ace-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r814539 - in /websites/staging/ace/trunk/content: ./ dev-doc/design/ace-authentication.html dev-doc/design/auth_api.svg dev-doc/design/auth_main_components.svg
Date Thu, 26 Apr 2012 08:10:28 GMT
Author: buildbot
Date: Thu Apr 26 08:10:27 2012
New Revision: 814539

Log:
Staging update by buildbot for ace

Modified:
    websites/staging/ace/trunk/content/   (props changed)
    websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
    websites/staging/ace/trunk/content/dev-doc/design/auth_api.svg
    websites/staging/ace/trunk/content/dev-doc/design/auth_main_components.svg

Propchange: websites/staging/ace/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Apr 26 08:10:27 2012
@@ -1 +1 @@
-1330374
+1330693

Modified: websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html
==============================================================================
--- websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html (original)
+++ websites/staging/ace/trunk/content/dev-doc/design/ace-authentication.html Thu Apr 26 08:10:27
2012
@@ -153,17 +153,20 @@
       <h1>ACE Authentication</h1>
       <div class="clear"></div>
       <div id="content"><p><em>Enabling authentication in ACE</em></p>
-<p>last updated: April 25th, 2012</p>
+<p>Revision 0.9, last updated: April 26th, 2012.</p>
 <div class="toc">
 <ul>
 <li><a href="#introduction">Introduction</a></li>
 <li><a href="#communication-paths">Communication paths</a></li>
-<li><a href="#authentication-design">Authentication design</a></li>
-<li><a href="#configuring-authentication">Configuring authentication</a><ul>
+<li><a href="#authentication-design">Authentication design</a><ul>
 <li><a href="#remote-services">Remote services</a></li>
+</ul>
+</li>
+<li><a href="#configuring-authentication">Configuring authentication</a><ul>
 <li><a href="#configuring-authentication-for-remote-services">Configuring authentication
for remote services</a><ul>
-<li><a href="#service-configuration">Service configuration</a></li>
-<li><a href="#implemention">Implemention</a></li>
+<li><a href="#configuring-the-authentication">Configuring the authentication</a></li>
+<li><a href="#making-use-of-the-service-configuration">Making use of the service
configuration</a></li>
+<li><a href="#implementing-the-authentication-check">Implementing the authentication
check</a></li>
 </ul>
 </li>
 <li><a href="#configuring-the-connection-factory">Configuring the connection
factory</a></li>
@@ -180,22 +183,22 @@
 <p>When provisioning software (partly) to targets, one has to rely upon the trustworthiness
of both the network and the target. Even if everything is under your control and governance,
one cannot entirely be sure that unwanted access takes place. A first step in order to prevent
unwanted access is <em>authentication</em>, which gives you the ability to verify
the identity of someone. Once the identity is known, one can apply <em>authorization</em>
in order to determine what actions are allowed and which are not.
 In this article, the recently added authentication layer of ACE is explained in more depth,
and some details on how extensions can be written for additional mechanisms are given. The
remainder of this article assumes the reader has basic knowledge of the principles behind
ACE, and has sufficient programming skills. For this article, the latest code of ACE (0.8.1-SNAPSHOT,
rev.1329269) was used.</p>
 <h2 id="communication-paths">Communication paths</h2>
-<p>Before going in more depth on the authentication layer of ACE, we first need to
pinpoint all places were authentication is to be applied. The following figure shows the main
components in ACE and their communication paths, providing a global overview of where authentication
is applicable to ACE.</p>
+<p>Before going in more detail on the design and configuration of the authentication
layer in ACE, we first need to pinpoint all places were authentication needs to be applied.
