>>>>> Paul Spencer <[email protected]>:

> Karaf 4.4.5
> How do I protect an OSGi JAX-RS whiteboard REST service using Basic
> Authentication?

Apache Shiro can do basic auth (among other things).
https://shiro.apache.org

This project is a shiro realm with a simple JDBC database and a react.js frontend to do user management:
https://github.com/steinarb/authservice

You can install it directly in karaf by installing its karaf feature (the feature and all bundles are released to maven central, and are released under APLv2).

Some web whiteboard projects using authservice for users and roles and stuff:
https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/resources/shiro.ini
https://github.com/steinarb/ukelonn/blob/master/ukelonn.web.security/src/main/resources/shiro.ini
https://github.com/steinarb/handlelapp/blob/master/handlelapp.web.security/src/main/resources/shiro.ini
https://github.com/steinarb/sampleapp/blob/master/sampleapp.web.security/src/main/resources/shiro.ini

None of them use basic auth, but that should basically (pun not intended) just be to replace "authc" with "authcBasic".

Later specific definitions in the [url] sections will override earlier more generic definitions. So you can block the API requiring a login of a user with a certain role, and then open up for e.g. login or login state check endpoints.

(The reason for anon access of many rest endpoints is to avoid 302 redirects on REST API calls I need to do before logging in, because web browsers don't handle 302 redirects on REST API calls real well)
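
A shiro.ini for the arrangement described in the reply above, added here as an example and not taken from the linked projects; the paths, user names, role names and passwords are constructed placeholders, and the inline [users] section stands in for a real realm such as authservice. Shiro evaluates [urls] entries in the order they are written and the first matching pattern wins, so the anonymous endpoints are listed before the broader /api/** rule.

```ini
# Added example: Basic Authentication for a REST API with Apache Shiro.
# All names, paths and passwords are constructed placeholders.

[main]
# Realm name sent in the "WWW-Authenticate: Basic realm=..." challenge.
authcBasic.applicationName = example-api

[users]
# username = password, role1, role2
# Placeholder accounts for illustration only; a deployment would plug in
# its own realm (JDBC, LDAP, ...) instead of listing users here.
alice = CHANGE_ME, user
admin = CHANGE_ME, user, admin

[roles]
# Role names only; no fine-grained permissions are used in this example.
user = *
admin = *

[urls]
# Endpoints a client must reach before it has credentials.
# They come first so the broader /api/** rule below does not catch them.
/api/login = anon
/api/loginstate = anon

# Admin-only part of the API: valid Basic credentials AND the admin role.
/api/admin/** = authcBasic, roles[admin]

# Rest of the API: valid Basic credentials AND the user role.
# An unauthenticated request gets 401 with a WWW-Authenticate header,
# not the 302 redirect to a login page that "authc" would produce.
/api/** = authcBasic, roles[user]

# Catch-all so nothing outside /api is left unprotected by omission.
/** = authcBasic
```

Basic Authentication sends the user name and password with every request, only base64-encoded, so the service should be reachable over HTTPS only.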
