Re: Security in Module
Jaas only sets the context inside the PriviledgedAction call. So after the call it is normal that you can not get the context anymore. If you try AccessController.getContext(); inside the run() method it should work. The problem is that the way the HttpContex-authenticated works you can not call the rest of the code inside the Priviledged Action. So honestly I am not sure how to approach this. Christian On 25.06.2015 12:50, kuvalda wrote: Hi, Christian! I've found a post about this problem here. http://stackoverflow.com/questions/26592821/configure-authentication-for-servlets-in-osgi http://stackoverflow.com/questions/26592821/configure-authentication-for-servlets-in-osgi Achim answered here, that the only way to authenticate in Servlets, registered by OSGi way (whiteboard in our case), is to use specific HttpContext with Servlet. I tried to use AuthHttpContext from Pax Web Samples with modified method for JAAS Login: protected boolean authenticated(HttpServletRequest request) { request.setAttribute(AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH); try { LoginContext lc = new LoginContext(realm, new BasicAuthCallbackHandler( request.getHeader(Authorization))); lc.login(); Subject.doAs(lc.getSubject(), new PrivilegedActionVoid() { @Override public Void run() { return null; } }); AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); System.out.println(subject == null); request.setAttribute(REMOTE_USER, test); return true; } catch (LoginException e) { return false; } } There's a mock PrivilegedAction, doing notihng. But subject is null again in AccessController.getContext() even after Subject.doAs(). What's the problem can be? Thanks in advance! Pavel cschneider wrote A JAAS login is not enough. You also need to call subject.doAs(handler); Inside this call the AccessControlContext will then contain your subject. For web there should be a better way to establish a JAAS context. Maybe you can make pax web or jetty check the authentication and already establish a JAAS context for you. I forwarded to Achim. He might know if that works. Christian - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4041072.html Sent from the Karaf - User mailing list archive at Nabble.com. -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
Re: Security in Module
Christian, any news on a proplem? I'm trying to use embedded security solution. Or you'd advice to try shiro? Any problems is known with shiro? -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4041046.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
015-06-17 13:39:16,639 | WARN | qtp1776346584-58 | AbstractHttpConnection | 79 - org.eclipse.jetty.aggregate.jetty-all-server - 8.1.15.v20140411 | / java.lang.RuntimeException: java.lang.ClassNotFoundException: org.eclipse.jetty.plus.jaas.JAASRole at org.eclipse.jetty.plus.jaas.JAASLoginService.getGroups(JAASLoginService.java:332)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:244)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:47)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:90)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:492)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1088)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.Server.handle(Server.java:370)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] at java.lang.Thread.run(Thread.java:745)[:1.7.0_80] Caused by: java.lang.ClassNotFoundException: org.eclipse.jetty.plus.jaas.JAASRole at java.net.URLClassLoader$1.run(URLClassLoader.java:366)[:1.7.0_80] at java.net.URLClassLoader$1.run(URLClassLoader.java:355)[:1.7.0_80] at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_80] at java.net.URLClassLoader.findClass(URLClassLoader.java:354)[:1.7.0_80] at java.lang.ClassLoader.loadClass(ClassLoader.java:425)[:1.7.0_80] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)[:1.7.0_80] at java.lang.ClassLoader.loadClass(ClassLoader.java:358)[:1.7.0_80] at org.eclipse.jetty.plus.jaas.JAASLoginService.getGroups(JAASLoginService.java:320)[79:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411] ... 21 more - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040972.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Can you give the full stack trace so we see where the error occurs? Christian On 17.06.2015 13:35, kuvalda wrote: I've tried to enable basic http auth in etc\jetty.xml and after logging in I get an error in karaf.log: *java.lang.ClassNotFoundException: org.eclipse.jetty.plus.jaas.JAASRole.* But I found this class in pax web Jetty bundle by karaf console. Any ideas, what's the problem? cschneider wrote A JAAS login is not enough. You also need to call subject.doAs(handler); Inside this call the AccessControlContext will then contain your subject. For web there should be a better way to establish a JAAS context. Maybe you can make pax web or jetty check the authentication and already establish a JAAS context for you. I forwarded to Achim. He might know if that works. Christian - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040970.html Sent from the Karaf - User mailing list archive at Nabble.com. -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
Re: Security in Module
