Posted to commits@felix.apache.org by bu...@apache.org on 2013/04/05 16:38:45 UTC

svn commit: r857408 - in /websites/staging/felix/trunk/content: ./ documentation/subprojects/apache-felix-jaas.html site/apache-felix-jaas.data/ site/apache-felix-jaas.data/jaas-config.png

Author: buildbot
Date: Fri Apr  5 14:38:45 2013
New Revision: 857408

Log:
Staging update by buildbot for felix

Added:
    websites/staging/felix/trunk/content/documentation/subprojects/apache-felix-jaas.html
    websites/staging/felix/trunk/content/site/apache-felix-jaas.data/
    websites/staging/felix/trunk/content/site/apache-felix-jaas.data/jaas-config.png   (with props)
Modified:
    websites/staging/felix/trunk/content/   (props changed)

Propchange: websites/staging/felix/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Apr  5 14:38:45 2013
@@ -1 +1 @@
-1464894
+1464990

Added: websites/staging/felix/trunk/content/documentation/subprojects/apache-felix-jaas.html
==============================================================================
--- websites/staging/felix/trunk/content/documentation/subprojects/apache-felix-jaas.html (added)
+++ websites/staging/felix/trunk/content/documentation/subprojects/apache-felix-jaas.html Fri Apr  5 14:38:45 2013
@@ -0,0 +1,193 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+  <head>
+    <title>Apache Felix - Apache Felix JAAS Support</title>
+    <link rel="icon" href="/res/favicon.ico">
+    <link rel="stylesheet" href="/res/site.css" type="text/css" media="all">
+    <link rel="stylesheet" href="/res/codehilite.css" type="text/css" media="all">
+    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
+  </head>
+  <body>
+    <div class="title">
+      <div class="logo">
+        <a href="http://felix.apache.org/">
+          <img border="0" alt="Apache Felix" src="/res/logo.png">
+        </a>
+      </div>
+      <div class="header">
+        <a href="http://www.apache.org/">
+          <img border="0" alt="Apache" src="/res/apache.png">
+        </a>
+      </div>
+    </div>
+    
+    <div class="menu"> 
+      <p><a href="/news.html">news</a>  <br />
+<a href="/license.html">license</a>  <br />
+<a href="/downloads.cgi">downloads</a>  <br />
+<a href="/documentation.html">documentation</a>  <br />
+<a href="/mailinglists.html">mailing lists</a>  <br />
+<a href="/documentation/community/contributing.html">contributing</a>  <br />
+<a href="/sitemap.html">site map</a>  <br />
+<a href="http://www.apache.org/">asf</a>  <br />
+<a href="http://www.apache.org/security/">security</a>  <br />
+<a href="http://www.apache.org/foundation/sponsorship.html">sponsorship</a>  <br />
+<a href="http://www.apache.org/foundation/thanks.html">sponsors</a>  <br />
+</p>
+<iframe
+    src="http://www.apache.org/ads/button.html"
+    style="border-width:0; float: left"
+    frameborder="0"
+    scrolling="no"
+    width="135"
+    height="135">
+</iframe>
+    </div>
+    
+    <div class="main">
+      <div class="breadcrump" style="font-size: 80%;">
+        <a href="/">Home</a>&nbsp;&raquo&nbsp;<a href="/documentation.html">Documentation</a>&nbsp;&raquo&nbsp;<a href="/documentation/subprojects.html">Apache Felix Subproject Documentation</a>
+      </div>
+
+      
+      
+      <h1>Apache Felix JAAS Support</h1>
+      <div class="note">
+Work in progress as part of FELIX-3980
+</div>
+
+<p>Apache Felix JAAS support aims to simplify usage of JAAS in OSGi.</p>
+<p>It supports following features</p>
+<ol>
+<li>It can work both in Standalone and AppServer deployments i.e. in those environment where global JAAS configuration might be used by other applications and our usage of JAAS should not affect them</li>
+<li>It enables usage of OSGi Configuration support to dynamically configure the login modules.</li>
+<li>It allows LoginModule instances to be created via factories registered in OSGi Service Registry</li>
+<li>It does not require the client to depend on any OSGi API</li>
+<li>It works well with the dynamic nature of the OSGi env</li>
+<li>Implementation depends only on Core OSGi API and ConfigAdmin (RFC 104)</li>
+</ol>
+<h2 id="the-problem">The Problem</h2>
+<p>The basic problem when using JAAS in OSGi is that it creates the LoginModule instance using reflection. This poses problem in OSGi env as the client bundle does not have the visibility of all the required LoginModule classes.</p>
+<p>A typical use of JAAS login looks like below</p>
+<div class="codehilite"><pre><span class="c1">// let the LoginContext instantiate a new Subject</span>
+<span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">&quot;myApp&quot;</span><span class="o">);</span>
+<span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span>
+</pre></div>
+
+
+<p>In this mode the <code>LoginContext</code> would access the global JAAS <code>Configuration</code> internally via <code>Configuration.getConfiguration()</code>. It would then instantiate the LoginModule instance based on the configuration value. It uses the Thread Context ClassLoader (TCCL) to create the instance. This approach fails to work when used in OSGi</p>
+<ol>
+<li>The Thread Context ClassLoader is not defined in general in an OSGi context. It can and has to be set by the caller and OSGi cannot generally enforce that.</li>
+<li>Instantiating a LoginModule generally requires access to internal implementation classes, by exporting these classes an implementing bundle would break its encapsulation.</li>
+<li>Even if an implementation class was exported, importing this class in a consumer bundle would bind it to the specific implementation package provided, which violates the principle of loose coupling.</li>
+</ol>
+<h2 id="making-it-work">Making it work</h2>
+<p>In order to make JAAS work under OSGi following</p>
+<h2 id="usage">Usage</h2>
+<p>The JAAS support involves following parts</p>
+<ol>
+<li>LoginContext Creation - Refers to the client code which constructs the LoginContext and then perform login operation</li>
+<li>LoginModule Registration - Mechanism by which LoginModule is registered with a given <code>realm</code>.</li>
+</ol>
+<h3 id="loginmodule-registration">LoginModule registration</h3>
+<p>The login modules can be registered via two mechanism</p>
+<ul>
+<li>OSGi Configuration</li>
+<li>LoginModuleFactory registered with the OSGi ServiceRegistry</li>
+</ul>
+<h4 id="osgi-configuration">OSGi Configuration</h4>
+<p>LoginModules can also be configured via configuration which is somewhat similar to the file based configuration. It consist of two parts</p>
+<ul>
+<li>Information around which bundle provides a specific LoginModule module</li>
+<li>Configuration required to be passed to that LoginModule</li>
+</ul>
+<h5 id="manifest-header-entry">Manifest Header Entry</h5>
+<p>Any bundle which provides a LoginModule class needs to provide this information via <em>Jaas-ModuleClass</em> manifest header.</p>
+<div class="codehilite"><pre><span class="nt">&lt;Jaas-ModuleClass&gt;</span>org.apache.felix.example.jaas.config.internal.SampleConfigLoginModule<span class="nt">&lt;/Jaas-ModuleClass&gt;</span>
+</pre></div>
+
+
+<h5 id="osgi-configuration_1">OSGi Configuration</h5>
+<p>JAAS module depends on OSGi Configuration for managing the LoginModule configuration. The configuration factory PID is <code>org.apache.felix.jaas.Configuration.factory</code>.It provides the required metatype descriptor thus enabling configuration via via "Configuration" tab of Felix WebConsole</p>
+<p>!jaas-config.png!</p>
+<p>Configuration properties
+<em> <code>jaas.classname</code> - Fully qualified name of the LoginModule class
+</em> <code>jaas.controlFlag</code> - LoginControlFlag to use like required, optional, requisite, sufficient. Default is set to required
+<em> <code>jaas.realmName</code> - JAAS Realm name. If specified then LoginModule would be registered against given realm otherwise it is bound to a 'other' realm
+</em> <code>jaas.ranking</code> - Ranking for the LoginModule. It would be used to order the various login modules</p>
+<p>For an example refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/launcher/src/main/config/org.apache.felix.jaas.Configuration.factory-simple.cfg">Sample Confiuration</a>. It configures a SampleConfigLoginModule for <code>sample</code> realm</p>
+<h4 id="loginmodulefactory">LoginModuleFactory</h4>
+<p>Any bundle which want to provide a LoginModule implementation would need to provide a factory service which implements the <a href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a>  interface. The factory needs to be registeredwith following optional properties</p>
+<ul>
+<li><code>jaas.controlFlag</code> - LoginControlFlag to use like required, optional, requisite, sufficient. Default is set to required</li>
+<li><code>jaas.realmName</code> - JAAS Realm name. If specified then LoginModule would be registered against given realm otherwise it is bound to a 'other' realm</li>
+<li>
+<p><code>service.ranking</code> - Ranking for the LoginModule. It would be used to order the various login modules</p>
+<p>:::java
+/<strong>
+ * A factory for creating {@link LoginModule} instances.
+ */
+public interface LoginModuleFactory
+{
+    /</strong>
+     * Property name specifying whether or not a <code>LoginModule</code> is
+     * REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL. Refer to {@link javax.security.auth.login.Configuration}
+     * for more details around the meaning of these flags
+     <em>
+     * By default the value is set to REQUIRED
+     </em>/
+    String JAAS_CONTROL_FLAG = "jaas.controlFlag";</p>
+<div class="codehilite"><pre><span class="o">/**</span>
+ <span class="o">*</span> <span class="n">Property</span> <span class="n">name</span> <span class="n">specifying</span> <span class="n">the</span> <span class="n">Realm</span> <span class="n">name</span> <span class="p">(</span><span class="ow">or</span> <span class="n">application</span> <span class="n">name</span><span class="p">)</span> <span class="n">against</span> <span class="n">which</span> <span class="n">the</span>
+ <span class="o">*</span> <span class="n">LoginModule</span> <span class="n">would</span> <span class="n">be</span> <span class="n">registered</span><span class="o">.</span>
+ <span class="o">*</span>
+ <span class="o">*</span> <span class="sr">&lt;p&gt;</span><span class="n">If</span> <span class="nb">no</span> <span class="n">realm</span> <span class="n">name</span> <span class="n">is</span> <span class="n">provided</span> <span class="k">then</span> <span class="n">LoginModule</span> <span class="n">would</span> <span class="n">registered</span> <span class="n">with</span> <span class="n">a</span> <span class="n">default</span> <span class="n">realm</span>
+ <span class="o">*</span> <span class="n">as</span> <span class="n">configured</span>
+ <span class="o">*/</span>
+<span class="n">String</span> <span class="n">JAAS_REALM_NAME</span> <span class="o">=</span> <span class="s">&quot;jaas.realmName&quot;</span><span class="p">;</span>
+
+<span class="o">/**</span>
+ <span class="o">*</span> <span class="n">Creates</span> <span class="n">the</span> <span class="n">LoginModule</span> <span class="n">instance</span>
+ <span class="o">*</span> <span class="nv">@return</span> <span class="n">loginModule</span> <span class="n">instance</span>
+ <span class="o">*/</span>
+<span class="n">LoginModule</span> <span class="n">createLoginModule</span><span class="p">();</span>
+</pre></div>
+
+
+<p>}</p>
+</li>
+</ul>
+<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/lm-jdbc/src/main/java/org/apache/felix/example/jaas/jdbc/JdbcLoginModuleFactory.java">JdbcLoginModuleFactory</a> for one example of its usage. It constructs a JdbcLoginModule based on the configuration and passes on the datasource.</p>
+<h2 id="resources">Resources</h2>
+<ol>
+<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">Java JAAS Reference Guide</a></li>
+<li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html">JAAS Login Configuration File</a></li>
+</ol>
+      <div class="timestamp" style="margin-top: 30px; font-size: 80%; text-align: right;">
+        Rev. 1464990 by chetanm on Fri, 5 Apr 2013 14:38:36 +0000
+      </div>
+      <div class="trademarkFooter"> 
+        Apache Felix, Felix, Apache, the Apache feather logo, and the Apache Felix project
+        logo are trademarks of The Apache Software Foundation. All other marks mentioned
+        may be trademarks or registered trademarks of their respective owners.
+      </div>
+    </div>
+  </body>
+</html>
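
Review bot: The LoginModuleFactory listing near the end of the added apache-felix-jaas.html is rendered as body text rather than as code. The ":::java" marker appears literally in a <p>, the javadoc delimiters have turned into <strong> and <em> tags, only the second half of the interface lands in the codehilite <pre>, and the closing "}" sits in its own <p>, all inside the third <li> of the property list. As published, the JAAS_CONTROL_FLAG declaration and its javadoc, which is where the REQUIRED default is stated, cannot be read as Java. Close the list before the sample, give the whole interface a single code block in the CMS source, and regenerate the page. Other problems in the same hunk are worth fixing in that pass: the "Configuration properties" entries under the second "OSGi Configuration" heading come out as alternating <em> runs instead of a <ul>; "!jaas-config.png!" is emitted as literal text, so the page has no <img> for the screenshot this commit adds; the "Making it work" section consists of one unfinished sentence ("In order to make JAAS work under OSGi following"); the Jaas-ModuleClass sample is written as an XML element although the text calls it a manifest header; and there are typos ("Confiuration", "registeredwith", "via via").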

Added: websites/staging/felix/trunk/content/site/apache-felix-jaas.data/jaas-config.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/felix/trunk/content/site/apache-felix-jaas.data/jaas-config.png
------------------------------------------------------------------------------
    svn:mime-type = image/png