The following figure shows the main components in ACE and their communication paths, providing
a global overview of where authentication is applicable to ACE.</p>
 <p><img alt="Figure 1: Overview of components and communication paths in ACE" src="auth_main_components.svg"
title="Figure 1: Overview of components and communication paths" /><br />
 Figure 1: Overview of components and communication paths.</p>
-<p>In figure 1, several communication paths exists (denoted by the circled digits):</p>
+<p>Figure 1 represents several of the communication paths that can be identified (denoted
by the circled digits):</p>
 <ol>
-<li>the client communicates to the ACE server by means of both direct calls to its
services as well as remoted calls (by means of HTTP<sup id="fnref:1"><a href="#fn:1"
rel="footnote">1</a></sup>);</li>
-<li>a management agent (representing the target) communicates to the ACE server through
HTTP calls;</li>
-<li>the REST API exposes the entire client API in a RESTful way. Communication to the
client occurs by both direct calls as well as through HTTP;</li>
-<li>the Vaadin Web UI exposes the entire client API as web application. Similar as
the REST API, it communicates both directly as through HTTP with the client.</li>
+<li>the client communicates to the ACE server by means of both direct calls to its
services as well as remote (HTTP<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup>)
calls;</li>
+<li>a management agent (representing the target) communicates to the ACE server through
remote calls;</li>
+<li>the REST API exposes the entire client and server APIs in a RESTful way. Communication
to the client occurs by both direct and remote calls;</li>
+<li>the Vaadin Web UI exposes the entire client API as web application. Similar as
the REST API, it communicates both directly as remotely with the client.</li>
 </ol>
-<p>As can be seen from the above figure, most of the communication paths are based
on HTTP. The reason for this is twofold:</p>
+<p>As can be seen from the above figure, most of the communication paths are remoted.
The reason for this is twofold:</p>
 <ol>
 <li>It allows reuse of components; for example access to the OBR-servlet is used by
the both the client-API as well the web UI to upload new artifacts;</li>
-<li>it allows components to be deployed on different machines; for example, one does
not need to run the client on the same machine as the server. This could be useful for working
on high-latency networks.</li>
+<li>it enables scalability by allowing components to be deployed on different machines;
for example, one does not need to run the client on the same machine as the server. This could
be useful for working on high-latency networks.</li>
 </ol>
-<p>All direct communication paths do not need to be authenticated, as they require
that both caller and callee run in the same virtual machine, making it impossible to be used
outside the virtual machine<sup id="fnref:2"><a href="#fn:2" rel="footnote">2</a></sup>.
Hence, we only need to add an authentication layer to the HTTP endpoints. However, adding
authentication to all HTTP endpoints poses us with the challenge to let the internal communication
paths that rely on HTTP to authenticate themselves as well. Not doing so would prevent ACE
from functioning correctly. A disadvantage of this approach is that it is an all-or-nothing
approach, either all users of the HTTP endpoints use authentication, or none of them. However,
the way users authenticate themselves can be different, meaning that one set of users can
use HTTP basic authentication to identify themselves, while another set uses client certificates
to identify themselves.</p>
+<p>All direct (i.e., non remoted) communication paths do not need to be authenticated,
as they require that both caller and callee run in the same virtual machine, making it impossible
to be used outside the virtual machine<sup id="fnref:2"><a href="#fn:2" rel="footnote">2</a></sup>.