I've tried to enable basic http auth in etc\jetty.xml and after logging in I get an error in karaf.log: *java.lang.ClassNotFoundException: org.eclipse.jetty.plus.jaas.JAASRole.* But I found this class in pax web Jetty bundle by karaf console. Any ideas, what's the problem? cschneider wrote A JAAS login is not enough. You also need to call subject.doAs(handler); Inside this call the AccessControlContext will then contain your subject. For web there should be a better way to establish a JAAS context. Maybe you can make pax web or jetty check the authentication and already establish a JAAS context for you. I forwarded to Achim. He might know if that works. Christian - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040970.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Any info from Achym? -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040555.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
One thing to clarify the problem: I'm trying to use authentication and authorization in whiteboard servlet. There is such a code in doGet for debug: LoginContext lc = new LoginContext(umrp-realm, callbackHandler); lc.login(); System.out.println(lc.getSubject().getPrincipals()); Subject subject = Subject.getSubject(AccessController.getContext()); System.out.println(subject == null); I have a subject in loginContext after login, but subject in AccessControlContext is null. So calling the secured methods fails with /java.security.AccessControlException No JAAS login present/. Am I doing something wrong? kuvalda wrote Hi, Christian! I have questions about getting the authentication result in a place different of where we do authentication. There is such description of Subject.getSubject method In Javadoc: * Get the Subject associated with the provided AccessControlContext. The AccessControlContext may contain many Subjects (from nested doAs calls). In this situation, the most recent Subject associated with the AccessControlContext is returned. * So we can get that: 1. there is no any Subject in AccessControlContext, if we don't call any secured method. It means, that just after a simple LoginContext.login() we can't get a Subject from AccessControlContext. 2. If other Subject calls some secured method in the same thread, it replaces the current Subject in AccessControlContext, and the result of Subject.getSubject() will be different. Thanks! Pavel cschneider wrote There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040447.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Hi, Christian! I have questions about getting the authentication result in a place different of where we do authentication. There is such description of Subject.getSubject method In Javadoc: *Get the Subject associated with the provided AccessControlContext. The AccessControlContext may contain many Subjects (from nested doAs calls). In this situation, the most recent Subject associated with the AccessControlContext is returned.* So we can get that: 1. there is no any Subject in AccessControlContext, if we don't call any secured method. It means, that just after a simple LoginContext.login() we can't get a Subject from AccessControlContext. 2. If other Subject calls some secured method in the same thread, it replaces the current Subject in AccessControlContext, and the result of Subject.getSubject() will be different. Thanks! Pavel cschneider wrote There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040437.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
A JAAS login is not enough. You also need to call subject.doAs(handler); Inside this call the AccessControlContext will then contain your subject. For web there should be a better way to establish a JAAS context. Maybe you can make pax web or jetty check the authentication and already establish a JAAS context for you. I forwarded to Achim. He might know if that works. Christian On 18.05.2015 17:37, kuvalda wrote: One thing to clarify the problem: I'm trying to use authentication and authorization in whiteboard servlet. There is such a code in doGet for debug: LoginContext lc = new LoginContext(umrp-realm, callbackHandler); lc.login(); System.out.println(lc.getSubject().getPrincipals()); Subject subject = Subject.getSubject(AccessController.getContext()); System.out.println(subject == null); I have a subject in loginContext after login, but subject in AccessControlContext is null. So calling the secured methods fails with /java.security.AccessControlException No JAAS login present/. Am I doing something wrong? kuvalda wrote Hi, Christian! I have questions about getting the authentication result in a place different of where we do authentication. There is such description of Subject.getSubject method In Javadoc: * Get the Subject associated with the provided AccessControlContext. The AccessControlContext may contain many Subjects (from nested doAs calls). In this situation, the most recent Subject associated with the AccessControlContext is returned. * So we can get that: 1. there is no any Subject in AccessControlContext, if we don't call any secured method. It means, that just after a simple LoginContext.login() we can't get a Subject from AccessControlContext. 2. If other Subject calls some secured method in the same thread, it replaces the current Subject in AccessControlContext, and the result of Subject.getSubject() will be different. Thanks! Pavel cschneider wrote There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040447.html Sent from the Karaf - User mailing list archive at Nabble.com. -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
Re: Security in Module
