Simon Laws wrote:
On Tue, Sep 28, 2010 at 2:10 PM, Millies, Sebastian
<[email protected]> wrote:
Hello Simon,

have you been able to find an example? I have looked around, but
the only detailed example I could find was in the Websphere feature
pack for SCA and depended on running SCA inside IBM Websphere's
security infrastructure, whereas I am looking at a standalone
Tuscany runtime.

-- Sebastian


-----Original Message-----
From: Simon Laws [mailto:[email protected]]
Sent: Tuesday, September 21, 2010 11:28 AM
To: [email protected]
Subject: Re: JAAS and the RequestContext object

On Mon, Sep 20, 2010 at 3:23 PM, Millies, Sebastian
<[email protected]> wrote:
Hello there,

I have been trying to figure out how I can authenticate a user
to my application (with username/password) so that every SCA
RequestContext object will afterwards contain a Principal or
SecuritySubject that allows me to associate any service method
call in my application with that user.

Can anyone point me in the right direction? I have managed a
JAAS Login Module, but how can I influence the contents of the
request context in Tuscany 1.6?

-- Sebastian


Hi Sebastian

IIRC there is a Security Identity policy that moves the subject from
the Tuscany message into the context. Let me see if I can find an
example.

Simon

--
Apache Tuscany committer: tuscany.apache.org
Co-author of a book about Tuscany and SCA: tuscanyinaction.com

Oh blimey, I must have got distracted at the time as I forgot to look.
Apologies.

There is an itest in 1.x called policy-security-basicauth [1] that
defines a basicauth and identity policy as follows....

<definitions xmlns="http://www.osoa.org/xmlns/sca/1.0"
             targetNamespace="http://itest/policy"
             xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
             xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
             xmlns:ip="http://itest/policy">


    <sca:policySet name="BasicAuthenticationPolicySet"
                   provides="authentication"
                   appliesTo="sca:binding.ws">
        <tuscany:basicAuthentication>
          <tuscany:userName>myname</tuscany:userName>
          <tuscany:password>mypassword</tuscany:password>
        </tuscany:basicAuthentication>
    </sca:policySet>

    <sca:policySet name="ImplementationIdentityPolicySet"
                    provides="tuscany:identity"
                   appliesTo="sca:implementation.java">
        <securityIdentity>
            <useCallerIdentity/>
        </securityIdentity>
    </sca:policySet>

</definitions>


These are used in a composite as follows:

<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           targetNamespace="http://itest/policy"
           xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
           xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0"
           xmlns:ip="http://itest/policy"
           name="Helloworld">

    <component name="HelloWorldClientComponent">
        <implementation.java class="helloworld.HelloWorldClientImpl" />
        <service name="HelloWorldService">
            <interface.java interface="helloworld.HelloWorldService"/>
            <binding.sca/>
        </service>
        <reference name="helloworldWS" requires="authentication">
            <binding.ws uri="http://localhost:8085/HelloWorldServiceWSComponent"/>
        </reference>
    </component>

    <component name="HelloWorldServiceWSComponent">
        <implementation.java class="helloworld.HelloWorldServiceImpl"
                             requires="tuscany:identity"/>
        <service name="HelloWorldService" requires="authentication">
            <interface.java interface="helloworld.HelloWorldService"/>
            <binding.ws uri="http://localhost:8085/HelloWorldServiceWSComponent"/>
        </service>
    </component>

</composite>

Note the tuscany:identity intent on the implementation and the
authentication intent on the binding. The HelloWorldServiceImpl that
has the tuscany:identity intent applied accesses the request context
as follows:

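import javax.security.auth.Subject;

import org.osoa.sca.RequestContext;
import org.osoa.sca.annotations.Context;
import org.osoa.sca.annotations.Service;

@Service(HelloWorldService.class)
public class HelloWorldServiceImpl implements HelloWorldService {

    // Injected by the SCA runtime; gives access to the current request's security subject
    @Context
    protected RequestContext requestContext;

    public String getGreetings(String name) {
        Subject subject = requestContext.getSecuritySubject();

        // No subject is available on this request
        if (subject == null) {
            return "Hello " + name + " null subject";
        } else {
            return "Hello " + name + " " + subject.toString();
        }
    }

}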


Now I should point out that the basic auth policy in this case is not
that useful. IIRC it only "applies to" the web services binding and
only deals with credentials stored in the policy set itself.

Luciano looked at security more generally over HTTP and plugging into
LDAP. There was an example of some of this in the store-secure sample
[2] but you're right, I don't see any examples of it being used in
combination with the identity policy. So there may very well be some
policy work to do to make those two work together.

I didn't have much luck with getting the store-secure sample to do
anything useful (on 1.6 and 1.6.1).  There are three launchers:
  launch.Launch
   - this worked and prompted for a username and password, but didn't
     seem to do any checking on what was entered.
  launch.LaunchProtected
   - this worked and didn't do any security prompting at all.
  launch.LaunchSSL
   - this didn't work (it hung on startup).

Any suggestions for how to fix this?  I'll open a JIRA to track the issue.

  Simon


[1] http://svn.apache.org/repos/asf/tuscany/sca-java-1.x/trunk/itest/policy-security-basicauth/
[2] http://svn.apache.org/repos/asf/tuscany/sca-java-1.x/trunk/samples/store-secure/

Regards

Simon
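
Added example, not part of the original messages or of the Tuscany code base: one way for a service implementation to turn the Subject returned by requestContext.getSecuritySubject() into a caller name while failing closed on a null or empty subject, instead of answering as the itest does. It uses only JDK classes; CallerIdentity, UserPrincipal and requireCaller are hypothetical names, and the sample subjects are constructed.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class CallerIdentity {

    /** Constructed principal type for this example; a JAAS LoginModule would supply its own. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Resolve the authenticated caller from a Subject, failing closed.
     * In a Tuscany component the argument would be requestContext.getSecuritySubject().
     */
    static String requireCaller(Subject subject) {
        if (subject == null) {
            throw new SecurityException("no security subject on request");
        }
        // Accept only the principal type our own login path creates; ignore any others
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        if (users.size() != 1) {
            throw new SecurityException("expected exactly one user principal, found " + users.size());
        }
        String name = users.iterator().next().getName();
        if (name == null || name.trim().isEmpty()) {
            throw new SecurityException("user principal has no name");
        }
        return name;
    }

    public static void main(String[] args) {
        Subject authenticated = new Subject();
        authenticated.getPrincipals().add(new UserPrincipal("myname")); // constructed sample
        System.out.println("caller = " + requireCaller(authenticated));

        // A missing subject and a subject without principals are both rejected
        for (Subject s : new Subject[] { null, new Subject() }) {
            try {
                requireCaller(s);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```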

