Sanjiva Weerawarana wrote:
> Prabath, isn't there a standard protocol for this problem?? It seems
> like a common scenario right? Not WS-Trust?

The approach I suggested is based on the model behind WS-Trust.

We can also use WS-Trust directly here - but I guess it would be overkill
for this scenario. The other standard approach would be based on the SAML
2.0 protocol [which we do not support yet].

> How do you do step 6 BTW?

If the Servlet trusts Carbon for authenticating users - the Servlet needs
to have the public cert of Carbon in its trust store.

Thanks & regards.
-Prabath

> Sanjiva.
>
> On Wed, Sep 2, 2009 at 10:14 AM, Prabath Siriwardena <[email protected]> wrote:
>
> Srinath Perera wrote:
> > Hi Prabath;
> > Any chance you can point me to an example? e.g. WebSEAL impl
> > authentication for server/client if that code is in our svn?
> > --Srinath
>
> Hi Srinath;
>
> WebSEAL is IBM proprietary - so code not available.
>
> Our use case would be something similar to this.
>
> 1. User authenticates to Carbon
>
> 2. And now wants to invoke the Servlet.
>
> 3. Now, Carbon adds the following to the HTTP header
>
> say, for example,
>
> - carbon-user [user logged into the system]
> - carbon-user-signed [signature of carbon-user signed by Carbon]
>
> 4. Now at the Servlet end the request hits the servlet filter
>
> 5. Servlet filter extracts the two header parameters.
>
> 6. Validates the signature of the 'carbon-user-signed' header
>
> 7. If validated, let the user in.
>
> Thanks & regards.
> -Prabath
>
> > On Wed, Sep 2, 2009 at 9:41 AM, Prabath Siriwardena <[email protected]> wrote:
> >
> >> Srinath Perera wrote:
> >>
> >>>> How do we generate the requests to the Servlet? Is it from inside
> >>>> Carbon after the user logged in?
> >>>
> >>> Yes, it is after login, and I use the Solr client, which uses
> >>> commons HTTP client.
> >>
> >> If this is the case what we could do is - we can set a signed HTTP header.
> >>
> >> So - at the ServletFilter - it verifies the presence of a predefined HTTP
> >> header and verifies the signature.
> >>
> >> To verify a given signature - at the ServletFilter end it keeps the certs of
> >> trusted partners [i.e. Carbon] who actually authenticated the users.
> >>
> >> This is the pattern [similar] WebSEAL uses.
> >>
> >> Thanks & regards.
> >> -Prabath
> >>
> >>> When I thought about this I felt that when HTTPS is used, the session ID
> >>> can be used to authenticate. For example, AFAIK even now when we move across
> >>> servlets/JSPs/WS in the Carbon UI, this is how we authenticate, which is
> >>> not much different in this case. (Basically, if a request has a valid
> >>> session ID, it is from a logged-in user). Also, since the Solr client uses
> >>> commons HTTP client, setting the session ID on it should be possible, and
> >>> then we do not need changes to the clients as well.
> >>>
> >>>> This scenario looks similar to the WebSEAL authentication.
> >>>
> >>> Where can I find the code to WebSEAL? Ideally, we should do this
> >>> without changing the Solr servlet, and do it through an extension point
> >>> like a servlet filter or equivalent.
> >>>
> >>> Thanks
> >>> Srinath
> >>>
> >>>> Thanks & regards.
> >>>> -Prabath
> >>>>
> >>>> Srinath Perera wrote:
> >>>>
> >>>>> Hi All;
> >>>>>
> >>>>> I want to integrate Apache Solr as a Server into Carbon (as a
> >>>>> bundle, so you just drop the bundle in and you have Solr). Simply,
> >>>>> Solr is a Servlet, which I can add via component.xml, but I want
> >>>>> security. Basically, the Solr server should be accessible only to
> >>>>> users who have logged in to Carbon. Dr. Sanjiva and myself were
> >>>>> discussing this, and we thought maybe we can do this via a servlet
> >>>>> filter, which intercepts requests to Solr and blocks unauthenticated
> >>>>> access.
> >>>>>
> >>>>> Any thoughts on how to do this? For example, if I create a servlet
> >>>>> filter that gets the JSESSIONID from the request and allows only valid
> >>>>> sessions to go in, will that do what I need? This same filter should
> >>>>> be useful when we integrate any Servlet into Carbon.
> >>>>>
> >>>>> Thanks
> >>>>> Srinath
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
> email: [email protected]; cell: +1 650 265 8311 | +94 77 787 6880
> blog: http://sanjiva.weerawarana.org/
>
> The Open Source SOA Company

_______________________________________________
Carbon-dev mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
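A worked version of the signed-header scheme from Prabath's steps 1-7 and of the ServletFilter with "certs of trusted partners" described in his 9:41 mail, written in Go as an added example for this thread; it is not code from the thread, from Carbon or from WebSEAL. The header names carbon-user and carbon-user-signed come from the thread. Everything else is an assumption made here: the carbon-user-time header (so that the signature covers a timestamp, since a signature over the bare user name can be captured and replayed by anyone who sees it), the five-minute skew window, the X-Authenticated-User header used to hand the identity on, the /solr/select URL, and RSA public keys passed directly in place of the X.509 certificates a real trust store would hold. Go's net/http middleware stands in for the Java servlet filter.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Header names from the thread; carbon-user-time is an assumption added here so the
// signature also covers a timestamp (a signature over the bare user name is replayable).
const hdrUser, hdrSigned, hdrTime = "carbon-user", "carbon-user-signed", "carbon-user-time"

// digest is the value actually signed: SHA-256 over "user\ntimestamp".
func digest(user string, ts int64) []byte {
	h := sha256.Sum256([]byte(user + "\n" + strconv.FormatInt(ts, 10)))
	return h[:]
}

// AddSignedHeaders is Carbon's side (step 3): user name plus an RSA/SHA-256 signature.
func AddSignedHeaders(req *http.Request, priv *rsa.PrivateKey, user string, now time.Time) error {
	ts := now.Unix()
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(user, ts))
	if err != nil {
		return err
	}
	req.Header.Set(hdrUser, user)
	req.Header.Set(hdrTime, strconv.FormatInt(ts, 10))
	req.Header.Set(hdrSigned, base64.StdEncoding.EncodeToString(sig))
	return nil
}

// VerifySignedHeaders is the filter's side (steps 5 and 6). trusted holds the public keys
// of the partners allowed to vouch for users; in Carbon they would be read from the X.509
// certificates kept in the filter's trust store. All three headers are untrusted input.
func VerifySignedHeaders(req *http.Request, trusted []*rsa.PublicKey, now time.Time, maxSkew time.Duration) (string, error) {
	user, sigB64, tsStr := req.Header.Get(hdrUser), req.Header.Get(hdrSigned), req.Header.Get(hdrTime)
	if user == "" || sigB64 == "" || tsStr == "" {
		return "", errors.New("carbon headers missing")
	}
	ts, errTs := strconv.ParseInt(tsStr, 10, 64)
	sig, errSig := base64.StdEncoding.DecodeString(sigB64)
	if errTs != nil || errSig != nil {
		return "", errors.New("malformed carbon headers")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxSkew || age < -maxSkew {
		return "", errors.New("stale or future-dated carbon headers")
	}
	for _, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(user, ts), sig) == nil {
			return user, nil
		}
	}
	return "", errors.New("signature not from a trusted partner")
}

// Filter wraps the protected handler the way a servlet filter would wrap Solr (steps 4 and
// 7): a request that fails verification gets 401 and never reaches the handler.
func Filter(next http.Handler, trusted []*rsa.PublicKey, maxSkew time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, err := VerifySignedHeaders(r, trusted, time.Now(), maxSkew)
		if err != nil {
			http.Error(w, "unauthorized: "+err.Error(), http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Authenticated-User", user) // hypothetical: pass the identity on to Solr
		next.ServeHTTP(w, r)
	})
}

// Demo pushes constructed requests through the filter and returns each one's status code.
func Demo() map[string]int {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key; Carbon would load its keystore
	solr := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "results") })
	filtered := Filter(solr, []*rsa.PublicKey{&priv.PublicKey}, 5*time.Minute)
	now, codes := time.Now(), map[string]int{}
	try := func(name, user string, signedAt time.Time, claimAs string) {
		req, _ := http.NewRequest("GET", "/solr/select?q=carbon", nil)
		if user != "" {
			if err := AddSignedHeaders(req, priv, user, signedAt); err != nil {
				panic(err)
			}
			req.Header.Set(hdrUser, claimAs) // equals user unless the case tampers with it
		}
		rec := httptest.NewRecorder()
		filtered.ServeHTTP(rec, req)
		codes[name] = rec.Code
	}
	try("valid", "admin", now, "admin")
	try("no-headers", "", now, "")
	try("stale", "admin", now.Add(-time.Hour), "admin")
	try("tampered", "guest", now, "admin") // signed as guest, header rewritten to admin
	return codes
}

func main() {
	fmt.Println(Demo()) // valid:200, the other three 401
}
```

Two things the example adds to the thread's sketch are worth keeping in any real filter: the signature is bound to a timestamp and checked against a skew window, because a signed user name on its own is a bearer token that anyone who observes the headers (for instance on plain HTTP) can replay indefinitely; and the filter fails closed, treating all three headers as attacker-controlled input and refusing anything not signed by a key in its explicit trust list. A production version would also bind the request target or a nonce into the signed value and only accept the headers over HTTPS.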
