ace-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r814378 - in /websites/staging/ace/trunk/content: ./ dev-doc/design/ace-authentication.html dev-doc/design/auth_connectionfactory.svg
Date Wed, 25 Apr 2012 11:35:39 GMT
Author: buildbot
Date: Wed Apr 25 11:35:39 2012
New Revision: 814378

Log:
Staging update by buildbot for ace

Modified:
    websites/staging/ace/trunk/content/   (props changed)
    websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
    websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg

Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Apr 25 11:35:39 2012
@@ -1 +1 @@
-1330182
+1330212

Modified: websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
==============================================================================
--- websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html (original)
+++ websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html Wed Apr 25 11:35:39
2012
@@ -162,8 +162,8 @@ In this article, the recently added auth
 <p><img alt="Figure 1: Overview of components and communication paths in ACE" src="auth_main_components.svg"
title="Figure 1: Overview of components and communication paths" /></p>
 <p>In figure 1, several communication paths exists (denoted by the circled digits):</p>
 <ol>
-<li>the client communicates to the server by means of both direct calls to its services
as well as remoted calls (by means of HTTP<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup>);</li>
-<li>a management agent (representing the target) communicates to the management server
through HTTP calls;</li>
+<li>the client communicates to the ACE server by means of both direct calls to its
services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a href="#fn:1"
rel="footnote">1</a></sup>);</li>
+<li>a management agent (representing the target) communicates to the ACE server through
HTTP calls;</li>
 <li>the REST API exposes the entire client API in a RESTful way. Communication to the
client occurs by both direct calls as well as through HTTP;</li>
 <li>the Vaadin Web UI exposes the entire client API as web application. Similar as
the REST API, it communicates both directly as through HTTP with the client.</li>
 </ol>
@@ -264,86 +264,86 @@ In this article, the recently added auth
 <p>To make this more concrete, an example of how the <code>BundleServlet</code>
is to be configured:</p>
 <h4 id="service-configuration">Service configuration</h4>
 <p>The service configuration, located in <code>org.apache.ace.obr.servlet.cfg</code>,
looks like:</p>
-<div class="codehilite"><pre><span class="c1"># Endpoint for this servlet</span>
-<span class="n">org</span><span class="o">.</span><span class="n">apache</span><span
class="o">.</span><span class="n">ace</span><span class="o">.</span><span
class="n">server</span><span class="o">.</span><span class="n">servlet</span><span
class="o">.</span><span class="n">endpoint</span><span class="o">=/</span><span
class="n">obr</span>
-<span class="c1"># Whether or not authentication is to be used</span>
-<span class="n">authentication</span><span class="o">.</span><span
class="n">enabled</span> <span class="o">=</span> <span class="n">true</span>
+<div class="codehilite"><pre><span class="c"># Endpoint for this servlet</span>
+<span class="na">org.apache.ace.server.servlet.endpoint</span><span class="o">=</span><span
class="s">/obr</span>
+<span class="c"># Whether or not authentication is to be used</span>
+<span class="na">authentication.enabled</span> <span class="o">=</span>
<span class="s">true</span>
 </pre></div>
 
 
 <p>In <code>BundleServlet</code> we add the following code:</p>
-<div class="codehilite"><pre><span class="n">private</span> <span
class="n">volatile</span> <span class="n">boolean</span> <span class="n">m_useAuth</span><span
class="p">;</span>
-<span class="n">private</span> <span class="n">volatile</span> <span
class="n">AuthenticationService</span> <span class="n">m_authService</span><span
class="p">;</span>
+<div class="codehilite"><pre><span class="kd">private</span> <span
class="kd">volatile</span> <span class="kt">boolean</span> <span class="n">m_useAuth</span><span
class="o">;</span>
+<span class="kd">private</span> <span class="kd">volatile</span>
<span class="n">AuthenticationService</span> <span class="n">m_authService</span><span
class="o">;</span>
 
-<span class="sr">//</span> <span class="o">...</span>
+<span class="c1">// ...</span>
 
