Re: [osgi-dev] Remote service (thread) context properties?

[Scott Lewis via osgi-dev]

On 2/6/2019 5:35 AM, Tim Ward via osgi-dev wrote:
Hi Bernd,
What you’re asking for isn’t a required part of the RSA standard, 
which means that providers don’t have to offer it. There is, however, 
room for it to exist within the standard.

OSGi Remote Services (and Remote Service Admin) define the concept of 
“intents” which are additional features or qualities of service that a 
distribution provider can offer. An example of an existing intent is 
the “osgi.async” intent. This intent is used to indicate that the 
distribution provider can handle asynchronous return types such as 
OSGi Promises and Java futures. OSGi services that need to be remoted 
can then require that the distribution provider offer the intent by 
advertising the “service.exported.intents” property in addition to the 
service.exported.interfaces property.

What you’re asking for is therefore an intent which provides security 
context along with the call. I’m not aware of any distribution 
provider that does this, but it would be possible for them to add it. 
If they did they should add an advertised intent indicating the 
support, and your service should then require the intent.

I’m not aware of any implementations that support security context 
flow in this way currently.


ECF's implementation of remote services [1] has a distribution provider 
spi, and multiple distribution providers [2].  Although we don't yet 
have a OS distribution provider that supports exactly the desired 
security context, many/most of the existing distribution providers are 
extensible such that you could add your desired context to create a 
custom distribution provider for your specific use (or open if you 
desire).  For example,  you could use CXF or Jersey's extension 
mechanisms by extending this provider [3].

Scott

[1] https://wiki.eclipse.org/Eclipse_Communication_Framework_Project

[2] https://wiki.eclipse.org/Distribution_Providers

[3] https://github.com/ECF/JaxRSProviders   (note: we are in the process 
of updating the supported Jersey version from 2.22 -> 2.28)



Best Regards,

Tim

On 6 Feb 2019, at 13:13, Bernd Eckenfels via osgi-dev 
<osgi-dev@mail.osgi.org <mailto:osgi-dev@mail.osgi.org>> wrote:

I guess most is thread local, it would be good if 
extraction/marshaling and transport and demarshalling/setting on both 
ends could be enhanced with interceptors.

But maybe a provide specific interface is enough? Did you do it for 
Aeris RSA Fastbin?

Gruss
Bernd

Gruss
Bernd
--
http://bernd.eckenfels.net
------------------------------------------------------------------------
*Von:* Christian Schneider <ch...@die-schneider.net 
<mailto:ch...@die-schneider.net>>
*Gesendet:* Mittwoch, Februar 6, 2019 2:07 PM
*An:* Bernd Eckenfels; OSGi Developer Mail List
*Betreff:* Re: [osgi-dev] Remote service (thread) context properties?
JAAS is already standardised. So if the provider (like CXF SOAP or 
JAX-RS) establishes a JAAS context on your thread then you can access 
it. I can provide an example if you want.
I think for open tracing there is also an API that can be used.

I am not sure about the others like peer-address, audit, tenant and 
request ids.
Do you have an idea how it can / should work in practice?

Christian

Am Mi., 6. Feb. 2019 um 03:08 Uhr schrieb Bernd Eckenfels via 
osgi-dev <osgi-dev@mail.osgi.org <mailto:osgi-dev@mail.osgi.org>>:

    When I use a Remote Service for distributed OSGi application I
    would like my provider to be able to implicitly pass some thread
    context like tracing IDs and also a user authorization token.

    The OSGi compendium talks about implementation specific security
    based on codesigning, but not on thread identity (JAAS Context).
    Was there any plan to add something, like an interceptor mechanism?

    Some of it could be implementation specific, but some form of
    portable endpoint binding access would be nice, like
    peer-address, jaas-context, opentracing-id, maybe audit, tenant
    and request-ids?

    I can enrich my services with a Map<String,String> for most of
    it, however then there is no reliable way for the provider to
    add/ensure some of its protocol header properties and it hides
    the business interface under removing parameters.

    Gruss
    Bernd
    -- 
    http://bernd.eckenfels.net <http://bernd.eckenfels.net/>
    _______________________________________________
    OSGi Developer Mail List
    osgi-dev@mail.osgi.org <mailto:osgi-dev@mail.osgi.org>
    https://mail.osgi.org/mailman/listinfo/osgi-dev



--
--
Christian Schneider
http://www.liquid-reality.de <http://www.liquid-reality.de/>

Computer Scientist
http://www.adobe.com <http://www.adobe.com/>

_______________________________________________
OSGi Developer Mail List
osgi-dev@mail.osgi.org <mailto:osgi-dev@mail.osgi.org>
https://mail.osgi.org/mailman/listinfo/osgi-dev


_______________________________________________
OSGi Developer Mail List
osgi-dev@mail.osgi.org
https://mail.osgi.org/mailman/listinfo/osgi-dev


_______________________________________________
OSGi Developer Mail List
osgi-dev@mail.osgi.org
https://mail.osgi.org/mailman/listinfo/osgi-dev