Srinath Perera wrote:
> Hi Prabath;
> Any chance you can point me to an example? e.g. WebSEAL impl
> authentication for server/ client if that code is in our svn?
> --Srinath
Hi Srinath;

WebSEAL is IBM proprietary, so the code is not available.

Our use case would be something similar to this.

1. User authenticates to Carbon

2. And now wants to invoke the Servlet.

3. Now, Carbon adds the following to the HTTP headers,

say, for example:

 - carbon-user [user logged into the system]
 - carbon-user-signed [signature of carbon-user signed by Carbon]

4. Now, at the Servlet end, the request hits the servlet filter.

5. Servlet filter extracts the two header parameters.

6. Validates the signature of the 'carbon-user-signed' header.

7. If validated, let the user in.

Thanks & regards.
-Prabath
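The signed-header flow in steps 3 to 7 above, as an added example that is not part of this thread or of Carbon's code: Carbon signs the user name, and a filter that holds only the public keys of trusted partners checks the two headers before the request reaches the protected handler. It assumes Ed25519 keys and a Go net/http middleware standing in for the servlet filter; the header names are the ones proposed above, everything else (key pair, user name, trust-store layout) is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net/http"
)

// Header names as proposed in the thread.
const userHeader, signedHeader = "carbon-user", "carbon-user-signed"

// TrustedKeys is the filter's trust store: public keys of partners (here only Carbon) allowed to vouch for users.
type TrustedKeys map[string]ed25519.PublicKey

// SignUser is the Carbon side: sign the user name, base64-encode it for the carbon-user-signed header.
func SignUser(priv ed25519.PrivateKey, user string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(user)))
}

// VerifyUser is the filter's check: carbon-user-signed must be a valid signature over carbon-user by a trusted key.
func (t TrustedKeys) VerifyUser(user, signed string) bool {
	sig, err := base64.StdEncoding.DecodeString(signed)
	if err != nil || user == "" || len(sig) != ed25519.SignatureSize {
		return false
	}
	for _, pub := range t {
		if ed25519.Verify(pub, []byte(user), sig) {
			return true
		}
	}
	return false
}

// Filter wraps the protected handler like a servlet filter wraps Solr: no valid signed header, no access.
func (t TrustedKeys) Filter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !t.VerifyUser(r.Header.Get(userHeader), r.Header.Get(signedHeader)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair: Carbon signs, filter trusts its public key
	trust := TrustedKeys{"carbon": pub}
	fmt.Println(trust.VerifyUser("alice", SignUser(priv, "alice"))) // true
}
```

As in the steps above, the signature covers only the user name, so the filter proves who vouched for the user but nothing about when; binding the signed value to a timestamp or to the request would be the natural next hardening step.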

> On Wed, Sep 2, 2009 at 9:41 AM, Prabath Siriwardena <[email protected]> wrote:
>
>> Srinath Perera wrote:
>>
>>>> How do we generate the requests to the Servlet? Is it from inside
>>>> Carbon after the user has logged in?
>>>>
>>> Yes, it is after logging in, and I use the Solr client, which uses Commons
>>> HTTP Client.
>>>
>> If this is the case, what we could do is set a signed HTTP header.
>>
>> So, at the ServletFilter, it verifies the presence of a predefined HTTP
>> header and verifies the signature.
>>
>> To verify a given signature, the ServletFilter end keeps the certs of
>> trusted partners [i.e. Carbon] who actually authenticated the users.
>>
>> This is [similar to] the pattern WebSEAL uses.
>>
>> Thanks & regards.
>> -Prabath
>>> When I thought about this, I felt that when https is used, the SessionID can be
>>> used to authenticate. For example, AFAIK even now when we move across
>>> servlets/JSPs/WS in the Carbon UI, this is how we authenticate, which is
>>> not much different in this case. (Basically, if a request has a valid
>>> session ID, it is from a logged-in user). Also, since the Solr client uses
>>> Commons HTTP Client, setting the session ID on it should be possible, and
>>> then we do not need changes to the clients as well.
>>>
>>>> This scenario looks similar to the WebSEAL authentication.
>>>>
>>> Where can I find the code to WebSEAL? Ideally, we should do this
>>> without changing the Solr servlet, and do it through an extension point
>>> like a servlet filter or equivalent.
>>>
>>> Thanks
>>> Srinath
>>>
>>>> Thanks & regards.
>>>> -Prabath
>>>>
>>>> Srinath Perera wrote:
>>>>
>>>>> Hi All;
>>>>>
>>>>> I want to integrate Apache Solr as a server into Carbon (as a
>>>>> bundle, so you just drop the bundle in and you have Solr). Simply,
>>>>> Solr is a Servlet, which I can add via component.xml, but I want
>>>>> security. Basically, the Solr server should be accessible only to
>>>>> users who have logged in to Carbon. Dr. Sanjiva and myself were
>>>>> discussing this, and we thought maybe we can do this via a servlet
>>>>> filter, which intercepts requests to Solr and blocks unauthenticated
>>>>> access.
>>>>>
>>>>> Any thoughts on how to do this? For example, if I create a servlet
>>>>> filter that gets the JSESSIONID from the request and allows only valid
>>>>> sessions to go in, will that do what I need? This same filter should
>>>>> be useful when we integrate any Servlet into Carbon.
>>>>>
>>>>> Thanks
>>>>> Srinath
>>>>>
>>>> _______________________________________________
>>>> Carbon-dev mailing list
>>>> [email protected]
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev

