Posted to users@felix.apache.org by Rob Walker <ro...@ascert.com> on 2007/12/10 09:50:20 UTC

Re: [Fwd: Re: Jetty, Security and OSGi?]

Richard

I haven't really looked into authentication as yet - although the Felix 
HTTP service does at the very least include the API calls for this.

What I did in this area was to include the HTTPS listener support, which 
I'd have to think would also be a part of anyone's 
security/authentication since it protects the underlying transport.

From what I remember, OSGi supports a basic authentication via the
following method on the HttpContext

    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)

This then leaves it open to an individual application to add whatever 
authentication checks they like by creating one or more custom security 
contexts. I'm no expert in this area, but I'd assume the Servlet session 
objects would typically be used to manage security details across calls.

I suspect I may have to learn more about this area next year as our 
fledgling GWT application sits on top of the Felix HTTP service and we 
have users wanting logon style auth checks.

Regards

-- Rob

Richard S. Hall wrote:
> Rob,
>
> Didn't you deal with some of these issues?
>
> -> richard
>
> -------- Original Message --------
> Subject:     Re: Jetty, Security and OSGi?
> Date:     Mon, 26 Nov 2007 08:16:04 -0800 (PST)
> From:     kitplummer <ki...@gmail.com>
> Reply-To:     users@felix.apache.org
> To:     users@felix.apache.org
> References:     <C3...@blackholelogic.com>
>
>
>
> Any pointers at all, on setting up Basic authentication for Jetty?  I know
> that the HttpService specifies that the implementation must handle security
> - but, I'm just not sure where to begin.
>
> Kit
>
>
> Kit Plummer-4 wrote:
>>
>> Looking for any ideas on how to best handle security (user
>> authentication/HTTPS) with embedded Jetty.  We've moved to using Pax Web
>> recently, so are at Jetty 6.1.3.
>>
>> We are launching a few Servlets programmatically...via the HttpService.
>>
>> Any thoughts, ideas?
>>
>> TIA,
>> Kit
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>> For additional commands, e-mail: users-help@felix.apache.org
>>
>>
>>
>

-- 


Ascert - Taking systems to the Edge
robw@ascert.com
+44 (0)20 7488 3470
www.ascert.com




Re: [Fwd: Re: Jetty, Security and OSGi?]

Posted by Stuart McCulloch <st...@jayway.net>.
On 10/12/2007, Felix Meschberger <fm...@gmail.com> wrote:
>
> Hi Rob,
>
> On Monday, 10.12.2007, at 08:50 +0000, Rob Walker wrote:
> > From what I remember, OSGi supports a basic authentication via the
> > following method on the HttpContext
> >
> >     public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
> >
> > This then leaves it open to an individual application to add whatever
> > authentication checks they like by creating one or more custom security
> > contexts. I'm no expert in this area, but I'd assume the Servlet session
> > objects would typically be used to manage security details across calls.
>
> Interesting that you mention this, because I just stumbled upon an
> issue with this: As per the spec (if I read it correctly) the
> handleSecurity method should set request attributes for the user and the
> authentication method if true is returned. These two attributes should
> be used by the HttpService implementation to provide the return values
> for the HttpServletRequest.getRemoteUser() and getAuthType() methods.


wow... so much synchronicity, it's freaky! - I also just discovered this
(separately) today when running the Pax-Web implementation against the OSGi
TCK for HTTP

> Unfortunately at the moment the http.jetty project does not do that. I
> will create an issue and provide a patch for this.
>
> Regards
> Felix
>
>
>
>


-- 
Cheers, Stuart

Re: [Fwd: Re: Jetty, Security and OSGi?]

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Rob,

On Monday, 10.12.2007, at 08:50 +0000, Rob Walker wrote:
> From what I remember, OSGi supports a basic authentication via the
> following method on the HttpContext
>
>     public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
> 
> This then leaves it open to an individual application to add whatever 
> authentication checks they like by creating one or more custom security 
> contexts. I'm no expert in this area, but I'd assume the Servlet session 
> objects would typically be used to manage security details across calls.

Interesting that you mention this, because I just stumbled upon an
issue with this: As per the spec (if I read it correctly) the
handleSecurity method should set request attributes for the user and the
authentication method if true is returned. These two attributes should
be used by the HttpService implementation to provide the return values
for the HttpServletRequest.getRemoteUser() and getAuthType() methods.

Unfortunately at the moment the http.jetty project does not do that. I
will create an issue and provide a patch for this.

Regards
Felix
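
An added example, not code from this thread or from the Felix or Pax Web
projects: one way an HttpContext could do Basic authentication in
handleSecurity and set the two request attributes discussed above. The class
name BasicAuthHttpContext, the verifier credential check and the realm value
are assumptions; java.util.Base64 needs Java 8 or later.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.BiPredicate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;

public class BasicAuthHttpContext implements HttpContext {
    private final HttpContext delegate;                  // e.g. httpService.createDefaultHttpContext()
    private final BiPredicate<String, char[]> verifier;  // hypothetical credential check (assumption)
    private final String realm;                          // fixed, deployer-chosen realm name
    public BasicAuthHttpContext(HttpContext delegate, BiPredicate<String, char[]> verifier, String realm) {
        this.delegate = delegate;
        this.verifier = verifier;
        this.realm = realm;
    }
    @Override
    public boolean handleSecurity(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (!req.isSecure()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return false;
        }
        String header = req.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                        StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');   // the user name cannot contain ':', the password can
                if (colon > 0 && verifier.test(pair.substring(0, colon),
                        pair.substring(colon + 1).toCharArray())) {
                    // The HttpService reads these to answer getRemoteUser() and getAuthType().
                    req.setAttribute(HttpContext.REMOTE_USER, pair.substring(0, colon));
                    req.setAttribute(HttpContext.AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH);
                    return true;
                }
            } catch (IllegalArgumentException malformedBase64) {
                // Not valid base64: fall through to the 401 challenge.
            }
        }
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;   // the response is already written; the servlet is not called
    }
    @Override public URL getResource(String name) { return delegate.getResource(name); }
    @Override public String getMimeType(String name) { return delegate.getMimeType(name); }
}
```

The context takes effect when it is passed as the last argument of
HttpService.registerServlet(alias, servlet, initparams, context).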

