You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ace.apache.org by bu...@apache.org on 2012/04/25 13:35:39 UTC
svn commit: r814378 - in /websites/staging/ace/trunk/content: ./
dev-doc/design/ace-authentication.html
dev-doc/design/auth_connectionfactory.svg
Author: buildbot
Date: Wed Apr 25 11:35:39 2012
New Revision: 814378
Log:
Staging update by buildbot for ace
Modified:
websites/staging/ace/trunk/content/ (props changed)
websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg
Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Apr 25 11:35:39 2012
@@ -1 +1 @@
-1330182
+1330212
Modified: websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
==============================================================================
--- websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html (original)
+++ websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html Wed Apr 25 11:35:39 2012
@@ -162,8 +162,8 @@ In this article, the recently added auth
<p><img alt="Figure 1: Overview of components and communication paths in ACE" src="auth_main_components.svg" title="Figure 1: Overview of components and communication paths" /></p>
<p>In figure 1, several communication paths exists (denoted by the circled digits):</p>
<ol>
-<li>the client communicates to the server by means of both direct calls to its services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup>);</li>
-<li>a management agent (representing the target) communicates to the management server through HTTP calls;</li>
+<li>the client communicates to the ACE server by means of both direct calls to its services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup>);</li>
+<li>a management agent (representing the target) communicates to the ACE server through HTTP calls;</li>
<li>the REST API exposes the entire client API in a RESTful way. Communication to the client occurs by both direct calls as well as through HTTP;</li>
<li>the Vaadin Web UI exposes the entire client API as web application. Similar as the REST API, it communicates both directly as through HTTP with the client.</li>
</ol>
@@ -264,86 +264,86 @@ In this article, the recently added auth
<p>To make this more concrete, an example of how the <code>BundleServlet</code> is to be configured:</p>
<h4 id="service-configuration">Service configuration</h4>
<p>The service configuration, located in <code>org.apache.ace.obr.servlet.cfg</code>, looks like:</p>
-<div class="codehilite"><pre><span class="c1"># Endpoint for this servlet</span>
-<span class="n">org</span><span class="o">.</span><span class="n">apache</span><span class="o">.</span><span class="n">ace</span><span class="o">.</span><span class="n">server</span><span class="o">.</span><span class="n">servlet</span><span class="o">.</span><span class="n">endpoint</span><span class="o">=/</span><span class="n">obr</span>
-<span class="c1"># Whether or not authentication is to be used</span>
-<span class="n">authentication</span><span class="o">.</span><span class="n">enabled</span> <span class="o">=</span> <span class="n">true</span>
+<div class="codehilite"><pre><span class="c"># Endpoint for this servlet</span>
+<span class="na">org.apache.ace.server.servlet.endpoint</span><span class="o">=</span><span class="s">/obr</span>
+<span class="c"># Whether or not authentication is to be used</span>
+<span class="na">authentication.enabled</span> <span class="o">=</span> <span class="s">true</span>
</pre></div>
<p>In <code>BundleServlet</code> we add the following code:</p>
-<div class="codehilite"><pre><span class="n">private</span> <span class="n">volatile</span> <span class="n">boolean</span> <span class="n">m_useAuth</span><span class="p">;</span>
-<span class="n">private</span> <span class="n">volatile</span> <span class="n">AuthenticationService</span> <span class="n">m_authService</span><span class="p">;</span>
+<div class="codehilite"><pre><span class="kd">private</span> <span class="kd">volatile</span> <span class="kt">boolean</span> <span class="n">m_useAuth</span><span class="o">;</span>
+<span class="kd">private</span> <span class="kd">volatile</span> <span class="n">AuthenticationService</span> <span class="n">m_authService</span><span class="o">;</span>
-<span class="sr">//</span> <span class="o">...</span>
+<span class="c1">// ...</span>
-<span class="n">public</span> <span class="n">void</span> <span class="n">updated</span><span class="p">(</span><span class="n">Dictionary</span> <span class="n">settings</span><span class="p">)</span> <span class="n">throws</span> <span class="n">ConfigurationException</span> <span class="p">{</span>
- <span class="k">if</span> <span class="p">(</span><span class="n">settings</span> <span class="o">!=</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">String</span> <span class="n">useAuthString</span> <span class="o">=</span> <span class="p">(</span><span class="n">String</span><span class="p">)</span> <span class="n">settings</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s">"authentication.enabled"</span><span class="p">);</span>
- <span class="k">if</span> <span class="p">(</span><span class="n">useAuthString</span> <span class="o">==</span> <span class="n">null</span> <span class="o">||</span> <span class="o">!</span><span class="p">(</span><span class="s">"true"</span><span class="o">.</span><span class="n">equalsIgnoreCase</span><span class="p">(</span><span class="n">useAuthString</span><span class="p">)</span> <span class="o">||</span> <span class="s">"false"</span><span class="o">.</span><span class="n">equalsIgnoreCase</span><span class="p">(</span><span class="n">useAuthString</span><span class="p">)))</span> <span class="p">{</span>
