Hello Jean-Baptiste and thank you for the reply! Your approach would be great, as I just need the quickest way to protect the access with a username and password.

The problem is that the application is not a WAR, it is just a bundle with the <Web-ContextPath> that publishes HTML/Javascript/CSS resources plus a Servlet registered via spring.xml with <osgi:service interface="javax.servlet.http.HttpServlet" ref="myServlet">, so I don't have a web.xml.

For the moment I will try to enable http basic auth for the urls by changing the main karaf's jetty.xml file, this is ok to satisfy my short term needs.

If you have in mind any idea to enable security-constraint from within the bundle (without touching the karaf's jetty.xml) when you don't have a web.xml, I'll be glad to know it as I would prefer not to touch the configuration of karaf.

Thank you
Cristiano

On Sat, 29 Apr 2017 at 06:54, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi Cristiano,
>
> It depends if you want to leverage the authentication/authorization to
> access a pattern/url or if you want to use JAAS internally to your
> application with a subject.
>
> Basically, imagine you have your servlet where you defined the pattern to
> /foo (via the service properties if you use the http-whiteboard for
> instance).
>
> Then, you can define the security constraint in jetty.xml or in your
> configuration.
>
> If you package as a war, you can use a web.xml similar to:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>          http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>   <display-name>cristiano_application</display-name>
>   <welcome-file-list>
>     <welcome-file>index.jsp</welcome-file>
>   </welcome-file-list>
>   <security-constraint>
>     <display-name>authenticated</display-name>
>     <web-resource-collection>
>       <web-resource-name>All files</web-resource-name>
>       <description/>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <description/>
>       <role-name>user</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>karaf</realm-name>
>   </login-config>
>   <security-role>
>     <description/>
>     <role-name>user</role-name>
>   </security-role>
> </web-app>
>
> Then, the access to any servlet (/*) in your application will be secure
> using the karaf JAAS realm.
>
> Regards
> JB
>
> On 04/28/2017 12:58 PM, Cristiano Costantini wrote:
> > Hello All,
> >
> > How can I implement a Basic HTTP Authentication similar to the one used
> > by Karaf WebConsole (which I understand uses Jaas) to protect access to
> > HTTP resources in Karaf?
> >
> > thanks
> > Cristiano
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
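
An added example, not part of the thread and not code from Karaf or its authors: one way to do the "JAAS internally" variant mentioned in the reply when the bundle has no web.xml. The class name `JaasBasicAuth` and the way it gets called (for instance from an `HttpContext.handleSecurity` implementation or a servlet filter that the bundle registers) are assumptions; the realm `karaf` and the role `user` are taken from the web.xml quoted above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;

/** Hypothetical helper: HTTP Basic credentials checked against a Karaf JAAS realm. */
public final class JaasBasicAuth {
    private static final String REALM = "karaf"; // realm-name from the quoted web.xml
    private static final String ROLE = "user";   // role-name from the quoted web.xml

    /** Returns true if the request may proceed; otherwise a 401 challenge has been sent. */
    public static boolean handleSecurity(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        Subject subject = login(req.getHeader("Authorization"));
        // Match on RolePrincipal only, so a *user* named "user" does not pass as the role.
        if (subject == null || subject.getPrincipals(RolePrincipal.class).stream()
                .noneMatch(p -> ROLE.equals(p.getName()))) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        return true;
    }

    private static Subject login(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // split on the first ':'; passwords may contain ':'
            if (colon < 0) return null;
            String user = pair.substring(0, colon);
            char[] pass = pair.substring(colon + 1).toCharArray();
            LoginContext lc = new LoginContext(REALM, callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login(); // throws LoginException when the realm rejects the credentials
            return lc.getSubject();
        } catch (IllegalArgumentException | LoginException e) {
            return null; // malformed base64 or failed login: caller answers with 401
        }
    }
}
```

Basic credentials are only base64-encoded on the wire, so the protected context should be reachable over HTTPS only.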