Hence, we only need to add an authentication layer to the remote endpoints. However, adding
authentication to all remote endpoints poses us with the challenge to let the "internal" communication
paths that use remote calls to authenticate themselves as well. Not doing so would prevent
ACE from functioning correctly. A disadvantage of this approach is that it is an all-or-nothing
approach, either all users of the remote endpoints use authentication, or none of them. However,
the way users authenticate themselves can be different, meaning that one set of users can
use basic authentication to identify themselves, while another set uses client certificates
to identify themselves.</p>
 <h2 id="authentication-design">Authentication design</h2>
 <p>The high-level design for security in ACE is explained in the <a href="/dev-doc/design/remote-interfaces.html">remote
interface design</a>. From this design, we can derive several requirements for the design
of ACE's authentication layer:</p>
 <ol>
@@ -206,32 +209,30 @@ Figure 1: Overview of components and com
 <p>Based on these requirements, the design of the authentication layer is represented
in the following figure:</p>
 <p><img alt="Figure 2: Authentication layer class diagram" src="auth_api.svg" title="Figure
2: Authentication layer class diagram" /><br />
 Figure 2: Authentication layer class diagram.</p>
-<p>The <tt>AuthenticationService</tt> is responsible for authenticating
a user based on some piece of information. This piece of information can be a username/password
combination, a <tt>HttpServletRequest</tt> containing authentication request headers,
or any other set of information capable of uniquely identifying a user. The actual authentication
itself is delegated to one or more <tt>AuthenticationProcessor</tt>s, which know
how to handle  a given set of information (e.g., <tt>HttpServletRequest</tt>)
and can map this information to a particular user. In more detail, the calling sequence of
<tt>AuthenticationService#authenticate</tt> would be:</p>
+<p>The <tt>AuthenticationService</tt> is responsible for authenticating
a user based on some piece of information. This piece of information can be an array containing
a username/password combination, a <tt>HttpServletRequest</tt> containing authentication
request headers, or any other type of information capable of uniquely identifying a user.
The actual authentication itself is delegated to one or more <tt>AuthenticationProcessor</tt>s,
which know how to handle  a given set of information (e.g., <tt>HttpServletRequest</tt>)
and can map this information to a particular user. In more detail, the calling sequence of
<tt>AuthenticationService#authenticate</tt> would be:</p>
 <ol>
-<li><tt>AuthenticationService#authenticate</tt> is called with a blob of
data, for example the <tt>HttpServletRequest</tt>;</li>
+<li><tt>AuthenticationService#authenticate</tt> is called with a blob of
data, for example a <tt>HttpServletRequest</tt>;</li>
 <li>for each known <tt>AuthenticationProcessor</tt>:<ul>
-<li><tt>AuthenticationProcessor#canHandle</tt> is called with that blob
of data. An authentication processor can decide whether the given blob is something it can
handle or not;</li>
-<li>if it can be handled, the <tt>AuthenticationProcessor#authenticate</tt>
is called with that blob of data, along with an instance of the UserAdmin service. The authentication
processor is now responsible for converting the blob of data to an authenticated user, if
possible.</li>
+<li><tt>AuthenticationProcessor#canHandle</tt> is called with that blob
of data. In this method, an authentication processor can decide whether the given blob is
something it can handle or not;</li>
+<li>if it can be handled, the <tt>AuthenticationProcessor#authenticate</tt>
is called with that blob of data, along with an instance of the <tt>UserAdmin</tt>
service. The authentication processor is now responsible for converting the blob of data to
an authenticated user, if possible.</li>
 </ul>
 </li>
 <li>if a <tt>User</tt> object is returned from the authentication service<sup
id="fnref:3"><a href="#fn:3" rel="footnote">3</a></sup>, the authentication
phase will be regarded as successful. If <em>no</em> <tt>User</tt>
object is returned, the authentication phase will be regarded unsuccessful.</li>
 </ol>
-<p>This is only half the story for authentication. As stated before, ACE internally
also communicates through HTTP to access certain services. Without any changes, all those
remote calls will fail due to missing credentials. If we want to leave those means of communications
as-is, we would need to track down all places where remote calls are being made and inject
the proper credentials at those places. However, doing this is not only <em>very</em>
invasive and error prone but also not very developer friendly from a service-oriented perspective.
Alternatively, we could try to include the credentials in the URL itself, making it self-contained.