- <span class="n">throw</span> <span class="k">new</span> <span class="n">ConfigurationException</span><span class="p">(</span><span class="s">"authentication.enabled"</span><span class="p">,</span> <span class="s">"Missing or invalid value!"</span><span class="p">);</span>
- <span class="p">}</span>
- <span class="n">boolean</span> <span class="n">useAuth</span> <span class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span class="n">parseBoolean</span><span class="p">(</span><span class="n">useAuthString</span><span class="p">);</span>
-
- <span class="n">m_useAuth</span> <span class="o">=</span> <span class="n">useAuth</span><span class="p">;</span>
- <span class="p">}</span>
- <span class="k">else</span> <span class="p">{</span>
- <span class="n">m_useAuth</span> <span class="o">=</span> <span class="n">false</span><span class="p">;</span>
- <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="sr">//</span> <span class="o">...</span>
-
-<span class="o">/**</span>
- <span class="o">*</span> <span class="n">Called</span> <span class="n">by</span> <span class="n">Dependency</span> <span class="n">Manager</span> <span class="n">upon</span> <span class="n">initialization</span> <span class="n">of</span> <span class="n">this</span> <span class="n">component</span><span class="o">.</span>
- <span class="o">*/</span>
-<span class="n">protected</span> <span class="n">void</span> <span class="n">init</span><span class="p">(</span><span class="n">Component</span> <span class="n">comp</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">comp</span><span class="o">.</span><span class="n">add</span><span class="p">(</span><span class="n">m_dm</span><span class="o">.</span><span class="n">createServiceDependency</span><span class="p">()</span>
- <span class="o">.</span><span class="n">setService</span><span class="p">(</span><span class="n">AuthenticationService</span><span class="o">.</span><span class="n">class</span><span class="p">)</span>
- <span class="o">.</span><span class="n">setRequired</span><span class="p">(</span><span class="n">m_useAuth</span><span class="p">)</span>
- <span class="o">.</span><span class="n">setInstanceBound</span><span class="p">(</span><span class="n">true</span><span class="p">)</span>
- <span class="p">);</span>
-<span class="p">}</span>
+<span class="kd">public</span> <span class="kt">void</span> <span class="nf">updated</span><span class="o">(</span><span class="n">Dictionary</span> <span class="n">settings</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">ConfigurationException</span> <span class="o">{</span>
+ <span class="k">if</span> <span class="o">(</span><span class="n">settings</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+ <span class="n">String</span> <span class="n">useAuthString</span> <span class="o">=</span> <span class="o">(</span><span class="n">String</span><span class="o">)</span> <span class="n">settings</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"authentication.enabled"</span><span class="o">);</span>
+ <span class="k">if</span> <span class="o">(</span><span class="n">useAuthString</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="o">!(</span><span class="s">"true"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">useAuthString</span><span class="o">)</span> <span class="o">||</span> <span class="s">"false"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">useAuthString</span><span class="o">)))</span> <span class="o">{</span>
+ <span class="k">throw</span> <span class="k">new</span> <span class="nf">ConfigurationException</span><span class="o">(</span><span class="s">"authentication.enabled"</span><span class="o">,</span> <span class="s">"Missing or invalid value!"</span><span class="o">);</span>
+ <span class="o">}</span>
+ <span class="kt">boolean</span> <span class="n">useAuth</span> <span class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span class="na">parseBoolean</span><span class="o">(</span><span class="n">useAuthString</span><span class="o">);</span>
+
+ <span class="n">m_useAuth</span> <span class="o">=</span> <span class="n">useAuth</span><span class="o">;</span>
+ <span class="o">}</span>
+ <span class="k">else</span> <span class="o">{</span>
+ <span class="n">m_useAuth</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span>
+ <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="c1">// ...</span>
+
+<span class="cm">/**</span>
+<span class="cm"> * Called by Dependency Manager upon initialization of this component.</span>
+<span class="cm"> */</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">(</span><span class="n">Component</span> <span class="n">comp</span><span class="o">)</span> <span class="o">{</span>
+ <span class="n">comp</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">m_dm</span><span class="o">.</span><span class="na">createServiceDependency</span><span class="o">()</span>
+ <span class="o">.</span><span class="na">setService</span><span class="o">(</span><span class="n">AuthenticationService</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
+ <span class="o">.</span><span class="na">setRequired</span><span class="o">(</span><span class="n">m_useAuth</span><span class="o">)</span>
+ <span class="o">.</span><span class="na">setInstanceBound</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span>