Thanks, Christian Issue is created. https://issues.apache.org/jira/browse/ARIES-1316 https://issues.apache.org/jira/browse/ARIES-1316 cschneider wrote Hi Pavel, the link is https://issues.apache.org/jira/browse/ARIES you can find this link on the aries website in http://aries.apache.org/community/gettinginvolved.html too. Christian - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040085.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Really, I have some problem with it. Could you provide some link, where I can do it? cschneider wrote Hmm .. I think this is a bug then. Probably we should always look in both the interface and the class for the annotations. Can you open an issue for this ? - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040077.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Hi Pavel, the link is https://issues.apache.org/jira/browse/ARIES you can find this link on the aries website in http://aries.apache.org/community/gettinginvolved.html too. Christian On 29.04.2015 16:39, kuvalda wrote: Really, I have some problem with it. Could you provide some link, where I can do it? cschneider wrote Hmm .. I think this is a bug then. Probably we should always look in both the interface and the class for the annotations. Can you open an issue for this ? - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040077.html Sent from the Karaf - User mailing list archive at Nabble.com. -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
Re: Security in Module
Hmm .. I think this is a bug then. Probably we should always look in both the interface and the class for the annotations. Can you open an issue for this ? Christian On 27.04.2015 20:00, kuvalda wrote: Hi, Christian! I tried your blueprint-authz bundle to to authorize in OSGi services and found out in its code, that SecurityAnotationParser parses beans, so looks for annotations in class. But in runtime AuthorizationInterceptor looks for annotations in called method's declaring class. As an OSGi service is an interface, we can get such a situation, that method of a class would require athorization, but could not get it, if service's interface would not be annotated with @RolesAlowed. It's a code example below: public interface EchoService { //@RolesAllowed(admin) public String echo(String message); } public class SimpleEchoService implements EchoService { @RolesAllowed(admin) @Override public String echo(String message) { String result = message; return result; } } @Command(scope = kb, name = echo) public class EchoCommand extends OsgiCommandSupport { private EchoService echoService; public EchoService getEchoService() { return echoService; } public void setEchoService(EchoService echoService) { this.echoService = echoService; } @Argument(index = 0, name = message, required = true, multiValued = false) private String message; @Override protected Object doExecute() throws Exception { return echoService.echo(message); } } Calling echo command in karaf console in this case we will get an error message with empty roles' list Method call interface biz.lorien.umrp.kb.properties.EchoService.echo denied. Roles allowed are []. And it's OK with uncommented annotation @RolesAllowed(admin) in EchoService interface. I think, it's not the best way to duplicate annotations both in interface and implementing class. Perhaps, it's my incorrect use of blueprint-authz? What do you think about it? Thanks in advance! Pavel cschneider wrote There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. An even more convenient way if you use blueprint is to authorize based on security annotations. See the blueprint-auhtz module: https://fisheye6.atlassian.com/browse/~br=trunk/aries/trunk/blueprint/blueprint-authz - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040001.html Sent from the Karaf - User mailing list archive at Nabble.com. -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
Re: Security in Module
Hi, Christian! I tried your blueprint-authz bundle to to authorize in OSGi services and found out in its code, that SecurityAnotationParser parses beans, so looks for annotations in class. But in runtime AuthorizationInterceptor looks for annotations in called method's declaring class. As an OSGi service is an interface, we can get such a situation, that method of a class would require athorization, but could not get it, if service's interface would not be annotated with @RolesAlowed. It's a code example below: public interface EchoService { //@RolesAllowed(admin) public String echo(String message); } public class SimpleEchoService implements EchoService { @RolesAllowed(admin) @Override public String echo(String message) { String result = message; return result; } } @Command(scope = kb, name = echo) public class EchoCommand extends OsgiCommandSupport { private EchoService echoService; public EchoService getEchoService() { return echoService; } public void setEchoService(EchoService echoService) { this.echoService = echoService; } @Argument(index = 0, name = message, required = true, multiValued = false) private String message; @Override protected Object doExecute() throws Exception { return echoService.echo(message); } } Calling echo command in karaf console in this case we will get an error message with empty roles' list Method call interface biz.lorien.umrp.kb.properties.EchoService.echo denied. Roles allowed are []. And it's OK with uncommented annotation @RolesAllowed(admin) in EchoService interface. I think, it's not the best way to duplicate annotations both in interface and implementing class. Perhaps, it's my incorrect use of blueprint-authz? What do you think about it? Thanks in advance! Pavel cschneider wrote There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. An even more convenient way if you use blueprint is to authorize based on security annotations. See the blueprint-auhtz module: https://fisheye6.atlassian.com/browse/~br=trunk/aries/trunk/blueprint/blueprint-authz - Pavel -- View this message in context: http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4040001.html Sent from the Karaf - User mailing list archive at Nabble.com.