Not only would this approach limit our ability to use any kind of authentication mechanism
(it only works for username/password combos), it also required us to supply the credentials
manually each and every time we want to create a remote connection. Instead, we would like
to refrain from passing around credentials, and leverage the ser
 vice oriented aspects of OSGi to create remote connections for us. This service could then
be responsible for adding the right credentials for us, leaving the calling party totally
unaware about the fact authentication might be used. Such a service is denoted in the following
figure:</p>
+<p>This is only half the story for authentication. As stated before, ACE internally
also communicates through remote endpoints to access certain services. Without any changes,
all those remote calls will fail due to missing credentials. If we would leave those means
of communications as-is, we need to track down all places where remote calls are being made
and inject the proper credentials at each of those places. However, doing this is not only
<em>very</em> invasive and error prone but also not very developer friendly from
a service-oriented perspective. Alternatively, we could try to include the credentials in
the URL itself, making it self-contained. Not only would this approach limit our ability to
use any kind of authentication mechanism (it only works for username/password combos), it
also required us to supply the credentials manually each and every time we want to create
a remote connection. Instead, we would like to refrain from passing around credentials, and
leve
 rage the service oriented aspects of OSGi to create remote connections for us. This service
could then be responsible for adding the right credentials for us, leaving the calling party
totally unaware about the fact authentication might be used (or not). Such a service is denoted
in the following figure:</p>
 <p><img alt="Figure 3: Connection Factory class diagram" src="auth_connectionfactory.svg"
title="Figure 3: Connection Factory class diagram" /><br />
 Figure 3: Connection Factory class diagram.</p>
-<p>The <tt>ConnectionFactory</tt> is responsible for creating <tt>URLConnection</tt>s,
given a "plain" URL. So, instead of calling <tt>URL#openConnection()</tt> or <tt>URL#openStream()</tt>,
we'll now have to call <tt>ConnectionFactory#createConnection(url)</tt> instead.
But, what advantage does this bring us? In order to allow the connection factory to supply
the credentials to <tt>URLConnection</tt>s, it is also registered as <tt>ManagedServiceFactory</tt>
that enables us to provide multiple configurations of which credentials should be supplied
to what (sets of) URLs. The introduction of the connection factory allows us to abstract the
creation of a connection and passing of credentials to it from the URL. Internally, the connection
factory will match each URL given in <tt>createConnection</tt> with the URLs it
is configured with. If a matching URL is found, it will use the credentials in that configuration
to supply to the <tt>URLConnection</tt>.</p>
-<p>We've now closed the circle: we not only have defined how remote endpoints can apply
authentication, but also how all calling parties can remain using these remote endpoints without
having to be aware of authentication. </p>
-<h2 id="configuring-authentication">Configuring authentication</h2>
-<p>Before continuing on the details of configuring authentication for ACE, we first
identify what remote services are available, and how they can be configured.</p>
+<p>The <tt>ConnectionFactory</tt> is responsible for creating <tt>URLConnection</tt>s,
given a "plain" URL. So, instead of calling <tt>URL#openConnection()</tt> or <tt>URL#openStream()</tt>,
we'll now have to call <tt>ConnectionFactory#createConnection(url)</tt> instead.
But what advantage does this give us? In order to allow the connection factory to supply the
credentials to <tt>URLConnection</tt>s, it is also registered as <tt>ManagedServiceFactory</tt>
that enables us to provide multiple configurations of which credentials should be supplied
to what (sets of) URLs. The introduction of the connection factory thus allows us to abstract
the creation of a connection and passing of credentials to it from the URL. Internally, the
connection factory will match each URL given in <tt>createConnection</tt> with
the URLs it is configured with. If a matching URL is found, it will use the credentials in
