Posted to user@karaf.apache.org by Sigmund Lee <wu...@gmail.com> on 2016/08/01 06:08:57 UTC

Re: Access control of OSGi Web app?

Hi all,

Thanks for the advice and solutions you guys provided.

Seems like they are all proper ways to protect server-side services. But as
I said, we are a website; what I need is a solution that can integrate
frontend & backend together and provide page-level access control. Basically
two steps are involved:

1. An externalized access control system to protect access to exposed
services (for example, RESTful services, web URLs, etc.).
2. After access is permitted, return the corresponding response page to the
client (aka the browser), and every button or link on this response page can
be displayed or hidden based on the permissions of the current user.

Basically, what I need is a solution that not only frees backend engineers from
hard-coded authz code, but also frees frontend engineers from hard-coding.

Thanks again!

Bests.
--
Sig



On Fri, Jul 29, 2016 at 10:02 PM, Achim Nierbeck <bc...@googlemail.com>
wrote:

> yes, as filters without servlets can't be served. They don't have a URI
> binding.
>
> regards, Achim
>
> 2016-07-29 15:33 GMT+02:00 Nick Baker <nb...@pentaho.com>:
>
>> Hey Achim,
>>
>> Thanks for this example. We’re looking at URL security as part of our
>> ongoing OSGi migration as well. We’re using Spring Security in the legacy
>> non-OSGi space. So this is a timely conversation for us ☺
>>
>> Quick question: are we still working with the limitation that Filters are
>> only invoked if a Servlet or Resource would already serve the URL?
>>
>> -Nick
>>
>> From: Achim Nierbeck <bc...@googlemail.com>
>> Reply-To: "user@karaf.apache.org" <us...@karaf.apache.org>
>> Date: Friday, July 29, 2016 at 8:54 AM
>> To: "user@karaf.apache.org" <us...@karaf.apache.org>
>> Subject: Re: Access control of OSGi Web app?
>>
>> Hi Sigmund,
>>
>> sorry for being late to the party ... if those solutions above don't work
>> for you, you still have the possibility to create a customized filter which
>> you can re-use with your own applications.
>>
>> For this you can either go the "classical" way of using web-fragments, or
>> you can share the httpContext between your OSGi bundles. For this you need
>> to declare your httpContext to be sharable, and after that you just need to
>> attach your filter bundle to that sharable httpContext.
>>
>> Take a look at the following sample, or better the integration test, of Pax
>> Web [1].
>>
>> regards, Achim
>>
>> [1] -
>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-itest/pax-web-itest-container/pax-web-itest-container-jetty/src/test/java/org/ops4j/pax/web/itest/jetty/CrossServiceIntegrationTest.java#L59-L95
>>
>> 2016-07-26 16:05 GMT+02:00 Christian Schneider <ch...@die-schneider.net>:
>>
>> In Karaf, authentication is based on JAAS. Using login modules you can
>> define what source to authenticate against.
>> The Karaf web console is protected by this by default. It is also
>> possible to enable JAAS-based authentication for CXF, e.g. for your REST
>> services.
>> There is also role-based and group-based authentication out of the box.
>>
>> There is no attribute-based access control available, but you can create
>> this based on the JAAS authentication.
>>
>> This code can give you an idea of how to get the subject and the
>> principals from JAAS in Karaf:
>> https://github.com/apache/aries/blob/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java#L69-L81
>>
>> You could create your own annotations or OSGi service to handle the
>> attribute-based authorization based on the authentication information.
>>
>> Christian
>>
>>
>>
>> On 26.07.2016 08:29, Sigmund Lee wrote:
>>
>> We are a website, using OSGi as our microservices implementation. Every
>> feature of our site is a standalone OSGi-based webapp, split into
>> several OSGi bundles (api, impl, webapp, rest, etc.).
>>
>> But there are functions that are coupled with more than one bundle, for
>> example Access Control & Authorization. Currently our authorization code is
>> hard-coded everywhere and is so hard to maintain.
>>
>> My question is, what's the proper way to handle access control when
>> using OSGi? Is there any OSGi-compatible ABAC (attribute-based access
>> control; our authorization model needs to be calculated based on attributes
>> of the resource and context/environment) framework?
>>
>> Thanks.
>>
>> --
>> Sig
>>
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Open Source Architect
>> http://www.talend.com
>>
>> --
>> Apache Member
>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer
>> & Project Lead
>> blog <http://notizblog.nierbeck.de/>
>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>>
>> Software Architect / Project Manager / Scrum Master
>>
>
> --
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>
> Software Architect / Project Manager / Scrum Master
>

Re: Access control of OSGi Web app?

Posted by Tim Ward <ti...@paremus.com>.
This sounds a lot like what you can do with the security services from enRoute. You can query for the user's full permission set so that parts of the UI can be disabled - obviously this is not a replacement for actually checking when the APIs are called!

Tim

Sent from my iPhone

> On 1 Aug 2016, at 07:08, Sigmund Lee <wu...@gmail.com> wrote:
> 
> Hi all,
> 
> Thanks for the advice and solutions you guys provided.
> 
> Seems like they are all proper ways to protect server-side services. But as I said, we are a website; what I need is a solution that can integrate frontend & backend together and provide page-level access control. Basically two steps are involved:
> 
> 1. An externalized access control system to protect access to exposed services (for example, RESTful services, web URLs, etc.).
> 2. After access is permitted, return the corresponding response page to the client (aka the browser), and every button or link on this response page can be displayed or hidden based on the permissions of the current user.
> 
> Basically, what I need is a solution that not only frees backend engineers from hard-coded authz code, but also frees frontend engineers from hard-coding.
> 
> Thanks again!
> 
> Bests.
> --
> Sig 

Re: Access control of OSGi Web app?

Posted by Christian Lutz <Ch...@kreeloo.de>.
Hello,

Three months ago, we started to use Keycloak for this purpose. In the first step we are using it only for authentication, but in the second step we will also use it with all the roles etc.

Christian

> On 01.08.2016 at 17:58, Nick Baker <nb...@pentaho.com> wrote:
> 
> Is Shiro even active at this point?
>  
> We do some of what you’re looking for, but it’s all custom code. We have the concept of logical permissions which can be bound to Users and/or Groups. Our UI queries for these and uses the information to remove/disable UI elements. As was mentioned though, you need to be doing the same checks on the server-side or you’re going to get hacked.
>  
> -Nick
>  
> From: Jason Pratt <jp...@gmail.com>
> Reply-To: "user@karaf.apache.org" <us...@karaf.apache.org>
> Date: Monday, August 1, 2016 at 11:05 AM
> To: "user@karaf.apache.org" <us...@karaf.apache.org>
> Subject: Re: Access control of OSGi Web app?
>  
> Take a look at Shiro and JWT. You should be able to string something together from that.
>  

Re: Access control of OSGi Web app?

Posted by Nick Baker <nb...@pentaho.com>.
Is Shiro even active at this point?

We do some of what you’re looking for, but it’s all custom code. We have the concept of logical permissions which can be bound to Users and/or Groups. Our UI queries for these and uses the information to remove/disable UI elements. As was mentioned though, you need to be doing the same checks on the server-side or you’re going to get hacked.

-Nick

From: Jason Pratt <jp...@gmail.com>
Reply-To: "user@karaf.apache.org" <us...@karaf.apache.org>
Date: Monday, August 1, 2016 at 11:05 AM
To: "user@karaf.apache.org" <us...@karaf.apache.org>
Subject: Re: Access control of OSGi Web app?

Take a look at Shiro and JWT. You should be able to string something together from that.


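The pattern the replies converge on, as an added example that is not code from this thread or from Karaf, Pax Web or Aries: a single ABAC decision point, evaluated from the JAAS Subject's principals, that a servlet Filter on the shared HttpContext enforces with a 403 and that the UI queries for the user's permission set to show or hide buttons. The class names, rule format, sample roles and environment keys are assumptions, as is Servlet API 4.0 and a login step that runs the request under Subject.doAs(...).

```java
// Added example, not code from this thread or from Karaf, Pax Web or Aries: one
// authorization decision point that (1) a servlet Filter enforces before any servlet
// runs and (2) the UI queries for the user's permission set to show or hide buttons.
// Class names, rule shape, sample roles and environment keys are assumptions.
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.util.*;
import java.util.function.BiPredicate;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class AbacAuthz {
    /** Subject attributes (roles), the requested resource and action, environment attributes. */
    public record Request(Set<String> roles, String resource, String action, Map<String, String> env) {}

    /** One ABAC rule: matches a resource prefix and action, decides from roles and environment. */
    public record Rule(String resourcePrefix, String action,
                       BiPredicate<Set<String>, Map<String, String>> allow) {}

    private final List<Rule> rules;
    public AbacAuthz(List<Rule> rules) { this.rules = List.copyOf(rules); }

    /** Default deny: permitted only if at least one matching rule evaluates to true. */
    public boolean isPermitted(Request r) {
        return rules.stream()
                .filter(rule -> r.resource().startsWith(rule.resourcePrefix())
                             && rule.action().equals(r.action()))
                .anyMatch(rule -> rule.allow().test(r.roles(), r.env()));
    }

    /** Permission set for the UI ("action:resourcePrefix"). Derived from the very rules the
     *  filter enforces, so a hidden button and a 403 can never disagree. */
    public Set<String> permissionsFor(Set<String> roles, Map<String, String> env) {
        Set<String> granted = new TreeSet<>();
        for (Rule rule : rules) {
            if (isPermitted(new Request(roles, rule.resourcePrefix(), rule.action(), env))) {
                granted.add(rule.action() + ":" + rule.resourcePrefix());
            }
        }
        return granted;
    }

    /** Role names from the JAAS Subject's principals. Karaf represents roles as RolePrincipal;
     *  restricting to that type instead of taking every principal is left to the deployment. */
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<>();
        if (subject != null) for (Principal p : subject.getPrincipals()) roles.add(p.getName());
        return roles;
    }

    /** Owner check used by the sample write rule: an anonymous user never matches an owner. */
    static boolean ownerMatches(Map<String, String> env) {
        String user = env.get("user");
        return user != null && !user.isEmpty() && user.equals(env.get("owner"));
    }

    /** Constructed sample policy: viewers and admins read reports; admins or the owner write. */
    public static AbacAuthz samplePolicy() {
        return new AbacAuthz(List.of(
            new Rule("/api/reports", "read", (roles, env) -> roles.contains("viewer") || roles.contains("admin")),
            new Rule("/api/reports", "write", (roles, env) -> roles.contains("admin") || ownerMatches(env))));
    }

    /** Filter attached to the shared HttpContext. Assumes the login step wrapped the request in
     *  Subject.doAs(...) so the Subject is on the AccessControlContext, and Servlet API 4.0
     *  (default init/destroy). As Achim notes, a filter only runs for URLs that a servlet or
     *  resource is registered to serve, so unmapped URLs get no protection from it. */
    public static final class EnforcingFilter implements Filter {
        private final AbacAuthz authz;
        public EnforcingFilter(AbacAuthz authz) { this.authz = authz; }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            Subject subject = Subject.getSubject(AccessController.getContext());
            String user = http.getRemoteUser() == null ? "" : http.getRemoteUser();
            // Resource attributes such as "owner" would be looked up here; omitted in this sample.
            Map<String, String> env = Map.of("user", user, "method", http.getMethod());
            String action = "GET".equals(http.getMethod()) ? "read" : "write";
            if (!authz.isPermitted(new Request(rolesOf(subject), http.getRequestURI(), action, env))) {
                // The UI may already have hidden the button; the server decides regardless.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

With samplePolicy(), a user holding only "viewer" on a report owned by someone else gets the permission set [read:/api/reports], and a write to /api/reports/... from that user is refused by the filter with 403 even if the client never called permissionsFor.
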
Re: Access control of OSGi Web app?

Posted by Jason Pratt <jp...@gmail.com>.
Take a look at Shiro and JWT. You should be able to string something
together from that.

On Sun, Jul 31, 2016 at 11:08 PM, Sigmund Lee <wu...@gmail.com> wrote:

> Hi all,
>
> Thanks for the advice and solutions you guys provided.
>
> Seems like they are all proper ways to protect server-side services. But
> as I said, we are a website; what I need is a solution that can integrate
> frontend & backend together and provide page-level access control. Basically
> two steps are involved:
>
> 1. An externalized access control system to protect access to exposed
> services (for example, RESTful services, web URLs, etc.).
> 2. After access is permitted, return the corresponding response page to the
> client (aka the browser), and every button or link on this response page can
> be displayed or hidden based on the permissions of the current user.
>
> Basically, what I need is a solution that not only frees backend engineers
> from hard-coded authz code, but also frees frontend engineers from hard-coding.
>
> Thanks again!
>
> Bests.
> --
> Sig