+ <span class="o">);</span>
+<span class="o">}</span>
</pre></div>
<p>As almost all of the services in ACE are managed by the Dependency Manager, we can leverage its dynamics to inject our <code>BundleServlet</code> with an instance of the <code>AuthenticationService</code> and provide us with a configuration<sup id="fnref:5"><a href="#fn:5" rel="footnote">5</a></sup>. </p>
<h4 id="implemention">Implemention</h4>
<p>The actual authentication implementation itself is rather trivial: we simply intercept all incoming requests in our servlet and verify whether it resolves to a valid user:</p>
-<div class="codehilite"><pre><span class="nv">@Override</span>
-<span class="n">protected</span> <span class="n">void</span> <span class="n">service</span><span class="p">(</span><span class="n">HttpServletRequest</span> <span class="n">req</span><span class="p">,</span> <span class="n">HttpServletResponse</span> <span class="n">resp</span><span class="p">)</span> <span class="n">throws</span> <span class="n">ServletException</span><span class="p">,</span> <span class="n">IOException</span> <span class="p">{</span>
- <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">authenticate</span><span class="p">(</span><span class="n">req</span><span class="p">))</span> <span class="p">{</span>
- <span class="sr">//</span> <span class="n">Authentication</span> <span class="n">failed</span><span class="p">;</span> <span class="n">don</span><span class="err">'</span><span class="n">t</span> <span class="n">proceed</span> <span class="n">with</span> <span class="n">the</span> <span class="n">original</span> <span class="n">request</span><span class="o">...</span>
- <span class="n">resp</span><span class="o">.</span><span class="n">sendError</span><span class="p">(</span><span class="n">SC_UNAUTHORIZED</span><span class="p">);</span>
- <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
- <span class="sr">//</span> <span class="n">Authentication</span> <span class="n">successful</span><span class="p">,</span> <span class="n">proceed</span> <span class="n">with</span> <span class="n">original</span> <span class="n">request</span><span class="o">...</span>
- <span class="n">super</span><span class="o">.</span><span class="n">service</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">resp</span><span class="p">);</span>
- <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="n">private</span> <span class="n">boolean</span> <span class="n">authenticate</span><span class="p">(</span><span class="n">HttpServletRequest</span> <span class="n">request</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">null</span><span class="p">;</span>
- <span class="k">if</span> <span class="p">(</span><span class="n">m_useAuth</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">m_authService</span><span class="o">.</span><span class="n">authenticate</span><span class="p">(</span><span class="n">request</span><span class="p">);</span>
- <span class="p">}</span>
- <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="o">==</span> <span class="n">null</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">m_log</span><span class="o">.</span><span class="nb">log</span><span class="p">(</span><span class="n">LogService</span><span class="o">.</span><span class="n">LOG_INFO</span><span class="p">,</span> <span class="s">"Authentication failure!"</span><span class="p">);</span>
- <span class="p">}</span>
- <span class="k">return</span> <span class="p">(</span><span class="n">user</span> <span class="o">!=</span> <span class="n">null</span><span class="p">);</span>
-<span class="p">}</span>
+<div class="codehilite"><pre><span class="nd">@Override</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">service</span><span class="o">(</span><span class="n">HttpServletRequest</span> <span class="n">req</span><span class="o">,</span> <span class="n">HttpServletResponse</span> <span class="n">resp</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">ServletException</span><span class="o">,</span> <span class="n">IOException</span> <span class="o">{</span>
+ <span class="k">if</span> <span class="o">(!</span><span class="n">authenticate</span><span class="o">(</span><span class="n">req</span><span class="o">))</span> <span class="o">{</span>
+ <span class="c1">// Authentication failed; don't proceed with the original request...</span>
+ <span class="n">resp</span><span class="o">.</span><span class="na">sendError</span><span class="o">(</span><span class="n">SC_UNAUTHORIZED</span><span class="o">);</span>
+ <span class="o">}</span> <span class="k">else</span> <span class="o">{</span>
+ <span class="c1">// Authentication successful, proceed with original request...</span>
+ <span class="kd">super</span><span class="o">.</span><span class="na">service</span><span class="o">(</span><span class="n">req</span><span class="o">,</span> <span class="n">resp</span><span class="o">);</span>
+ <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">authenticate</span><span class="o">(</span><span class="n">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span>
+ <span class="n">User</span> <span class="n">user</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span>
+ <span class="k">if</span> <span class="o">(</span><span class="n">m_useAuth</span><span class="o">)</span> <span class="o">{</span>
+ <span class="n">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">m_authService</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">request</span><span class="o">);</span>