that configuration to supply to the <tt>URLConnection</tt>.</p>
 <h3 id="remote-services">Remote services</h3>
-<p>All remote services in ACE are configurable with respect to the endpoint they can
be accessed. The following table shows an overview of the remote services, including the default
endpoint they use:</p>
+<p>We've now closed the circle: we not only have defined how remote endpoints can apply
authentication, but also how all calling parties can remain using these remote endpoints without
having to be aware of authentication. The only thing left, is a summary of which remote endpoints
currently exist in ACE.<br />
+All remote services are configurable with respect to the endpoint they can be accessed. The
following table shows an overview of the remote services, including the default endpoint they
use:</p>
 <table>
 <thead>
 <tr>
 <th>Name</th>
 <th>Description</th>
 <th>Endpoint</th>
-<th>Configuration PID</th>
+<th>Configuration PID<sup id="fnref:4"><a href="#fn:4" rel="footnote">4</a></sup></th>
 </tr>
 </thead>
 <tbody>
@@ -250,7 +251,7 @@ Figure 3: Connection Factory class diagr
 <tr>
 <td><tt>LogServlet</tt></td>
 <td>allows any number of logs for a target to be synchronized and accessed</td>
-<td><tt>/auditlog</tt><sup id="fnref:4"><a href="#fn:4" rel="footnote">4</a></sup></td>
+<td><tt>/auditlog</tt><sup id="fnref:5"><a href="#fn:5" rel="footnote">5</a></sup></td>
 <td><tt>o.a.a.server.log.servlet.factory</tt><br/><strong>note:
this is a configuration factory!</strong></td>
 </tr>
 <tr>
@@ -279,25 +280,28 @@ Figure 3: Connection Factory class diagr
 </tr>
 </tbody>
 </table>
-<p>Table 1: Remote services overview. Common prefix of configuration PIDs are abbreviated,
so <tt>o.a.a</tt> stands for <tt>org.apache.ace</tt>.</p>
+<h2 id="configuring-authentication">Configuring authentication</h2>
+<p>Now we have discussed the design of the authentication layer in ACE in rather detail,
lets continue with how we can configure the authentication. Note that in order to make use
of this functionality, you need to use the latest TRUNK of ACE, as explained in the introduction.</p>
 <h3 id="configuring-authentication-for-remote-services">Configuring authentication
for remote services</h3>
 <p>In the section on the design of the authentication layer, we've mentioned that if
a remote service wants to make use of authentication, it can make use of the <tt>AuthenticationService</tt>.
However, one of the design requirements was that authentication should be optional as well.
In order to enable or disable authentication, each remote service needs to do the following:</p>
 <ol>
 <li>add a <strong>mandatory</strong> configuration property <tt>authentication.enabled
= false|true</tt> to their configuration. Although any kind of name for this configuration
property can be used, it is <em>strongly</em> advised to stick to the same name
for all services;</li>
-<li>when the configuration of a remote service is updated, it should add a service
dependency to the <tt>AuthenticationService</tt>. By making this service <em>required</em>
when authentication is enabled, and <em>optional</em> when authentication is disabled,
we can adhere to the requirement of optionality for authentication;</li>
+<li>when the configuration of a remote service is updated, it should add a service
dependency to the <tt>AuthenticationService</tt>. By making this service <strong>required</strong>
if authentication is <em>enabled</em>, and <strong>optional</strong>
when authentication is <em>disabled</em>, we can adhere to the requirement of
optionality for authentication;</li>
 <li>in case authentication is <em>enabled</em>, each request the service
obtains needs to be passed to the <tt>AuthenticationService</tt> first, and depending
on its outcome, the request can continue or not.</li>
 </ol>
-<p>To make this more concrete, an example of how the <tt>BundleServlet</tt>
is to be configured:</p>
-<h4 id="service-configuration">Service configuration</h4>
-<p>The service configuration, located in <tt>org.apache.ace.obr.servlet.cfg</tt>,
looks like:</p>
+<p>To make this more concrete, we walk through an example of how the <tt>BundleServlet</tt>
is to be configured. As this is a servlet (as almost all other remote endpoints in ACE), we
can intercept all service requests by overriding the <tt>Servlet#service()</tt>
method and perform our authentication check there. If this check is successful, we continue
passing the service request, and return a "401 - Unauthorized" when the check is unsuccessful.
