Posted to users@camel.apache.org by Hilderich <hi...@yahoo.de> on 2014/10/30 10:41:58 UTC

Adding jaas authentication to a cxf endpoint in karaf

Dear Support Community,

We have in use Apache Karaf 2.3.2 with Apache Camel 2.11.1.

There is a bundle with a Camel Route that creates a Web Service:



This was already running smoothly with no problems. Now there was the
requirement to lock this web service via Basic Authentication. 
Therefore I have read something about it how to do it in combination with
Karaf and Jetty and I did it like here:

http://camel.465427.n5.nabble.com/camel-jetty-authentication-JAAS-td3293819.html

I have no bundle conflicts, but what I am facing now when Karaf starts is a
NullPointerException:



It looks like camel-cxf cannot read the URI *jetty:http://...*

In my point of view all requirements are installed:
karaf@root> features:list | grep -i jetty
[installed  ] [2.7.6          ] cxf-http-jetty    cxf-2.7.6
[installed  ] [2.11.1         ] camel-jetty       camel-2.11.1
[installed  ] [7.6.8.v20121106] jetty             karaf-2.3.2    Provide Jetty engine support

Any ideas?

Kind regards,
Hilderich







--
View this message in context: http://camel.465427.n5.nabble.com/Adding-jaas-authentication-to-a-cxf-endpoint-in-karaf-tp5758340.html
Sent from the Camel - Users mailing list archive at Nabble.com.

Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Hilderich <hi...@yahoo.de>.
Hello Daniel,

Unfortunately I have worked almost 4 days to incorporate a Basic
Authentication to Karaf, CXF, Camel and Blueprint but with no success. 
This Java domain, OSGi and its frameworks, is quite difficult to grasp
though I have read partly OSGi in Action and Enterprise OSGi in Action. 
How many years you think I need to get a member of these secret bond of the
known?

Seriously, I have to do it in my leisure time to shift it to Karaf 3.0.2.
However I don't know if it will help to establish a Basic Authentication. 
I will report here next.

Kind regards,
Hilderich




Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Daniel Kulp <dk...@apache.org>.
I’ll let Sergey handle most of this, but…..


> On Nov 3, 2014, at 6:12 AM, Hilderich <hi...@yahoo.de> wrote:
> 
> 
> Last week I have commenced with an update to Karaf 3.0.2 but so far I am not
> able to start my bundle because cxf bus in blueprint cannot be initialized
> (this part in blueprint.xml: <httpj:engine-factory bus="cxf">). Probably this
> has something to do with wrong versions and missing imports. I am very
> discouraged.
> 

I’m a bit curious by this one.   Do you have a test case for this?   I’d really like to know what would cause this.


-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com


Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 03/11/14 14:42, Hilderich wrote:
> Hello Sergey,
>
> First of all what you have suggested I have done as you can see above. But
> this incorporation of an interceptor has no effect and no one requires a
> login if I do a request to the address in my browser.
> My question about JAAS was intended to get a feedback from you if I have
> grasped JAAS correctly. In Karaf the JAAS login mechanism looks into
> <karaf_home>/etc/users.properties, isn't it?
As far as I recall yes
> I don't know what you mean when you are talking about anonymous users and I
> cannot find any property /allowAnonymous/. I just want to know if one entry
> as stated above in users.properties is enough
> for an authorization?
No, that entry should be enough for populating a security context - 
which still needs to be acted upon.
> However this is not the point at the moment because no
> one is asking for any authorization - what a shame.
>
I do not even recall you talking about the authorization in this thread 
before so I'm not sure why you are surprised.
What is your plan to enforce the authorization, do you use RBAC rules 
like @RolesAllowed?
> Do I have to create any web app context file for any other authentication
> stuff beyond /blueprint.xml/ and /users.properties/? Do I have to configure
> <karaf_home>/etc/org.apache.karaf.jaas.cfg ???
>
No idea - ask at the Karaf list. As far as CXF is concerned, please 
check the same page I linked to earlier on how to set up simple 
authorizing interceptors which can check RolesAllowed.

By the way: sorry if I hijacked the thread - maybe the solution 
proposed originally should've been explored till the end...

Thanks, Sergey
> Kind regards,
> Hilderich
>


Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Hilderich <hi...@yahoo.de>.
Hello Sergey,

First of all what you have suggested I have done as you can see above. But
this incorporation of an interceptor has no effect and no one requires a
login if I do a request to the address in my browser. 
My question about JAAS was intended to get a feedback from you if I have
grasped JAAS correctly. In Karaf the JAAS login mechanism looks into
<karaf_home>/etc/users.properties, isn't it? 
I don't know what you mean when you are talking about anonymous users and I
cannot find any property /allowAnonymous/. I just want to know if one entry
as stated above in users.properties is enough 
for an authorization? However this is not the point at the moment because no
one is asking for any authorization - what a shame. 

Do I have to create any web app context file for any other authentication
stuff beyond /blueprint.xml/ and /users.properties/? Do I have to configure
<karaf_home>/etc/org.apache.karaf.jaas.cfg ???

Kind regards,
Hilderich




Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 03/11/14 14:09, Hilderich wrote:
> Hello Sergey,
>
> Thank you for your help. I've tried as here:
>
>
>
> In /<karaf_home>/etc/users.properties/ is one entry:
>
> *karaf=karaf,admin*
>
> I think this should be okay, isn't it?
>
> If I understand JAAS correctly any login is referenced to users.properties
> and if a match exists you are authorized.
> However so far no login is required at the moment and that is the problem at
> all.
>
Do you mean that anonymous users are still accepted? If so then the 
interceptor's allowAnonymous property should be set to false

Cheers, Sergey
> Kind regards,
> Hilderich
>
>


Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Hilderich <hi...@yahoo.de>.
Hello Sergey,

Thank you for your help. I've tried as here:



In /<karaf_home>/etc/users.properties/ is one entry:

*karaf=karaf,admin*

I think this should be okay, isn't it?

If I understand JAAS correctly any login is referenced to users.properties
and if a match exists you are authorized. 
However so far no login is required at the moment and that is the problem at
all.

Kind regards,
Hilderich




Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Can CXF JAASLoginInterceptor help?
CXF endpoint declaration in Spring or Blueprint with its interceptors 
section referencing JAASLoginInterceptor (with one or two properties 
set) is all that is needed to have a user authenticated against JAAS, be 
it in Karaf or Tomcat.
http://cxf.apache.org/docs/security.html#Security-JAASLoginInterceptor

Thanks, Sergey

On 03/11/14 11:12, Hilderich wrote:
> Hello Christian,
>
> I did exactly as you described above but no authentication mechanism is
> triggered. I have tried your two approaches as well and no authentication
> mechanism ever came into action. Maybe there is something wrong with my
> versions:
>
> Apache Karaf 2.3.2
> Apache CXF 2.7.6
> Apache Camel 2.11.1
>
> I have read this
>
> https://issues.apache.org/jira/browse/CXF-5863
>
> but I am not sure if this is the reason.
>
> Last week I have commenced with an update to Karaf 3.0.2 but so far I am not
> able to start my bundle because cxf bus in blueprint cannot be initialized
> (this part in blueprint.xml: <httpj:engine-factory bus="cxf">). Probably this
> has something to do with wrong versions and missing imports. I am very
> discouraged.
>
> Kind regards,
> Hilderich
>
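
The setup Sergey describes in this thread (JAASLoginInterceptor on the endpoint, allowAnonymous set to false, and an authorizing interceptor to act on the security context), sketched as a Blueprint fragment. This is an added example, not configuration posted by anyone in the thread: the bean ids are hypothetical, the role admin is taken from the users.properties entry quoted in the thread, and it assumes a CXF version that provides the properties shown.

```xml
<!-- Added example; bean ids jaasLogin and requireAdmin are hypothetical. -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:camelcxf="http://camel.apache.org/schema/blueprint/cxf">

  <!-- Authentication: takes the HTTP Basic credentials from the request and
       logs in against the JAAS realm "karaf" (backed by etc/users.properties).
       Basic credentials are only base64-encoded on the wire, so outside a
       test setup the endpoint belongs behind HTTPS. -->
  <bean id="jaasLogin"
        class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="karaf"/>
    <!-- Karaf marks roles by principal class name, not by a name prefix -->
    <property name="roleClassifier" value="RolePrincipal"/>
    <property name="roleClassifierType" value="classname"/>
    <!-- the property Sergey names: requests without credentials are rejected -->
    <property name="allowAnonymous" value="false"/>
  </bean>

  <!-- Authorization: the security context populated above is only enforced
       if something checks it. globalRoles applies to every operation. -->
  <bean id="requireAdmin"
        class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
    <property name="globalRoles" value="admin"/>
  </bean>

  <!-- Endpoint attributes as quoted in Willem's reply; both interceptors
       run on the inbound chain. -->
  <camelcxf:cxfEndpoint id="warehouseService"
      wsdlURL="wsdl/externalWarehouseService.wsdl"
      serviceClass="de.company.production.externalwarehouse.ws.ExternalWarehousePortTypeImpl"
      address="/externalWarehouse">
    <camelcxf:inInterceptors>
      <ref component-id="jaasLogin"/>
      <ref component-id="requireAdmin"/>
    </camelcxf:inInterceptors>
  </camelcxf:cxfEndpoint>
</blueprint>
```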


Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Hilderich <hi...@yahoo.de>.
Hello Christian,

I did exactly as you described above but no authentication mechanism is
triggered. I have tried your two approaches as well and no authentication
mechanism ever came into action. Maybe there is something wrong with my
versions: 

Apache Karaf 2.3.2
Apache CXF 2.7.6
Apache Camel 2.11.1

I have read this 

https://issues.apache.org/jira/browse/CXF-5863

but I am not sure if this is the reason. 

Last week I have commenced with an update to Karaf 3.0.2 but so far I am not
able to start my bundle because cxf bus in blueprint cannot be initialized
(this part in blueprint.xml: <httpj:engine-factory bus="cxf">). Probably this
has something to do with wrong versions and missing imports. I am very
discouraged.

Kind regards,
Hilderich






Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Christian Müller <ch...@gmail.com>.
The keystore configuration is only needed for HTTPS.
You can use BASIC AUTH without HTTPS.

If you want to leverage on the OSGI HTTP service (it looks so, because you
are using address="/externalWarehouse"), you have to configure BASIC AUTH
in your jetty.xml like:

<Configure class="org.eclipse.jetty.server.Server">
    <!-- =========================================================== -->
    <!-- Set connectors -->
    <!-- =========================================================== -->
    <!-- One of each type! -->
    <!-- =========================================================== -->

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.nio.BlockingChannelConnector">
                <Set name="host">
                    <Property name="jetty.host" />
                </Set>
                <Set name="port">
                    <Property name="jetty.port" default="8181" />
                </Set>
                <Set name="maxIdleTime">300000</Set>
                <Set name="Acceptors">1</Set>
                <Set name="statsOn">false</Set>
                <Set name="confidentialPort">8443</Set>
            </New>
        </Arg>
    </Call>

    <Call name="addBean">
        <Arg>
            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
                <Set name="name">karaf</Set>
                <Set name="loginModuleName">karaf</Set>
                <Set name="roleClassNames">
                    <Array type="java.lang.String">
                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal</Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>

    <Call name="addBean">
        <Arg>
            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
                <Set name="name">default</Set>
                <Set name="loginModuleName">karaf</Set>
                <Set name="roleClassNames">
                    <Array type="java.lang.String">
                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal</Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>
</Configure>





If you want to start up a new Jetty instance to expose your web service,
your configuration looks good. As Willem already explained, you have to
configure a complete URL like address="http://127.0.0.1:9000/externalWarehouse".
And you can remove the keystore configuration if you are using HTTP.

    <httpj:engine-factory bus="cxf">
        <httpj:engine port="9000">
            <httpj:threadingParameters minThreads="5" maxThreads="20" />
            <httpj:handlers>
                <!-- BASIC AUTHENTICATION configuration -->
                <ref bean="securityHandler"/>
            </httpj:handlers>
        </httpj:engine>
    </httpj:engine-factory>

    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="authenticator">
            <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator"/>
        </property>
        <property name="constraintMappings">
            <list>
                <bean class="org.eclipse.jetty.security.ConstraintMapping">
                    <property name="constraint">
                        <bean class="org.eclipse.jetty.http.security.Constraint">
                            <property name="name" value="BASIC"/>
                            <property name="roles" value="yourRole"/>
                            <property name="authenticate" value="true"/>
                        </bean>
                    </property>
                    <property name="pathSpec" value="/*"/>
                </bean>
            </list>
        </property>
        <property name="loginService">
            <bean class="org.eclipse.jetty.security.HashLoginService">
                <property name="name" value="karaf" />
                <property name="config" value="src/test/resources/jetty-realm.properties" />
            </bean>
        </property>
        <property name="strict" value="false"/>
    </bean>

Best,
Christian
-----------------

Software Integration Specialist

Apache Member
V.P. Apache Camel | Apache Camel PMC Member | Apache Camel committer
Apache Incubator PMC Member

https://www.linkedin.com/pub/christian-mueller/11/551/642

On Fri, Oct 31, 2014 at 9:44 AM, Hilderich <hi...@yahoo.de> wrote:

> Hello Willem,
>
> Many thanks for that crucial hint. I did as you said but no Basic
> Authentication was requested. What I do not understand so far is the
> keystore stuff in <httpj:tlsServerParameters ...
> As I interpret it correctly this has something to do with SSL/https but I
> have no intentions to switch to https. As a result I have in the meantime
> <httpj ... section in blueprint modified to:
>
> <httpj:engine-factory bus="cxf">
>         <httpj:engine port="9000">
>                 <httpj:threadingParameters minThreads="5"
>                         maxThreads="20" />
>                 <httpj:handlers>
>                         <ref component-id="securityHandler" />
>                 </httpj:handlers>
>         </httpj:engine>
> </httpj:engine-factory>
>
>
> Do I have get something wrong? Is Basic Auth inevitably connected with
> SSL/http???
>
> Could you please help me once again to establish BASIC Auth via http and
> how
> jetty has properly configured in blueprint.xml?
>
> Kind regards,
> Hilderich
>
>

Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Hilderich <hi...@yahoo.de>.
Hello Willem,

Many thanks for that crucial hint. I did as you said but no Basic
Authentication was requested. What I do not understand so far is the
keystore stuff in <httpj:tlsServerParameters ...
As I interpret it correctly this has something to do with SSL/https but I
have no intentions to switch to https. As a result I have in the meantime
<httpj ... section in blueprint modified to:

<httpj:engine-factory bus="cxf">
	<httpj:engine port="9000">		    
		<httpj:threadingParameters minThreads="5"
			maxThreads="20" />
		<httpj:handlers>
			<ref component-id="securityHandler" />
		</httpj:handlers>
	</httpj:engine>
</httpj:engine-factory>


Do I have get something wrong? Is Basic Auth inevitably connected with
SSL/http???

Could you please help me once again to establish BASIC Auth via http and how
jetty has properly configured in blueprint.xml?

Kind regards,
Hilderich




Re: Adding jaas authentication to a cxf endpoint in karaf

Posted by Willem Jiang <wi...@gmail.com>.
Hi

<camelcxf:cxfEndpoint id="warehouseService"
		wsdlURL="wsdl/externalWarehouseService.wsdl"
		serviceClass="de.company.production.externalwarehouse.ws.ExternalWarehousePortTypeImpl"
		address="/externalWarehouse" loggingFeatureEnabled="true">

means you leverage the pax web instead of the Jetty engine which is embedded in the CXF endpoint to publish the service.

You just need to change the address to "http://localhost:9000/externalWarehouse" and update the <httpj:engine port="9000">, then your jetty configuration should work now.

--  
Willem Jiang

Red Hat, Inc.
Web: http://www.redhat.com
Blog: http://willemjiang.blogspot.com (English)
http://jnn.iteye.com (Chinese)
Twitter: willemjiang  
Weibo: 姜宁willem



On October 30, 2014 at 5:42:25 PM, Hilderich (hilde.schwed@yahoo.de) wrote:
> Dear Support Community,
>  
> We have in use Apache Karaf 2.3.2 with Apache Camel 2.11.1.
>  
> There is a bundle with a Camel Route that creates a Web Service:
>  
>  
>  
> This was already running smoothly with no problems. Now there was the
> requirement to lock this web service via Basic Authentication.
> Therefore I have read something about it how to do it in combination with
> Karaf and Jetty and I did it like here:
>  
> http://camel.465427.n5.nabble.com/camel-jetty-authentication-JAAS-td3293819.html  
>  
> I have no bundle conflicts, but what I am facing now when Karaf starts is a
> NullPointerException:
>  
>  
>  
> It looks like camel-cxf cannot read the URI *jetty:http://...*
>  
> In my point of view all requirements are installed:
> karaf@root> features:list | grep -i jetty
> [installed ] [2.7.6 ] cxf-http-jetty cxf-2.7.6
> [installed ] [2.11.1 ] camel-jetty camel-2.11.1
> [installed ] [7.6.8.v20121106] jetty karaf-2.3.2 Provide Jetty engine support
>  
> Any ideas?
>  
> Kind regards,
> Hilderich
>