of an EnhancementChain/EnhancementEngine)?


Stanbol Security and JAAS:
-------

? How is this related to JAAS? I see that the code seems to be based
on JAAS, as it uses a lot of classes from the corresponding packages. Some
code snippets are similar to [1], but a Google search also reveals
that Karaf supports JAAS. There are even some hits for Sling and JAAS.
I am not familiar with JAAS, so it would be cool if someone could
provide more information about that.

? Configuration: The current implementation uses RDF for the
configuration of users, permissions ... The Karaf implementation uses
an XML schema to do the same. Does it make sense (and would it be
possible) to use both possibilities within Stanbol? Would that be
another extension point related to the UserAwarePolicy?

? OSGI integration: I have found a lot of references to classpath-
related problems with JAAS in OSGI. Karaf uses a ProxyLoginModule [2]
to work around those problems. I would really like to understand how
this is handled in the current implementation within Stanbol. How does
the current implementation deal with this problem?

Other things I noticed:
-----

* I would suggest moving the AuthenticationChecker implementation to
its own module, similar to how the implementations of the
AuthenticationMethod already are.

* I would suggest using the standard OSGI service.ranking instead of
the "weight" property, mainly because Stanbol already uses
"service.ranking" on several occasions (e.g. EnhancementChains,
Entityhub Sites, Contenthub Stores). In addition, using service.ranking
also ensures that the OSGI ServiceTracker and @Reference annotations
automatically inject the service with the highest ranking (in case
single cardinality is used).

* I would like to have the option to use a Stanbol-specific variant of
registering/populating/managing the MGraph the permissions are read
from (e.g. by making the OSGI filter string for the SystemGraph
configurable). Then different components could be used to
register/populate/manage the MGraph with the permissions. As bundles
can also contribute configurations, we could also automatically set the
configuration based on the bundles loaded in the OSGI environment.


best
Rupert

[1] http://wiki.trialox.org/confluence/display/DEV/User+Authorization+based+on+JAAS+in+OSGi+Environment
[2] http://felix.apache.org/site/45-security-framework.html#4.5.Securityframework-Architecture

On Sun, Sep 16, 2012 at 9:26 PM, Rupert Westenthaler
<rupert.westentha...@gmail.com> wrote:
> Hi,
>
> The reason why I opted to exclude the authentication bundles from the
> "stable" launcher was
>
> 1. The stable launcher is also some kind of a minimum launcher (only
> containing the Enhancer and the Entityhub).
> 2. Adding authentication forced me to use the "-XX:MaxPermSize=256m"
> option to avoid PermGen OOM errors during startup
>
> Independent of that I think that having authentication in an own
> bundle-list is a good thing as it makes it easier to add/skip this
> feature by users that build their own customized Stanbol launcher.
>
>> 2012/9/14 Reto Bachmann-Gmür <r...@apache.org>:
>>> While the problems you encountered with the stable launcher obviously must
>>> be resolved (the problem afaik being that a bundle is missing that happens
>>> to be provided by the shell list in the full launcher)
>
> I think you can solve this by adding those bundles to multiple bundle list.
>
>>> I don't think that disabling the authenticating modules altogether is a
>>> good option.
>
> But why do I see this increase of the PermGen size if the feature is
> disabled? Any idea?
>
> Can we provide a dummy implementation of "AuthenticationMethod" with
> no external dependencies that has the same effect as disabling? Then
> we can use this implementation in launchers that do not use/support
> authentication.
>
> best
> Rupert
>
> On Fri, Sep 14, 2012 at 9:44 AM, Fabian Christ
> <christ.fab...@googlemail.com> wrote:
>> Hi,
>>
>> I think this is a valid point by Reto. The functionality is really
>> useful for business applications. So disabling like Reto described may
>> be a better choice than removing the bundles.
>>
>> Anyway, I did not have a closer look at this feature but I imagine
>> that it is possible to customize the authentication in many
>> directions, right? If this is not the case, we should think about it
>> as many companies use very different authentication policies and
>> technologies.
>>
>> Best,
>>  - Fabian
>>
>> 2012/9/14 Reto Bachmann-Gmür <r...@apache.org>:
>>> Hi Rupert
>>>
>>> While the problems you encountered with the stable launcher obviously must
>>> be resolved (the problem afaik being that a bundle is missing that happens
>>> to be provided by the shell list in the full launcher) I don't think that
>>> disabling the authenticating modules altogether is a good option.
>>>
>>> Disabling authentication is fine, in this case all operations are being
>>> executed by an almighty anonymous user, but removing the bundles means that
>>> stanbol bundles cannot rely on bundles being there telling who the current
>>> user is. However I think that this is a feature not only needed for
>>> multi-tenancy but one that can be used for many purposes.
>>>
>>> So I think the basic features should be included in all launchers as all
>>> modules should be able to access this functionality. Developers of
>>> components should be encouraged to use these features to make their bundle
>>> user-aware and to provide reasonable permission checks for the
>>> functionality they're offering.
>>>
>>> Cheers,
>>> Reto
>>>
>>> On Mon, Sep 10, 2012 at 7:54 PM, <rwes...@apache.org> wrote:
>>>
>>>> Author: rwesten
>>>> Date: Mon Sep 10 17:54:19 2012
>>>> New Revision: 1383002
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1383002&view=rev
>>>> Log:
>>>> STANBOL-721: Moved the dependencies needed for authentication to an own
>>>> partial bundlelist. Currently used by the full and full-war launcher
>>>>
>>>> Added:
>>>>     incubator/stanbol/trunk/launchers/bundlelists/authentication/   (with
>>>> props)
>>>>     incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml
>>>> (with props)
>>>>     incubator/stanbol/trunk/launchers/bundlelists/authentication/src/
>>>>     incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/
>>>>
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/
>>>>
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml
>>>>   (with props)
>>>> Modified:
>>>>
>>>> incubator/stanbol/trunk/launchers/bundlelists/stanbolcommons/src/main/bundles/list.xml
>>>>     incubator/stanbol/trunk/launchers/full-war/pom.xml
>>>>     incubator/stanbol/trunk/launchers/full/pom.xml
>>>>     incubator/stanbol/trunk/pom.xml
>>>>
>>>> Propchange: incubator/stanbol/trunk/launchers/bundlelists/authentication/
>>>>
>>>> ------------------------------------------------------------------------------
>>>> --- svn:ignore (added)
>>>> +++ svn:ignore Mon Sep 10 17:54:19 2012
>>>> @@ -0,0 +1,3 @@
>>>> +.settings
>>>> +
>>>> +.project
>>>>
>>>> Added: incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml?rev=1383002&view=auto
>>>>
>>>> ==============================================================================
>>>> --- incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml
>>>> (added)
>>>> +++ incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml
>>>> Mon Sep 10 17:54:19 2012
>>>> @@ -0,0 +1,65 @@
>>>> +<?xml version="1.0" encoding="UTF-8"?>
>>>> +<!--
>>>> +  Licensed to the Apache Software Foundation (ASF) under one or more
>>>> +  contributor license agreements.  See the NOTICE file distributed with
>>>> +  this work for additional information regarding copyright ownership.
>>>> +  The ASF licenses this file to You under the Apache License, Version 2.0
>>>> +  (the "License"); you may not use this file except in compliance with
>>>> +  the License.  You may obtain a copy of the License at
>>>> +
>>>> +      http://www.apache.org/licenses/LICENSE-2.0
>>>> +
>>>> +  Unless required by applicable law or agreed to in writing, software
>>>> +  distributed under the License is distributed on an "AS IS" BASIS,
>>>> +  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>> +  See the License for the specific language governing permissions and
>>>> +  limitations under the License.
>>>> +-->
>>>> +<project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi="
>>>> http://www.w3.org/2001/XMLSchema-instance";
>>>> +  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>>>> http://maven.apache.org/maven-v4_0_0.xsd";>
>>>> +  <modelVersion>4.0.0</modelVersion>
>>>> +  <parent>
>>>> +    <groupId>org.apache.stanbol</groupId>
>>>> +    <artifactId>stanbol-parent</artifactId>
>>>> +    <version>2-incubating-SNAPSHOT</version>
>>>> +    <relativePath>../../../parent</relativePath>
>>>> +  </parent>
>>>> +
>>>> +  <groupId>org.apache.stanbol</groupId>
>>>> +
>>>>  
>>>> <artifactId>org.apache.stanbol.launchers.bundlelists.authentication</artifactId>
>>>> +  <version>0.10.0-incubating-SNAPSHOT</version>
>>>> +  <packaging>partialbundlelist</packaging>
>>>> +
>>>> +  <name>Apache Stanbol Launchers Authentication Bundle List </name>
>>>> +  <description>This is a Maven project which produces the partial list
>>>> containing the bundles related to Authentication.</description>
>>>> +
>>>> +  <scm>
>>>> +    <connection>
>>>> +      scm:svn:
>>>> http://svn.apache.org/repos/asf/incubator/stanbol/trunk/launchers/bundlelists/authentication
>>>> +    </connection>
>>>> +    <developerConnection>
>>>> +      scm:svn:
>>>> https://svn.apache.org/repos/asf/incubator/stanbol/trunk/launchers/bundlelists/authentication
>>>> +    </developerConnection>
>>>> +    <url>http://incubator.apache.org/stanbol/</url>
>>>> +  </scm>
>>>> +
>>>> +  <build>
>>>> +    <plugins>
>>>> +      <plugin>
>>>> +        <groupId>org.apache.sling</groupId>
>>>> +        <artifactId>maven-launchpad-plugin</artifactId>
>>>> +        <executions>
>>>> +          <execution>
>>>> +            <id>attach-bundle-list</id>
>>>> +            <goals>
>>>> +              <goal>attach-bundle-list</goal>
>>>> +            </goals>
>>>> +            <configuration>
>>>> +              <includeDefaultBundles>false</includeDefaultBundles>
>>>> +            </configuration>
>>>> +          </execution>
>>>> +        </executions>
>>>> +      </plugin>
>>>> +    </plugins>
>>>> +  </build>
>>>> +</project>
>>>>
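Review bot: `<name>Apache Stanbol Launchers Authentication Bundle List </name>` carries a trailing space before the closing tag; trim it so the artifact name matches the naming of the sibling bundle-list modules exactly.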
>>>> Propchange:
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/pom.xml
>>>>
>>>> ------------------------------------------------------------------------------
>>>>     svn:mime-type = text/plain
>>>>
>>>> Added:
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml?rev=1383002&view=auto
>>>>
>>>> ==============================================================================
>>>> ---
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml
>>>> (added)
>>>> +++
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml
>>>> Mon Sep 10 17:54:19 2012
>>>> @@ -0,0 +1,47 @@
>>>> +<?xml version="1.0" encoding="UTF-8"?>
>>>> +<!--
>>>> +  Licensed to the Apache Software Foundation (ASF) under one or more
>>>> +  contributor license agreements.  See the NOTICE file distributed with
>>>> +  this work for additional information regarding copyright ownership.
>>>> +  The ASF licenses this file to You under the Apache License, Version 2.0
>>>> +  (the "License"); you may not use this file except in compliance with
>>>> +  the License.  You may obtain a copy of the License at
>>>> +
>>>> +      http://www.apache.org/licenses/LICENSE-2.0
>>>> +
>>>> +  Unless required by applicable law or agreed to in writing, software
>>>> +  distributed under the License is distributed on an "AS IS" BASIS,
>>>> +  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>> +  See the License for the specific language governing permissions and
>>>> +  limitations under the License.
>>>> +-->
>>>> +<bundles>
>>>> +  <!-- authentication -->
>>>> +  <startLevel level="27">
>>>> +    <bundle>
>>>> +      <groupId>org.apache.clerezza</groupId>
>>>> +      <artifactId>platform.config</artifactId>
>>>> +      <version>0.3-incubating</version>
>>>> +    </bundle>
>>>> +    <bundle>
>>>> +      <groupId>org.apache.clerezza</groupId>
>>>> +      <artifactId>permissiondescriptions</artifactId>
>>>> +      <version>0.1-incubating</version>
>>>> +    </bundle>
>>>> +    <bundle>
>>>> +      <groupId>org.apache.clerezza</groupId>
>>>> +      <artifactId>platform</artifactId>
>>>> +      <version>0.1-incubating</version>
>>>> +    </bundle>
>>>> +    <bundle>
>>>> +      <groupId>org.apache.stanbol</groupId>
>>>> +      <artifactId>org.apache.stanbol.commons.security</artifactId>
>>>> +      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> +    </bundle>
>>>> +    <bundle>
>>>> +      <groupId>org.apache.stanbol</groupId>
>>>> +
>>>>  <artifactId>org.apache.stanbol.commons.authentication.basic</artifactId>
>>>> +      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> +    </bundle>
>>>> +  </startLevel>
>>>> +</bundles>
>>>> \ No newline at end of file
>>>>
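Review bot: the new list.xml is committed without a trailing newline (`\ No newline at end of file`); add one so future diffs of this file do not carry the marker. Also, the only AuthenticationMethod bundle listed is org.apache.stanbol.commons.authentication.basic, so a launcher that pulls in this list gets the basic method as its sole way to authenticate; if that is intended, say so in the `<!-- authentication -->` comment, otherwise any further method bundles belong in this list as well.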
>>>> Propchange:
>>>> incubator/stanbol/trunk/launchers/bundlelists/authentication/src/main/bundles/list.xml
>>>>
>>>> ------------------------------------------------------------------------------
>>>>     svn:mime-type = text/plain
>>>>
>>>> Modified:
>>>> incubator/stanbol/trunk/launchers/bundlelists/stanbolcommons/src/main/bundles/list.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/launchers/bundlelists/stanbolcommons/src/main/bundles/list.xml?rev=1383002&r1=1383001&r2=1383002&view=diff
>>>>
>>>> ==============================================================================
>>>> ---
>>>> incubator/stanbol/trunk/launchers/bundlelists/stanbolcommons/src/main/bundles/list.xml
>>>> (original)
>>>> +++
>>>> incubator/stanbol/trunk/launchers/bundlelists/stanbolcommons/src/main/bundles/list.xml
>>>> Mon Sep 10 17:54:19 2012
>>>> @@ -293,35 +293,6 @@
>>>>      </bundle>
>>>>    </startLevel>
>>>>
>>>> -  <!-- authentication -->
>>>> -  <startLevel level="27">
>>>> -    <bundle>
>>>> -      <groupId>org.apache.clerezza</groupId>
>>>> -      <artifactId>platform.config</artifactId>
>>>> -      <version>0.3-incubating</version>
>>>> -    </bundle>
>>>> -    <bundle>
>>>> -                       <groupId>org.apache.clerezza</groupId>
>>>> -                       <artifactId>permissiondescriptions</artifactId>
>>>> -                       <version>0.1-incubating</version>
>>>> -               </bundle>
>>>> -    <bundle>
>>>> -                       <groupId>org.apache.clerezza</groupId>
>>>> -                       <artifactId>platform</artifactId>
>>>> -                       <version>0.1-incubating</version>
>>>> -               </bundle>
>>>> -    <bundle>
>>>> -      <groupId>org.apache.stanbol</groupId>
>>>> -      <artifactId>org.apache.stanbol.commons.security</artifactId>
>>>> -      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> -    </bundle>
>>>> -    <bundle>
>>>> -      <groupId>org.apache.stanbol</groupId>
>>>> -
>>>>  <artifactId>org.apache.stanbol.commons.authentication.basic</artifactId>
>>>> -      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> -    </bundle>
>>>> -  </startLevel>
>>>> -
>>>>    <!-- Stanbol Commons -->
>>>>    <startLevel level="27">
>>>>      <!-- Allows to run Stanbol in offline mode -->
>>>>
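Review bot: removing this block from the stanbolcommons list drops org.apache.stanbol.commons.security from every launcher that depends only on that list, while this commit adds the new authentication partial bundle list solely to launchers/full and launchers/full-war (see the Modified list). Any other launcher built from stanbolcommons (the stable launcher discussed in this thread) therefore no longer carries the commons.security bundle that components use to learn who the current user is. Either keep org.apache.stanbol.commons.security in the stanbolcommons list and move only the Clerezza platform and authentication.basic bundles, or add the new partial bundle list to the remaining launcher poms in the same commit.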
>>>> Modified: incubator/stanbol/trunk/launchers/full-war/pom.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/launchers/full-war/pom.xml?rev=1383002&r1=1383001&r2=1383002&view=diff
>>>>
>>>> ==============================================================================
>>>> --- incubator/stanbol/trunk/launchers/full-war/pom.xml (original)
>>>> +++ incubator/stanbol/trunk/launchers/full-war/pom.xml Mon Sep 10 17:54:19
>>>> 2012
>>>> @@ -135,6 +135,14 @@
>>>>        <version>0.10.0-incubating-SNAPSHOT</version>
>>>>        <type>partialbundlelist</type>
>>>>      </dependency>
>>>> +    <!-- Authentication Support-->
>>>> +    <dependency>
>>>> +      <groupId>org.apache.stanbol</groupId>
>>>> +
>>>>  
>>>> <artifactId>org.apache.stanbol.launchers.bundlelists.authentication</artifactId>
>>>> +      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> +      <type>partialbundlelist</type>
>>>> +      <scope>provided</scope>
>>>> +    </dependency>
>>>>
>>>>      <!-- Stanbol CMS Adapter Bundle List -->
>>>>      <dependency>
>>>>
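Review bot: `<!-- Authentication Support-->` lacks the space before `-->` that the neighbouring comments use (`<!-- Stanbol CMS Adapter Bundle List -->`), and here the new `<dependency>` follows the previous `</dependency>` directly whereas the full launcher hunk separates it with a blank line; align the comment and the spacing in both files.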
>>>> Modified: incubator/stanbol/trunk/launchers/full/pom.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/launchers/full/pom.xml?rev=1383002&r1=1383001&r2=1383002&view=diff
>>>>
>>>> ==============================================================================
>>>> --- incubator/stanbol/trunk/launchers/full/pom.xml (original)
>>>> +++ incubator/stanbol/trunk/launchers/full/pom.xml Mon Sep 10 17:54:19 2012
>>>> @@ -165,6 +165,15 @@
>>>>        <type>partialbundlelist</type>
>>>>        <scope>provided</scope>
>>>>      </dependency>
>>>> +
>>>> +    <!-- Authentication Support-->
>>>> +    <dependency>
>>>> +      <groupId>org.apache.stanbol</groupId>
>>>> +
>>>>  
>>>> <artifactId>org.apache.stanbol.launchers.bundlelists.authentication</artifactId>
>>>> +      <version>0.10.0-incubating-SNAPSHOT</version>
>>>> +      <type>partialbundlelist</type>
>>>> +      <scope>provided</scope>
>>>> +    </dependency>
>>>>
>>>>      <!-- zz> Shell Bundle List -->
>>>>      <dependency>
>>>>
>>>> Modified: incubator/stanbol/trunk/pom.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/incubator/stanbol/trunk/pom.xml?rev=1383002&r1=1383001&r2=1383002&view=diff
>>>>
>>>> ==============================================================================
>>>> --- incubator/stanbol/trunk/pom.xml (original)
>>>> +++ incubator/stanbol/trunk/pom.xml Mon Sep 10 17:54:19 2012
>>>> @@ -85,6 +85,7 @@
>>>>
>>>>      <module>launchers/bundlelists/osgiframework</module>
>>>>      <module>launchers/bundlelists/stanbolcommons</module>
>>>> +    <module>launchers/bundlelists/authentication</module>
>>>>      <module>launchers/bundlelists/zzshell</module>
>>>>      <module>launchers/full</module>
>>>>      <module>integration-tests</module>
>>>>
>>>>
>>>>
>>
>>
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>
>
>
> --
> | Rupert Westenthaler             rupert.westentha...@gmail.com
> | Bodenlehenstraße 11                             ++43-699-11108907
> | A-5500 Bischofshofen



-- 
| Rupert Westenthaler             rupert.westentha...@gmail.com
| Bodenlehenstraße 11                             ++43-699-11108907
| A-5500 Bischofshofen
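To illustrate Rupert's question of how a component would define a Permission and how a java.security.Policy keyed on the authenticated user (the role he describes for UserAwarePolicy) would grant it, here is an added example in plain Java; it is not Stanbol or Clerezza code, and ChainExecutionPermission, UserPrincipal and the in-memory grant table standing in for the SYSTEM_GRAPH are assumptions made for the example.

```java
import java.security.*;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class UserPolicyDemo {
    // Hypothetical permission an Enhancer could define: the permission name is
    // the chain name; "*" would match any chain (BasicPermission wildcard rules).
    public static final class ChainExecutionPermission extends BasicPermission {
        public ChainExecutionPermission(String chain) { super(chain); }
    }

    // Principal carrying the authenticated user name, as an AuthenticationMethod
    // would establish it for the current request.
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stand-in for UserAwarePolicy. The real module reads the user -> permission
    // mapping from the Clerezza SYSTEM_GRAPH; this one uses a constructed in-memory
    // table. Code running without a user principal (anonymous) gets no grant here.
    public static final class UserAwarePolicy extends Policy {
        private final Map<String, Set<Permission>> grants;
        UserAwarePolicy(Map<String, Set<Permission>> grants) { this.grants = grants; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            for (Principal p : domain.getPrincipals()) {
                for (Permission granted : grants.getOrDefault(p.getName(), Set.of())) {
                    if (granted.implies(permission)) return true;
                }
            }
            return false;
        }
    }
    // The check a component would perform before executing a chain. Running it via
    // Subject.doAsPrivileged attaches the user's principals to the protection
    // domains on the stack, so the Policy sees who is asking.
    static boolean mayExecute(Subject user, String chain) {
        return Subject.doAsPrivileged(user, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(new ChainExecutionPermission(chain));
                return true;
            } catch (AccessControlException denied) {
                return false;
            }
        }, null);
    }
    public static void main(String[] args) {
        Set<Permission> aliceGrants = Set.of(new ChainExecutionPermission("default"));
        Policy.setPolicy(new UserAwarePolicy(Map.of("alice", aliceGrants)));
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice"));
        System.out.println("default chain:  " + mayExecute(alice, "default"));
        System.out.println("language chain: " + mayExecute(alice, "language"));
    }
}
```

The check passes for the "default" chain and is denied for "language", and it needs no SecurityManager because AccessController consults the installed Policy through the principal-bearing protection domains.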
