Posted to users@jackrabbit.apache.org by Krzysztof Lembicz <k....@bigantfarm.com> on 2015/11/26 18:19:35 UTC

[JackRabbit] - DAV session maintenance and JAAS login

Dear All,

   I have been evaluating JackRabbit 2 (2.10.3) for a couple of days to judge its usefulness for one of my projects. I have achieved almost everything I needed, including external LoginModule authentication using a JAAS-compliant module, which works. However, I have encountered an issue I do not know how to solve, or maybe I have misunderstood something.

I am going to use JackRabbit as a content server and communicate with it via the WebDAV HTTP interfaces (remotely). That works, including the mentioned JAAS LoginModule integration (Keycloak). The first lines of my test application are:

    Repository repository = JcrUtils.getRepository("http://localhost:8080/jackrabbit-webapp/server");
    Session session = repository.login(new SimpleCredentials("test1", "test".toCharArray()), "default");

where test1 and test are valid Keycloak user credentials, and the login process is successful. The problem is that the many operations I call before session.logout() (creating nodes, searching for nodes, removing nodes, etc.), although theoretically applied in a correct, logged-in session, are on the server's side still preceded by JAAS authentication again and again, in fact at each atomic operation I perform within the session. Instead, I would expect that once I am logged in, and until I call session.logout(), the JAAS login is omitted so I can work in a performant way. I do not know why, at the DAV servlet side, the session is not cached/maintained/recognized so that logging in again is not needed, since it has already taken place. And, unfortunately, the performance decrease I am observing is really significant and unacceptable.

Can anyone let me know whether I am doing something wrong, whether I have to configure something better so the session is recognized/stored, or whether this is the correct way it should work?
Any help would be much appreciated. Thank you.

Best regards,
Krzysztof Lembicz



Re: [JackRabbit] - DAV session maintenance and JAAS login

Posted by Chetan Mehrotra <ch...@gmail.com>.
I think you would need to implement some sort of Token authentication.

The default implementation supports Basic auth, where the
username/password are sent with every request. If you want to
avoid authentication for every remote HTTP call, then you would need to
implement some form of cookie or token auth. Looking at Keycloak, it
appears to support OAuth and other protocols.

So one rough approach can be like

1. Get a token issued out of band, i.e. by making direct HTTP calls to
some servlet, get an auth token issued for the user credentials.

2. As part of the Repository login, pass that token as part of the credentials.
Use some special user account like "tokenauth" and pass the token as
the password, say base64-encoded. The username is not important
[2]!

3. On the server side, have a JAAS login module which extracts the token
from the password and validates it. Most likely
org.keycloak.adapters.jaas.BearerTokenLoginModule would serve the
purpose here.

With this setup, the HTTP client used within the JCR client classes would pass
the token on each call, and it would get validated without the
extra overhead of full credential authentication (assuming
token/bearer auth is fast!).

Hope that helps!

Chetan Mehrotra
[1] https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jaas-adapter
[2] https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java#L9


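The three steps in the reply above, carried through end to end as an added example. This is not code from the original thread, from Jackrabbit or from Keycloak. Assumptions: the repository URL and the "tokenauth" placeholder account are taken from the discussion; the token format (subject '.' base64(HMAC-SHA256(secret, subject))), the SECRET constant and the issueToken() stand-in are invented here so the example runs without a Keycloak server, and the validate() routine replaces the signature check that BearerTokenLoginModule would otherwise perform. The JAAS module relies only on NameCallback and PasswordCallback, which Jackrabbit's credentials callback handler serves from a SimpleCredentials login.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.jackrabbit.commons.JcrUtils;

public final class TokenAuthExample {

    // ASSUMPTION: a shared-secret HMAC stands in for the issuer's (Keycloak's) signature check.
    private static final byte[] SECRET = "replace-with-a-real-random-key".getBytes(StandardCharsets.UTF_8);
    private static final String TOKEN_USER = "tokenauth";   // placeholder account; the server ignores the name

    // Step 1 (stand-in for the issuer): token = subject '.' base64(HMAC-SHA256(secret, subject)).
    static String issueToken(String subject) {
        return subject + "." + Base64.getEncoder().encodeToString(hmac(subject));
    }

    // Step 2 (client): carry the token in the password field so the DAV client re-sends it on every request.
    static Session login(String repoUrl, String token) throws Exception {
        Repository repository = JcrUtils.getRepository(repoUrl);
        String password = Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
        return repository.login(new SimpleCredentials(TOKEN_USER, password.toCharArray()), "default");
    }

    // Step 3 (server): JAAS module that extracts the token from the PasswordCallback and validates it.
    public static final class TokenLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;   // set in login(), attached to the Subject in commit()

        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user");             // requested but deliberately not trusted
            PasswordCallback pwCb = new PasswordCallback("token", false);
            try {
                handler.handle(new Callback[] {nameCb, pwCb});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pwCb.getPassword();
            pwCb.clearPassword();
            if (pw == null || pw.length == 0) throw new FailedLoginException("no token supplied");
            String token;
            try {
                token = new String(Base64.getDecoder().decode(new String(pw)), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                throw new FailedLoginException("token is not base64");
            }
            String user = validate(token);   // throws FailedLoginException on a bad token
            principal = () -> user;          // Principal has a single abstract method, getName()
            return true;
        }

        @Override public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
        @Override public boolean abort()  { principal = null; return true; }
        @Override public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
    }

    // Verify the token's HMAC with a constant-time compare; returns the subject (user name) on success.
    static String validate(String token) throws FailedLoginException {
        int dot = token.lastIndexOf('.');
        if (dot <= 0 || dot == token.length() - 1) throw new FailedLoginException("malformed token");
        String subject = token.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            throw new FailedLoginException("malformed token");
        }
        if (!MessageDigest.isEqual(hmac(subject), presented)) throw new FailedLoginException("bad token signature");
        return subject;
    }

    static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        String token = issueToken("test1");
        System.out.println("validated as " + validate(token));   // server-side check, needs no repository
        Session session = login("http://localhost:8080/jackrabbit-webapp/server", token);
        try { System.out.println(session.getUserID()); } finally { session.logout(); }
    }
}
```

Two caveats a practitioner should keep in mind. First, this does not make the remote session stateful: every DAV request still goes through JAAS, the saving is that verifying an HMAC (or a Keycloak-signed bearer token) is far cheaper than a full credential check against the identity provider. Second, the password field now carries a bearer token, so the repository URL must be https in any real deployment, the token should carry an expiry (the constructed format above has none), and the server must derive the user from the validated token, never from the client-supplied username.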