Srinath Perera wrote:
>> How do we generate the requests to the Servlet? Is it from inside the
>> Carbon after user logged in?
>>
>
> Yes, it is after logged in, and I use Solr client, which uses commons
> HTTP client.
>
If this is the case what we could do is - we can set a signed HTTP header.
So - at the ServletFilter - it verifies the presence of a predefined HTTP header and verifies the signature. To verify a given signature - at the ServletFilter end it keeps the certs of trusted partners [i.e. Carbon] who actually authenticated the users. This is the pattern [similar] WebSEAL uses.

Thanks & regards.
-Prabath

> When I thought about this I felt when https is used, SessionID can be
> used to authenticate. For example, AFAIK even now when we move across
> servlets/JSPs/WS in Carbon UI, this is how we authenticate, which is
> not much different in this case. (Basically, if request has a valid
> session ID, it is from a logged in user). Also since Solr Client uses
> commons http client, setting session ID to it should be possible, and
> then we do not need changes to the clients as well.
>
>
>> This scenario looks similar to the WebSEAL authentication.
>>
> Where can I find the code to WebSEAL? Ideally, we should do this
> without changing the Solr servlet, and do it through an extension point
> like servlet filter or equivalent.
>
> Thanks
> Srinath
>
>
>> Thanks & regards.
>> -Prabath
>>
>> Srinath Perera wrote:
>>
>>> Hi All;
>>>
>>> I want to integrate Apache Solr as a Server in to the carbon (as a
>>> bundle, so you just drop the bundle in and you have Solr). Simply,
>>> Solr is a Servlet, which I can add via component.xml, but I want
>>> security. Basically, the Solr server should be accessible to only
>>> users who have logged in to carbon. Dr. Sanjiva and myself were
>>> discussing this, and we thought maybe we can do this via a servlet
>>> filter, which intercepts requests to Solr and blocks unauthenticated
>>> access.
>>>
>>> Any thoughts on how to do this? For example, if I create a servlet
>>> filter that gets the JSession ID from the request and allows only valid
>>> sessions to go in, will that do what I need? This same Filter should
>>> be useful when we integrate any Servlet in to carbon.
>>>
>>> Thanks
>>> Srinath
>>>
>>
>> _______________________________________________
>> Carbon-dev mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
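
The signed-header check proposed in the message above, as an added example (not code from the thread, Carbon or WebSEAL): Carbon signs a `user|expiry` value after login and the filter side verifies it against the keys of its trusted partners. The header value format, the expiry field, the class and method names, and the in-process RSA key pairs standing in for the partners' certificates are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.List;

public class SignedHeaderCheck {
    // Assumed header value: base64url("user|expiryMillis") + "." + base64url(signature)
    static final String ALG = "SHA256withRSA";

    // Carbon side: called after login, before the Solr client sends its request.
    static String sign(String user, long expiryMillis, PrivateKey key) throws GeneralSecurityException {
        byte[] payload = (user + "|" + expiryMillis).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(payload);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(s.sign());
    }

    // Filter side: returns the authenticated user, or null if the request must be rejected.
    static String verify(String header, List<PublicKey> trusted, long nowMillis) {
        String[] parts = header == null ? new String[0] : header.split("\\.");
        if (parts.length != 2) return null; // header absent or malformed
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            for (PublicKey k : trusted) {
                Signature s = Signature.getInstance(ALG);
                s.initVerify(k);
                s.update(payload);
                if (!s.verify(sig)) continue; // not signed by this partner, try the next
                String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
                // The signed expiry bounds how long a captured header can be replayed.
                return f.length == 2 && Long.parseLong(f[1]) >= nowMillis ? f[0] : null;
            }
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad base64, bad signature encoding or bad expiry value
        }
        return null; // no trusted key verified the signature
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair carbon = g.generateKeyPair(), rogue = g.generateKeyPair(); // constructed test keys
        long now = System.currentTimeMillis();
        List<PublicKey> trusted = List.of(carbon.getPublic());
        System.out.println("valid:     " + verify(sign("admin", now + 60_000, carbon.getPrivate()), trusted, now));
        System.out.println("untrusted: " + verify(sign("admin", now + 60_000, rogue.getPrivate()), trusted, now));
        System.out.println("expired:   " + verify(sign("admin", now - 1, carbon.getPrivate()), trusted, now));
    }
}
```

In a servlet filter, `verify` would be called from `doFilter` with the value of the predefined header, and the request passed down the chain only when it returns a user.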
