Posted to users@camel.apache.org by jliu <je...@gmail.com> on 2010/04/01 11:04:02 UTC

Camel security

Hi, 

I am currently working on Drools (http://www.jboss.org/drools) Camel
integration. One requirement that popped up is to provide secured access to
the Drools KnowledgeSession. For those who are not familiar with Drools, a Drools
KnowledgeSession is defined as a Camel process or endpoint. Basically this
means an authentication framework and an authorization framework that can be
used to provide service level and method level security. The authorization
part needs to support both role-based authorization and rule-based
authorization. So for example, with this security in place, I can say "only
admin type user can access Drools KnowledgeSession" or "only admin type
user can call insertFact on Drools KnowledgeSession". I can also say "If
the current user has called fireAllRules on Drools KnowledgeSession more
than an average of 5 times in the last minute, then reject the next
invocation, as it's possible fraud".

An example of a Camel route with authorization may look like the one below (please
note, this is not a valid configuration, just used to illustrate the idea):

Service level security:

a camel route without authorization:
<camel:route>
     <camel:from uri="direct:executor" />
     <camel:process ref="DroolsBatchExecutorProcessor"/>
     <camel:to uri="direct:xstreamTransformerResult" />
</camel:route>

a camel route with simple role based authorization using role mappings
stored in property files:
<camel:route>
    <camel:from uri="direct:executor" />
    <camel:process ref="DroolsBatchExecutorProcessor"
                   authorization-module="role-based-using-property-file"
                   rolesAllowed="admin=, analysis"/>
    <camel:to uri="direct:xstreamTransformerResult" />
</camel:route>

a camel route with rule based authorization using Drools:
<camel:route>
     <camel:from uri="direct:executor" />
     <camel:process ref="DroolsBatchExecutorProcessor"
                    authorization-module="rule-based-using-drools"/>
     <camel:to uri="direct:xstreamTransformerResult" />
</camel:route>

Method level security:
TBD

Does such a feature exist in Camel, or will it be supported in the future?

Thanks,

Jervis Liu
-- 
View this message in context: http://old.nabble.com/Camel-security-tp28106100p28106100.html
Sent from the Camel - Users mailing list archive at Nabble.com.


Re: Camel security

Posted by Willem Jiang <wi...@gmail.com>.
jliu wrote:
> 
> 
> Claus Ibsen-2 wrote:
>> It's important that we do this in a manner so the security framework of
>> choice can easily be plugged in, as many have different needs.
>> And some are forced to use JAAS etc.
>>
>> So it should NOT be a Spring Security that masters how we do this in Camel.
>>
> 
> +1.
> 
>  Ideally the Camel security will be pluggable, so that ppl can plug
> different security implementations into Camel. For example, for Drools
> project, I may want to use Picketlink (http://www.jboss.org/picketlink) as
> the underlying authentication and authorization implementation. Other people
> may prefer Spring security or their own implementations.
> 
> If we dig into technical details a little bit, I believe the authentication
> part should be straightforward. As long as JAAS is used, different
> authentication implementations can always be plugged in easily. The headache
> part is the authorization. There is no standard we can use in this area, and
> I am not sure how easy it is to write a framework that can plug in different
> authorization implementations. For example, it may not be possible to write
> an authorization framework that is flexible enough to switch its underlying
> impl among Picketlink Authz (http://www.jboss.org/picketlink/AuthZ.html) and
> the authorization part in Seam3 Security
> (http://www.seamframework.org/Seam3/SecurityModuleOverview) and the
> authorization part in Spring security. Most likely Camel will have to come
> out with its own specific authorization implementation or just choose an
> existing one. 
> 


The reason that I chose Spring Security to implement the authorization
mechanism is that it supports different kinds of AccessDecisionVoter, and
they are Spring friendly.

In Spring Security, the authorization will be delegated to the
AccessDecisionManager and you can set up different AccessDecisionVoters on
it; maybe we can add a layer in Camel to plug in the different
authorization implementations.

Willem
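
Added example (not part of the thread, and not Camel, Spring Security or Drools code): a JDK-only model of the pluggable voter layer discussed above, combining the role-based check and the call-rate rule from the original post. AuthorizationVoter, RoleVoter, RateVoter and authorize are hypothetical names, the rate rule is simplified to a sliding-window count, and Java 9+ is assumed; in a route, a Processor would call authorize before delegating to DroolsBatchExecutorProcessor.

```java
import java.util.*;

public class PluggableAuthzDemo {
    enum Vote { GRANT, DENY, ABSTAIN }

    // Hypothetical SPI: one implementation per security framework or rule engine.
    interface AuthorizationVoter {
        Vote vote(String user, Set<String> roles, String operation, long nowMillis);
    }

    // Role-based: operation -> roles allowed to call it (could be loaded from a property file).
    static class RoleVoter implements AuthorizationVoter {
        private final Map<String, Set<String>> rolesAllowed;
        RoleVoter(Map<String, Set<String>> rolesAllowed) { this.rolesAllowed = rolesAllowed; }
        public Vote vote(String user, Set<String> roles, String operation, long nowMillis) {
            Set<String> allowed = rolesAllowed.get(operation);
            if (allowed == null) return Vote.ABSTAIN;   // no opinion on operations it does not know
            return Collections.disjoint(allowed, roles) ? Vote.DENY : Vote.GRANT;
        }
    }

    // Rule-based: once a user has made more than maxCalls calls inside the window, deny the next one.
    static class RateVoter implements AuthorizationVoter {
        private final String guarded;
        private final int maxCalls;
        private final long windowMillis;
        private final Map<String, Deque<Long>> calls = new HashMap<>();
        RateVoter(String guarded, int maxCalls, long windowMillis) {
            this.guarded = guarded; this.maxCalls = maxCalls; this.windowMillis = windowMillis;
        }
        public synchronized Vote vote(String user, Set<String> roles, String operation, long nowMillis) {
            if (!guarded.equals(operation)) return Vote.ABSTAIN;
            Deque<Long> seen = calls.computeIfAbsent(user, u -> new ArrayDeque<>());
            while (!seen.isEmpty() && nowMillis - seen.peekFirst() >= windowMillis) seen.pollFirst();
            if (seen.size() > maxCalls) return Vote.DENY;
            seen.addLast(nowMillis);                    // only permitted calls are counted
            return Vote.ABSTAIN;                        // a rate rule never grants access by itself
        }
    }

    // Any DENY wins, at least one GRANT is required, and all-ABSTAIN fails closed.
    static boolean authorize(List<AuthorizationVoter> voters, String user, Set<String> roles,
                             String operation, long nowMillis) {
        boolean granted = false;
        for (AuthorizationVoter voter : voters) {
            Vote vote = voter.vote(user, roles, operation, nowMillis);
            if (vote == Vote.DENY) return false;        // later voters are not consulted
            if (vote == Vote.GRANT) granted = true;
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed sample policy and users; operation and role names are taken from the post.
        List<AuthorizationVoter> voters = List.of(
            new RoleVoter(Map.of("insertFact", Set.of("admin"),
                                 "fireAllRules", Set.of("admin", "analysis"))),
            new RateVoter("fireAllRules", 5, 60_000));
        Set<String> analyst = Set.of("analysis");
        System.out.println("alice insertFact: " + authorize(voters, "alice", Set.of("admin"), "insertFact", 0));
        System.out.println("bob insertFact: " + authorize(voters, "bob", analyst, "insertFact", 0));
        for (int i = 1; i <= 7; i++)                    // one call per second inside the same minute
            System.out.println("bob fireAllRules #" + i + ": "
                + authorize(voters, "bob", analyst, "fireAllRules", i * 1000L));
        System.out.println("bob fireAllRules after the window: "
            + authorize(voters, "bob", analyst, "fireAllRules", 70_000));
    }
}
```

Placing the role voter first means a caller who fails the role check is rejected before the rate voter records anything, so unauthorized attempts cannot consume another user's call budget or grow the per-user history.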


Re: Camel security

Posted by jliu <je...@gmail.com>.


Claus Ibsen-2 wrote:
> 
> It's important that we do this in a manner so the security framework of
> choice can easily be plugged in, as many have different needs.
> And some are forced to use JAAS etc.
> 
> So it should NOT be a Spring Security that masters how we do this in Camel.
> 

+1.

 Ideally the Camel security will be pluggable, so that ppl can plug
different security implementations into Camel. For example, for Drools
project, I may want to use Picketlink (http://www.jboss.org/picketlink) as
the underlying authentication and authorization implementation. Other people
may prefer Spring security or their own implementations.

If we dig into technical details a little bit, I believe the authentication
part should be straightforward. As long as JAAS is used, different
authentication implementations can always be plugged in easily. The headache
part is the authorization. There is no standard we can use in this area, and
I am not sure how easy it is to write a framework that can plug in different
authorization implementations. For example, it may not be possible to write
an authorization framework that is flexible enough to switch its underlying
impl among Picketlink Authz (http://www.jboss.org/picketlink/AuthZ.html) and
the authorization part in Seam3 Security
(http://www.seamframework.org/Seam3/SecurityModuleOverview) and the
authorization part in Spring security. Most likely Camel will have to come
out with its own specific authorization implementation or just choose an
existing one. 

-- 
View this message in context: http://old.nabble.com/Camel-security-tp28106100p28116119.html


Re: Camel security

Posted by Richard Kettelerij <ri...@gmail.com>.
@maximilien, as far as I know there is currently no support available or
underway for JBoss Picketlink. But we welcome contributions at Apache
(http://camel.apache.org/contributing.html).

--
View this message in context: http://camel.465427.n5.nabble.com/Camel-security-tp479006p4314230.html

Re: Camel security

Posted by Willem Jiang <wi...@gmail.com>.
Claus Ibsen wrote:
> On Thu, Apr 1, 2010 at 4:20 PM, Willem Jiang <wi...@gmail.com> wrote:
>> Hi Jervis
>>
>> I'm planning to work on Spring security and Camel integration[1] in the
>> coming few weeks.
>> If everything goes well, I think you can try out the basic security
>> implementation with Role based authorization then we can try to integrate
>> the Drools part.
>>
>> [1] https://issues.apache.org/activemq/browse/CAMEL-2579
>>
> 
> Willem please hold with making major changes into the 2.3 codebase.
> We have the features we need for 2.3 and want to use the next 2-3
> weeks to get the last pieces done so we can get a 2.3 release out the
> door.
> 
> And I believe we need to discuss and design the security framework to
> be added into Camel in the public.
> I think you can start with creating a wiki page at the developer
> section at Camel wiki and then we can all take a look and help design
> it.

Sure, I will work on the design document first.

> 
> It's important that we do this in a manner so the security framework of
> choice can easily be plugged in, as many have different needs.
> And some are forced to use JAAS etc.
> 
> So it should NOT be a Spring Security that masters how we do this in Camel.
> 


Re: Camel security

Posted by Claus Ibsen <cl...@gmail.com>.
On Thu, Apr 1, 2010 at 4:20 PM, Willem Jiang <wi...@gmail.com> wrote:
> Hi Jervis
>
> I'm planning to work on Spring security and Camel integration[1] in the
> coming few weeks.
> If everything goes well, I think you can try out the basic security
> implementation with Role based authorization then we can try to integrate
> the Drools part.
>
> [1] https://issues.apache.org/activemq/browse/CAMEL-2579
>

Willem please hold with making major changes into the 2.3 codebase.
We have the features we need for 2.3 and want to use the next 2-3
weeks to get the last pieces done so we can get a 2.3 release out the
door.

And I believe we need to discuss and design the security framework to
be added into Camel in the public.
I think you can start with creating a wiki page at the developer
section at Camel wiki and then we can all take a look and help design
it.

It's important that we do this in a manner so the security framework of
choice can easily be plugged in, as many have different needs.
And some are forced to use JAAS etc.

So it should NOT be a Spring Security that masters how we do this in Camel.





-- 
Claus Ibsen
Apache Camel Committer

Author of Camel in Action: http://www.manning.com/ibsen/
Open Source Integration: http://fusesource.com
Blog: http://davsclaus.blogspot.com/
Twitter: http://twitter.com/davsclaus

Re: Camel security

Posted by Willem Jiang <wi...@gmail.com>.
Hi Jervis

I'm planning to work on Spring security and Camel integration[1] in the
coming few weeks.
If everything goes well, I think you can try out the basic security
implementation with Role based authorization then we can try to
integrate the Drools part.

[1] https://issues.apache.org/activemq/browse/CAMEL-2579

Willem



Re: Camel security

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Sounds great with Drools integration with Camel.

No, there is not a general security module in Camel.
It's something that we will work on and provide in the future.
At the present time it's not on the roadmap short term.

Each individual Camel component often has its own security settings
which you leverage, such as Jetty etc.






-- 
Claus Ibsen
Apache Camel Committer

Author of Camel in Action: http://www.manning.com/ibsen/
Open Source Integration: http://fusesource.com
Blog: http://davsclaus.blogspot.com/
Twitter: http://twitter.com/davsclaus