-<span class="n">public</span> <span class="n">void</span> <span
class="n">updated</span><span class="p">(</span><span class="n">Dictionary</span>
<span class="n">settings</span><span class="p">)</span> <span class="n">throws</span>
<span class="n">ConfigurationException</span> <span class="p">{</span>
-    <span class="k">if</span> <span class="p">(</span><span class="n">settings</span>
<span class="o">!=</span> <span class="n">null</span><span class="p">)</span>
<span class="p">{</span>
-        <span class="n">String</span> <span class="n">useAuthString</span>
<span class="o">=</span> <span class="p">(</span><span class="n">String</span><span
class="p">)</span> <span class="n">settings</span><span class="o">.</span><span
class="n">get</span><span class="p">(</span><span class="s">&quot;authentication.enabled&quot;</span><span
class="p">);</span>
-        <span class="k">if</span> <span class="p">(</span><span
class="n">useAuthString</span> <span class="o">==</span> <span class="n">null</span>
<span class="o">||</span> <span class="o">!</span><span class="p">(</span><span
class="s">&quot;true&quot;</span><span class="o">.</span><span
class="n">equalsIgnoreCase</span><span class="p">(</span><span class="n">useAuthString</span><span
class="p">)</span> <span class="o">||</span> <span class="s">&quot;false&quot;</span><span
class="o">.</span><span class="n">equalsIgnoreCase</span><span class="p">(</span><span
class="n">useAuthString</span><span class="p">)))</span> <span class="p">{</span>
-            <span class="n">throw</span> <span class="k">new</span>
<span class="n">ConfigurationException</span><span class="p">(</span><span
class="s">&quot;authentication.enabled&quot;</span><span class="p">,</span>
<span class="s">&quot;Missing or invalid value!&quot;</span><span class="p">);</span>
-        <span class="p">}</span>
-        <span class="n">boolean</span> <span class="n">useAuth</span>
<span class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span
class="n">parseBoolean</span><span class="p">(</span><span class="n">useAuthString</span><span
class="p">);</span>
-
-        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="n">useAuth</span><span class="p">;</span>
-    <span class="p">}</span>
-    <span class="k">else</span> <span class="p">{</span>
-        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="n">false</span><span class="p">;</span>
-    <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="sr">//</span> <span class="o">...</span>
-
-<span class="o">/**</span>
- <span class="o">*</span> <span class="n">Called</span> <span
class="n">by</span> <span class="n">Dependency</span> <span class="n">Manager</span>
<span class="n">upon</span> <span class="n">initialization</span>
<span class="n">of</span> <span class="n">this</span> <span class="n">component</span><span
class="o">.</span>
- <span class="o">*/</span>
-<span class="n">protected</span> <span class="n">void</span> <span
class="n">init</span><span class="p">(</span><span class="n">Component</span>
<span class="n">comp</span><span class="p">)</span> <span class="p">{</span>
-    <span class="n">comp</span><span class="o">.</span><span class="n">add</span><span
class="p">(</span><span class="n">m_dm</span><span class="o">.</span><span
class="n">createServiceDependency</span><span class="p">()</span>
-        <span class="o">.</span><span class="n">setService</span><span
class="p">(</span><span class="n">AuthenticationService</span><span
class="o">.</span><span class="n">class</span><span class="p">)</span>
-        <span class="o">.</span><span class="n">setRequired</span><span
class="p">(</span><span class="n">m_useAuth</span><span class="p">)</span>
-        <span class="o">.</span><span class="n">setInstanceBound</span><span
class="p">(</span><span class="n">true</span><span class="p">)</span>
-        <span class="p">);</span>
-<span class="p">}</span>
+<span class="kd">public</span> <span class="kt">void</span> <span
class="nf">updated</span><span class="o">(</span><span class="n">Dictionary</span>
<span class="n">settings</span><span class="o">)</span> <span class="kd">throws</span>
<span class="n">ConfigurationException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(</span><span class="n">settings</span>
<span class="o">!=</span> <span class="kc">null</span><span class="o">)</span>
<span class="o">{</span>
+        <span class="n">String</span> <span class="n">useAuthString</span>
<span class="o">=</span> <span class="o">(</span><span class="n">String</span><span
class="o">)</span> <span class="n">settings</span><span class="o">.</span><span
class="na">get</span><span class="o">(</span><span class="s">&quot;authentication.enabled&quot;</span><span
class="o">);</span>
+        <span class="k">if</span> <span class="o">(</span><span
class="n">useAuthString</span> <span class="o">==</span> <span class="kc">null</span>
<span class="o">||</span> <span class="o">!(</span><span class="s">&quot;true&quot;</span><span
class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span
class="n">useAuthString</span><span class="o">)</span> <span class="o">||</span>
<span class="s">&quot;false&quot;</span><span class="o">.</span><span
class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">useAuthString</span><span
class="o">)))</span> <span class="o">{</span>
+            <span class="k">throw</span> <span class="k">new</span>
<span class="nf">ConfigurationException</span><span class="o">(</span><span
class="s">&quot;authentication.enabled&quot;</span><span class="o">,</span>
<span class="s">&quot;Missing or invalid value!&quot;</span><span class="o">);</span>
+        <span class="o">}</span>
+        <span class="kt">boolean</span> <span class="n">useAuth</span>
<span class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span
class="na">parseBoolean</span><span class="o">(</span><span class="n">useAuthString</span><span
class="o">);</span>
+
+        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="n">useAuth</span><span class="o">;</span>
+    <span class="o">}</span>
+    <span class="k">else</span> <span class="o">{</span>
+        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="kc">false</span><span class="o">;</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="c1">// ...</span>
+
+<span class="cm">/**</span>
+<span class="cm"> * Called by Dependency Manager upon initialization of this component.</span>
+<span class="cm"> */</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span
class="nf">init</span><span class="o">(</span><span class="n">Component</span>
<span class="n">comp</span><span class="o">)</span> <span class="o">{</span>
+    <span class="n">comp</span><span class="o">.</span><span class="na">add</span><span
class="o">(</span><span class="n">m_dm</span><span class="o">.</span><span
class="na">createServiceDependency</span><span class="o">()</span>
+        <span class="o">.</span><span class="na">setService</span><span
class="o">(</span><span class="n">AuthenticationService</span><span
class="o">.</span><span class="na">class</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setRequired</span><span
class="o">(</span><span class="n">m_useAuth</span><span class="o">)</span>
+        <span class="o">.</span><span class="na">setInstanceBound</span><span
class="o">(</span><span class="kc">true</span><span class="o">)</span>
+        <span class="o">);</span>
+<span class="o">}</span>
 </pre></div>
 
