felix-dev mailing list archives

From "Felix Meschberger (JIRA)" <j...@apache.org>
Subject [jira] Commented: (FELIX-651) Access to password protected OBR
Date Sat, 30 Aug 2008 20:11:44 GMT

    [ https://issues.apache.org/jira/browse/FELIX-651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12627243#action_12627243 ]

Felix Meschberger commented on FELIX-651:
-----------------------------------------

Having a private OBR makes absolute sense to me. Yet, your proposed approach has some drawbacks
in my opinion:

(1) It uses a JVM-wide setting to enable password transfer. I don't think such an approach
is suitable for a bundle in an OSGi framework. All the more considering the framework may
be started as part of a web application in a servlet container or even as a bundle in an OSGi
capable application server, which already has set the default authenticator. Yes, you also
note this, but I see the problems rather than the advantages.

(2) I personally am not a fan of URLs with user name and password in them, because this is certainly
not very secure. All the more as the URLs on which the bundle repository bundle operates can
be queried.

(3) And then, you "secured" the URL to the repository.xml file. How about the URLs in the
repository.xml file itself? Do they bear some user name and password, too?

(4) To really do a secure OBR, I would rather suggest, as you also do, to use HTTPS. Yet I
think this would probably also require more on the bundlerepository part in terms of key
management.

In fact, using HTTPS with client keys even enables per-user settings and controls...

Another solution might be to use Apache HttpComponents to be able to fully control credentials
processing and to use user/password settings out of band from the URL.

> Access to password protected OBR
> --------------------------------
>
>                 Key: FELIX-651
>                 URL: https://issues.apache.org/jira/browse/FELIX-651
>             Project: Felix
>          Issue Type: Improvement
>          Components: Bundle Repository (OBR)
>            Reporter: Remco Poortinga - van Wijnen
>            Priority: Trivial
>         Attachments: UrlEmbeddedCredentialsAuthenticator.java
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> For a project I would like to configure a 'private' OBR (somewhat against the federated
> idea of OBR I guess, but anyway). In other words: username/password protected access. HTTPS
> OBRs are possible, but I have no idea if there is an 'official' way (from Felix' point of view)
> for specifying credentials for the specified OBR URLs.
> Just to see whether it would work I created a test version where username/password can
> be specified in an RFC 1738 compliant way, e.g. https://user:password@server:port/rest, and added
> an Authenticator to the bundlerepository bundle, which gets the username/password from the
> URL if it is set (see http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo()).
> This seems to work OK; would this be interesting for others as well?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
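The out-of-band credential handling the comment argues for, as an added example written for this page. It is not Felix bundlerepository code and not the attached UrlEmbeddedCredentialsAuthenticator.java, whose contents are not shown here. It takes a repository URL that may carry RFC 1738 userinfo, moves the user:password into a per-instance store keyed by host and port, and returns the URL without it, so the URL the bundle can later be queried for carries no password (drawback 2). Credentials are then attached per connection as an HTTP Basic header, over HTTPS only, to repository.xml and to any bundle URL on the same host (drawback 3), instead of installing a process-global java.net.Authenticator that a servlet container or application server may already own (drawback 1). Host names, paths and the password are constructed placeholders; only java.net, java.nio and java.util are used, and nothing connects to the network.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Felix bundlerepository code: keep OBR credentials out of
 * the repository URL and out of the JVM-wide java.net.Authenticator, and attach
 * them per connection instead.
 */
public class ObrCredentials {

    /** "host:port" -> "user:password"; held per instance, never handed out with a URL. */
    private final Map<String, String> store = new HashMap<>();

    /**
     * Accepts a repository URL that may carry RFC 1738 userinfo
     * (https://user:password@host/...), moves the credentials into the store and
     * returns the URL without them, so the URL the bundle later exposes (for
     * example when its repository list is queried) never contains a password.
     */
    public URI register(String repoUrl) throws URISyntaxException {
        URI uri = new URI(repoUrl);
        String userInfo = uri.getUserInfo();          // decoded "user:password", or null
        if (userInfo == null) {
            return uri;
        }
        // Basic credentials travel in clear over plain http, so only accept them for https.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("refusing credentials on a non-HTTPS URL: " + uri.getHost());
        }
        store.put(key(uri), userInfo);
        // Same scheme, host, port, path, query and fragment; userinfo dropped.
        return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                       uri.getPath(), uri.getQuery(), uri.getFragment());
    }

    /**
     * Opens a connection to any URL on a registered host (repository.xml or the
     * bundle URLs it lists) with an Authorization header, and to anything else
     * without one. Nothing is sent until the caller actually connects.
     */
    public HttpURLConnection open(URI resource) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) resource.toURL().openConnection();
        String creds = store.get(key(resource));
        if (creds != null && "https".equalsIgnoreCase(resource.getScheme())) {
            String token = Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
        }
        return conn;
    }

    /** Normalises the default port so "https://host/" and "https://host:443/" share credentials. */
    private static String key(URI uri) {
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
        }
        return uri.getHost().toLowerCase() + ":" + port;
    }

    public static void main(String[] args) throws Exception {
        ObrCredentials creds = new ObrCredentials();
        // Constructed input: placeholder host and password, not a real repository.
        URI stored = creds.register("https://deploy:s3cret@obr.example.org/repository.xml");
        System.out.println("stored repository URL: " + stored);   // no user:password in it

        // A bundle URL taken from repository.xml on the same host gets the same credentials...
        HttpURLConnection same = creds.open(URI.create("https://obr.example.org:443/bundles/foo-1.0.jar"));
        System.out.println("same host, header set: " + (same.getRequestProperty("Authorization") != null));

        // ...a different host gets none...
        HttpURLConnection other = creds.open(URI.create("https://mirror.example.org/bundles/foo-1.0.jar"));
        System.out.println("other host, header set: " + (other.getRequestProperty("Authorization") != null));

        // ...and credentials on a plain-http URL are rejected rather than stored.
        try {
            creds.register("http://deploy:s3cret@obr.example.org/repository.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the store is an instance field rather than Authenticator.setDefault, several bundles or a host container can each keep their own credentials without overwriting one another's, and a URL obtained from the bundle's configuration or from repository.xml can be logged or listed without exposing a password. Client certificates over HTTPS, as point (4) suggests, would replace the Basic header with an SSLContext configured on the HttpsURLConnection and are not shown here.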

