Posted to dev@felix.apache.org by "Valentin Valchev (JIRA)" <ji...@apache.org> on 2009/12/15 09:00:18 UTC

[jira] Commented: (FELIX-959) Use OSGi UserAdmin for access control

    [ https://issues.apache.org/jira/browse/FELIX-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790608#action_12790608 ] 

Valentin Valchev commented on FELIX-959:
----------------------------------------

The problem with using the OSGi User Admin is that OSGi doesn't define an authentication mechanism.

This can be solved to some extent with, let's say, an AuthenticatorPlugin, to which you pass the user name and the password. This plug-in will verify the credentials and will eventually return an Authorization object. An example implementation may look like:

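import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

public class DefaultAuthenticatorPlugin implements Plugin {
	// name of the credential that holds the hashed password
	final String PASS_CREDENTIAL = System.getProperty("org.apache.useradmin.pass.credential", "password");

	// User Admin service used to look up roles; how it is obtained is not shown
	private UserAdmin userAdmin;

	public Authorization authenticate(String userName, String pass) {
		Role role = userAdmin.getRole(userName);
		if (role instanceof User) {
			User user = (User) role;
			// compare the stored credential with the hash of the supplied password
			if (user.hasCredential(PASS_CREDENTIAL, sha1(pass))) {
				return userAdmin.getAuthorization(user);
			}
		}
		return null; // not authenticated
	}

	byte[] sha1(String pass) {
		// we don't want to save plain passwords
		try {
			// UTF-8 encoding is an assumption
			return MessageDigest.getInstance("SHA-1").digest(pass.getBytes(StandardCharsets.UTF_8));
		} catch (NoSuchAlgorithmException e) {
			throw new IllegalStateException(e); // SHA-1 is required on every Java platform
		}
	}

	public void setPassword(User user, String password) {
		// this method can be used later if "User Admin" plugin is added
		// to allow creation and editing of roles.
	}
}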


Unfortunately, the above solution works only for password authentication. OSGi, however, suggests that certificates can also be used. I currently have no idea for implementing such an authentication scheme, but I guess that it will work only for the HTTPS protocol. Still, the above mechanism should work.

> Use OSGi UserAdmin for access control
> -------------------------------------
>
>                 Key: FELIX-959
>                 URL: https://issues.apache.org/jira/browse/FELIX-959
>             Project: Felix
>          Issue Type: Improvement
>          Components: Web Console
>    Affects Versions: webconsole-1.2.2
>            Reporter: Felix Meschberger
>
> Currently the OSGi Web Console has a single locally configured user whose user Id and password may be configured in the console itself. If an OSGi framework provides an OSGi UserAdmin Service implementation, it would probably make sense to use that service for access control to the console.
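
Added example, not part of the original comment or of the Felix code base: the password check sketched in the comment above, with a per-user salt and PBKDF2 in place of a bare SHA-1 digest, so that equal passwords do not produce equal stored credentials. A plain Dictionary stands in for User.getCredentials(); the class name, the credential key names and the iteration count are assumptions. Because the salt has to be read back before hashing, verification reads the credentials and compares in constant time instead of calling hasCredential().

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Dictionary;
import java.util.Hashtable;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedCredentialDemo {
    // Hypothetical credential keys; User Admin leaves key names to the application.
    static final String SALT_KEY = "password.salt";
    static final String HASH_KEY = "password.hash";
    static final int ITERATIONS = 210_000; // assumed work factor, tune to the host
    static byte[] derive(char[] pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the password in the key spec
        }
    }
    // Counterpart of setPassword(); 'credentials' stands in for User.getCredentials().
    static void setPassword(Dictionary<String, Object> credentials, char[] pass) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        credentials.put(SALT_KEY, salt);
        credentials.put(HASH_KEY, derive(pass, salt));
    }

    // Counterpart of the hasCredential() check in authenticate().
    static boolean verify(Dictionary<String, Object> credentials, char[] pass) throws Exception {
        Object salt = credentials.get(SALT_KEY);
        Object hash = credentials.get(HASH_KEY);
        if (!(salt instanceof byte[]) || !(hash instanceof byte[])) {
            return false; // no password credential stored for this user
        }
        return MessageDigest.isEqual((byte[]) hash, derive(pass, (byte[]) salt));
    }

    public static void main(String[] args) throws Exception {
        Dictionary<String, Object> creds = new Hashtable<>(); // constructed sample user
        setPassword(creds, "correct horse".toCharArray());
        System.out.println("right password accepted: " + verify(creds, "correct horse".toCharArray()));
        System.out.println("wrong password accepted: " + verify(creds, "wrong".toCharArray()));
        Dictionary<String, Object> other = new Hashtable<>(); // second constructed user
        setPassword(other, "correct horse".toCharArray());
        // Same password, different salt: compare the two stored hashes.
        System.out.println("hashes equal across users: "
                + MessageDigest.isEqual((byte[]) creds.get(HASH_KEY), (byte[]) other.get(HASH_KEY)));
    }
}
```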