 
 <p>As almost all of the services in ACE are managed by the Dependency Manager, we can
leverage its dynamics to inject our <code>BundleServlet</code> with an instance
of the <code>AuthenticationService</code> and provide us with a configuration<sup
id="fnref:5"><a href="#fn:5" rel="footnote">5</a></sup>. </p>
 <h4 id="implemention">Implemention</h4>
 <p>The actual authentication implementation itself is rather trivial: we simply intercept
all incoming requests in our servlet and verify whether it resolves to a valid user:</p>
-<div class="codehilite"><pre><span class="nv">@Override</span>
-<span class="n">protected</span> <span class="n">void</span> <span
class="n">service</span><span class="p">(</span><span class="n">HttpServletRequest</span>
<span class="n">req</span><span class="p">,</span> <span class="n">HttpServletResponse</span>
<span class="n">resp</span><span class="p">)</span> <span class="n">throws</span>
<span class="n">ServletException</span><span class="p">,</span> <span
class="n">IOException</span> <span class="p">{</span>
-    <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span
class="n">authenticate</span><span class="p">(</span><span class="n">req</span><span
class="p">))</span> <span class="p">{</span>
-        <span class="sr">//</span> <span class="n">Authentication</span>
<span class="n">failed</span><span class="p">;</span> <span class="n">don</span><span
class="err">&#39;</span><span class="n">t</span> <span class="n">proceed</span>
<span class="n">with</span> <span class="n">the</span> <span class="n">original</span>
<span class="n">request</span><span class="o">...</span>
-        <span class="n">resp</span><span class="o">.</span><span
class="n">sendError</span><span class="p">(</span><span class="n">SC_UNAUTHORIZED</span><span
class="p">);</span>
-    <span class="p">}</span> <span class="k">else</span> <span
class="p">{</span>
-        <span class="sr">//</span> <span class="n">Authentication</span>
<span class="n">successful</span><span class="p">,</span> <span
class="n">proceed</span> <span class="n">with</span> <span class="n">original</span>
<span class="n">request</span><span class="o">...</span>
-        <span class="n">super</span><span class="o">.</span><span
class="n">service</span><span class="p">(</span><span class="n">req</span><span
class="p">,</span> <span class="n">resp</span><span class="p">);</span>
-    <span class="p">}</span>
-<span class="p">}</span>
-
-<span class="n">private</span> <span class="n">boolean</span> <span
class="n">authenticate</span><span class="p">(</span><span class="n">HttpServletRequest</span>
<span class="n">request</span><span class="p">)</span> <span class="p">{</span>
-    <span class="n">User</span> <span class="n">user</span> <span
class="o">=</span> <span class="n">null</span><span class="p">;</span>
-    <span class="k">if</span> <span class="p">(</span><span class="n">m_useAuth</span><span
class="p">)</span> <span class="p">{</span>
-        <span class="n">User</span> <span class="n">user</span> <span
class="o">=</span> <span class="n">m_authService</span><span class="o">.</span><span
class="n">authenticate</span><span class="p">(</span><span class="n">request</span><span
class="p">);</span>
-    <span class="p">}</span>
-    <span class="k">if</span> <span class="p">(</span><span class="n">user</span>
<span class="o">==</span> <span class="n">null</span><span class="p">)</span>
<span class="p">{</span>
-        <span class="n">m_log</span><span class="o">.</span><span
class="nb">log</span><span class="p">(</span><span class="n">LogService</span><span
class="o">.</span><span class="n">LOG_INFO</span><span class="p">,</span>
<span class="s">&quot;Authentication failure!&quot;</span><span class="p">);</span>
-    <span class="p">}</span>
-    <span class="k">return</span> <span class="p">(</span><span
class="n">user</span> <span class="o">!=</span> <span class="n">null</span><span
class="p">);</span>
-<span class="p">}</span>
+<div class="codehilite"><pre><span class="nd">@Override</span>
+<span class="kd">protected</span> <span class="kt">void</span> <span
class="nf">service</span><span class="o">(</span><span class="n">HttpServletRequest</span>
<span class="n">req</span><span class="o">,</span> <span class="n">HttpServletResponse</span>
<span class="n">resp</span><span class="o">)</span> <span class="kd">throws</span>
<span class="n">ServletException</span><span class="o">,</span> <span
class="n">IOException</span> <span class="o">{</span>
+    <span class="k">if</span> <span class="o">(!</span><span class="n">authenticate</span><span
class="o">(</span><span class="n">req</span><span class="o">))</span>
<span class="o">{</span>
+        <span class="c1">// Authentication failed; don&#39;t proceed with the original
request...</span>
+        <span class="n">resp</span><span class="o">.</span><span
class="na">sendError</span><span class="o">(</span><span class="n">SC_UNAUTHORIZED</span><span
class="o">);</span>
+    <span class="o">}</span> <span class="k">else</span> <span
class="o">{</span>
+        <span class="c1">// Authentication successful, proceed with original request...</span>
+        <span class="kd">super</span><span class="o">.</span><span
class="na">service</span><span class="o">(</span><span class="n">req</span><span
class="o">,</span> <span class="n">resp</span><span class="o">);</span>
+    <span class="o">}</span>
+<span class="o">}</span>
+
+<span class="kd">private</span> <span class="kt">boolean</span> <span
class="nf">authenticate</span><span class="o">(</span><span class="n">HttpServletRequest</span>
<span class="n">request</span><span class="o">)</span> <span class="o">{</span>
+    <span class="n">User</span> <span class="n">user</span> <span
class="o">=</span> <span class="kc">null</span><span class="o">;</span>
+    <span class="k">if</span> <span class="o">(</span><span class="n">m_useAuth</span><span
class="o">)</span> <span class="o">{</span>
+        <span class="n">User</span> <span class="n">user</span> <span
class="o">=</span> <span class="n">m_authService</span><span class="o">.</span><span
class="na">authenticate</span><span class="o">(</span><span class="n">request</span><span
class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">if</span> <span class="o">(</span><span class="n">user</span>
<span class="o">==</span> <span class="kc">null</span><span class="o">)</span>
<span class="o">{</span>
+        <span class="n">m_log</span><span class="o">.</span><span
class="na">log</span><span class="o">(</span><span class="n">LogService</span><span
class="o">.</span><span class="na">LOG_INFO</span><span class="o">,</span>
<span class="s">&quot;Authentication failure!&quot;</span><span class="o">);</span>
+    <span class="o">}</span>
+    <span class="k">return</span> <span class="o">(</span><span
class="n">user</span> <span class="o">!=</span> <span class="kc">null</span><span
class="o">);</span>
+<span class="o">}</span>
 </pre></div>
 
