Posted to users@felix.apache.org by Stefan Seifert <ss...@pro-vision.de> on 2009/10/15 19:03:21 UTC

trusted header authentication for felix web console?

according to current web console docs
http://felix.apache.org/site/apache-felix-web-console.html#ApacheFelixWebConsole-Security
only basic authentication is supported.

we need to use a trusted header authentication in our infrastructure with an SSO server.
is this possible, anyone done this already?

stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org


RE: trusted header authentication for felix web console?

Posted by Stefan Seifert <ss...@pro-vision.de>.
>What I've done is to remove the authentication from the Web Console (by
>clearing out the username property via ConfigAdmin) and used a Servlet Filter
>(initially via my own Filter proxy and now with the Felix HttpService's Filter
>whiteboard function). In my case, I am using Spring Security, but there's
>nothing Spring Security-specific to this mode. I didn't even look at replacing
>the authentication/security process within the Web Console because I was
>looking to provide authentication across an entire web application, of which
>the Web Console is but one secured path segment.
>
>One thing to watch out for - if you do this and the bundle containing the
>Filter isn't started for some reason, the web console is unsecured. As such,
>what I did was have a little bootstrap class which unsets the Web Console
>password when the Filter service is registered and resets it when the Filter
>service is unregistered. There are probably other ways to handle this
>scenario.
>
>Justin

thanks, we'll have a look at this.

stefan



RE: trusted header authentication for felix web console?

Posted by "Edelson, Justin" <Ju...@mtvstaff.com>.
Sort of.
 
What I've done is to remove the authentication from the Web Console (by clearing out the username property via ConfigAdmin) and used a Servlet Filter (initially via my own Filter proxy and now with the Felix HttpService's Filter whiteboard function). In my case, I am using Spring Security, but there's nothing Spring Security-specific to this mode. I didn't even look at replacing the authentication/security process within the Web Console because I was looking to provide authentication across an entire web application, of which the Web Console is but one secured path segment.
 
One thing to watch out for - if you do this and the bundle containing the Filter isn't started for some reason, the web console is unsecured. As such, what I did was have a little bootstrap class which unsets the Web Console password when the Filter service is registered and resets it when the Filter service is unregistered. There are probably other ways to handle this scenario.
 
Justin

________________________________

From: Stefan Seifert [mailto:sseifert@pro-vision.de]
Sent: Thu 10/15/2009 1:03 PM
To: 'users@felix.apache.org'
Subject: trusted header authentication for felix web console?



according to current web console docs
http://felix.apache.org/site/apache-felix-web-console.html#ApacheFelixWebConsole-Security
only basic authentication is supported.

we need to use a trusted header authentication in our infrastructure with an SSO server.
is this possible, anyone done this already?

stefan
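
A minimal servlet Filter for the approach Justin describes, as an added example that is not code from the thread or from the Felix project: it accepts an SSO-asserted user header only when the request comes from the SSO proxy's address and rejects everything else. The header name `X-SSO-User`, the address `192.0.2.10` and the class name are assumptions; registering the Filter with the HttpService whiteboard is not shown.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: trusted-header check in front of the Web Console path. */
public class TrustedHeaderFilter implements Filter {
    // Assumptions: header name and proxy address are placeholders for your SSO setup.
    static final String USER_HEADER = "X-SSO-User";
    static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");

    /** Returns the asserted user, or null if the request must be rejected. */
    static String authenticate(String remoteAddr, String headerValue) {
        // The header is only meaningful when the SSO proxy itself sent it;
        // any other peer could have set the same header by hand.
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) return null;
        if (headerValue == null || headerValue.trim().isEmpty()) return null;
        return headerValue.trim();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        final String user = authenticate(req.getRemoteAddr(), req.getHeader(USER_HEADER));
        if (user == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
            return;
        }
        // Expose the SSO identity through the standard servlet API.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
        }, res);
    }
}
```

The filter protects the console only while its bundle is active, which is the case the bootstrap class in the reply above covers by resetting the Web Console password when the Filter service is unregistered.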





Re: trusted header authentication for felix web console?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Stefan,

We have been discussing abstracting the authentication of the web
console out of the core servlet to support other means. For the Sling
case for example, we would like to integrate with the Sling
authentication mechanism.

Other people would like to integrate with JAAS.

Guillaume Nodet proposed a simple security API in [1]. I have also
created FELIX-1764 [2] to track this. So, if you would like to help, you
are very welcome ...

Regards
Felix

[1] http://markmail.org/message/5gwqlt7b3gfz7427
[2] https://issues.apache.org/jira/browse/FELIX-1764

Stefan Seifert wrote:
> according to current web console docs
> http://felix.apache.org/site/apache-felix-web-console.html#ApacheFelixWebConsole-Security
> only basic authentication is supported.
> 
> we need to use a trusted header authentication in our infrastructure with an SSO server.
> is this possible, anyone done this already?
> 
> stefan
> 