</p>
+<h4 id="configuring-the-authentication">Configuring the authentication</h4>
+<p>The service configuration, denoted by the <tt>org.apache.ace.obr.servlet.cfg</tt>
in the stock ACE distribution, looks like:</p>
 <div class="codehilite"><pre><span class="c"># Endpoint for this servlet</span>
-<span class="na">org.apache.ace.server.servlet.endpoint</span><span class="o">=</span><span
class="s">/obr</span>
+<span class="na">org.apache.ace.server.servlet.endpoint</span> <span class="o">=</span>
<span class="s">/obr</span>
 <span class="c"># Whether or not authentication is to be used</span>
 <span class="na">authentication.enabled</span> <span class="o">=</span>
<span class="s">true</span>
 </pre></div>
 
 
-<p>In <tt>BundleServlet</tt> we add the following code:</p>
+<p>Note that we've added the <tt>authentication.enabled</tt> property that
allows us to enable or disable the authentication check for this servlet.</p>
+<h4 id="making-use-of-the-service-configuration">Making use of the service configuration</h4>
+<p>To let the servlet pick up our configuration, it should be registered as <tt>ManagedService(Factory)</tt>.
To make use of the configuration, we need to add the following code to our <tt>BundleServlet</tt>:</p>
 <div class="codehilite"><pre><span class="kd">private</span> <span
class="kd">volatile</span> <span class="kt">boolean</span> <span class="n">m_useAuth</span><span
class="o">;</span>
 <span class="kd">private</span> <span class="kd">volatile</span>
<span class="n">AuthenticationService</span> <span class="n">m_authService</span><span
class="o">;</span>
 
@@ -309,9 +313,8 @@ Figure 3: Connection Factory class diagr
         <span class="k">if</span> <span class="o">(</span><span
class="n">useAuthString</span> <span class="o">==</span> <span class="kc">null</span>
<span class="o">||</span> <span class="o">!(</span><span class="s">&quot;true&quot;</span><span
class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span
class="n">useAuthString</span><span class="o">)</span> <span class="o">||</span>
<span class="s">&quot;false&quot;</span><span class="o">.</span><span
class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">useAuthString</span><span
class="o">)))</span> <span class="o">{</span>
             <span class="k">throw</span> <span class="k">new</span>
<span class="nf">ConfigurationException</span><span class="o">(</span><span
class="s">&quot;authentication.enabled&quot;</span><span class="o">,</span>
<span class="s">&quot;Missing or invalid value!&quot;</span><span class="o">);</span>
         <span class="o">}</span>
-        <span class="kt">boolean</span> <span class="n">useAuth</span>
<span class="o">=</span> <span class="n">Boolean</span><span class="o">.</span><span
class="na">parseBoolean</span><span class="o">(</span><span class="n">useAuthString</span><span
class="o">);</span>
 
-        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="n">useAuth</span><span class="o">;</span>
+        <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="n">Boolean</span><span class="o">.</span><span class="na">parseBoolean</span><span
class="o">(</span><span class="n">useAuthString</span><span class="o">);</span>
     <span class="o">}</span>
     <span class="k">else</span> <span class="o">{</span>
         <span class="n">m_useAuth</span> <span class="o">=</span>
<span class="kc">false</span><span class="o">;</span>
@@ -333,8 +336,8 @@ Figure 3: Connection Factory class diagr
 </pre></div>
 
 
-<p>As almost all of the services in ACE are managed by the Dependency Manager, we can
leverage its dynamics to inject our <tt>BundleServlet</tt> with an instance of
the <tt>AuthenticationService</tt> and provide us with a configuration<sup
id="fnref:5"><a href="#fn:5" rel="footnote">5</a></sup>. </p>
-<h4 id="implemention">Implemention</h4>
+<p>As almost all of the services in ACE are managed by the Dependency Manager, we can
leverage its dynamics to inject our <tt>BundleServlet</tt> with an instance of
the <tt>AuthenticationService</tt> and provide us with a configuration<sup
id="fnref:6"><a href="#fn:6" rel="footnote">6</a></sup>. In the <tt>updated()</tt>
method, we perform a check whether the prior mentioned <tt>authentication.enabled</tt>
