Posted to dev@felix.apache.org by "Remco Poortinga - van Wijnen (JIRA)" <ji...@apache.org> on 2008/07/29 20:21:31 UTC

[jira] Created: (FELIX-651) Access to password protected OBR

Access to password protected OBR
--------------------------------

                 Key: FELIX-651
                 URL: https://issues.apache.org/jira/browse/FELIX-651
             Project: Felix
          Issue Type: Improvement
          Components: Bundle Repository (OBR)
            Reporter: Remco Poortinga - van Wijnen
            Priority: Trivial


For a project I would like to configure a 'private' OBR (somewhat against the federated idea of OBR I guess, but anyway). In other words: username/password protected access. Https OBR are possible, but I have no idea if there is an 'official' way (from Felix' point of view) for specifying credentials for the specified OBR URLs.

Just to see whether it would work I created a test version where username/password can be specified in a RFC1738 compliant way, e.g. https://user:password@server:port/rest and added an Authenticator to the bundlerepository bundle, which gets the username/password from the URL if it is set (see http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo()).

This seems to work OK; would this be interesting for others as well?


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (FELIX-651) Access to password protected OBR

Posted by "Remco Poortinga - van Wijnen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FELIX-651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remco Poortinga - van Wijnen updated FELIX-651:
-----------------------------------------------

    Attachment: UrlEmbeddedCredentialsAuthenticator.java

This UrlEmbeddedCredentialsAuthenticator extends Authenticator from Java and on call just checks whether a username:password is present in the URL.
If there is, it is returned; otherwise null is returned.
See also http://java.sun.com/javase/6/docs/api/java/net/Authenticator.html

I tested this by placing it in org.apache.felix.bundlerepository package and then calling Authenticator.setDefault(new UrlEmbeddedCredentialsAuthenticator()); from the start method of org.apache.felix.bundlerepository.Activator.

Possible 'gotcha': using Authenticator.setDefault makes it a 'system' thingy. Which may be a good thing (then works for all URLs throughout Felix), or a bad thing (might cause other issues? Not sure which, I'm not really familiar with the internals of Felix).



> Access to password protected OBR
> --------------------------------
>
>                 Key: FELIX-651
>                 URL: https://issues.apache.org/jira/browse/FELIX-651
>             Project: Felix
>          Issue Type: Improvement
>          Components: Bundle Repository (OBR)
>            Reporter: Remco Poortinga - van Wijnen
>            Priority: Trivial
>         Attachments: UrlEmbeddedCredentialsAuthenticator.java
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> For a project I would like to configure a 'private' OBR (somewhat against the federated idea of OBR I guess, but anyway). In other words: username/password protected access. Https OBR are possible, but I have no idea if there is an 'official' way (from Felix' point of view) for specifying credentials for the specified OBR URLs.
> Just to see whether it would work I created a test version where username/password can be specified in a RFC1738 compliant way, e.g. https://user:password@server:port/rest and added an Authenticator to the bundlerepository bundle, which gets the username/password from the URL if it is set (see http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo()).
> This seems to work OK; would this be interesting for others as well?



[jira] Commented: (FELIX-651) Access to password protected OBR

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FELIX-651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12627243#action_12627243 ] 

Felix Meschberger commented on FELIX-651:
-----------------------------------------

Having a private OBR makes absolute sense to me. Yet, your proposed approach has some drawbacks in my opinion:

(1) It uses a JVM-wide setting to enable password transfer. I don't think such an approach is suitable for a bundle in an OSGi framework. All the more considering the framework may be started as part of a web application in a servlet container or even as a bundle in an OSGi-capable application server, which already has set the default authenticator. Yes, you also note this, but I rather see the problems than the advantages.

(2) I personally am not a fan of URLs with user name and password in them, because this is certainly not very secure. All the more as the URLs on which the bundle repository bundle operates can be queried.

(3) And then, you "secured" the URL to the repository.xml file. How about the URLs in the repository.xml file itself? Do they bear some user name and password, too?

(4) To really do a secure OBR, I would rather suggest, as you also do, to use HTTPS. Yet I think, this would probably also require more on the bundlerepository part in terms of key management.

In fact, using HTTPS with client keys even enables per-user settings and controls...

Another solution might be to use Apache HttpComponents to be able to fully control credentials processing and to use user/password setting out of band of the URL.

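
Added example, not part of the thread and not Felix code: one way to avoid the two objections raised in the comment above (a JVM-wide default authenticator, and credentials left inside a URL that can be queried) using only the JDK. It assumes Java 9 or later for HttpURLConnection.setAuthenticator; the class name, host, port and credentials are hypothetical placeholders.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.URL;

public class ScopedObrCredentials {

    /** Answers server challenges from one HTTPS host only; returns null otherwise. */
    static final class ScopedAuthenticator extends Authenticator {
        private final String host;
        private final String user;
        private final char[] password;

        ScopedAuthenticator(String host, String user, char[] password) {
            this.host = host;
            this.user = user;
            this.password = password.clone();
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            URL target = getRequestingURL();
            boolean https = target != null && "https".equalsIgnoreCase(target.getProtocol());
            boolean sameHost = host.equalsIgnoreCase(getRequestingHost());
            boolean fromServer = getRequestorType() == RequestorType.SERVER;
            return (https && sameHost && fromServer)
                    ? new PasswordAuthentication(user, password) : null;
        }
    }

    /** Drops the user:password@ part so the URL is safe to list or log. */
    static String withoutUserInfo(URI u) throws Exception {
        return new URI(u.getScheme(), null, u.getHost(), u.getPort(),
                u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: host, port, account and password are placeholders.
        URI configured = new URI("https://user:password@obr.example.org:8443/repository.xml");
        String publicUrl = withoutUserInfo(configured);
        System.out.println(publicUrl);

        HttpURLConnection conn = (HttpURLConnection) URI.create(publicUrl).toURL().openConnection();
        // Java 9+: authenticator bound to this connection; Authenticator.setDefault is never called.
        conn.setAuthenticator(new ScopedAuthenticator("obr.example.org", "user", "password".toCharArray()));
        // conn.getInputStream() would fetch repository.xml and answer a 401 from that host only.
    }
}
```

The same authenticator instance can be attached to connections for bundle URLs listed in repository.xml; it stays silent for any host other than the one it was constructed for, and for plain HTTP.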