karaf-issues mailing list archives

From "David Bosschaert (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KARAF-2455) Role-based security for OSGi Services
Date Mon, 26 Aug 2013 09:14:51 GMT

     [ https://issues.apache.org/jira/browse/KARAF-2455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Bosschaert updated KARAF-2455:
------------------------------------

    Description: 
Add a mechanism to Karaf by which OSGi services can be secured.
It should check the (JAAS-provided) roles of the user associated with the current thread with
the roles required to invoke the OSGi service. 
The service-roles should be configurable and should not require modification of the service
code, although there might be a mechanism by which services provide information about the
default roles required for invocation themselves (e.g. as an annotation). 

The current user's roles are obtained using standard JSE code that obtains the current Subject
from the AccessControlContext as in:
{code}
  AccessControlContext acc = AccessController.getContext();
  Subject subject = Subject.getSubject(acc);
  // At this point you can get all the Principals from the subject, e.g. all the roles:
  Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
{code}

If the user doesn't have the required roles, the service invocation should not proceed and
throw a SecurityException instead.

For full discussion see: http://mail-archives.apache.org/mod_mbox/karaf-dev/201308.mbox/%3CCAMit8SpUqwPsMQE4S9DHsPrO7Y9D3RkV6goEZy6WK-jc78o%2Bow%40mail.gmail.com%3E

  was:
Add a mechanism to Karaf by which OSGi services can be secured.
It should check the (JAAS-provided) roles of the user associated with the current thread with
the roles required to invoke the OSGi service. 
The service-roles should be configurable and should not required modification of the service
code, although there might be a mechanism by which services provide information about the
default roles required for invocation themselves (e.g. as an annotation). 

The current user's roles are obtained using standard JSE code that obtains the current Subject
from the AccessControlContext as in:
{code}
  AccessControlContext acc = AccessController.getContext();
  Subject subject = Subject.getSubject(acc);
  // At this point you can get all the Principals from the subject, e.g. all the roles:
  Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
{code}

If the user doesn't have the required roles, the service invocation should not proceed and
throw a SecurityException instead.

For full discussion see: http://mail-archives.apache.org/mod_mbox/karaf-dev/201308.mbox/%3CCAMit8SpUqwPsMQE4S9DHsPrO7Y9D3RkV6goEZy6WK-jc78o%2Bow%40mail.gmail.com%3E

    
> Role-based security for OSGi Services
> -------------------------------------
>
>                 Key: KARAF-2455
>                 URL: https://issues.apache.org/jira/browse/KARAF-2455
>             Project: Karaf
>          Issue Type: New Feature
>          Components: karaf-osgi
>            Reporter: David Bosschaert
>
> Add a mechanism to Karaf by which OSGi services can be secured.
> It should check the (JAAS-provided) roles of the user associated with the current thread with the roles required to invoke the OSGi service.
> The service-roles should be configurable and should not require modification of the service code, although there might be a mechanism by which services provide information about the default roles required for invocation themselves (e.g. as an annotation).
> The current user's roles are obtained using standard JSE code that obtains the current Subject from the AccessControlContext as in:
> {code}
>   AccessControlContext acc = AccessController.getContext();
>   Subject subject = Subject.getSubject(acc);
>   // At this point you can get all the Principals from the subject, e.g. all the roles:
>   Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
> {code}
> If the user doesn't have the required roles, the service invocation should not proceed and throw a SecurityException instead.
> For full discussion see: http://mail-archives.apache.org/mod_mbox/karaf-dev/201308.mbox/%3CCAMit8SpUqwPsMQE4S9DHsPrO7Y9D3RkV6goEZy6WK-jc78o%2Bow%40mail.gmail.com%3E

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
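
The check described in the issue, sketched as an added example (not code from this message or from the Karaf project): a dynamic proxy compares the calling thread's role principals with a per-method role map and throws SecurityException on a mismatch, without touching the service code. The nested RolePrincipal is a stand-in for Karaf's class, and Greeter, guard and the role map are hypothetical names. It targets Java 9 to 17, where these Subject/AccessController calls are available but deprecated for removal from 17 on.

```java
import java.lang.reflect.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class RoleGuardDemo {
    // Stand-in for Karaf's RolePrincipal so the example compiles without Karaf (assumption).
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    interface Greeter { String greet(String who); }   // hypothetical service interface

    // Wraps a service so every call is checked against the roles configured for that method.
    @SuppressWarnings("unchecked")
    static <T> T guard(Class<T> iface, T target, Map<String, Set<String>> requiredRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            Set<String> required = requiredRoles.get(method.getName());
            if (required == null)   // deny by default: an unmapped method is not callable
                throw new SecurityException("No role mapping for " + method.getName());
            Subject subject = Subject.getSubject(AccessController.getContext());
            boolean allowed = false;
            if (subject != null) {  // null when the thread carries no authenticated Subject
                for (RolePrincipal r : subject.getPrincipals(RolePrincipal.class))
                    allowed |= required.contains(r.getName());
            }
            if (!allowed) throw new SecurityException("Insufficient roles for " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }  // surface the service's own exception
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    public static void main(String[] a) {
        // Constructed policy: greet() requires the "admin" role.
        Greeter g = guard(Greeter.class, who -> "hello " + who, Map.of("greet", Set.of("admin")));
        Subject admin = new Subject();  admin.getPrincipals().add(new RolePrincipal("admin"));
        Subject viewer = new Subject(); viewer.getPrincipals().add(new RolePrincipal("viewer"));
        System.out.println(Subject.doAs(admin, (PrivilegedAction<String>) () -> g.greet("karaf")));
        try { Subject.doAs(viewer, (PrivilegedAction<String>) () -> g.greet("karaf")); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { g.greet("karaf"); }       // no Subject associated with this thread
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The admin call returns the greeting; the viewer call and the call with no Subject on the thread are both rejected before the service method runs.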
