I tested Pax-Web Context Processing as explained here:  

https://ops4j1.jira.com/wiki/spaces/paxweb/pages/354025473/HTTP+Context+processing
 


And it does, in fact, work. I was able to add BASIC authentication to my Camel
Routes outside of the bundle itself, and using Servlet Rest DSL with
Blueprint. I did not need to add a web.xml file. So basically, my Camel Rest
DSL is like this:

                <restConfiguration
                        component="servlet"
                        bindingMode="json"
                        enableCORS="false"
                        skipBindingOnErrorCode="false"
                        clientRequestValidation="true">

                        <componentProperty key="matchOnUriPrefix" value="true"/>

                        <endpointProperty key="servletName" value="MyServlet"/>
                        <endpointProperty key="disableStreamCache" value="true"/>

                        <dataFormatProperty key="contentTypeHeader" value="false"/>
                        <dataFormatProperty key="baseUri" value="{{context.path}}{{api.root.path}}"/>
                </restConfiguration>



Register the Camel Servlet:


        <reference id="httpService" interface="org.osgi.service.http.HttpService" />

        <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>

        <bean class="org.apache.camel.component.servlet.osgi.OsgiServletRegisterer"
                init-method="register"
                destroy-method="unregister">
                <property name="servletName" value="MyServlet"/>
                <property name="alias" value="#{context.path}#{api.root.path}" />
                <property name="httpService" ref="httpService" />
                <property name="servlet" ref="camelServlet" />
        </bean>


Then, add the file

                org.ops4j.pax.web.context-admin.cfg

to Karaf’s etc directory. The postfix ‘admin’ can be whatever you want.


bundle.symbolicName = <the symbolic name of bundle with Camel routes>
login.config.authMethod = BASIC
login.config.realmName = karaf
context.id = default

This solution has important advantages:

- Only one Jetty instance for all bundles
- Security is external, at the container level, which means it can be adapted to
  use a different mechanism without changing the code of the Camel routes.
- Leverages Karaf’s built in JAAS features.


Best regards,
Alex soto
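
Added example, not part of the original post: a small Python check for the realm-name mismatch reported in this thread (`Karaf` in the login config versus `karaf` in jetty.xml). It compares `login.config.realmName` from a context-processing file against the JAASLoginService names declared in jetty.xml, case-sensitively; the sample files and the bundle name `com.example.routes` are constructed.

```python
import xml.etree.ElementTree as ET

JAAS_CLASS = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed samples: a cut-down jetty.xml and two context-processing files.
JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">karaf</Set>
    </New>
  </Arg></Call>
</Configure>"""
CFG_OK = """bundle.symbolicName = com.example.routes
login.config.authMethod = BASIC
login.config.realmName = karaf
context.id = default"""
CFG_BAD = CFG_OK.replace("realmName = karaf", "realmName = Karaf")

def login_service_names(jetty_xml):
    """Names of all JAASLoginService beans declared in a jetty.xml string."""
    names = set()
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class") == JAAS_CLASS:
            names.update(s.text.strip() for s in new.findall("Set")
                         if s.get("name") == "name" and s.text)
    return names

def parse_cfg(text):
    """Parse key = value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_realm(cfg_text, jetty_xml):
    """Return a list of problems; an empty list means the realm resolves."""
    realm = parse_cfg(cfg_text).get("login.config.realmName")
    if not realm:
        return ["login.config.realmName is not set"]
    names = login_service_names(jetty_xml)
    if realm in names:  # exact, case-sensitive match
        return []
    near = sorted(n for n in names if n.lower() == realm.lower())
    if near:
        return [f"realm '{realm}' differs only in case from LoginService '{near[0]}'"]
    return [f"realm '{realm}' has no LoginService (declared: {sorted(names)})"]

if __name__ == "__main__":
    for label, cfg in (("ok", CFG_OK), ("bad", CFG_BAD)):
        print(label, check_realm(cfg, JETTY_XML))
```

Running it against the real `etc/jetty.xml` and each `org.ops4j.pax.web.context-*.cfg` before deployment catches the mismatch that otherwise surfaces only as `No LoginService for ... BasicAuthenticator` at startup.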




> On May 13, 2020, at 12:56 PM, Gerald Kallas <catsh...@mailbox.org> wrote:
> 
> As I have only Blueprint DSL routes it would be interesting how to configure 
> this either in a Blueprint DSL file or globally in a config.
> 
> Best
> - Gerald
> 
>> On May 13, 2020 at 16:26, Alex Soto <alex.s...@envieta.com> wrote:
>> 
>> 
>> This looks promising:
>> 
>> https://ops4j1.jira.com/wiki/spaces/paxweb/pages/354025473/HTTP+Context+processing
>> 
>> 
>> 
>> Best regards,
>> Alex soto
>> 
>> 
>> 
>> 
>> 
>>> On May 13, 2020, at 10:26 AM, Alex Soto <alex.s...@envieta.com> wrote:
>>> Re-sending to group
>>> 
>>> 
>>> 
>>> 
>>>> On May 13, 2020, at 9:38 AM, Alex Soto <alex.s...@envieta.com> wrote:
>>>> Thank you Gerald, I appreciate the link.
>>>> 
>>>> I was starting to go that route, but it is not optimal, because I have 
>>>> more than one bundle that exposes HTTP endpoints, and it is wasteful for 
>>>> each one to run their own Jetty instance. Same thing with authentication, 
>>>> I want to leverage the Karaf built in JAAS support, instead of recreating 
>>>> it. To this point, I have been able to leverage a single Jetty instance 
>>>> that is managed by PAX-WEB, but adding authentication is proving to be 
>>>> impossible.
>>>> 
>>>> 
>>>> Best regards,
>>>> Alex soto
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On May 12, 2020, at 5:10 PM, Gerald Kallas <catsh...@mailbox.org> wrote:
>>>>> Hi Alex,
>>>>> 
>>>>> we have gained some experience with TLS and basic authentication on HTTP 
>>>>> consumers in the meantime (and with the help of this mailing list).
>>>>> 
>>>>> I started an article series on my blog, see
>>>>> 
>>>>> https://www.catshout.de/?p=161
>>>>> 
>>>>> for a single HTTP consumer with TLS and basic authentication enabled. 
>>>>> It's based on camel-jetty. All examples are written in Blueprint DSL. 
>>>>> Hope this helps a bit. Feel free to comment.
>>>>> 
>>>>> I'll proceed with a REST API secured in the same manner and some discussions 
>>>>> about the limitations and options.
>>>>> 
>>>>> Best
>>>>> - Gerald
>>>>> 
>>>>> 
>>>>>> On May 12, 2020 at 19:55, Alex Soto <alex.s...@envieta.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> This thread talks about the need to:
>>>>>> 
>>>>>> http://karaf.922171.n3.nabble.com/Jetty-security-camel-servlet-td2120289.html
>>>>>> 
>>>>>> Quote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> you need to use the OSGi HTTP service 
>>>>>>> api to properly configure the security bits (by implementing 
>>>>>>> org.osgi.service.http.HttpContext interface).
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Are there any examples of this?
>>>>>> 
>>>>>> Best regards,
>>>>>> Alex soto
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On May 12, 2020, at 11:42 AM, Alex Soto <alex.s...@envieta.com> wrote:
>>>>>>> Thanks, JB.
>>>>>>> 
>>>>>>> I found the problem was a typo in the `realm-name` in the web.xml 
>>>>>>> file. It appears to be case-sensitive. I had:
>>>>>>> 
>>>>>>> <login-config>
>>>>>>> <auth-method>BASIC</auth-method>
>>>>>>> <realm-name>Karaf</realm-name>
>>>>>>> </login-config>
>>>>>>> 
>>>>>>> 
>>>>>>> But in the jetty.xml:
>>>>>>> 
>>>>>>> <New class="org.eclipse.jetty.jaas.JAASLoginService">
>>>>>>> <Set name="name">karaf</Set>
>>>>>>> 
>>>>>>> 
>>>>>>> So I think it could not match the `Karaf` in the Web.xml to the `karaf` 
>>>>>>> in the Jetty.xml.
>>>>>>> I wish the error message was more explicit. Anyway, now the web app is 
>>>>>>> properly initialized, BUT… the security constraint is not being applied 
>>>>>>> to my Camel Rest services, only to the ‘/admin’ URL.
>>>>>>> For example:
>>>>>>> 
>>>>>>> http://localhost:8181/admin/api/rest/executions
>>>>>>> 
>>>>>>> Does not prompt for a password, it successfully returns the data from 
>>>>>>> the Camel Rest DSL route. And this url
>>>>>>> 
>>>>>>> http://localhost:8181/admin
>>>>>>> 
>>>>>>> is protected with basic authentication, so the browser prompts me for 
>>>>>>> the user name and password.
>>>>>>> 
>>>>>>> What I need is to protect everything starting with ‘/admin’.
>>>>>>> 
>>>>>>> Any ideas?
>>>>>>> 
>>>>>>> Best regards,
>>>>>>> Alex soto
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On May 12, 2020, at 11:24 AM, Jean-Baptiste Onofre <j...@nanthrax.net> wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> It sounds like a class loader issue, so possible.
>>>>>>>> 
>>>>>>>> Let me add an example in Karaf showing basic auth.
>>>>>>>> 
>>>>>>>> Regards
>>>>>>>> JB
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On May 12, 2020, at 15:39, Alex Soto <alex.s...@envieta.com> wrote:
>>>>>>>>> I found that I have multiple versions of Jetty deployed in Karaf, 
>>>>>>>>> that is: 9.4.20.v20190813, and 9.4.22.v20191022
>>>>>>>>> Would this be the reason for the following exception:
>>>>>>>>> 
>>>>>>>>> 2020-05-12T09:10:19,122 | ERROR | paxweb-extender-2-thread-1 | WebAppPublisher | 302 - org.ops4j.pax.web.pax-web-extender-war - 7.2.14 | Error deploying web application
>>>>>>>>> java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.BasicAuthenticator@1d7311a1 in ConstraintSecurityHandler@64779d1e{STARTING}
>>>>>>>>> at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:92) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:344) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:106) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:106) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:879) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:357) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:821) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:276) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.service.internal.HttpServiceStarted.end(HttpServiceStarted.java:1264) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.service.internal.HttpServiceProxy.end(HttpServiceProxy.java:456) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.RegisterWebAppVisitorWC.end(RegisterWebAppVisitorWC.java:405) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.model.WebApp.accept(WebApp.java:658) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebAppPublisher$WebAppDependencyListener.register(WebAppPublisher.java:228) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebAppPublisher$WebAppDependencyListener.addingService(WebAppPublisher.java:173) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebAppPublisher$WebAppDependencyListener.addingService(WebAppPublisher.java:129) ~[?:?]
>>>>>>>>> at org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:941) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:870) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.osgi.util.tracker.AbstractTracked.trackInitial(AbstractTracked.java:183) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:318) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:261) ~[osgi.core-6.0.0.jar:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebAppPublisher.publish(WebAppPublisher.java:98) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebObserver.deploy(WebObserver.java:217) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.WebObserver$1.doStart(WebObserver.java:172) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.extender.SimpleExtension.start(SimpleExtension.java:59) ~[?:?]
>>>>>>>>> at org.ops4j.pax.web.extender.war.internal.extender.AbstractExtender.lambda$createExtension$0(AbstractExtender.java:277) ~[?:?]
>>>>>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_171]
>>>>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_171]
>>>>>>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_171]
>>>>>>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:1.8.0_171]
>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_171]
>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_171]
>>>>>>>>> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Best regards,
>>>>>>>>> Alex soto
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On May 11, 2020, at 12:50 PM, Alex Soto <alex.s...@envieta.com> wrote:
>>>>>>>>>> A little more info. The class appears in many bundles:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> karaf@root()> bundle:find-class org.eclipse.jetty.security.authentication.BasicAuthenticator
>>>>>>>>>> 
>>>>>>>>>> Jetty :: Security (229)
>>>>>>>>>> org/eclipse/jetty/security/authentication/BasicAuthenticator.class
>>>>>>>>>> 
>>>>>>>>>> Jetty :: Security (230)
>>>>>>>>>> org/eclipse/jetty/security/authentication/BasicAuthenticator.class
>>>>>>>>>> 
>>>>>>>>>> Jetty :: JASPI Security (231)
>>>>>>>>>> org/eclipse/jetty/security/authentication/BasicAuthenticator.class
>>>>>>>>>> 
>>>>>>>>>> Jetty :: JASPI Security (232)
>>>>>>>>>> org/eclipse/jetty/security/authentication/BasicAuthenticator.class
>>>>>>>>>> 
>>>>>>>>>> OPS4J Pax Web - Jetty (309)
>>>>>>>>>> org/eclipse/jetty/security/authentication/BasicAuthenticator.class
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Best regards,
>>>>>>>>>> Alex soto
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On May 11, 2020, at 12:44 PM, Alex Soto <alex.s...@envieta.com> wrote:
>>>>>>>>>>> org.eclipse.jetty.security.authentication.BasicAuthenticator