 
 <p>Note that this implementation does not tell <em>how</em> the authentication
should occur, only that it should occur. How the authentication is performed, is determined
internally by the <code>AuthenticationService</code>, with the help of the registered
<code>AuthenticationProcessor</code>s.</p>
 <h3 id="configuring-the-connection-factory">Configuring the connection factory</h3>
 <p>Now that the remote service itself is no longer accepting unauthenticated requests,
we need to supply the credentials to access this service to the <code>ConnectionFactory</code>
service. This service can be configured using the PID <code>org.apache.ace.connectionfactory</code>
(<em>note that it is a configuration factory!</em>), which would result in the
following configuration for accessing our <code>BundleServlet</code>:</p>
-<div class="codehilite"><pre><span class="c1"># What kind of authentication
should we supply</span>
-<span class="n">authentication</span><span class="o">.</span><span
class="n">type</span> <span class="o">=</span> <span class="n">basic</span>
-<span class="c1"># The actual credentials for basic authentication</span>
-<span class="n">authentication</span><span class="o">.</span><span
class="n">user</span><span class="o">.</span><span class="n">name</span>
<span class="o">=</span> <span class="n">d</span>
-<span class="n">authentication</span><span class="o">.</span><span
class="n">user</span><span class="o">.</span><span class="n">password</span>
<span class="o">=</span> <span class="n">f</span>
-<span class="c1"># What is the base URL that these credentials apply to:</span>
-<span class="n">authentication</span><span class="o">.</span><span
class="n">baseURL</span> <span class="o">=</span> <span class="n">http:</span><span
class="sr">//</span><span class="n">localhost:8080</span><span class="sr">/obr/</span>
+<div class="codehilite"><pre><span class="c"># What kind of authentication
should we supply</span>
+<span class="na">authentication.type</span> <span class="o">=</span>
<span class="s">basic</span>
+<span class="c"># The actual credentials for basic authentication</span>
+<span class="na">authentication.user.name</span> <span class="o">=</span>
<span class="s">d</span>
+<span class="na">authentication.user.password</span> <span class="o">=</span>
<span class="s">f</span>
+<span class="c"># What is the base URL that these credentials apply to:</span>
+<span class="na">authentication.baseURL</span> <span class="o">=</span>
<span class="s">http://localhost:8080/obr/</span>
 </pre></div>
 