property is present in the given configuration, and if so, whether it represents a valid boolean
value. The actual boolean value itself will be held in a field (<tt>m_useAuth</tt>)
for later use.</p>
+<h4 id="implementing-the-authentication-check">Implementing the authentication check</h4>
 <p>The actual authentication implementation itself is rather trivial: we simply intercept
all incoming requests in our servlet and verify whether it resolves to a valid user:</p>
 <div class="codehilite"><pre><span class="nd">@Override</span>
 <span class="kd">protected</span> <span class="kt">void</span> <span
class="nf">service</span><span class="o">(</span><span class="n">HttpServletRequest</span>
<span class="n">req</span><span class="o">,</span> <span class="n">HttpServletResponse</span>
<span class="n">resp</span><span class="o">)</span> <span class="kd">throws</span>
<span class="n">ServletException</span><span class="o">,</span> <span
class="n">IOException</span> <span class="o">{</span>
@@ -360,9 +363,11 @@ Figure 3: Connection Factory class diagr
 </pre></div>
 
 
-<p>Note that this implementation does not tell <em>how</em> the authentication
should occur, only that it should occur. How the authentication is performed, is determined
internally by the <tt>AuthenticationService</tt>, with the help of the registered
<tt>AuthenticationProcessor</tt>s.</p>
+<p>Note that this implementation does not tell <em>how</em> the authentication
should occur, only that it should occur. How the authentication is performed, is determined
internally by the <tt>AuthenticationService</tt>, with the help of the registered
<tt>AuthenticationProcessor</tt>s.<br />
+Also note that the <tt>authenticate</tt> method itself uses the previously defined
field (<tt>m_useAuth</tt>) to determine whether or not the authentication check
should be performed. If it is <em>not</em> performed, we consider the request
to be always authenticated, in order to obtain the same semantics as we would have without
this check.</p>
 <h3 id="configuring-the-connection-factory">Configuring the connection factory</h3>
-<p>Now that the remote service itself is no longer accepting unauthenticated requests,
we need to supply the credentials to access this service to the <tt>ConnectionFactory</tt>
service. This service can be configured using the PID <tt>org.apache.ace.connectionfactory</tt>
(<em>note that it is a configuration factory!</em>), which would result in the
following configuration for accessing our <tt>BundleServlet</tt>:</p>
+<p>Now that the remote service itself is no longer accepting unauthenticated requests,
we need to supply the credentials to access this service to the <tt>ConnectionFactory</tt>
service. This service can be configured using the PID <tt>org.apache.ace.connectionfactory</tt>.
Note that it is a configuration factory, accepting multiple configurations!<br />
+For accessing our <tt>BundleServlet</tt>, we need to supply it the following
configuration:</p>
 <div class="codehilite"><pre><span class="c"># What kind of authentication
should we supply</span>
 <span class="na">authentication.type</span> <span class="o">=</span>
<span class="s">basic</span>
 <span class="c"># The actual credentials for basic authentication</span>
@@ -373,13 +378,13 @@ Figure 3: Connection Factory class diagr
 </pre></div>
 
 
-<p>When this configuration is supplied to the <tt>ConnectionFactory</tt>,
it will provide a basic HTTP authentication header to each connection created for any URL
starting with "<tt>http://localhost:8080/obr/</tt>"<sup id="fnref:6"><a
href="#fn:6" rel="footnote">6</a></sup>. </p>
+<p>When this configuration is supplied to the <tt>ConnectionFactory</tt>,
it will provide a basic HTTP authentication header to each connection created for any URL
starting with "<tt>http://localhost:8080/obr/</tt>"<sup id="fnref:7"><a
href="#fn:7" rel="footnote">7</a></sup>. </p>
 <h3 id="configuring-the-management-agent">Configuring the management agent</h3>
-<p>The management agent itself also needs to use authentication to communicate with
the remote services of the ACE server. It reuses the <tt>ConnectionFactory</tt>
