Cool. In that case I will file an issue for this. Thanks for the consideration. :-)
Cheers,
=David

> On Mar 5, 2018, at 17:34, Guillaume Nodet <[email protected]> wrote:
>
> That's a good point, and we indeed had the same requirements for Karaf.
> As indicated by Christian, guarding the Function registered services was
> the initial way of handling the problem.
> In recent Karaf versions however, things have changed slightly, mainly
> because in Karaf, Gogo does not access commands directly from the OSGi
> registry anymore.
> Usually, Karaf commands are not registered in the OSGi registry, so we can
> more easily wrap them and add security bits.
>
> Last, I've recently added 2 interception points,
> CommandProcessorImpl.invoke and CommandProcessorImpl.redirect which Karaf
> overrides to add security checks too.
> Those control invocation through reflection and shell redirections. You
> do want to add checks here in a secured environment.
>
> Gogo would definitely benefit from having a correct interception layer for
> security... This would include those 2 last points along with visibility /
> execution for commands.
>
>
> 2018-03-03 22:52 GMT+01:00 Christian Schneider <[email protected]>:
>
>> Apache Karaf has something like this.
>> It uses a find hook to intercept services and add JAAS + ACL based security
>> checks.
>>
>> See:
>> https://github.com/apache/karaf/tree/master/service/guard/src/main/java/org/apache/karaf/service/guard/impl
>>
>> Actually I think this is something we could also build into Felix Gogo.
>>
>> Christian
>>
>>
>> 2018-03-02 7:03 GMT+01:00 David Leangen <[email protected]>:
>>
>>>
>>> Hi!
>>>
>>> I would like to implement a security feature in the command line, much
>>> like I would do in a servlet. Is there an easy way to intercept command
>>> calls so I can wrap each call with the security feature?
>>>
>>> Right now, I have to do something like this for each command method in my
>>> component:
>>>
>>>   return auth.call( () -> {
>>>     [code goes here];
>>>   });
>>>
>>> It would be preferable to do this just once for all commands, rather than
>>> having to wrap each command individually. I would prefer not to have to use
>>> a proxy object (makes it harder to debug) or create my own whiteboard
>>> service host (a bit heavy-handed, taking the code further away from GOGO).
>>>
>>>
>>> Cheers,
>>> =David
>>>
>>
>>
>> --
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Computer Scientist
>> http://www.adobe.com
>>
>
>
> --
> ------------------------
> Guillaume Nodet