 
@@ -357,13 +357,13 @@ In this article, the recently added auth
 <p>Other communication protocols could be used as well. However, currently, only HTTP
is natively supported by ACE. For the remainder of this article, we'll assume HTTP as protocol.&#160;<a
href="#fnref:1" rev="footnote" title="Jump back to footnote 1 in the text">&#8617;</a></p>
 </li>
 <li id="fn:2">
-<p>Assuming that all components in the management server are trusted and obtained from
trusted sources. If untrusted components would be allowed, we need to add authentication to
these communication paths as well.&#160;<a href="#fnref:2" rev="footnote" title="Jump
back to footnote 2 in the text">&#8617;</a></p>
+<p>Assuming that all components in the ACE server are trusted and obtained from trusted
sources. If untrusted components would be allowed, we need to add authentication to these
communication paths as well.&#160;<a href="#fnref:2" rev="footnote" title="Jump back
to footnote 2 in the text">&#8617;</a></p>
 </li>
 <li id="fn:3">
 <p>It is up to the implementation of <code>AuthenticationService</code>
whether the <em>first</em> found user is returned, or whether it checks if all
authentication processors yield the <em>same</em> user, or any other strategy
that is desired.&#160;<a href="#fnref:3" rev="footnote" title="Jump back to footnote
3 in the text">&#8617;</a></p>
 </li>
 <li id="fn:4">
-<p>Amongst others, any number of log-endpoints can be defined, at least one is needed
for the audit log to be synchronized between target and management server.&#160;<a
href="#fnref:4" rev="footnote" title="Jump back to footnote 4 in the text">&#8617;</a></p>
+<p>Amongst others, any number of log-endpoints can be defined, at least one is needed
for the audit log to be synchronized between target and ACE server.&#160;<a href="#fnref:4"
rev="footnote" title="Jump back to footnote 4 in the text">&#8617;</a></p>
 </li>
 <li id="fn:5">
 <p>Note that we're using a configuration dependency for this service. This way, the
configuration <strong>must</strong> be present before the service itself is registered,
which allows us to determine if authentication should be used or not.&#160;<a href="#fnref:5"
rev="footnote" title="Jump back to footnote 5 in the text">&#8617;</a></p>

Modified: websites/staging/ace/trunk/content/dev-doc/design/auth_connectionfactory.svg
==============================================================================
Binary files - no diff available.



Mime
View raw message