Posted to users@camel.apache.org by mgiammarco <mg...@gmail.com> on 2012/02/28 13:03:17 UTC

How can Shiro be used with camel to limit access to a route?

Hello,
I have read the Shiro documentation and the Camel docs several times, but I do
not understand a thing.

The problem I have seems simple: I need a message to be processed by a
component if the authenticated user is in a specified group.

So I set up Shiro and I use .policy() in my DSL, but what do I put in the Shiro
configuration to do the thing above?

Thanks,
Mario

--
View this message in context: http://camel.465427.n5.nabble.com/How-can-Shiro-be-used-with-camel-to-limit-access-to-a-route-tp5521623p5521623.html
Sent from the Camel - Users mailing list archive at Nabble.com.

Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

Shiro is applied as a route policy on a camel route. The Producer/Consumer
then has to send an encrypted Shiro token as a Camel header in the Exchange.
This token is then decrypted and the route auth/authz policy applied based
on the token.

http://camel.apache.org/shiro-security.html

Please check out the following links containing jUnit Tests for Camel based
authentication/authorization. This should help you figure out how to use the
camel-shiro component.

https://svn.apache.org/viewvc/camel/trunk/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthenticationTest.java?view=log
https://svn.apache.org/viewvc/camel/trunk/components/camel-shiro/src/test/java/org/apache/camel/component/shiro/security/ShiroAuthorizationTest.java?revision=1222296&view=markup

Cheers,

Ashwin...

-----
---------------------------------------------------------
Ashwin Karpe
Apache Camel Committer & Sr Principal Consultant
FUSESource (a Progress Software Corporation subsidiary)
http://fusesource.com 

Blog: http://opensourceknowledge.blogspot.com 
---------------------------------------------------------

Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
I have sent a message to the activemq server with shiro token header using
the stomp protocol and the header is correctly present in the camel routing
of my server. 


Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
Hi,
I have already looked at shirosecurityinjector source code to find the name
of the header it adds to the message. Here it is:

    public ByteSource encrypt() throws Exception {
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        ObjectOutput serialStream = new ObjectOutputStream(stream);
        serialStream.writeObject(securityToken);
        ByteSource byteSource = cipherService.encrypt(stream.toByteArray(), passPhrase);
        serialStream.close();
        stream.close();

        return byteSource;
    }

In effect it returns a "ByteSource" and not a String, but if I log the
message the token is clearly a String, probably because ByteSource
toString() is called.
Anyway, I will do some other tests and then file a bug.

Thanks,
Mario


Re: How can Shiro be used with camel to limit access to a route?

Posted by Claus Ibsen <cl...@gmail.com>.
You can use your own messageConverter with the camel-jms component and
do all the to/from JMS yourself. This is of course too much work.
But that gives you full power.

You can use interceptors to match when sending to jms, where you can
then transform the header to a valid JMS type.
And then have a type converter on the other side to go from
base64/String -> ByteSource
http://camel.apache.org/intercept



On Mon, May 6, 2013 at 7:49 AM, jethwani.bipin@gmail.com
<je...@gmail.com> wrote:
> Thank you for the reply.
> Is there a way to make the type converter work for camel header?
> Currently, I have a camel processor to reset the base64 shiro token to
> ByteSource, on the side where authentication has to be done
>
>
>



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
FuseSource is now part of Red Hat
Email: cibsen@redhat.com
Web: http://fusesource.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen

Re: How can Shiro be used with camel to limit access to a route?

Posted by "jethwani.bipin@gmail.com" <je...@gmail.com>.
Does it make sense to have alwaysReauthenticate set from the shiro.ini [main]
block?
Looking at the ShiroSecurityPolicy.java code, I believe it won't pick up that
setting from the ini file for now.




Re: How can Shiro be used with camel to limit access to a route?

Posted by "jethwani.bipin@gmail.com" <je...@gmail.com>.
Thank you for the reply.
Is there a way to make the type converter work for camel header?
Currently, I have a camel processor to reset the base64 shiro token to
ByteSource, on the side where authentication has to be done




Re: How can Shiro be used with camel to limit access to a route?

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Yeah we could add a new option to camel-shiro to use base64 as a
String type for the token. Then that header is safely transferable
over JMS.

ByteSource has a toBase64 method, as well as a method to create a
ByteSource from a String. So that should be fairly easy to do.
org.apache.shiro.util.ByteSource#toBase64
org.apache.shiro.util.ByteSource.Util#bytes

Feel free to log a JIRA ticket; contributions are always welcome
http://camel.apache.org/contributing.html

On Sun, May 5, 2013 at 1:31 PM, jethwani.bipin@gmail.com
<je...@gmail.com> wrote:
> I doubt if type converter works for camel header.
> Has this camel shiro issue been resolved? It shouldn't actually be
> ByteSource object??
> Let me know, I am kind of stuck with this.
>
>
>




Re: How can Shiro be used with camel to limit access to a route?

Posted by "jethwani.bipin@gmail.com" <je...@gmail.com>.
I doubt if type converter works for camel header.
Has this camel shiro issue been resolved? It shouldn't actually be
ByteSource object??
Let me know, I am kind of stuck with this.




Re: How can Shiro be used with camel to limit access to a route?

Posted by Claus Ibsen <cl...@gmail.com>.
On Fri, Apr 6, 2012 at 10:36 AM, mgiammarco <mg...@gmail.com> wrote:
> 2012/4/6, Claus Ibsen-2 [via Camel] <ml...@n5.nabble.com>:
>>
>>
>> On Thu, Apr 5, 2012 at 8:54 PM, mgiammarco <mg...@gmail.com> wrote:
>>> Ok I have found the bug:
>>>
>>> ShiroSecurityTokenInjector creates a bytearray and puts it in the message
>>> header.
>>>
>>> The bytearray does not pass through openwire...
>>>
>>
>> Ah crap, yeah the JMS spec has limitations on what can be transferred over
>> JMS in JMS properties.
>> We have some notes about this at the Camel JMS wiki page
>> http://camel.apache.org/jms
>>
>> I wonder if we can always safely convert the shiro token as a String
>> representation instead of byte[]?
>> A string is always supported.
>>
>> I don't assume we need to base encode the byte array or something? The
>> token may already be representable out of the box in a String.
>>
>> Maybe you could check a bit on Shiro and see about this about the
>> token? And if possible we could maybe adjust the code in camel-shiro.
>
> Ok, I was optimistic about toString().
>
> To make all things work I do this:
> from ByteSource get byte[]
> encode the token to base64 (using apache commons codec)
> send it to jms
> decode from base64
> new ByteSource( byte[] decoded)
> put it in the shiro token header
> Then all works.
>

Cool. Do you do request/reply over JMS or something?

I noticed there is a toBase64() method on org.apache.shiro.util.ByteSource
so you may have this out of the box.

So it could be a matter of having type converter from String ->
org.apache.shiro.util.ByteSource
and the reverse converter.



> Mario
>
>



-- 
Claus Ibsen
-----------------
CamelOne 2012 Conference, May 15-16, 2012: http://camelone.com
FuseSource
Email: cibsen@fusesource.com
Web: http://fusesource.com
Twitter: davsclaus, fusenews
Blog: http://davsclaus.blogspot.com/
Author of Camel in Action: http://www.manning.com/ibsen/

Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
2012/4/6, Claus Ibsen-2 [via Camel] <ml...@n5.nabble.com>:
>
>
> On Thu, Apr 5, 2012 at 8:54 PM, mgiammarco <mg...@gmail.com> wrote:
>> Ok I have found the bug:
>>
>> ShiroSecurityTokenInjector creates a bytearray and puts it in the message
>> header.
>>
>> The bytearray does not pass through openwire...
>>
>
> Ah crap, yeah the JMS spec has limitations on what can be transferred over
> JMS in JMS properties.
> We have some notes about this at the Camel JMS wiki page
> http://camel.apache.org/jms
>
> I wonder if we can always safely convert the shiro token as a String
> representation instead of byte[]?
> A string is always supported.
>
> I don't assume we need to base encode the byte array or something? The
> token may already be representable out of the box in a String.
>
> Maybe you could check a bit on Shiro and see about this about the
> token? And if possible we could maybe adjust the code in camel-shiro.

Ok, I was optimistic about toString().

To make all things work I do this:
from ByteSource get byte[]
encode the token to base64 (using apache commons codec)
send it to jms
decode from base64
new ByteSource( byte[] decoded)
put it in the shiro token header
Then all works.

Mario
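
Mario's workaround above, written as a pair of Camel processors that use the Shiro helpers Claus names elsewhere in the thread (ByteSource#toBase64 and ByteSource.Util#bytes). This is an added example, not code from the thread or from camel-shiro; the class name and endpoint URIs are assumptions, and the header name is the one seen in the thread's logs.

```java
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.spi.Policy;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.util.ByteSource;

public class ShiroTokenOverJmsRoutes extends RouteBuilder {
    // Header name as it appears in the logs quoted in this thread.
    static final String TOKEN_HEADER = "SHIRO_SECURITY_TOKEN";

    // The route policy to enforce, e.g. a configured ShiroSecurityPolicy.
    private final Policy shiroPolicy;

    public ShiroTokenOverJmsRoutes(Policy shiroPolicy) {
        this.shiroPolicy = shiroPolicy;
    }

    /**
     * Sender side: JMS drops header values of unsupported types, so replace the
     * ByteSource with its base64 String form. Base64 is only a transport
     * encoding; the token stays encrypted with the shared pass phrase.
     */
    static final Processor TO_JMS_SAFE = new Processor() {
        @Override
        public void process(Exchange exchange) {
            Object token = exchange.getIn().getHeader(TOKEN_HEADER);
            if (token instanceof ByteSource) {
                exchange.getIn().setHeader(TOKEN_HEADER, ((ByteSource) token).toBase64());
            }
        }
    };

    /** Receiver side: rebuild the ByteSource before the policy looks at the header. */
    static final Processor FROM_JMS_SAFE = new Processor() {
        @Override
        public void process(Exchange exchange) {
            Object token = exchange.getIn().getHeader(TOKEN_HEADER);
            if (token instanceof String) {
                byte[] encrypted = Base64.decode((String) token);
                exchange.getIn().setHeader(TOKEN_HEADER, ByteSource.Util.bytes(encrypted));
            }
        }
    };

    @Override
    public void configure() {
        // Client side (hypothetical endpoints): the token has already been
        // injected upstream, e.g. by ShiroSecurityTokenInjector.
        from("direct:client")
            .process(TO_JMS_SAFE)
            .to("activemq:queue:secured");

        // Server side: decode first, then let the policy wrap the rest of the route.
        from("activemq:queue:secured")
            .process(FROM_JMS_SAFE)
            .policy(shiroPolicy)
            .to("direct:securedService");
    }
}
```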



Re: How can Shiro be used with camel to limit access to a route?

Posted by Claus Ibsen <cl...@gmail.com>.
On Thu, Apr 5, 2012 at 8:54 PM, mgiammarco <mg...@gmail.com> wrote:
> Ok I have found the bug:
>
> ShiroSecurityTokenInjector creates a bytearray and puts it in the message
> header.
>
> The bytearray does not pass through openwire...
>

Ah crap, yeah the JMS spec has limitations on what can be transferred over
JMS in JMS properties.
We have some notes about this at the Camel JMS wiki page
http://camel.apache.org/jms

I wonder if we can always safely convert the shiro token as a String
representation instead of byte[]?
A string is always supported.

I don't assume we need to base encode the byte array or something? The
token may already be representable out of the box in a String.

Maybe you could check a bit on Shiro and see about this about the
token? And if possible we could maybe adjust the code in camel-shiro.

> But the bytearray content is a string text with only ascii chars! So I
> manually put it as a header of string type.
>




Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
Ok I have found the bug:

ShiroSecurityTokenInjector creates a bytearray and puts it in the message
header.

The bytearray does not pass through openwire...

But the bytearray content is a string text with only ascii chars! So I
manually put it as a header of string type.


Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

I think I know what is happening here. 
I found the following information associated with the JMS component at the
following link
http://camel.apache.org/jms.html

In the section "Message format when sending" it states the following

    For the exchange.in.header, the following rules apply for the header values:
      - The values must be primitives or their counter objects (such as
        Integer, Long, Character).
        The types String, CharSequence, Date, BigDecimal and BigInteger are
        all converted to their toString() representation. All other types
        are dropped.

I believe this is why the token is possibly being dropped. I will look at
the code more closely and see if this is a Camel thing or JMS spec related.
In any case, I would encourage you to log a bug/enhancement request. I will
investigate whether the token can be flattened or type-converted to make it
easier to propagate over ActiveMQ. 

Cheers,

Ashwin...
 


Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

Yikes, that is indeed an issue if the token is not propagated via ActiveMQ.
I believe Camel headers should be propagated to custom JMS headers and
picked up on the other end by a Camel Route and preserved.

If this is not happening, this is definitely a bug. The bug could be
somewhere between the Shiro and JMS component... Can you please go ahead and
log an Apache JIRA ticket for the same at the following link
https://issues.apache.org/jira/secure/Dashboard.jspa

I will also try this out at my end in the next day or two and see what is
going on...

Hope this helps.

Cheers,

Ashwin...




Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
I add another problem, probably more serious.

In my client I insert a shiro security token with process(). I can see in
the log of the headers of the message: SHIRO_SECURITY_TOKEN and the string
with username and password encoded.

Unfortunately when I send it via activemq to the server/broker I log it and
the header with SHIRO_SECURITY_TOKEN has disappeared.

Can you help me?

Thanks,

Mario


Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
Thanks, but I see I cannot explain myself. The example you show is also shown
on the Camel Apache web site.

I cannot understand the syntax of that file, especially:

- can the "role" be linked to an ldap/ad group?
- when I am ringo in sec-level1 what does it mean that I can access "zone1"
readonly? How can it be related to a camel route? I simply need that a message of
ringo user with role foo can travel on route x and cannot travel on route y.

I am really not able to do it. Really.

I thank you again for your help and interest.


Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

Here it is...

https://svn.apache.org/viewvc/camel/trunk/components/camel-shiro/src/test/resources/securityconfig.ini?view=markup

Cheers,

Ashwin...


Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
Can you please show me the shiro.ini config of your example because it is the
most difficult thing to understand for me.


Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

You do not need 5 ShiroConfiguration.ini files. You use a single file to
keep the 5 different authorization policies tied to a given authentication
principal. The policy is simply an enforcement point for information using
rules in the config file.

By applying different policy sets on different route segments, I mean the
following

        from("seda:a")
            .choice()
                .when(header("foo").isEqualTo("bar"))
                    .policy(MyTimeSensitivePolicy)
                    .to("seda:b")
                .when(header("foo").isEqualTo("cheese"))
                    .policy(MyCostSensitivePolicy)
                    .to("seda:c")
                .otherwise()
                    .policy(MyDistancePolicy)
                    .to("seda:d");

Each of the Policy sets simply reflects a potentially different set of rules
and may share a single config file. 

Cheers,

Ashwin...

PS: Shiro rocks!!!...
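
One ini file shared by several route policies, applied to the "user with role foo may travel route x but not route y" requirement raised elsewhere in this thread. This is an added example, not code from the thread or from the camel-shiro test suite; the ini contents, class name and endpoint URIs are assumptions, and the four-argument ShiroSecurityPolicy constructor is the one documented for camel-shiro.

```java
import java.util.Collections;
import java.util.List;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.shiro.security.ShiroSecurityPolicy;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/*
 * Assumed contents of classpath:shiro.ini (constructed sample):
 *
 *   [users]
 *   # username = password, role
 *   ringo  = starr,    sec-level1
 *   george = harrison, sec-level2
 *
 *   [roles]
 *   # role = permissions granted to that role
 *   sec-level1 = zone1:readonly:*
 *   sec-level2 = zone1:*
 */
public class PerRoutePermissionRoutes extends RouteBuilder {
    // Must be the same pass phrase the client used to encrypt its token.
    private final byte[] passPhrase;

    public PerRoutePermissionRoutes(byte[] passPhrase) {
        this.passPhrase = passPhrase.clone();
    }

    /** One policy object per route, all reading the same ini file. */
    private ShiroSecurityPolicy requiring(String permission) {
        List<Permission> required =
            Collections.<Permission>singletonList(new WildcardPermission(permission));
        // true = re-authenticate on every exchange instead of reusing a session
        return new ShiroSecurityPolicy("classpath:shiro.ini", passPhrase, true, required);
    }

    @Override
    public void configure() {
        // Route x: sec-level1 (ringo) and sec-level2 (george) both hold a
        // permission that implies zone1:readonly:*, so both are admitted.
        from("direct:x")
            .policy(requiring("zone1:readonly:*"))
            .to("mock:x");

        // Route y: only zone1:* (george) implies zone1:readwrite:*;
        // ringo's zone1:readonly:* does not, so his exchange is refused.
        from("direct:y")
            .policy(requiring("zone1:readwrite:*"))
            .to("mock:y");
    }
}
```

The role names in the ini file never appear in the route; the link between a role and a route is the permission string the role grants and the policy requires.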


Re: How can Shiro be used with camel to limit access to a route?

Posted by mgiammarco <mg...@gmail.com>.
First, thanks for your replies. In fact I have read the documentation, but now
I go deeper in detail to see if I understand well.

Imagine that I have five destinations where I send my message with
multicast().

Now before each destination I put a policy(). But I have five authorization
groups (one for each destination). If a principal is in group X, it can access
destination X.
So do I have to build five different shiroconfiguration.ini files and five
different policy objects to put in the five policy() DSL commands?

It seems not practical to me, but perhaps I am wrong.


Re: How can Shiro be used with camel to limit access to a route?

Posted by Ashwin Karpe <ak...@fusesource.com>.
Hi,

As a quick follow-up to my earlier post, this is how the Shiro component
works (Check out the tests in ShiroAuthorizationTest.java).

In Camel Route
-----------------
     from(XXX)
        .policy(MyAuthZPolicy)
        .to(YYY)

Note MyAuthZPolicy reads the ShiroConfiguration.ini file to figure out the
auth/authz rules to apply when messages/exchanges are received.

In Client sending an exchange to Camel Route Consumer XXX
---------------------------------------------------------------------

a> First, Create a ShiroSecurityToken...
b> Inject the token into an Exchange along with the message being sent to
the endpoint. This token is matched against the configuration to figure out
authentication and authorization to access the route or route segments. Note
that you can have multiple policies on different route segments (in case of
choices in DSL) and the permission sets & token sent dictate the messages
continuing forward on a route segment.
c> Send the token to the consumer.

In any case, the unit tests attached in the link above should help greatly
in figuring out how to use the Shiro component and any lingering questions
you have.

In any case, if you run into questions/issues, please post a follow-on
question.

Cheers,

Ashwin...