+ <span class="o">}</span>
+ <span class="k">if</span> <span class="o">(</span><span class="n">user</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
+ <span class="n">m_log</span><span class="o">.</span><span class="na">log</span><span class="o">(</span><span class="n">LogService</span><span class="o">.</span><span class="na">LOG_INFO</span><span class="o">,</span> <span class="s">"Authentication failure!"</span><span class="o">);</span>
+ <span class="o">}</span>
+ <span class="k">return</span> <span class="o">(</span><span class="n">user</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">);</span>
+<span class="o">}</span>
</pre></div>
<p>Note that this implementation does not tell <em>how</em> the authentication should occur, only that it should occur. How the authentication is performed, is determined internally by the <code>AuthenticationService</code>, with the help of the registered <code>AuthenticationProcessor</code>s.</p>
<h3 id="configuring-the-connection-factory">Configuring the connection factory</h3>
<p>Now that the remote service itself is no longer accepting unauthenticated requests, we need to supply the credentials to access this service to the <code>ConnectionFactory</code> service. This service can be configured using the PID <code>org.apache.ace.connectionfactory</code> (<em>note that it is a configuration factory!</em>), which would result in the following configuration for accessing our <code>BundleServlet</code>:</p>
-<div class="codehilite"><pre><span class="c1"># What kind of authentication should we supply</span>
-<span class="n">authentication</span><span class="o">.</span><span class="n">type</span> <span class="o">=</span> <span class="n">basic</span>
-<span class="c1"># The actual credentials for basic authentication</span>
-<span class="n">authentication</span><span class="o">.</span><span class="n">user</span><span class="o">.</span><span class="n">name</span> <span class="o">=</span> <span class="n">d</span>
-<span class="n">authentication</span><span class="o">.</span><span class="n">user</span><span class="o">.</span><span class="n">password</span> <span class="o">=</span> <span class="n">f</span>
-<span class="c1"># What is the base URL that these credentials apply to:</span>
-<span class="n">authentication</span><span class="o">.</span><span class="n">baseURL</span> <span class="o">=</span> <span class="n">http:</span><span class="sr">//</span><span class="n">localhost:8080</span><span class="sr">/obr/</span>
+<div class="codehilite"><pre><span class="c"># What kind of authentication should we supply</span>
+<span class="na">authentication.type</span> <span class="o">=</span> <span class="s">basic</span>
+<span class="c"># The actual credentials for basic authentication</span>
+<span class="na">authentication.user.name</span> <span class="o">=</span> <span class="s">d</span>
+<span class="na">authentication.user.password</span> <span class="o">=</span> <span class="s">f</span>
+<span class="c"># What is the base URL that these credentials apply to:</span>
+<span class="na">authentication.baseURL</span> <span class="o">=</span> <span class="s">http://localhost:8080/obr/</span>
</pre></div>
@@ -357,13 +357,13 @@ In this article, the recently added auth
<p>Other communication protocols could be used as well. However, currently, only HTTP is natively supported by ACE. For the remainder of this article, we'll assume HTTP as protocol. <a href="#fnref:1" rev="footnote" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:2">
-<p>Assuming that all components in the management server are trusted and obtained from trusted sources. If untrusted components would be allowed, we need to add authentication to these communication paths as well. <a href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in the text">↩</a></p>
+<p>Assuming that all components in the ACE server are trusted and obtained from trusted sources. If untrusted components would be allowed, we need to add authentication to these communication paths as well. <a href="#fnref:2" rev="footnote" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:3">
<p>It is up to the implementation of <code>AuthenticationService</code> whether the <em>first</em> found user is returned, or whether it checks if all authentication processors yield the <em>same</em> user, or any other strategy that is desired. <a href="#fnref:3" rev="footnote" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
<li id="fn:4">
-<p>Amongst others, any number of log-endpoints can be defined, at least one is needed for the audit log to be synchronized between target and management server. <a href="#fnref:4" rev="footnote" title="Jump back to footnote 4 in the text">↩</a></p>
+<p>Amongst others, any number of log-endpoints can be defined, at least one is needed for the audit log to be synchronized between target and ACE server. <a href="#fnref:4" rev="footnote" title="Jump back to footnote 4 in the text">↩</a></p>
</li>
<li id="fn:5">
<p>Note that we're using a configuration dependency for this service. This way, the configuration <strong>must</strong> be present before the service itself is registered, which allows us to determine if authentication should be used or not. <a href="#fnref:5" rev="footnote" title="Jump back to footnote 5 in the text">↩</a></p>
Modified: websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg
==============================================================================
Binary files - no diff available.