Hello,

Three months ago, we started to use Keycloak for this purpose. In the first 
step we are using it only for authentication, but in the second step we will 
also use it with all the roles etc. 

Christian

> On 01.08.2016 at 17:58, Nick Baker <nba...@pentaho.com> wrote:
> 
> Is Shiro even active at this point?
>  
> We do some of what you’re looking for, but it’s all custom code. We have the 
> concept of logical permissions which can be bound to Users and/or Groups. Our 
> UI queries for these and uses the information to remove/disable UI elements. 
> As was mentioned though, you need to be doing the same checks on the 
> server-side or you’re going to get hacked.
>  
> -Nick
>  
> From: Jason Pratt <jpratt3...@gmail.com>
> Reply-To: "user@karaf.apache.org" <user@karaf.apache.org>
> Date: Monday, August 1, 2016 at 11:05 AM
> To: "user@karaf.apache.org" <user@karaf.apache.org>
> Subject: Re: Access control of OSGi Web app?
>  
> Take a look at Shiro and JWT. You should be able to string something together 
> from that.
>  
> On Sun, Jul 31, 2016 at 11:08 PM, Sigmund Lee <wua...@gmail.com> wrote:
> Hi all,
>  
> Thanks for advice and solutions you guys provided.
>  
> Seems like they are all proper ways to protect server-side services. But as I 
> said, we are a website; what I need is a solution that can integrate frontend & 
> backend together and provide page-level access control. Basically two steps 
> are involved:
>  
> 1. An externalized access control system to protect access to exposed 
> services (for example, RESTful services, web URLs, etc.).
> 2. After access is permitted, return the corresponding response page to the 
> client (aka the browser), and every button or link on this response page can be 
> displayed or hidden based on the permissions of the current user. 
>  
> Basically, what I need is a solution that not only frees backend engineers from 
> hard-coded authz code, but also frees frontend engineers from hard-coding.
>  
> Thanks again!
>  
> Bests.
> --
> Sig 
>  
>  
>  
> On Fri, Jul 29, 2016 at 10:02 PM, Achim Nierbeck <bcanh...@googlemail.com> 
> wrote:
> Yes, as filters without servlets can't be served. They don't have a URI 
> binding. 
>  
> regards, Achim 
>  
> 2016-07-29 15:33 GMT+02:00 Nick Baker <nba...@pentaho.com>:
> Hey Achim,
>  
> Thanks for this example. We’re looking at URL security as part of our ongoing 
> OSGi migration as well. We’re using Spring Security in the legacy 
> non-OSGi space. So this is a timely conversation for us :)
>  
> Quick question: are we still working with the limitation that Filters are 
> only invoked if a Servlet or Resource would already serve the URL?
>  
> -Nick
>  
> From: Achim Nierbeck <bcanh...@googlemail.com>
> Reply-To: "user@karaf.apache.org" <user@karaf.apache.org>
> Date: Friday, July 29, 2016 at 8:54 AM
> To: "user@karaf.apache.org" <user@karaf.apache.org>
> Subject: Re: Access control of OSGi Web app?
>  
> Hi Sigmund, 
>  
> Sorry for being late to the party ... if those solutions above don't work for 
> you, you still have the possibility to create a customized filter which you 
> can re-use with your own applications. 
> For this you can either go the "classical" way of using web fragments, or you 
> can share the httpContext between your OSGi bundles. For this you need to 
> declare your httpContext to be shareable, and after that you just need to 
> attach your filter bundle to that shareable httpContext. 
>  
> Take a look at the following Sample, or better integration test of Pax Web 
> [1]. 
>  
> regards, Achim 
>  
> [1] - 
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-itest/pax-web-itest-container/pax-web-itest-container-jetty/src/test/java/org/ops4j/pax/web/itest/jetty/CrossServiceIntegrationTest.java#L59-L95
>  
> 2016-07-26 16:05 GMT+02:00 Christian Schneider <ch...@die-schneider.net>:
> In Karaf, authentication is based on JAAS. Using login modules you can define 
> what source to authenticate against.
> The Karaf web console is protected by this by default. It is also possible to 
> enable JAAS-based authentication for CXF, e.g. for your REST services.
> There is also role-based and group-based authentication out of the box.
> 
> There is no attribute-based access control available, but you can create this 
> based on the JAAS authentication.
> 
> This code can give you an idea of how to get the subject and the principals 
> from JAAS in karaf: 
> https://github.com/apache/aries/blob/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java#L69-L81
> 
> You could create your own annotations or an OSGi service to handle the 
> attribute-based authorization based on the authentication information.
> 
> Christian
> 
> 
> On 26.07.2016 08:29, Sigmund Lee wrote:
> We are a website, using OSGi as our microservices implementation. Every feature 
> of our site is a standalone OSGi-based webapp, split into several OSGi 
> bundles (api, impl, webapp, rest, etc.). 
>  
> But there are functions that are coupled with more than one bundle, for example 
> Access Control & Authorization. Currently our authorization code is 
> hard-coded everywhere and is very hard to maintain. 
>  
> My question is, what's the proper way to handle access control when 
> using OSGi? Is there any OSGi-compatible ABAC (attribute-based access control, 
> because our authorization model needs to be calculated based on attributes of the 
> resource and context/environment) framework?
> 
> 
> Thanks.
>  
> --
> Sig 
>  
>  
> 
> -- 
> Christian Schneider
> http://www.liquid-reality.de
>  
> Open Source Architect
> http://www.talend.com
> 
> 
>  
> --
> 
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & 
> Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>  
> Software Architect / Project Manager / Scrum Master 
>  
> 
> 
>  
>  
>  

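The two points the thread keeps returning to are Christian's (get the Subject and its principals from JAAS, then build your own attribute-based check on top of it) and Nick's (the UI may hide buttons from a permission list, but the server must run the same check or you get hacked). The following is an added example, not code from the thread, from Karaf, Pax Web or Aries: a single servlet Filter that reads the JAAS Subject the same way the linked Aries AuthorizationInterceptor does, computes one ABAC decision from subject, resource and environment attributes, enforces it on the request, and hands the resulting permission set to the page so the frontend renders from data instead of hard-coding rules. It assumes the authentication layer in front of this filter runs the request inside Subject.doAs so the Subject is on the thread's AccessControlContext; the Document class, the "/docs/..." sample data, the "docs:view" / "docs:edit" / "docs:delete" action names and the business-hours rule are all hypothetical.

```java
// Added example (not from the thread or any of the projects it mentions).
import java.io.IOException;
import java.security.AccessController;
import java.time.LocalTime;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.jaas.boot.principal.UserPrincipal;

/**
 * One policy decision point: the filter enforces the decision on the server
 * and exposes the same decision to the view, so the UI never becomes the only check.
 */
public final class AbacFilter implements Filter {

    /** Resource attributes (hypothetical shape of a "document" resource). */
    public static final class Document {
        public final String owner;
        public final boolean published;
        public Document(String owner, boolean published) {
            this.owner = owner;
            this.published = published;
        }
    }

    /** Constructed sample data standing in for a real resource lookup. */
    private static final Map<String, Document> DOCUMENTS = new HashMap<>();
    static {
        DOCUMENTS.put("/docs/1", new Document("alice", true));
        DOCUMENTS.put("/docs/2", new Document("bob", false));
    }

    /** Subject attributes: user name and role names from the Karaf JAAS principals. */
    static String userOf(Subject s) {
        for (UserPrincipal p : s.getPrincipals(UserPrincipal.class)) {
            return p.getName();
        }
        return null;
    }

    static Set<String> rolesOf(Subject s) {
        Set<String> roles = new HashSet<>();
        for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) {
            roles.add(p.getName());
        }
        return roles;
    }

    /** The ABAC decision: subject + resource + environment attributes -> permitted actions. */
    public static Set<String> permittedActions(String user, Set<String> roles,
                                               Document doc, boolean businessHours) {
        Set<String> actions = new HashSet<>();
        boolean owner = user != null && user.equals(doc.owner);
        if (doc.published || owner || roles.contains("admin")) actions.add("docs:view");
        if (owner || roles.contains("editor"))                 actions.add("docs:edit");
        // environment attribute: deletion only by admins and only during business hours
        if (roles.contains("admin") && businessHours)          actions.add("docs:delete");
        return Collections.unmodifiableSet(actions);
    }

    /** Maps the HTTP method to the action the policy understands; unknown verbs are denied. */
    static String actionFor(String method) {
        switch (method) {
            case "GET": case "HEAD":               return "docs:view";
            case "PUT": case "POST": case "PATCH": return "docs:edit";
            case "DELETE":                         return "docs:delete";
            default:                               return null;
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Same retrieval as the Aries interceptor linked in the thread.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        Document doc = DOCUMENTS.get(http.getRequestURI());
        if (doc == null) { out.sendError(HttpServletResponse.SC_NOT_FOUND); return; }

        int hour = LocalTime.now().getHour();
        Set<String> allowed = permittedActions(userOf(subject), rolesOf(subject), doc,
                                               hour >= 9 && hour < 18);

        String action = actionFor(http.getMethod());
        if (action == null || !allowed.contains(action)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);   // server-side enforcement
            return;
        }

        // The same decision goes to the page: templates show or hide buttons
        // from this set instead of repeating the rules in frontend code.
        http.setAttribute("permittedActions", allowed);
        chain.doFilter(req, res);
    }
}
```

Because permittedActions() is the only place rules live, adding a new attribute (a tenant, a document classification, the client's network) changes one method, and the button list the page renders can never drift from what the server will actually allow. Registering the filter against a shared httpContext, as Achim describes, is what lets every webapp bundle reuse it; remember his caveat that a filter only fires for URLs a servlet or resource would already serve.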