Posted to user@karaf.apache.org by Cristiano Costantini <cr...@gmail.com> on 2017/05/02 08:27:08 UTC
Re: Simply Protect HTTP servlet
Hi all!
Yes! I've followed both pieces of advice and it works!
I've been able to turn basic authentication on simply and quickly by
dropping a web.xml into the jar of my wab.
I'm trying to find a satisfying project setup to deploy a Polymer web
application in Karaf, if I get good results I'll then share some hints.
Thank you again,
Cristiano
On Sat, 29 Apr 2017 at 09:39, Achim Nierbeck <bc...@googlemail.com>
wrote:
> Hi Cristiano,
>
> you could try with a servlet filter, though since you already have a
> Web-ContextPath you are actually already using the WAB approach.
> With Pax-Web the file-extension actually doesn't matter. So if you just
> add a web.xml to it you should be safe to use the default jaas mechanism
> provided by karaf and pax-web/jetty at that point.
>
> regards, Achim
>
>
> 2017-04-29 9:17 GMT+02:00 Cristiano Costantini <
> cristiano.costantini@gmail.com>:
>
>> Hello Jean-Baptiste and thank you for the reply!
>>
>> your approach would be great as I just need the quickest way to protect
>> the access with a username and password.
>>
>> The problem is that the application is not a WAR, it is just a bundle
>> with the <Web-ContextPath> that publishes HTML/Javascript/CSS resources
>> plus a Servlet registered via spring.xml with <osgi:service
>> interface="javax.servlet.http.HttpServlet" ref="myServlet"> so I don't have
>> a web.xml
>>
>> For the moment I will try to enable http basic auth for the urls by
>> changing the main karaf's jetty.xml file, this is ok to satisfy my short
>> term needs.
>>
>> If you have in mind any idea to enable security-constraint from within
>> the bundle (without touching the karaf's jetty.xml) when you don't have a
>> web.xml, I'll be glad to know it as I would prefer not to touch the
>> configuration of karaf.
>>
>> Thank you
>> Cristiano
>>
>>
>> On Sat, 29 Apr 2017 at 06:54, Jean-Baptiste Onofré <
>> jb@nanthrax.net> wrote:
>>
>>> Hi Cristiano,
>>>
>>> It depends if you want to leverage the authentication/authorization to
>>> access a pattern/url or if you want to use JAAS internally to your
>>> application with a subject.
>>>
>>> Basically, imagine you have your servlet where you defined the pattern to /foo
>>> (via the service properties if you use the http-whiteboard for instance).
>>>
>>> Then, you can define the security constraint in jetty.xml or in your
>>> configuration.
>>>
>>> If you package as a war, you can use a web.xml similar to:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>>                              http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>>>   <display-name>cristiano_application</display-name>
>>>   <welcome-file-list>
>>>     <welcome-file>index.jsp</welcome-file>
>>>   </welcome-file-list>
>>>   <security-constraint>
>>>     <display-name>authenticated</display-name>
>>>     <web-resource-collection>
>>>       <web-resource-name>All files</web-resource-name>
>>>       <description/>
>>>       <url-pattern>/*</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>       <description/>
>>>       <role-name>user</role-name>
>>>     </auth-constraint>
>>>   </security-constraint>
>>>   <login-config>
>>>     <auth-method>BASIC</auth-method>
>>>     <realm-name>karaf</realm-name>
>>>   </login-config>
>>>   <security-role>
>>>     <description/>
>>>     <role-name>user</role-name>
>>>   </security-role>
>>> </web-app>
>>>
>>> Then, the access to any servlet (/*) in your application will be secure using
>>> the karaf JAAS realm.
>>>
>>> Regards
>>> JB
>>>
>>> On 04/28/2017 12:58 PM, Cristiano Costantini wrote:
>>> > Hello All,
>>> >
>>> > How can I implement a Basic HTTP Authentication similar to the one used by Karaf
>>> > WebConsole (which I understand uses Jaas) to protect access to HTTP resources in
>>> > Karaf?
>>> >
>>> > thanks
>>> > Cristiano
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>>
>>
>
>
> --
>
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>
> Software Architect / Project Manager / Scrum Master
>
>
Re: Simply Protect HTTP servlet
Posted by cooshal <ku...@gmail.com>.
Hi:
I have similar concerns. I wanted to protect a particular endpoint. Here's
what I have done, so far:
// pom file
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.felix</groupId>
      <artifactId>maven-bundle-plugin</artifactId>
      <version>3.3.0</version>
      <inherited>true</inherited>
      <extensions>true</extensions>
      <configuration>
        <instructions>
          <Web-ContextPath>/management</Web-ContextPath>
          <Private-Package>*</Private-Package>
          <Include-Resource>src</Include-Resource>
          <_wab>src/main/webapp</_wab>
        </instructions>
      </configuration>
    </plugin>
  </plugins>
</build>
and, as per the suggestion from JB in a previous post on this thread, I added
the following in src/main/webapp/WEB-INF/web.xml. I am trying to protect
the http://localhost:8181/management/ endpoint.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <display-name>PRS-EAI Monitoring Console</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <display-name>authenticated</display-name>
    <web-resource-collection>
      <web-resource-name>management</web-resource-name>
      <description/>
      <url-pattern>/management/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>karaf</realm-name>
  </login-config>
  <security-role>
    <description/>
    <role-name>user</role-name>
  </security-role>
</web-app>
I checked a few examples from pax-web as well. Did I do something wrong?
Regards,
Cooshal.
--
Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html
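
Added example (not part of the thread, and not Karaf or Pax Web code): servlet `url-pattern` values in a `security-constraint` are matched against the request path after the context path has been removed, so a pattern that repeats the Web-ContextPath covers a different URL space than the one it appears to name. The script below resolves constraints from a web.xml against a context path and reports whether a client-visible path is covered; the function names are hypothetical and the embedded web.xml is a constructed, trimmed sample.

```python
import xml.etree.ElementTree as ET

NS = {"jee": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the security-constraint part of a web.xml like the one posted above.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management</web-resource-name>
      <url-pattern>/management/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def constrained_patterns(web_xml):
    """Return url-patterns of every security-constraint that has an auth-constraint."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    patterns = []
    for sc in root.findall("jee:security-constraint", NS):
        if sc.find("jee:auth-constraint", NS) is not None:
            patterns += [p.text.strip() for p in sc.findall(".//jee:url-pattern", NS)]
    return patterns


def pattern_matches(pattern, rel_path):
    """Servlet-style match of a context-relative path (default '/' mapping not modelled)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return rel_path == prefix or rel_path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return rel_path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == rel_path


def is_protected(context_path, patterns, request_path):
    """True if request_path (as seen by the client) falls under a constrained pattern."""
    if request_path != context_path and not request_path.startswith(context_path + "/"):
        return False  # request belongs to another web context
    rel_path = request_path[len(context_path):] or "/"
    return any(pattern_matches(p, rel_path) for p in patterns)


def redundant_context_prefix(context_path, patterns):
    """Patterns that repeat the context path, which is usually a mistake."""
    return [p for p in patterns if p == context_path or p.startswith(context_path + "/")]
```

Running the same check with the pattern `/*` from the earlier web.xml in this thread reports `/management/` as covered.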