Re: Security in Module
Now that i do it, seems so simple. The trick is that the Principals are exposed as Group and Role principals from the karaf boot module. Maybe an example of how to do something like that would be helpful on the site. I’d be more than happy to give an example or update it myself somewhere: Subject subject = new Subject(); LoginContext loginContext = new LoginContext(karafRealm, subject, new CallbackHandler() { @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (Callback callback : callbacks) { if (callback instanceof NameCallback) { ((NameCallback) callback).setName(userName); } if (callback instanceof PasswordCallback) { ((PasswordCallback) callback).setPassword(password).toCharArray()); } } } }); loginContext.login(); then you can say something like: public boolean isUserInGroup(String g) { for (GroupPrincipal principal : subject.getPrincipals(GroupPrincipal.class)) { if (principal.getName().equals(g)) return true; } return false; } public boolean isUserInRole(String s) { for (RolePrincipal principal : subject.getPrincipals(RolePrincipal.class)) { if (principal.getName().equals(s)) return true; } return false; } Great product, Karaf! Love it, thanks! Andy P On Mar 26, 2015, at 1:37 AM, Jean-Baptiste Onofré j...@nanthrax.net wrote: Hi Andy, you can directly use the JAAS subject provider. You get a LoginContext and Subject. Regards JB On 03/26/2015 01:47 AM, Andrew Phillips wrote: I am hoping to utilize the Karaf security module in a bundle of mine. What is the best way, if there is an example, of authenticating a user if i have a user name and password and getting back the roles so i can use the built in security module? I appreciate the help. Love the product, I am using Karaf 3.0.3. Thanks! Andy P -- Jean-Baptiste Onofré jbono...@apache.org http://blog.nanthrax.net Talend - http://www.talend.com
Re: Security in Module
Thanks, that is great information! As far as the CXF feature, I actually wrote my own to use in Jersey to do basic authentication (since i am using Jersey and couldn’t find anything out of the box). I should have a look at the JAASAuthenticationFeature in CXF since it is a RS compliant feature i am guessing to see how it compares. Thanks again for all the help! Andy P On Mar 26, 2015, at 2:49 PM, Christian Schneider ch...@die-schneider.net wrote: There is one more thing you should look into. Quite often you will need the authentication result in a place different from the place where you do the authentication. Passing the subject around is not very effective. Luckily there is a quite unknown way in JAAS to do this: AccessControlContext acc = AccessController.getContext(); Subject subject = Subject.getSubject(acc); This allows to get the subject at any place in your code. An even more convenient way if you use blueprint is to authorize based on security annotations. See the blueprint-auhtz module: https://fisheye6.atlassian.com/browse/~br=trunk/aries/trunk/blueprint/blueprint-authz https://fisheye6.atlassian.com/browse/~br=trunk/aries/trunk/blueprint/blueprint-authz And an example: https://github.com/cschneider/Karaf-Tutorial/tree/master/cxf/personservice/server https://github.com/cschneider/Karaf-Tutorial/tree/master/cxf/personservice/server https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/resources/OSGI-INF/blueprint/blueprint.xml https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/resources/OSGI-INF/blueprint/blueprint.xml https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/java/net/lr/tutorial/karaf/cxf/personservice/impl/PersonServiceImpl.java https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/java/net/lr/tutorial/karaf/cxf/personservice/impl/PersonServiceImpl.java The example uses cxf and the cxf JAASAuthenticationFeature for establishing the JAAS login and the blueprint authz module to do the authorization using @RolesAllowed. So while the example uses cxf you the authorization part is in no way tied to cxf. You can use it together with your own login code. Christian On 26.03.2015 20:33, Andrew Phillips wrote: Now that i do it, seems so simple. The trick