service for this, so it needs to obtain the same set of configurations as described in the
previous section. The only thing we need to do is tell the management agent were it can find
those configuration files:</p>
+<p>The management agent itself also needs to use authentication to communicate with
the remote services of the ACE server. It reuses the <tt>ConnectionFactory</tt>
service for this, so it needs to obtain the same set of configurations as described in the
previous section. The only thing we need to do is tell the management agent were it can find
those configuration file(s):</p>
 <div class="codehilite"><pre><span class="o">[</span>localhost:~/<span
class="o">]</span><span class="nv">$ </span>java -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar
<span class="se">\</span>
  <span class="nv">discovery</span><span class="o">=</span>http://localhost:8080/
<span class="se">\</span>
  <span class="nv">identification</span><span class="o">=</span>MyTarget
<span class="se">\</span>
- <span class="nv">auth</span><span class="o">=</span>/path/to/connectionfactory/config/files
+ <span class="nv">auth</span><span class="o">=</span>/path/to/connectionfactory/config/file<span
class="o">(</span>s<span class="o">)</span>
 </pre></div>
 
 
@@ -402,13 +407,16 @@ Figure 3: Connection Factory class diagr
 <p>It is up to the implementation of <tt>AuthenticationService</tt> whether
the <em>first</em> found user is returned, or whether it checks if all authentication
processors yield the <em>same</em> user, or any other strategy that is desired.&#160;<a
href="#fnref:3" rev="footnote" title="Jump back to footnote 3 in the text">&#8617;</a></p>
 </li>
 <li id="fn:4">
-<p>Amongst others, any number of log-endpoints can be defined, at least one is needed
for the audit log to be synchronized between target and ACE server.&#160;<a href="#fnref:4"
rev="footnote" title="Jump back to footnote 4 in the text">&#8617;</a></p>
+<p>The common prefix of the shown configuration PIDs are abbreviated, so "<tt>o.a.a</tt>"
stands for "<tt>org.apache.ace</tt>".&#160;<a href="#fnref:4" rev="footnote"
title="Jump back to footnote 4 in the text">&#8617;</a></p>
 </li>
 <li id="fn:5">
-<p>Note that we're using a configuration dependency for this service. This way, the
configuration <strong>must</strong> be present before the service itself is registered,
which allows us to determine if authentication should be used or not.&#160;<a href="#fnref:5"
rev="footnote" title="Jump back to footnote 5 in the text">&#8617;</a></p>
+<p>Amongst others, any number of log-endpoints can be defined, at least one is needed
for the audit log to be synchronized between target and ACE server.&#160;<a href="#fnref:5"
rev="footnote" title="Jump back to footnote 5 in the text">&#8617;</a></p>
 </li>
 <li id="fn:6">
-<p>Currently, a simple <tt>String#startsWith()</tt> is used to determine
whether or not a URL matches a configuration. This might change in the future when a more
sophisticated URL-matching strategy is needed.&#160;<a href="#fnref:6" rev="footnote"
title="Jump back to footnote 6 in the text">&#8617;</a></p>
+<p>Note that we're using a configuration dependency for this service. This way, the
configuration <strong>must</strong> be present before the service itself is registered,
which allows us to determine if authentication should be used or not.&#160;<a href="#fnref:6"
rev="footnote" title="Jump back to footnote 6 in the text">&#8617;</a></p>
+</li>
+<li id="fn:7">
+<p>Currently, a simple <tt>String#startsWith()</tt> is used to determine
whether or not a URL matches a configuration. This might change in the future when a more
sophisticated URL-matching strategy is needed.&#160;<a href="#fnref:7" rev="footnote"
title="Jump back to footnote 7 in the text">&#8617;</a></p>
 </li>
 </ol>
 </div></div>

Modified: websites/staging/ace/trunk/content/dev-doc/design/auth_api.svg
==============================================================================
Binary files - no diff available.

Modified: websites/staging/ace/trunk/content/dev-doc/design/auth_main_components.svg
==============================================================================
Binary files - no diff available.



Mime
View raw message