Posted to commits@karaf.apache.org by jb...@apache.org on 2016/04/28 17:27:59 UTC

svn commit: r1741454 [33/41] - in /karaf/site/production/manual/latest-3.0.x: ./ developer-guide/ images/ user-guide/

Added: karaf/site/production/manual/latest-3.0.x/security-framework.html
URL: http://svn.apache.org/viewvc/karaf/site/production/manual/latest-3.0.x/security-framework.html?rev=1741454&view=auto
==============================================================================
--- karaf/site/production/manual/latest-3.0.x/security-framework.html (added)
+++ karaf/site/production/manual/latest-3.0.x/security-framework.html Thu Apr 28 15:27:56 2016
@@ -0,0 +1,1724 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="generator" content="Asciidoctor 1.5.2">
+<title>Security framework</title>
+<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400">
+<style>
+/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */
+/* Remove the comments around the @import statement below when using this as a custom stylesheet */
+/*@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400";*/
+article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}
+audio,canvas,video{display:inline-block}
+audio:not([controls]){display:none;height:0}
+[hidden],template{display:none}
+script{display:none!important}
+html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
+body{margin:0}
+a{background:transparent}
+a:focus{outline:thin dotted}
+a:active,a:hover{outline:0}
+h1{font-size:2em;margin:.67em 0}
+abbr[title]{border-bottom:1px dotted}
+b,strong{font-weight:bold}
+dfn{font-style:italic}
+hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
+mark{background:#ff0;color:#000}
+code,kbd,pre,samp{font-family:monospace;font-size:1em}
+pre{white-space:pre-wrap}
+q{quotes:"\201C" "\201D" "\2018" "\2019"}
+small{font-size:80%}
+sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
+sup{top:-.5em}
+sub{bottom:-.25em}
+img{border:0}
+svg:not(:root){overflow:hidden}
+figure{margin:0}
+fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
+legend{border:0;padding:0}
+button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
+button,input{line-height:normal}
+button,select{text-transform:none}
+button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
+button[disabled],html input[disabled]{cursor:default}
+input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
+input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}
+input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}
+button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
+textarea{overflow:auto;vertical-align:top}
+table{border-collapse:collapse;border-spacing:0}
+*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
+html,body{font-size:100%}
+body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto}
+a:hover{cursor:pointer}
+img,object,embed{max-width:100%;height:auto}
+object,embed{height:100%}
+img{-ms-interpolation-mode:bicubic}
+#map_canvas img,#map_canvas embed,#map_canvas object,.map_canvas img,.map_canvas embed,.map_canvas object{max-width:none!important}
+.left{float:left!important}
+.right{float:right!important}
+.text-left{text-align:left!important}
+.text-right{text-align:right!important}
+.text-center{text-align:center!important}
+.text-justify{text-align:justify!important}
+.hide{display:none}
+.antialiased,body{-webkit-font-smoothing:antialiased}
+img{display:inline-block;vertical-align:middle}
+textarea{height:auto;min-height:50px}
+select{width:100%}
+p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6}
+.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
+div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
+a{color:#2156a5;text-decoration:underline;line-height:inherit}
+a:hover,a:focus{color:#1d4b8f}
+a img{border:none}
+p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
+p aside{font-size:.875em;line-height:1.35;font-style:italic}
+h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
+h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
+h1{font-size:2.125em}
+h2{font-size:1.6875em}
+h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
+h4,h5{font-size:1.125em}
+h6{font-size:1em}
+hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0}
+em,i{font-style:italic;line-height:inherit}
+strong,b{font-weight:bold;line-height:inherit}
+small{font-size:60%;line-height:inherit}
+code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
+ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
+ul,ol,ul.no-bullet,ol.no-bullet{margin-left:1.5em}
+ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
+ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
+ul.square{list-style-type:square}
+ul.circle{list-style-type:circle}
+ul.disc{list-style-type:disc}
+ul.no-bullet{list-style:none}
+ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
+dl dt{margin-bottom:.3125em;font-weight:bold}
+dl dd{margin-bottom:1.25em}
+abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help}
+abbr{text-transform:none}
+blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd}
+blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
+blockquote cite:before{content:"\2014 \0020"}
+blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
+blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
+@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
+h1{font-size:2.75em}
+h2{font-size:2.3125em}
+h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
+h4{font-size:1.4375em}}table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede}
+table thead,table tfoot{background:#f7f8f7;font-weight:bold}
+table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
+table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)}
+table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7}
+table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6}
+h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
+h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400}
+.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table}
+.clearfix:after,.float-group:after{clear:both}
+*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em .5ex;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed}
+pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed}
+.keyseq{color:rgba(51,51,51,.8)}
+kbd{display:inline-block;color:rgba(0,0,0,.8);font-size:.75em;line-height:1.4;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:-.15em .15em 0 .15em;padding:.2em .6em .2em .5em;vertical-align:middle;white-space:nowrap}
+.keyseq kbd:first-child{margin-left:0}
+.keyseq kbd:last-child{margin-right:0}
+.menuseq,.menu{color:rgba(0,0,0,.8)}
+b.button:before,b.button:after{position:relative;top:-1px;font-weight:400}
+b.button:before{content:"[";padding:0 3px 0 2px}
+b.button:after{content:"]";padding:0 2px 0 3px}
+p a>code:hover{color:rgba(0,0,0,.9)}
+#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
+#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table}
+#header:after,#content:after,#footnotes:after,#footer:after{clear:both}
+#content{margin-top:1.25em}
+#content:before{content:none}
+#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
+#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8}
+#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px}
+#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
+#header .details span:first-child{margin-left:-.125em}
+#header .details span.email a{color:rgba(0,0,0,.85)}
+#header .details br{display:none}
+#header .details br+span:before{content:"\00a0\2013\00a0"}
+#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
+#header .details br+span#revremark:before{content:"\00a0|\00a0"}
+#header #revnumber{text-transform:capitalize}
+#header #revnumber:after{content:"\00a0"}
+#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
+#toc{border-bottom:1px solid #efefed;padding-bottom:.5em}
+#toc>ul{margin-left:.125em}
+#toc ul.sectlevel0>li>a{font-style:italic}
+#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
+#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
+#toc a{text-decoration:none}
+#toc a:active{text-decoration:underline}
+#toctitle{color:#7a2518;font-size:1.2em}
+@media only screen and (min-width:768px){#toctitle{font-size:1.375em}
+body.toc2{padding-left:15em;padding-right:0}
+#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
+#toc.toc2 #toctitle{margin-top:0;font-size:1.2em}
+#toc.toc2>ul{font-size:.9em;margin-bottom:0}
+#toc.toc2 ul ul{margin-left:0;padding-left:1em}
+#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
+body.toc2.toc-right{padding-left:0;padding-right:15em}
+body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
+#toc.toc2{width:20em}
+#toc.toc2 #toctitle{font-size:1.375em}
+#toc.toc2>ul{font-size:.95em}
+#toc.toc2 ul ul{padding-left:1.25em}
+body.toc2.toc-right{padding-left:0;padding-right:20em}}#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
+#content #toc>:first-child{margin-top:0}
+#content #toc>:last-child{margin-bottom:0}
+#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em}
+#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
+.sect1{padding-bottom:.625em}
+@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}.sect1+.sect1{border-top:1px solid #efefed}
+#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
+#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
+#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
+#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
+#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
+.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
+.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
+table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0}
+.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)}
+table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit}
+.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
+.admonitionblock>table td.icon{text-align:center;width:80px}
+.admonitionblock>table td.icon img{max-width:none}
+.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
+.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)}
+.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
+.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
+.exampleblock>.content>:first-child{margin-top:0}
+.exampleblock>.content>:last-child{margin-bottom:0}
+.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
+.sidebarblock>:first-child{margin-top:0}
+.sidebarblock>:last-child{margin-bottom:0}
+.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
+.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0}
+.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8}
+.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1}
+.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em}
+.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal}
+@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)}
+.listingblock pre.highlightjs{padding:0}
+.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
+.listingblock pre.prettyprint{border-width:0}
+.listingblock>.content{position:relative}
+.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999}
+.listingblock:hover code[data-lang]:before{display:block}
+.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999}
+.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"}
+table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none}
+table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0}
+table.pyhltable td.code{padding-left:.75em;padding-right:0}
+pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8}
+pre.pygments .lineno{display:inline-block;margin-right:.25em}
+table.pyhltable .linenodiv{background:none!important;padding-right:0!important}
+.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
+.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em}
+.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
+.quoteblock blockquote{margin:0;padding:0;border:0}
+.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
+.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
+.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right}
+.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)}
+.quoteblock .quoteblock blockquote{padding:0 0 0 .75em}
+.quoteblock .quoteblock blockquote:before{display:none}
+.verseblock{margin:0 1em 1.25em 1em}
+.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
+.verseblock pre strong{font-weight:400}
+.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
+.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic}
+.quoteblock .attribution br,.verseblock .attribution br{display:none}
+.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.05em;color:rgba(0,0,0,.6)}
+.quoteblock.abstract{margin:0 0 1.25em 0;display:block}
+.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0}
+.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none}
+table.tableblock{max-width:100%;border-collapse:separate}
+table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0}
+table.spread{width:100%}
+table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
+table.grid-all th.tableblock,table.grid-all td.tableblock{border-width:0 1px 1px 0}
+table.grid-all tfoot>tr>th.tableblock,table.grid-all tfoot>tr>td.tableblock{border-width:1px 1px 0 0}
+table.grid-cols th.tableblock,table.grid-cols td.tableblock{border-width:0 1px 0 0}
+table.grid-all *>tr>.tableblock:last-child,table.grid-cols *>tr>.tableblock:last-child{border-right-width:0}
+table.grid-rows th.tableblock,table.grid-rows td.tableblock{border-width:0 0 1px 0}
+table.grid-all tbody>tr:last-child>th.tableblock,table.grid-all tbody>tr:last-child>td.tableblock,table.grid-all thead:last-child>tr>th.tableblock,table.grid-rows tbody>tr:last-child>th.tableblock,table.grid-rows tbody>tr:last-child>td.tableblock,table.grid-rows thead:last-child>tr>th.tableblock{border-bottom-width:0}
+table.grid-rows tfoot>tr>th.tableblock,table.grid-rows tfoot>tr>td.tableblock{border-width:1px 0 0 0}
+table.frame-all{border-width:1px}
+table.frame-sides{border-width:0 1px}
+table.frame-topbot{border-width:1px 0}
+th.halign-left,td.halign-left{text-align:left}
+th.halign-right,td.halign-right{text-align:right}
+th.halign-center,td.halign-center{text-align:center}
+th.valign-top,td.valign-top{vertical-align:top}
+th.valign-bottom,td.valign-bottom{vertical-align:bottom}
+th.valign-middle,td.valign-middle{vertical-align:middle}
+table thead th,table tfoot th{font-weight:bold}
+tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
+tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold}
+p.tableblock>code:only-child{background:none;padding:0}
+p.tableblock{font-size:1em}
+td>div.verse{white-space:pre}
+ol{margin-left:1.75em}
+ul li ol{margin-left:1.5em}
+dl dd{margin-left:1.125em}
+dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
+ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em}
+ul.unstyled,ol.unnumbered,ul.checklist,ul.none{list-style-type:none}
+ul.unstyled,ol.unnumbered,ul.checklist{margin-left:.625em}
+ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1em;font-size:.85em}
+ul.checklist li>p:first-child>input[type="checkbox"]:first-child{width:1em;position:relative;top:1px}
+ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden}
+ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block}
+ul.inline>li>*{display:block}
+.unstyled dl dt{font-weight:400;font-style:normal}
+ol.arabic{list-style-type:decimal}
+ol.decimal{list-style-type:decimal-leading-zero}
+ol.loweralpha{list-style-type:lower-alpha}
+ol.upperalpha{list-style-type:upper-alpha}
+ol.lowerroman{list-style-type:lower-roman}
+ol.upperroman{list-style-type:upper-roman}
+ol.lowergreek{list-style-type:lower-greek}
+.hdlist>table,.colist>table{border:0;background:none}
+.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
+td.hdlist1{padding-right:.75em;font-weight:bold}
+td.hdlist1,td.hdlist2{vertical-align:top}
+.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
+.colist>table tr>td:first-of-type{padding:0 .75em;line-height:1}
+.colist>table tr>td:last-of-type{padding:.25em 0}
+.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
+.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0}
+.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em}
+.imageblock>.title{margin-bottom:0}
+.imageblock.thumb,.imageblock.th{border-width:6px}
+.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
+.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
+.image.left{margin-right:.625em}
+.image.right{margin-left:.625em}
+a.image{text-decoration:none}
+span.footnote,span.footnoteref{vertical-align:super;font-size:.875em}
+span.footnote a,span.footnoteref a{text-decoration:none}
+span.footnote a:active,span.footnoteref a:active{text-decoration:underline}
+#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
+#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0}
+#footnotes .footnote{padding:0 .375em;line-height:1.3;font-size:.875em;margin-left:1.2em;text-indent:-1.2em;margin-bottom:.2em}
+#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none}
+#footnotes .footnote:last-of-type{margin-bottom:0}
+#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
+.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
+.gist .file-data>table td.line-data{width:99%}
+div.unbreakable{page-break-inside:avoid}
+.big{font-size:larger}
+.small{font-size:smaller}
+.underline{text-decoration:underline}
+.overline{text-decoration:overline}
+.line-through{text-decoration:line-through}
+.aqua{color:#00bfbf}
+.aqua-background{background-color:#00fafa}
+.black{color:#000}
+.black-background{background-color:#000}
+.blue{color:#0000bf}
+.blue-background{background-color:#0000fa}
+.fuchsia{color:#bf00bf}
+.fuchsia-background{background-color:#fa00fa}
+.gray{color:#606060}
+.gray-background{background-color:#7d7d7d}
+.green{color:#006000}
+.green-background{background-color:#007d00}
+.lime{color:#00bf00}
+.lime-background{background-color:#00fa00}
+.maroon{color:#600000}
+.maroon-background{background-color:#7d0000}
+.navy{color:#000060}
+.navy-background{background-color:#00007d}
+.olive{color:#606000}
+.olive-background{background-color:#7d7d00}
+.purple{color:#600060}
+.purple-background{background-color:#7d007d}
+.red{color:#bf0000}
+.red-background{background-color:#fa0000}
+.silver{color:#909090}
+.silver-background{background-color:#bcbcbc}
+.teal{color:#006060}
+.teal-background{background-color:#007d7d}
+.white{color:#bfbfbf}
+.white-background{background-color:#fafafa}
+.yellow{color:#bfbf00}
+.yellow-background{background-color:#fafa00}
+span.icon>.fa{cursor:default}
+.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default}
+.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c}
+.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111}
+.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900}
+.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400}
+.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000}
+.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
+.conum[data-value] *{color:#fff!important}
+.conum[data-value]+b{display:none}
+.conum[data-value]:after{content:attr(data-value)}
+pre .conum[data-value]{position:relative;top:-.125em}
+b.conum *{color:inherit!important}
+.conum:not([data-value]):empty{display:none}
+h1,h2{letter-spacing:-.01em}
+dt,th.tableblock,td.content{text-rendering:optimizeLegibility}
+p,td.content{letter-spacing:-.01em}
+p strong,td.content strong{letter-spacing:-.005em}
+p,blockquote,dt,td.content{font-size:1.0625rem}
+p{margin-bottom:1.25rem}
+.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em}
+.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
+.print-only{display:none!important}
+@media print{@page{margin:1.25cm .75cm}
+*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
+a{color:inherit!important;text-decoration:underline!important}
+a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
+a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
+abbr[title]:after{content:" (" attr(title) ")"}
+pre,blockquote,tr,img{page-break-inside:avoid}
+thead{display:table-header-group}
+img{max-width:100%!important}
+p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
+h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
+#toc,.sidebarblock,.exampleblock>.content{background:none!important}
+#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important}
+.sect1{padding-bottom:0!important}
+.sect1+.sect1{border:0!important}
+#header>h1:first-child{margin-top:1.25rem}
+body.book #header{text-align:center}
+body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0}
+body.book #header .details{border:0!important;display:block;padding:0!important}
+body.book #header .details span:first-child{margin-left:0!important}
+body.book #header .details br{display:block}
+body.book #header .details br+span:before{content:none!important}
+body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
+body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always}
+.listingblock code[data-lang]:before{display:block}
+#footer{background:none!important;padding:0 .9375em}
+#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em}
+.hide-on-print{display:none!important}
+.print-only{display:block!important}
+.hide-for-print{display:none!important}
+.show-for-print{display:inherit!important}}
+</style>
+<style>
+/* Stylesheet for CodeRay to match GitHub theme | MIT License | http://foundation.zurb.com */
+/*pre.CodeRay {background-color:#f7f7f8;}*/
+.CodeRay .line-numbers{border-right:1px solid #d8d8d8;padding:0 0.5em 0 .25em}
+.CodeRay span.line-numbers{display:inline-block;margin-right:.5em;color:rgba(0,0,0,.3)}
+.CodeRay .line-numbers strong{font-weight: normal}
+table.CodeRay{border-collapse:separate;border-spacing:0;margin-bottom:0;border:0;background:none}
+table.CodeRay td{vertical-align: top}
+table.CodeRay td.line-numbers{text-align:right}
+table.CodeRay td.line-numbers>pre{padding:0;color:rgba(0,0,0,.3)}
+table.CodeRay td.code{padding:0 0 0 .5em}
+table.CodeRay td.code>pre{padding:0}
+.CodeRay .debug{color:#fff !important;background:#000080 !important}
+.CodeRay .annotation{color:#007}
+.CodeRay .attribute-name{color:#000080}
+.CodeRay .attribute-value{color:#700}
+.CodeRay .binary{color:#509}
+.CodeRay .comment{color:#998;font-style:italic}
+.CodeRay .char{color:#04d}
+.CodeRay .char .content{color:#04d}
+.CodeRay .char .delimiter{color:#039}
+.CodeRay .class{color:#458;font-weight:bold}
+.CodeRay .complex{color:#a08}
+.CodeRay .constant,.CodeRay .predefined-constant{color:#008080}
+.CodeRay .color{color:#099}
+.CodeRay .class-variable{color:#369}
+.CodeRay .decorator{color:#b0b}
+.CodeRay .definition{color:#099}
+.CodeRay .delimiter{color:#000}
+.CodeRay .doc{color:#970}
+.CodeRay .doctype{color:#34b}
+.CodeRay .doc-string{color:#d42}
+.CodeRay .escape{color:#666}
+.CodeRay .entity{color:#800}
+.CodeRay .error{color:#808}
+.CodeRay .exception{color:inherit}
+.CodeRay .filename{color:#099}
+.CodeRay .function{color:#900;font-weight:bold}
+.CodeRay .global-variable{color:#008080}
+.CodeRay .hex{color:#058}
+.CodeRay .integer,.CodeRay .float{color:#099}
+.CodeRay .include{color:#555}
+.CodeRay .inline{color:#00}
+.CodeRay .inline .inline{background:#ccc}
+.CodeRay .inline .inline .inline{background:#bbb}
+.CodeRay .inline .inline-delimiter{color:#d14}
+.CodeRay .inline-delimiter{color:#d14}
+.CodeRay .important{color:#555;font-weight:bold}
+.CodeRay .interpreted{color:#b2b}
+.CodeRay .instance-variable{color:#008080}
+.CodeRay .label{color:#970}
+.CodeRay .local-variable{color:#963}
+.CodeRay .octal{color:#40e}
+.CodeRay .predefined{color:#369}
+.CodeRay .preprocessor{color:#579}
+.CodeRay .pseudo-class{color:#555}
+.CodeRay .directive{font-weight:bold}
+.CodeRay .type{font-weight:bold}
+.CodeRay .predefined-type{color:inherit}
+.CodeRay .reserved,.CodeRay .keyword {color:#000;font-weight:bold}
+.CodeRay .key{color:#808}
+.CodeRay .key .delimiter{color:#606}
+.CodeRay .key .char{color:#80f}
+.CodeRay .value{color:#088}
+.CodeRay .regexp .delimiter{color:#808}
+.CodeRay .regexp .content{color:#808}
+.CodeRay .regexp .modifier{color:#808}
+.CodeRay .regexp .char{color:#d14}
+.CodeRay .regexp .function{color:#404;font-weight:bold}
+.CodeRay .string{color:#d20}
+.CodeRay .string .string .string{background:#ffd0d0}
+.CodeRay .string .content{color:#d14}
+.CodeRay .string .char{color:#d14}
+.CodeRay .string .delimiter{color:#d14}
+.CodeRay .shell{color:#d14}
+.CodeRay .shell .delimiter{color:#d14}
+.CodeRay .symbol{color:#990073}
+.CodeRay .symbol .content{color:#a60}
+.CodeRay .symbol .delimiter{color:#630}
+.CodeRay .tag{color:#008080}
+.CodeRay .tag-special{color:#d70}
+.CodeRay .variable{color:#036}
+.CodeRay .insert{background:#afa}
+.CodeRay .delete{background:#faa}
+.CodeRay .change{color:#aaf;background:#007}
+.CodeRay .head{color:#f8f;background:#505}
+.CodeRay .insert .insert{color:#080}
+.CodeRay .delete .delete{color:#800}
+.CodeRay .change .change{color:#66f}
+.CodeRay .head .head{color:#f4f}
+</style>
+</head>
+<body class="article">
+<div id="header">
+<div id="toc" class="toc">
+<div id="toctitle">Table of Contents</div>
+<ul class="sectlevel2">
+<li><a href="#_security_framework">Security framework</a></li>
+</ul>
+</div>
+</div>
+<div id="content">
+<div class="sect2">
+<h3 id="_security_framework">Security framework</h3>
+<div class="paragraph">
+<p>Karaf supports <a href="http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a> with some enhancements to allow JAAS to work nicely in an OSGi environment.
+This framework also features an OSGi keystore manager with the ability to deploy new keystores or truststores at runtime.</p>
+</div>
+<div class="sect3">
+<h4 id="_overview">Overview</h4>
+<div class="paragraph">
+<p>This feature allows runtime deployment of JAAS based configuration for use in various parts of the application. This
+includes the remote console login, which uses the <code>karaf</code> realm, but which is configured with a dummy login module
+by default. These realms can also be used by the NMR, JBI components or the JMX server to authenticate users logging in
+or sending messages into the bus.</p>
+</div>
+<div class="paragraph">
+<p>In addition to JAAS realms, you can also deploy keystores and truststores to secure the remote shell console, setting up HTTPS connectors or using certificates for WS-Security.</p>
+</div>
+<div class="paragraph">
+<p>A very simple XML schema for spring has been defined, allowing the deployment of a new realm or a new keystore very easily.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_schema">Schema</h4>
+<div class="paragraph">
+<p>To override or deploy a new realm, you can use the following XSD which is supported by a Spring namespace handler and can thus be defined in a Spring xml configuration file.</p>
+</div>
+<div class="paragraph">
+<p>Following is the XML Schema to use when defining Karaf realms.</p>
+</div>
+<div class="paragraph">
+<p>You can find the schema at the following location: <a href="http://karaf.apache.org/xmlns/jaas/v1.1.0" class="bare">http://karaf.apache.org/xmlns/jaas/v1.1.0</a></p>
+</div>
+<div class="paragraph">
+<p>Here are two examples using this schema:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
+           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;!-- Bean to allow the $[karaf.base] property to be correctly resolved --&gt;
+    &lt;ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/&gt;
+
+    &lt;jaas:config name="myrealm"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = $[karaf.base]/etc/users.properties
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
+               name="ks"
+               rank="1"
+               path="classpath:privatestore.jks"
+               keystorePassword="keyStorePassword"
+               keyPasswords="myalias=myAliasPassword"&gt;
+&lt;/jaas:keystore&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The <code>id</code> attribute is the blueprint id of the bean, but it will be used by default as the name of the realm if no
+<code>name</code> attribute is specified. Additional attributes on the <code>config</code> elements are a <code>rank</code>, which is an integer.
+When the LoginContext looks for a realm for authenticating a given user, the realms registered in the OSGi registry are
+matched against the required name. If more than one realm is found, the one with the highest rank will be used, thus
+allowing the override of some realms with new values.  The last attribute is <code>publish</code> which can be set to false to
+not publish the realm in the OSGi registry, thereby disabling the use of this realm.</p>
+</div>
+<div class="paragraph">
+<p>Each realm can contain one or more module definitions. Each module identifies a LoginModule and the <code>className</code>
+attribute must be set to the class name of the login module to use. Note that this login module must be available from
+the bundle classloader, so either it has to be defined in the bundle itself, or the needed package needs to be correctly
+imported.
+The content of the <code>module</code> element is parsed as a properties file and will be used to further configure the login module.</p>
+</div>
+<div class="paragraph">
+<p>Deploying such a code will lead to a JaasRealm object in the OSGi registry, which will then be used when using the JAAS login module.</p>
+</div>
+<div class="sect4">
+<h5 id="_configuration_override_and_use_of_the_code_rank_code_attribute">Configuration override and use of the <code>rank</code> attribute</h5>
+<div class="paragraph">
+<p>The <code>rank</code> attribute on the <code>config</code> element is tied to the ranking of the underlying OSGi service.  When the JAAS
+framework performs an authentication, it will use the realm name to find a matching JAAS configuration.  If multiple
+configurations are used, the one with the highest <code>rank</code> attribute will be used.
+So if you want to override the default security configuration in Karaf (which is used by the ssh shell, web console and
+JMX layer), you need to deploy a JAAS configuration with the name <code>name="karaf"</code> and <code>rank="1"</code>.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
+           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;!-- Bean to allow the $[karaf.base] property to be correctly resolved --&gt;
+    &lt;ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/&gt;
+
+    &lt;type-converters&gt;
+        &lt;bean class="org.apache.karaf.jaas.modules.properties.PropertiesConverter"/&gt;
+    &lt;/type-converters&gt;
+
+    &lt;jaas:config name="karaf" rank="1"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = $[karaf.base]/etc/users.properties
+            ...
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_architecture">Architecture</h4>
+<div class="paragraph">
+<p>Due to constraints in the JAAS specification, one class has to be available for all bundles.
+This class is called ProxyLoginModule and is a LoginModule that acts as a proxy for an OSGi defines LoginModule.
+If you plan to integrate this feature into another OSGi runtime, this class must be made available from the system classloader and the related package be part of the boot delegation classpath (or be deployed as a fragment attached to the system bundle).</p>
+</div>
+<div class="paragraph">
+<p>The xml schema defined above allows the use of a simple xml (leveraging spring xml extensibility) to configure and
+register a JAAS configuration for a given realm.  This configuration will be made available into the OSGi registry as a
+JaasRealm and the OSGi specific Configuration will look for such services.
+Then the proxy login module will be able to use the information provided by the realm to actually load the class from
+the bundle containing the real login module.</p>
+</div>
+<div class="paragraph">
+<p>Karaf itself provides a set of login modules ready to use, depending of the authentication backend that you need.</p>
+</div>
+<div class="paragraph">
+<p>In addition of the login modules, Karaf also support backend engine. The backend engine is coupled to a login module and
+allows you to manipulate users and roles directly from Karaf (adding a new user, delete an existing user, etc).
+The backend engine is constructed by a backend engine factory, registered as an OSGi service.
+Some login modules (for security reason for instance) don&#8217;t provide backend engine.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_available_realm_and_login_modules">Available realm and login modules</h4>
+<div class="paragraph">
+<p>Karaf comes with a default realm named "karaf" using login modules.</p>
+</div>
+<div class="paragraph">
+<p>Karaf also provides a set of login modules and backend engines to handle authentication needs for your environment.</p>
+</div>
+<div class="sect4">
+<h5 id="_propertiesloginmodule">PropertiesLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.properties.PropertiesLoginModule</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.properties.PropertiesBackendEngineFactory</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>This login module is the one configured by default. It uses a properties text file to load the users, passwords and roles.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>users</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">location of the properties file</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>This file uses the <a href="http://download.oracle.com/javase/6/docs/api/java/util/Properties.html#load(java.io.Reader)">properties file format</a>.
+The format of the properties is as follows, with each line defining a user, its password and associated roles:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>user=password[,role][,role]...</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = ${karaf.etc}/users.properties
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The PropertiesLoginModule provides a backend engine allowing:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>add a new user</p>
+</li>
+<li>
+<p>delete an existing user</p>
+</li>
+<li>
+<p>list the users, groups, and roles</p>
+</li>
+<li>
+<p>add a new role to an user</p>
+</li>
+<li>
+<p>delete a role from an user</p>
+</li>
+<li>
+<p>add an user into a group</p>
+</li>
+<li>
+<p>remove an user from a group</p>
+</li>
+<li>
+<p>add a role to a group</p>
+</li>
+<li>
+<p>delete a role from a group</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>To enable the backend engine, you have to register the corresponding OSGi service. For instance, the following blueprint
+shows how to register the PropertiesLoginModule and the corresponding backend engine:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
+           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="-1"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                     flags="required"&gt;
+            users = ${karaf.etc}/users.properties
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean class="org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_osgiconfigloginmodule">OsgiConfigLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">N/A</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The OsgiConfigLoginModule uses the OSGi ConfigurationAdmin service to provide the users, passwords and roles.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>pid</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">the PID of the configuration containing user definitions</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The format of the configuration is the same than for the <code>PropertiesLoginModule</code> with properties prefixed with <code>user.</code>.</p>
+</div>
+<div class="paragraph">
+<p>For instance, in the Karaf etc folder, we create a file <code>org.apache.karaf.authentication.cfg</code> containing:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>user.karaf=karaf,admin
+user.user=password,role</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The following blueprint shows how to use this configuration:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="-1"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.osgi.OsgiConfigLoginModule"
+                     flags="required"&gt;
+            pid = org.apache.karaf.authentication
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The OsgiConfigLoginModule doesn&#8217;t provide a backend engine.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_jdbcloginmodule">JDBCLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.jdbc.JDBCBackendEngineFactory</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The JDBCLoginModule uses a database to load the users, passwords and roles from a provided data source <em>(normal or XA)</em>.
+The data source and the queries for password and role retrieval are configurable using the following parameters.</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>datasource</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The datasource as on OSGi ldap filter or as JDNI name</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>query.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The SQL query that retries the password of the user</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>query.role</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The SQL query that retries the roles of the user</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p><strong>Passing a data source as an OSGi ldap filter</strong></p>
+</div>
+<div class="paragraph">
+<p>To use an OSGi ldap filter, the prefix osgi: needs to be provided, as shown below:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+        datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+        query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p><strong>Passing a data source as a JNDI name</strong></p>
+</div>
+<div class="paragraph">
+<p>To use an JNDI name, the prefix jndi: needs to be provided. The example below assumes the use of Aries jndi to expose
+services via JNDI.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+        datasource = jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+        query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+        query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The JDBCLoginModule provides a backend engine allowing:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>add a new user</p>
+</li>
+<li>
+<p>delete an user</p>
+</li>
+<li>
+<p>list users, roles</p>
+</li>
+<li>
+<p>add a new role to an user</p>
+</li>
+<li>
+<p>remove a role from an user</p>
+</li>
+</ul>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The groups are not fully supported by the JDBCBackingEngine.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>The following blueprint shows how to define the JDBCLoginModule with the corresponding backend engine:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"&gt;
+
+    &lt;jaas:config name="karaf"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
+                 flags="required"&gt;
+            datasource = jndi:aries:services/javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
+            query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
+            query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
+            insert.user = INSERT INTO USERS(USERNAME,PASSWORD) VALUES(?,?)
+            insert.role = INSERT INTO ROLES(ROLE,USERNAME) VALUES(?,?)
+            delete.user = DELETE FROM USERS WHERE USERNAME=?
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean class="org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_ldaploginmodule">LDAPLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.ldap.LDAPLoginModule</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">N/A</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The LDAPLoginModule uses LDAP to load the users and roles and bind the users on the LDAP to check passwords.</p>
+</div>
+<div class="paragraph">
+<p>The LDAPLoginModule supports the following parameters:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>connection.url</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP connection URL, e.g. ldap://hostname</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>connection.username</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin username to connect to the LDAP. This parameter is optional, if it&#8217;s not provided, the LDAP connection will be anonymous.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>connection.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin password to connect to the LDAP. Only used if the <code>connection.username</code> is specified.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>user.base.dn</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP base DN used to looking for user, e.g. ou=user,dc=apache,dc=org</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>user.filter</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP filter used to looking for user, e.g. (uid=%u) where %u will be replaced by the username.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>user.search.subtree</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true", the user lookup will be recursive (SUBTREE). If "false", the user lookup will be performed only at the first level (ONELEVEL).</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.base.dn</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP base DN used to looking for roles, e.g. ou=role,dc=apache,dc=org</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.filter</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP filter used to looking for user&#8217;s role, e.g. (member:=uid=%u)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.name.attribute</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The LDAP role attribute containing the role string used by Karaf, e.g. cn</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.search.subtree</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true", the role lookup will be recursive (SUBTREE). If "false", the role lookup will be performed only at the first level (ONELEVEL).</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.mapping</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define a mapping between roles defined in the LDAP directory for the user, and corresponding roles in Karaf. The format is ldapRole1=karafRole1,karafRole2;ldapRole2=karafRole3,karafRole4.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>authentication</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define the authentication backend used on the LDAP server. The default is simple.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>initial.context.factory</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Define the initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">`ssl</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">If "true" or if the protocol on the <code>connection.url</code> is <code>ldaps</code>, an SSL connection will be used</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.provider</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The provider name to use for SSL</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.protocol</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The protocol name to use for SSL (SSL for example)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.algorithm</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The algorithm to use for the KeyManagerFactory and TrustManagerFactory (PKIX for example)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.keystore</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The key store name to use for SSL. The key store must be deployed using a <code>jaas:keystore</code> configuration.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.keyalias</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The key alias to use for SSL</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ssl.truststore</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The trust store name to use for SSL. The trust store must be deployed using a <code>jaas:keystore</code> configuration.</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A example of LDAPLoginModule usage follows:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+  &lt;jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required"&gt;
+        connection.url = ldap://localhost:389
+        user.base.dn = ou=user,dc=apache,dc=org
+        user.filter = (cn=%u)
+        user.search.subtree = true
+        role.base.dn = ou=group,dc=apache,dc=org
+        role.filter = (member:=uid=%u)
+        role.name.attribute = cn
+        role.search.subtree = true
+        authentication = simple
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>If you wish to use an SSL connection, the following configuration can be used as an example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;ext:property-placeholder /&gt;
+
+&lt;jaas:config name="karaf" rank="1"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required"&gt;
+        connection.url = ldaps://localhost:10636
+        user.base.dn = ou=users,ou=system
+        user.filter = (uid=%u)
+        user.search.subtree = true
+        role.base.dn = ou=groups,ou=system
+        role.filter = (uniqueMember=uid=%u)
+        role.name.attribute = cn
+        role.search.subtree = true
+        authentication = simple
+        ssl.protocol=SSL
+        ssl.truststore=ks
+        ssl.algorithm=PKIX
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;
+
+&lt;jaas:keystore name="ks"
+               path="file:///${karaf.home}/etc/trusted.ks"
+               keystorePassword="secret" /&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The LDAPLoginModule supports the following patterns that you can use in the filter (user and role filters):</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><code>%u</code> is replaced by the user</p>
+</li>
+<li>
+<p><code>%dn</code> is replaced by the user DN</p>
+</li>
+<li>
+<p><code>%fqdn</code> is replaced by the user full qualified DN (<code>userDNNamespace</code>).</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>For instance, the following configuration will work properly with ActiveDirectory (adding the ActiveDirectory to the
+default <code>karaf</code> realm):</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf" rank="2"&gt;
+  &lt;jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required"&gt;
+    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+    connection.username=admin
+    connection.password=xxxxxxx
+    connection.protocol=
+    connection.url=ldap://activedirectory_host:389
+    user.base.dn=ou=Users,ou=there,DC=local
+    user.filter=(sAMAccountName=%u)
+    user.search.subtree=true
+    role.base.dn=ou=Groups,ou=there,DC=local
+    role.name.attribute=cn
+    role.filter=(member=%nsdn)
+    role.search.subtree=true
+    authentication=simple
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The LDAPLoginModule doesn&#8217;t provide backend engine. It means that the administration of the users and roles should be
+performed directly on the LDAP backend.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_syncopeloginmodule">SyncopeLoginModule</h5>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">LoginModule</th>
+<th class="tableblock halign-left valign-top">BackendEngineFactory</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>org.apache.karaf.jaas.modules.syncope.SyncopeBackendEngineFactory</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The Syncope login module uses the Syncope REST API to authenticate users and retrieve the roles.</p>
+</div>
+<div class="paragraph">
+<p>The Syncope login module just requires one parameter:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>address</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Location of the Syncope REST API</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>admin.user</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin username to administrate Syncope (only required by the backend engine)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>admin.password</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Admin password to administrate Syncope (only required by the backend engine)</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>The following snippet shows how to use Syncope with the karaf realm:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf" rank="2"&gt;
+  &lt;jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule" flags="required"&gt;
+    address=http://localhost:9080/syncope/cxf
+    admin.user=admin
+    admin.password=password
+  &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>SyncopeLoginModule comes with a backend engine allowing to manipulate users and roles. You have to register the
+SyncopeBackendEngineFactory service.</p>
+</div>
+<div class="paragraph">
+<p>For security reason, the SyncopeLoginModule backend engine allows only to list users and roles. You can&#8217;t create or delete
+users and roles directly from Karaf. To do it, you have to use the Syncope web console.</p>
+</div>
+<div class="paragraph">
+<p>For instance, the following blueprint descriptor enables the SyncopeLoginModule and the backend engine factory:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
+&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
+           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"&gt;
+
+    &lt;jaas:config name="karaf" rank="2"&gt;
+        &lt;jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule"
+                     flags="required"&gt;
+           address=http://localhost:9080/syncope/cxf
+           admin.user=admin
+           admin.password=password
+        &lt;/jaas:module&gt;
+    &lt;/jaas:config&gt;
+
+    &lt;service interface="org.apache.karaf.jaas.modules.BackingEngineFactory"&gt;
+        &lt;bean class="org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory"/&gt;
+    &lt;/service&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_encryption_service">Encryption service</h4>
+<div class="paragraph">
+<p>The EncryptionService is a service registered in the OSGi registry providing means to encrypt and check encrypted passwords.
+This service acts as a factory for Encryption objects actually performing the encryption.</p>
+</div>
+<div class="paragraph">
+<p>This service is used in all Karaf login modules to support encrypted passwords.</p>
+</div>
+<div class="sect4">
+<h5 id="_configuring_properties">Configuring properties</h5>
+<div class="paragraph">
+<p>Each login module supports the following additional set of properties:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.name</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of the encryption service registered in OSGi</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.enabled</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Boolean used to turn on encryption</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.prefix</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Prefix for encrypted passwords</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.suffix</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Suffix for encrypted passwords</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.algorithm</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of an algorithm to be used for hashing, like "MD5" or "SHA-1"</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>encryption.encoding</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Encrypted passwords encoding (can be <code>hexadecimal</code> or <code>base64</code>)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.policy</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">A policy for identifying roles (can be <code>prefix</code> or <code>group</code>)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>role.discriminator</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">A discriminator value to be used by the role policy</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A simple example follows:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        encryption.enabled = true
+        encryption.algorithm = MD5
+        encryption.encoding = hexadecimal
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_prefix_and_suffix">Prefix and suffix</h5>
+<div class="paragraph">
+<p>The login modules have the ability to support both encrypted and plain passwords at the same time.
+In some cases, some login modules may be able to encrypt the passwords on the fly and save them back in an encrypted form.</p>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_jasypt">Jasypt</h5>
+<div class="paragraph">
+<p>Karaf default installation comes with a simple encryption service which usually fullfill simple needs. However, in some
+cases, you may want to install the <a href="http://www.jasypt.org/">Jasypt</a> library which provides stronger encryption algorithms
+and more control over them.</p>
+</div>
+<div class="paragraph">
+<p>To install the Jasypt library, the easiest way is to install the available feature:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>karaf@root&gt; features:install jasypt-encryption</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>It will download and install the required bundles and also register an <code>EncryptionService</code> for Jasypt in the OSGi registry.</p>
+</div>
+<div class="paragraph">
+<p>When configuring a login module to use Jasypt, you need to specify the <code>encryption.name</code> property and set it to a value of <code>jasypt</code> to make sure the Jasypt encryption service will be used.</p>
+</div>
+<div class="paragraph">
+<p>In addition to the standard properties above, the Jasypt service provides the following parameters:</p>
+</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 50%;">
+<col style="width: 50%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>providerName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Name of the <code>java.security.Provider</code> name to use for obtaining the digest algorithm</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>providerClassName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Class name for the security provider to be used for obtaining the digest algorithm</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>iterations</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Number of times the hash function will be applied recursively</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>saltSizeBytes</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Size of the salt to be used to compute the digest</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>saltGeneratorClassName</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Class name of the salt generator</p></td>
+</tr>
+</tbody>
+</table>
+<div class="paragraph">
+<p>A typical realm definition using Jasypt encryption service would look like:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        encryption.enabled = true
+        encryption.name = jasypt
+        encryption.algorithm = SHA-256
+        encryption.encoding = base64
+        encryption.iterations = 100000
+        encryption.saltSizeBytes = 16
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_using_encrypted_property_placeholders">Using encrypted property placeholders</h5>
+<div class="paragraph">
+<p>When using blueprint framework for OSGi for configuring devices that requires passwords like JDBC datasources,
+it is undesirable to use plain text passwords in configuration files. To avoid this problem it is good to store database
+passwords in encrypted format and use encrypted property placeholders when ever possible.</p>
+</div>
+<div class="paragraph">
+<p>Encrypted properties can be stored in plain properties files. The encrypted content is wrapped by an ENC() function.</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>#db.cfg / db.properties
+db.url=localhost:9999
+db.username=admin
+db.password=ENC(zRM7Pb/NiKyCalroBz8CKw==)</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The encrypted property placeholders can be used either by defining Apache Aries ConfigAdmin <code>property-placeholder</code>
+or by directly using the Apache Karaf <code>property-placeholder</code>. It has one child element <code>encryptor</code> that contains
+the actual Jasypt configuration. For detailed information on how to configure the different Jasypt encryptors, see the
+<a href="http://www.jasypt.org/general-usage.html">Jasypt documentation</a>.</p>
+</div>
+<div class="paragraph">
+<p>A typical definition using Jasypt encryption would look like:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
+           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"
+           xmlns:enc="http://karaf.apache.org/xmlns/jasypt/v1.0.0"&gt;
+
+  &lt;!-- Configuration via ConfigAdmin property-placeholder --&gt;
+  &lt;!-- the etc/*.cfg can contain encrypted values with ENC() function --&gt;
+  &lt;cm:property-placeholder persistent-id="db" update-strategy="reload"&gt;
+    &lt;cm:default-properties&gt;
+      &lt;cm:property name="encoded" value="ENC(${foo})"/&gt;
+    &lt;/cm:default-properties&gt;
+  &lt;/cm:property-placeholder&gt;
+
+  &lt;!-- Configuration via properties file --&gt;
+  &lt;!-- Instead of ConfigAdmin, we can load "regular" properties file from a location --&gt;
+  &lt;!-- Again, the db.properties file can contain encrypted values with ENC() function --&gt;
+  &lt;ext:property-placeholder&gt;
+    &lt;ext:location&gt;file:etc/db.properties&lt;/ext:location&gt;
+  &lt;/ext:property-placeholder&gt;
+
+  &lt;enc:property-placeholder&gt;
+    &lt;enc:encryptor class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
+      &lt;property name="config"&gt;
+        &lt;bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"&gt;
+          &lt;property name="algorithm" value="PBEWithMD5AndDES"/&gt;
+          &lt;property name="passwordEnvName" value="ENCRYPTION_PASSWORD"/&gt;
+        &lt;/bean&gt;
+      &lt;/property&gt;
+    &lt;/enc:encryptor&gt;
+  &lt;/enc:property-placeholder&gt;
+
+  &lt;!-- ... --&gt;
+
+&lt;/blueprint&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Don&#8217;t forget to install the jasypt feature to add the support of the enc namespace:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>karaf@root()&gt; feature:install jasypt-encryption</pre>
+</div>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_role_discovery_policies">Role discovery policies</h4>
+<div class="paragraph">
+<p>The JAAS specification does not provide means to distinguish between User and Role Principals without referring to the
+specification classes. In order to provide means to the application developer to decouple the application from Karaf
+JAAS implementation role policies have been created.</p>
+</div>
+<div class="paragraph">
+<p>A role policy is a convention that can be adopted by the application in order to identify Roles, without depending from the implementation.
+Each role policy can be cofigured by setting a "role.policy" and "role.discriminator" property to the login module configuration.
+Currently, Karaf provides two policies that can be applied to all Karaf Login Modules.</p>
+</div>
+<div class="olist arabic">
+<ol class="arabic">
+<li>
+<p>Prefixed Roles</p>
+</li>
+<li>
+<p>Grouped Roles</p>
+</li>
+</ol>
+</div>
+<div class="paragraph">
+<p><strong>Prefixed Roles</strong></p>
+</div>
+<div class="paragraph">
+<p>When the prefixed role policy is used the login module applies a configurable prefix <code>(property role.discriminator)</code> to
+the role, so that the application can identify the role&#8217;s principals by its prefix. Example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        role.policy = prefix
+        role.discriminator = ROLE_
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="paragraph">
+<p>The application can identify the role principals using a snippet like this:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>LoginContext ctx = new LoginContext("karaf", handler);
+ctx.login();
+authenticated = true;
+subject = ctx.getSubject();
+for (Principal p : subject.getPrincipals()) {
+   	if (p.getName().startsWith("ROLE_")) {
+   	   	roles.add((p.getName().substring("ROLE_".length())));
+   	}
+}</pre>
+</div>
+</div>
+<div class="paragraph">
+<p><strong>Grouped Roles</strong></p>
+</div>
+<div class="paragraph">
+<p>When the group role policy is used the login module provides all roles as members of a group with a configurable name <code>(property role.discriminator)</code>. Example:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>&lt;jaas:config name="karaf"&gt;
+    &lt;jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
+                 flags="required"&gt;
+        users = $[karaf.base]/etc/users.properties
+        role.policy = group
+        role.discriminator = ROLES
+    &lt;/jaas:module&gt;
+&lt;/jaas:config&gt;</pre>
+</div>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>LoginContext ctx = new LoginContext("karaf", handler);
+ctx.login();
+authenticated = true;
+subject = ctx.getSubject();
+for (Principal p : subject.getPrincipals()) {
+    if ((p instanceof Group) &amp;&amp; ("ROLES".equalsIgnoreCase(p.getName()))) {
+        Group g = (Group) p;
+        Enumeration&lt;? extends Principal&gt; members = g.members();
+        while (members.hasMoreElements()) {
+            Principal member = members.nextElement();
+            roles.add(member.getName());
+        }
+    }
+}</pre>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_default_role_policies">Default role policies</h4>
+<div class="paragraph">
+<p>The previous section describes how to leverage role policies. However, Karaf provides a default role policy, based on the following class names:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>org.apache.karaf.jaas.modules.UserPrincipal</p>
+</li>
+<li>
+<p>org.apache.karaf.jaas.modules.RolePrincipal</p>
+</li>
+<li>
+<p>org.apache.karaf.jaas.modules.GroupPrincipal</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>It allows you to directly handling the role class:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre>String rolePrincipalClass = "org.apache.karaf.jaas.modules.RolePrincipal";
+
+for (Principal p : subject.getPrincipals()) {
+	if (p.getClass().getName().equals(rolePrincipalClass)) {
+		roles.add(p.getName());
+	}
+}</pre>
+</div>
+</div>
+</div>
+</div>
+</div>
+<div id="footer">
+<div id="footer-text">
+Last updated 2016-04-28 17:06:42 CEST
+</div>
+</div>
+</body>
+</html>
\ No newline at end of file
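Review bot: The SyncopeLoginModule section names the backend factory inconsistently: the class table and the paragraph after the first snippet say org.apache.karaf.jaas.modules.syncope.SyncopeBackendEngineFactory, while the blueprint descriptor registers org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory under the org.apache.karaf.jaas.modules.BackingEngineFactory interface. A reader copying the name from the table gets a class the blueprint example does not use, so please settle on one spelling throughout. The same section says the module "just requires one parameter" above a table of three (address, admin.user, admin.password); since the table marks the two admin entries as "only required by the backend engine", say that address is the one required parameter and the other two are optional. In the LDAP part, the ActiveDirectory example uses role.filter=(member=%nsdn), but the pattern list documents only %u, %dn and %fqdn; either document %nsdn or change the example to a listed pattern. The examples also steer readers toward weak settings: encryption.algorithm = MD5 in the "simple example", "MD5" or "SHA-1" as the suggested hashing algorithms in the property table, ssl.protocol=SSL in the ldaps example, and PBEWithMD5AndDES for the encrypted placeholders. The Jasypt realm example already shows SHA-256 with a salt and iterations, so consider showing the stronger values first or stating that the weak ones are for illustration only. Smaller points: the install command is written features:install in the Jasypt section and feature:install at the end of the placeholder section, the "Prefix and suffix" section never explains how encryption.prefix and encryption.suffix mark an encrypted value, the second Grouped Roles listing has no introducing sentence, and there are typos ("A example", "fullfill", "cofigured", "when ever", "allows you to directly handling").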