is that the Principals are exposed as Group and Role principals from the karaf boot module. Maybe an example of how to do something like that would be helpful on the site.I’d be more than happy to give an example or update it myself somewhere: Subject subject = new Subject(); LoginContext loginContext = new LoginContext(karafRealm, subject, new CallbackHandler() { @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (Callback callback : callbacks) { if (callback instanceof NameCallback) { ((NameCallback) callback).setName(userName); } if (callback instanceof PasswordCallback) { ((PasswordCallback) callback).setPassword(password).toCharArray()); } } } }); loginContext.login(); then you can say something like: public boolean isUserInGroup(String g) { for (GroupPrincipal principal : subject.getPrincipals(GroupPrincipal.class)) { if (principal.getName().equals(g)) return true; } return false; } public boolean isUserInRole(String s) { for (RolePrincipal principal : subject.getPrincipals(RolePrincipal.class)) { if (principal.getName().equals(s)) return true; } return false; } Great product, Karaf! Love it, thanks! Andy P On Mar 26, 2015, at 1:37 AM, Jean-Baptiste Onofré j...@nanthrax.net mailto:j...@nanthrax.net wrote: Hi Andy, you can directly use the JAAS subject provider. You get a LoginContext and Subject. Regards JB On 03/26/2015 01:47 AM, Andrew Phillips wrote: I am hoping to utilize the Karaf security module in a bundle of mine. What is the best way, if there is an example, of authenticating a user if i have a user name and password and getting back the roles so i can use the built in security module? I appreciate the help. Love the product, I am using Karaf 3.0.3. Thanks! Andy P -- Jean-Baptiste Onofré jbono...@apache.org mailto:jbono...@apache.org http://blog.nanthrax.net http://blog.nanthrax.net/ Talend - http://www.talend.com http://www.talend.com/ -- Christian Schneider http://www.liquid-reality.de http://www.liquid-reality.de/ Open Source Architect http://www.talend.com http://www.talend.com/
Re: Security in Module
Hi Andy, you can directly use the JAAS subject provider. You get a LoginContext and Subject. Regards JB On 03/26/2015 01:47 AM, Andrew Phillips wrote: I am hoping to utilize the Karaf security module in a bundle of mine. What is the best way, if there is an example, of authenticating a user if i have a user name and password and getting back the roles so i can use the built in security module? I appreciate the help. Love the product, I am using Karaf 3.0.3. Thanks! Andy P -- Jean-Baptiste Onofré jbono...@apache.org http://blog.nanthrax.net Talend - http://www.talend.com
Re: Security in Module
Hi Andy, some time ago I did some test to use Spring Security within Karaf, the code I wrote for this study is published here: https://github.com/cristcost/springsec It is a very specific use case, in particular it is not a bundle but it is a War that is osgi-fied, but there is implemented a spring security login form so you may find it interesting. If you find it useful and have questions about it, feel free to ask. Regards, Cristiano Il giorno gio 26 mar 2015 alle ore 07:39 Jean-Baptiste Onofré j...@nanthrax.net ha scritto: Hi Andy, you can directly use the JAAS subject provider. You get a LoginContext and Subject. Regards JB On 03/26/2015 01:47 AM, Andrew Phillips wrote: I am hoping to utilize the Karaf security module in a bundle of mine. What is the best way, if there is an example, of authenticating a user if i have a user name and password and getting back the roles so i can use the built in security module? I appreciate the help. Love the product, I am using Karaf 3.0.3. Thanks! Andy P -- Jean-Baptiste Onofré jbono...@apache.org http://blog.nanthrax.net Talend - http://www.talend.com
Security in Module
I am hoping to utilize the Karaf security module in a bundle of mine. What is the best way, if there is an example, of authenticating a user if i have a user name and password and getting back the roles so i can use the built in security module? I appreciate the help. Love the product, I am using Karaf 3.0.3. Thanks! Andy P