There is one more thing you should look into. Quite often you will need
the authentication result in a place different from the place where you
do the authentication.
Passing the subject around is not very effective.
Luckily there is a quite unknown way in JAAS to do this:
    AccessControlContext acc = AccessController.getContext();
    Subject subject = Subject.getSubject(acc);
This allows you to get the subject at any place in your code.
An even more convenient way if you use blueprint is to authorize based
on security annotations.
See the blueprint-authz module:
https://fisheye6.atlassian.com/browse/~br=trunk/aries/trunk/blueprint/blueprint-authz
And an example:
https://github.com/cschneider/Karaf-Tutorial/tree/master/cxf/personservice/server
https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/resources/OSGI-INF/blueprint/blueprint.xml
https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/java/net/lr/tutorial/karaf/cxf/personservice/impl/PersonServiceImpl.java
The example uses cxf and the cxf JAASAuthenticationFeature for
establishing the JAAS login and the blueprint authz module to do the
authorization using @RolesAllowed.
So while the example uses cxf, the authorization part is in no way
tied to cxf. You can use it together with your own login code.
Christian
On 26.03.2015 20:33, Andrew Phillips wrote:
Now that I do it, seems so simple. The trick is that the Principals
are exposed as Group and Role principals from the karaf boot module.
Maybe an example of how to do something like that would be helpful on
the site. I’d be more than happy to give an example or update it
myself somewhere:
    Subject subject = new Subject();
    LoginContext loginContext = new LoginContext(karafRealm, subject, new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            // Supply the user name and password the login module asks for
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(userName);
                }
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                }
            }
        }
    });
    // Throws LoginException if authentication fails
    loginContext.login();
then you can say something like:
    public boolean isUserInGroup(String g) {
        for (GroupPrincipal principal : subject.getPrincipals(GroupPrincipal.class)) {
            if (principal.getName().equals(g)) return true;
        }
        return false;
    }

    public boolean isUserInRole(String s) {
        for (RolePrincipal principal : subject.getPrincipals(RolePrincipal.class)) {
            if (principal.getName().equals(s)) return true;
        }
        return false;
    }
Great product, Karaf! Love it, thanks!
Andy P
On Mar 26, 2015, at 1:37 AM, Jean-Baptiste Onofré wrote:
Hi Andy,
you can directly use the JAAS subject provider.
You get a LoginContext and Subject.
Regards
JB
On 03/26/2015 01:47 AM, Andrew Phillips wrote:
I am hoping to utilize the Karaf security module in a bundle of
mine. What is the best way, if there is an example, of
authenticating a user if I have a user name and password and getting
back the roles so I can use the built-in security module?
I appreciate the help. Love the product, I am using Karaf 3.0.3.
Thanks!
Andy P
--
Jean-Baptiste Onofré
http://blog.nanthrax.net
Talend - http://www.talend.com
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
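
Added example, not part of the original thread: the Subject.getSubject(acc) lookup from the top of the thread only returns a subject when the calling code runs inside Subject.doAs, so the sketch below binds the subject after login and shows the role check failing closed when nothing is bound. The RolePrincipal class here is a constructed stand-in for Karaf's principal class, and deletePerson and callerHasRole are hypothetical names. It assumes a Java 8 to 17 runtime; newer JDKs deprecate these calls for removal in favour of Subject.current().

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectPropagationExample {

    // Constructed stand-in for Karaf's RolePrincipal so the example runs without Karaf.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Called deep in the code, with no Subject parameter passed in.
    static boolean callerHasRole(String role) {
        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        if (subject == null) {
            return false; // no Subject bound to this call: fail closed
        }
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    // Hypothetical protected operation.
    static String deletePerson(String id) {
        if (!callerHasRole("admin")) {
            throw new SecurityException("role admin required");
        }
        return "deleted " + id;
    }

    public static void main(String[] args) {
        // Stands in for the Subject populated by loginContext.login().
        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("admin"));

        // Inside doAs the Subject is bound to the access control context.
        String result = Subject.doAs(subject, (PrivilegedAction<String>) () -> deletePerson("42"));
        System.out.println(result);

        // Outside doAs there is no Subject, so the check denies.
        System.out.println("outside doAs: " + callerHasRole("admin"));
    }
}
```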