Posted to dev@karaf.apache.org by Bernd <ec...@zusammenkunft.net> on 2021/05/19 09:31:17 UTC

JAAS in Karaf4/5

Hello,

I noticed that Karaf provides quite useful principals for Roles, Groups and
Client. But if I want to consume or create those principals in my own code,
I have to depend on the karaf-boot bundle.

I wonder:

a) would it make sense for Karaf5 to move the classes to a more focused API
jar. That would be helpful if I want to build a Microservice Servlet which
should also run in other containers or if I just don't want to depend on the
-boot bundle.

b) would it make sense to provide utilities (JAASContext.getClientIP() or
something)

c) would it make sense to add this to the logger so that it can add this
(subject/ip) to all log lines generated with active JAAS context.

d) if I have my own http listener, is there a filter I can use to establish
the JAAS login and especially also attach the http-client IP principal?

e) we are using Felix RSA/fastbin, I wonder if somebody has experience with
adding instance-level authentication to something like this (and to RMI)?

Regards
Bernd

Re: JAAS in Karaf4/5

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi



On Wed, 19 May 2021 at 11:31, Bernd <ec...@zusammenkunft.net> wrote:

> Hello,
>
> I noticed that Karaf provides quite useful principals for Roles, Groups and
> Client. But if I want to consume or create those principals in my own code,
> I have to depend on the karaf-boot bundle.
>
> I wonder:
>
> a) would it make sense for Karaf5 to move the classes to a more focused API
> jar. That would be helpful if I want to build a Microservice Servlet which
> should also run in other containers or if I just don't want to depend on the
> -boot bundle.
>

For karaf 5 I don't know but a reusable module makes sense to me.
TomEE got some but not being released independently makes it poorly
reusable/perceived.
Maybe a neutral home can help (subproject or incubator?).


>
> b) would it make sense to provide utilities (JAASContext.getClientIP() or
> something)
>
> c) would it make sense to add this to the logger so that it can add this
> (subject/ip) to all log lines generated with active JAAS context.
>

guess it is already supported with attributes or things like that in access
valve or alike (mdc for ex)


>
> d) if I have my own http listener, is there a filter I can use to establish
> the JAAS login and especially also attach the http-client IP principal?
>

attributes, subjects and friends should enable that, main trick is to
authenticate in the used context for the request to attach it to the right
context AFAIK - but you still use a single jaas context


>
> e) we are using Felix RSA/fastbin, I wonder if somebody has experience with
> adding instance-level authentication to something like this (and to RMI)?
>


f) do an optimized jaas context (a lot can be sped up in most cases ;)) in
a "home"


>
> Regards
> Bernd
>
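
Points b) to d) above, as an added example that is not part of the thread and is not Karaf code: a client-address principal is attached to the JAAS Subject, the call runs under that Subject, and a helper reads it back for a log prefix. `ClientIpPrincipal`, `UserPrincipal`, `getClientIp()` and `logPrefix()` are hypothetical names, and the user and address are constructed sample values.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class JaasClientIpExample {

    // Hypothetical stand-ins for container-provided principal classes, defined
    // here only so the example compiles without any Karaf dependency.
    record ClientIpPrincipal(String address) implements Principal {
        @Override public String getName() { return address; }
    }

    record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Hypothetical helper in the spirit of "JAASContext.getClientIP()":
    // returns the client address of the Subject bound to the current call, or null.
    static String getClientIp() {
        // Java 18+. On older JDKs the equivalent lookup is
        // Subject.getSubject(AccessController.getContext()).
        Subject s = Subject.current();
        if (s == null) return null;
        return s.getPrincipals(ClientIpPrincipal.class).stream()
                .map(Principal::getName).findFirst().orElse(null);
    }

    // Prefix a logger (or an MDC entry) could carry on every line of the request.
    static String logPrefix() {
        Subject s = Subject.current();
        if (s == null) return "[anonymous]";
        String user = s.getPrincipals(UserPrincipal.class).stream()
                .map(Principal::getName).findFirst().orElse("?");
        return "[user=" + user + " ip=" + getClientIp() + "]";
    }

    public static void main(String[] args) {
        // In a real filter the Subject comes from LoginContext.login(); it is
        // built by hand here. The address should be the socket peer address,
        // not a client-supplied header, unless a trusted proxy sets it.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));          // constructed
        subject.getPrincipals().add(new ClientIpPrincipal("192.0.2.10")); // constructed
        subject.setReadOnly(); // request code cannot swap principals afterwards

        // Java 18+; older JDKs use Subject.doAs(subject, action).
        System.out.println(Subject.callAs(subject, JaasClientIpExample::logPrefix));
        System.out.println(logPrefix()); // outside callAs no Subject is bound
    }
}
```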

Re: JAAS in Karaf4/5

Posted by Васил Зорев <va...@gmail.com>.
>
> BTW: let us know if we can help with the actual doing. I think Vasil is
> currently looking for opportunity for contributions :)


Sounds good for me :)

On Wed, 19.05.2021 at 13:32, Bernd <ec...@zusammenkunft.net> wrote:

> Hello,
>
> On Wed, 19 May 2021 at 11:38, Jean-Baptiste Onofre <
> jb@nanthrax.net> wrote:
>
> > Karaf5 service could be a nice location, but keep in mind that Karaf5
> > services are not OSGi services (the osgi application manager is itself a K5
> > service).
> >
>
> I guess for normal client code it doesn't matter what component establishes
> the context and who provides the implementation, but the packages for the
> principals should be available as a bundle (possibly system bundle?) and as
> a compile dependency. (Not so sure about the container SPI if I want to
> write a login handler or populate the session context in OSGi or pure
> Java)
>
>
> > Let me think about the roadmap/target.
> >
>
> I was a bit tied up lately, but you remember we had planned to have a call
> with you. Maybe specifically for Karaf5 it would be good to look into that
> again. The last time an app server used a different internal module system
> we moved away from it. I really hope the OSGi layer in K5 stays a first
> class citizen.
>
> BTW: let us know if we can help with the actual doing. I think Vasil is
> currently looking for opportunity for contributions :)
>
> Regards
> Bernd
> --
> www.seeburger.de
>
> >
> >
>

Re: JAAS in Karaf4/5

Posted by Bernd <ec...@zusammenkunft.net>.
Hello,

On Wed, 19 May 2021 at 11:38, Jean-Baptiste Onofre <
jb@nanthrax.net> wrote:

> Karaf5 service could be a nice location, but keep in mind that Karaf5
> services are not OSGi services (the osgi application manager is itself a K5
> service).
>

I guess for normal client code it doesn't matter what component establishes
the context and who provides the implementation, but the packages for the
principals should be available as a bundle (possibly system bundle?) and as
a compile dependency. (Not so sure about the container SPI if I want to
write a login handler or populate the session context in OSGi or pure Java)


> Let me think about the roadmap/target.
>

I was a bit tied up lately, but you remember we had planned to have a call
with you. Maybe specifically for Karaf5 it would be good to look into that
again. The last time an app server used a different internal module system
we moved away from it. I really hope the OSGi layer in K5 stays a first
class citizen.

BTW: let us know if we can help with the actual doing. I think Vasil is
currently looking for opportunity for contributions :)

Regards
Bernd
-- 
www.seeburger.de

>
>

Re: JAAS in Karaf4/5

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Bernd,

Thanks for your feedback and proposal.

Generally speaking I agree with the proposal.

Karaf5 service could be a nice location, but keep in mind that Karaf5 services are not OSGi services (the osgi application manager is itself a K5 service).

So, I think we can already prepare some stuff for Karaf 4.4/4.5.

Let me think about the roadmap/target.

Thanks again !
Regards
JB

> On 19 May 2021 at 11:31, Bernd <ec...@zusammenkunft.net> wrote:
> 
> Hello,
> 
> I noticed that Karaf provides quite useful principals for Roles, Groups and
> Client. But if I want to consume or create those principals in my own code,
> I have to depend on the karaf-boot bundle.
> 
> I wonder:
> 
> a) would it make sense for Karaf5 to move the classes to a more focused API
> jar. That would be helpful if I want to build a Microservice Servlet which
> should also run in other containers or if I just don't want to depend on the
> -boot bundle.
> 
> b) would it make sense to provide utilities (JAASContext.getClientIP() or
> something)
> 
> c) would it make sense to add this to the logger so that it can add this
> (subject/ip) to all log lines generated with active JAAS context.
> 
> d) if I have my own http listener, is there a filter I can use to establish
> the JAAS login and especially also attach the http-client IP principal?
> 
> e) we are using Felix RSA/fastbin, I wonder if somebody has experience with
> adding instance-level authentication to something like this (and to RMI)?
> 
> Regards
> Bernd