Posted to user@karaf.apache.org by Cristiano Costantini <cr...@gmail.com> on 2017/04/28 10:58:17 UTC

Simply Protect HTTP servlet

Hello All,

How can I implement HTTP Basic Authentication similar to the one used by the
Karaf WebConsole (which I understand uses JAAS) to protect access to HTTP
resources in Karaf?

thanks
Cristiano

Re: Simply Protect HTTP servlet

Posted by cooshal <ku...@gmail.com>.
Hi:

I have similar concerns. I wanted to protect a particular endpoint. Here's
what I have done, so far:

// pom file

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.felix</groupId>
            <artifactId>maven-bundle-plugin</artifactId>
            <version>3.3.0</version>
            <inherited>true</inherited>
            <extensions>true</extensions>
            <configuration>
                <instructions>
                    <Web-ContextPath>/management</Web-ContextPath>
                    <Private-Package>*</Private-Package>
                    <Include-Resource>src</Include-Resource>
                    <_wab>src/main/webapp</_wab>
                </instructions>
            </configuration>
        </plugin>
    </plugins>
</build>

and, as per the suggestion from JB in a previous post on this thread, I added
the following in src/main/webapp/WEB-INF/web.xml. I am trying to protect the
http://localhost:8181/management/ endpoint.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" 
    xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>PRS-EAI Monitoring Console</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>authenticated</display-name>
        <web-resource-collection>
            <web-resource-name>management</web-resource-name>
            <description/>
            <url-pattern>/management/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>karaf</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>user</role-name>
    </security-role>
</web-app> 

I checked a few examples from pax-web as well. Did I do something wrong?

Regards,
Cooshal.



--
Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html

Re: Simply Protect HTTP servlet

Posted by Cristiano Costantini <cr...@gmail.com>.
Hi all!
Yes! I've followed both pieces of advice and it works!
I've been able to turn basic authentication on simply and quickly by
dropping a web.xml into the jar of my WAB.

I'm trying to find a satisfying project setup to deploy a Polymer web
application in Karaf, if I get good results I'll then share some hints.

Thank you again,
Cristiano


Re: Simply Protect HTTP servlet

Posted by Achim Nierbeck <bc...@googlemail.com>.
Hi Cristiano,

You could try a servlet filter, though since you already have a
Web-ContextPath you are actually already using the WAB approach.
With Pax-Web the file extension actually doesn't matter, so if you just add
a web.xml to it you should be safe to use the default JAAS mechanism
provided by Karaf and Pax-Web/Jetty at that point.

regards, Achim




-- 

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>

Software Architect / Project Manager / Scrum Master
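As an added example (not code from this thread, nor Karaf's or Pax-Web's own code), here is the servlet-filter route Achim mentions, for the case Cristiano describes: a bundle that has a Web-ContextPath but no web.xml. The filter performs HTTP Basic authentication against Karaf's `karaf` JAAS realm through a `LoginContext` and then requires a Karaf role, which is what the `<security-constraint>`/`<login-config>` pair in the web.xml examples does declaratively. The package name, the init parameter name `requiredRole` and the default role `user` (chosen to mirror the thread's web.xml) are assumptions; `org.apache.karaf.jaas.boot.principal.RolePrincipal` is the role principal class Karaf's login modules populate the Subject with.

```java
// Added example, not from the thread: HTTP Basic authentication against
// Karaf's JAAS realm, as a servlet Filter for a WAB that has no web.xml.
package example.karaf.security;   // assumed package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;

public class KarafBasicAuthFilter implements Filter {

    /** Karaf's default JAAS realm, the same one the web.xml examples reference. */
    static final String REALM = "karaf";

    /** Role a caller must hold; "user" mirrors the thread's web.xml (assumed default). */
    private String requiredRole = "user";

    @Override
    public void init(FilterConfig config) {
        // Optional init-param "requiredRole" (assumed name) overrides the default.
        String role = config.getInitParameter("requiredRole");
        if (role != null && !role.isEmpty()) {
            requiredRole = role;
        }
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String[] credentials = parseBasicHeader(request.getHeader("Authorization"));
        if (credentials == null) {
            challenge(response);           // no or malformed Authorization header
            return;
        }
        Subject subject = login(credentials[0], credentials[1].toCharArray());
        if (subject == null || !hasRole(subject, requiredRole)) {
            challenge(response);           // wrong credentials or missing role
            return;
        }
        chain.doFilter(request, response); // authenticated and authorized
    }

    /** Decodes "Basic base64(user:password)"; returns null for anything else. */
    static String[] parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                   // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;                   // no user:password separator
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Runs a JAAS login against the realm; returns the Subject, or null on failure. */
    static Subject login(String user, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            LoginContext context = new LoginContext(REALM, handler);
            context.login();
            return context.getSubject();
        } catch (LoginException e) {
            return null;                   // unknown user or bad password
        } finally {
            Arrays.fill(password, '\0');   // do not keep the cleartext password around
        }
    }

    /** True if the authenticated Subject carries the given Karaf role. */
    static boolean hasRole(Subject subject, String role) {
        return subject.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> role.equals(p.getName()));
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

The filter can be mapped with `<filter>`/`<filter-mapping>` in a web.xml or, in the same style the thread uses for its `HttpServlet`, published as a `javax.servlet.Filter` OSGi service so the Pax-Web whiteboard picks it up. Two things worth checking when wiring either this or the declarative `<security-constraint>`: the path pattern is matched against the part of the request path after the context path, so a WAB with `Web-ContextPath` `/management` protects everything under it with `/*`, not `/management/*`; and Basic credentials are only base64-encoded, so the listener in front of it should terminate TLS.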

Re: Simply Protect HTTP servlet

Posted by Cristiano Costantini <cr...@gmail.com>.
Hello Jean-Baptiste and thank you for the reply!

Your approach would be great, as I just need the quickest way to protect the
access with a username and password.

The problem is that the application is not a WAR, it is just a bundle with
the <Web-ContextPath> that publishes HTML/Javascript/CSS resources plus a
Servlet registered via spring.xml with <osgi:service
interface="javax.servlet.http.HttpServlet" ref="myServlet">, so I don't have
a web.xml.

For the moment I will try to enable HTTP basic auth for the URLs by
changing the main Karaf jetty.xml file; this is OK to satisfy my short-term
needs.

If you have in mind any idea to enable a security-constraint from within the
bundle (without touching Karaf's jetty.xml) when you don't have a
web.xml, I'll be glad to know it, as I would prefer not to touch the
configuration of Karaf.

Thank you
Cristiano



Re: Simply Protect HTTP servlet

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Cristiano,

It depends on whether you want to leverage authentication/authorization to
access a pattern/URL or whether you want to use JAAS internally in your
application with a subject.

Basically, imagine you have your servlet where you defined the pattern to /foo
(via the service properties if you use the http-whiteboard, for instance).

Then, you can define the security constraint in jetty.xml or in your configuration.

If you package as a war, you can use a web.xml similar to:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
     <display-name>cristiano_application</display-name>
     <welcome-file-list>
         <welcome-file>index.jsp</welcome-file>
     </welcome-file-list>
     <security-constraint>
         <display-name>authenticated</display-name>
         <web-resource-collection>
             <web-resource-name>All files</web-resource-name>
             <description/>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <description/>
             <role-name>user</role-name>
         </auth-constraint>
     </security-constraint>
     <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>karaf</realm-name>
     </login-config>
     <security-role>
         <description/>
         <role-name>user</role-name>
     </security-role>
</web-app>

Then, the access to any servlet (/*) in your application will be secured using
the Karaf JAAS realm.

Regards
JB


-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com