You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Ioannis Canellos (JIRA)" <ji...@apache.org> on 2010/08/26 15:35:56 UTC
[jira] Created: (KARAF-172) Implement a mechanism that would allow
a karaf application to distingush between UserPrincipal & RolePrincipal
without depending from Karaf JAAS Modules
Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
--------------------------------------------------------------------------------------------------------------------------------------------------------
Key: KARAF-172
URL: https://issues.apache.org/jira/browse/KARAF-172
Project: Karaf
Issue Type: New Feature
Reporter: Ioannis Canellos
A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (KARAF-172) Implement a mechanism that would allow
a karaf application to distingush between UserPrincipal & RolePrincipal
without depending from Karaf JAAS Modules
Posted by "Ioannis Canellos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ioannis Canellos updated KARAF-172:
-----------------------------------
Attachment: KARAF-172-patch.txt
I am uploading a patch that does the following:
a) Introduces KarafAbstractLoginModule which handles RolePolicies if any (the rest login modules inherit from that).
b) Introduces a group policy GROUP_ROLES. This policy creates a Group Object with a configurable name and adds all RolesPrincipals into that Group (JBoss-like approach).
c) Introduces a group policy PREFIXED_ROLES which discriminates RolePricipals by adding a configurable prefix.
Some policy examples:
GROUP_ROLES:
<jaas:config name="example">
<jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
users = $[karaf.base]/etc/users.properties
rolePolicy = group
roleDisciriminator = ROLES
</jaas:module>
</jaas:config>
PREFIXED_ROLES:
<jaas:config name="example">
<jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
users = $[karaf.base]/etc/users.properties
rolePolicy = prefix
roleDisciriminator = ROLE_
</jaas:module>
</jaas:config>
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
> Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (KARAF-172) Implement a mechanism that would allow
a karaf application to distingush between UserPrincipal & RolePrincipal
without depending from Karaf JAAS Modules
Posted by "Ioannis Canellos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ioannis Canellos updated KARAF-172:
-----------------------------------
Fix Version/s: 2.2.0
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
> Assignee: Ioannis Canellos
> Fix For: 2.2.0
>
> Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (KARAF-172) Implement a mechanism that would allow
a karaf application to distingush between UserPrincipal & RolePrincipal
without depending from Karaf JAAS Modules
Posted by "Ioannis Canellos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ioannis Canellos reassigned KARAF-172:
--------------------------------------
Assignee: Ioannis Canellos
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
> Assignee: Ioannis Canellos
> Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (KARAF-172) Implement a mechanism that would
allow a karaf application to distingush between UserPrincipal &
RolePrincipal without depending from Karaf JAAS Modules
Posted by "Ioannis Canellos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12905880#action_12905880 ]
Ioannis Canellos commented on KARAF-172:
----------------------------------------
Adding jaas/modules/src/main/java/org/apache/karaf/jaas/modules/AbstractKarafLoginModule.java
Adding jaas/modules/src/main/java/org/apache/karaf/jaas/modules/GroupPrincipal.java
Adding jaas/modules/src/main/java/org/apache/karaf/jaas/modules/RolePolicy.java
Sending jaas/modules/src/main/java/org/apache/karaf/jaas/modules/osgi/OsgiConfigLoginModule.java
Sending jaas/modules/src/main/java/org/apache/karaf/jaas/modules/properties/PropertiesLoginModule.java
Transmitting file data .....
Committed revision 992286.
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
> Assignee: Ioannis Canellos
> Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (KARAF-172) Implement a mechanism that would
allow a karaf application to distingush between UserPrincipal &
RolePrincipal without depending from Karaf JAAS Modules
Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12902865#action_12902865 ]
Guillaume Nodet commented on KARAF-172:
---------------------------------------
+1 for that. That always struck me as odd that one had to depend on a specific implementation classes for that. I actually did not investigate how others had fixed that :-( A pluggable (or configurable) mechanism would be awesome.
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Resolved: (KARAF-172) Implement a mechanism that would allow
a karaf application to distingush between UserPrincipal & RolePrincipal
without depending from Karaf JAAS Modules
Posted by "Ioannis Canellos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/KARAF-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ioannis Canellos resolved KARAF-172.
------------------------------------
Resolution: Fixed
> Implement a mechanism that would allow a karaf application to distingush between UserPrincipal & RolePrincipal without depending from Karaf JAAS Modules
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KARAF-172
> URL: https://issues.apache.org/jira/browse/KARAF-172
> Project: Karaf
> Issue Type: New Feature
> Reporter: Ioannis Canellos
> Assignee: Ioannis Canellos
> Attachments: KARAF-172-patch.txt
>
>
> A karaf application that makes use of JAAS for authentication and authorization will obtain a LoginContext that contains UserPrincipal and RolePrincipal objects (both classes are inside org.apache.karaf.jaas:org.apache.karaf.jaas.modules).
> If such application needs to distinguish between those two(e.g role based authorization), will have to depend from org.apache.karaf.jaas:org.apache.karaf.jaas.modules.
> I think that the application needs to be decoupled from Karaf JAAS Modules and this is why I think that an alternative needs to be provided to the user.
> Such alternative could be the use of a convention (maybe like having a prefix on Roles, or goruping roles under a Group with a fixed name (jboss approach)). This mechanism could be implemented by Karaf Login Modules and even better could be pluggable.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.