karaf-user mailing list archives

From Christian Lutz <ChristianL...@kreeloo.de>
Subject Re: Access control of OSGi Web app?
Date Tue, 02 Aug 2016 05:04:16 GMT
Hello,

Three months ago, we started to use Keycloak for this purpose. In the first step we are using
it only for authentication, but in the second step we will also use it with all the roles
etc.

Christian

> On 01.08.2016 at 17:58, Nick Baker <nbaker@pentaho.com> wrote:
> 
> Is Shiro even active at this point?
>  
> We do some of what you’re looking for, but it’s all custom code. We have the concept
of logical permissions which can be bound to Users and/or Groups. Our UI queries for these
and uses the information to remove/disable UI elements. As was mentioned though, you need
to be doing the same checks on the server-side or you’re going to get hacked.
>  
> -Nick
>  
> From: Jason Pratt <jpratt3000@gmail.com>
> Reply-To: "user@karaf.apache.org" <user@karaf.apache.org>
> Date: Monday, August 1, 2016 at 11:05 AM
> To: "user@karaf.apache.org" <user@karaf.apache.org>
> Subject: Re: Access control of OSGi Web app?
>  
> Take a look at Shiro and JWT. You should be able to string something together from that.
>  
> On Sun, Jul 31, 2016 at 11:08 PM, Sigmund Lee <wuaner@gmail.com> wrote:
> Hi all,
>  
> Thanks for advice and solutions you guys provided.
>  
> Seems like they are all proper ways to protect server-side services. But as I said, we
are a website; what I need is a solution that can integrate frontend & backend together and provide
page-level access control. Basically two steps are involved:
>  
> 1. An externalized access control system to protect access to exposed services (for example,
RESTful services, web URLs, etc.).
> 2. After access is permitted, return the corresponding response page to the client (aka the browser),
and every button or link on this response page can be displayed or hidden based on the permissions
of the current user.
>  
> Basically, what I need is a solution that not only frees backend engineers from hard-coded
authz code, but also frees frontend engineers from hard-coding.
>  
> Thanks again!
>  
> Bests.
> --
> Sig 
>  
>  
>  
> On Fri, Jul 29, 2016 at 10:02 PM, Achim Nierbeck <bcanhome@googlemail.com> wrote:
> yes, as filters without servlets can't be served. They don't have a URI binding. 
>  
> regards, Achim 
>  
> 2016-07-29 15:33 GMT+02:00 Nick Baker <nbaker@pentaho.com>:
> Hey Achim,
>  
> Thanks for this example. We’re looking at this; part of our ongoing OSGi migration will be URL
security as well. We’re using Spring Security in the legacy non-OSGi space. So this is a
timely conversation for us :)
>  
> Quick question: are we still working with the limitation that Filters are only invoked
if a Servlet or Resource would already serve the URL?
>  
> -Nick
>  
> From: Achim Nierbeck <bcanhome@googlemail.com>
> Reply-To: "user@karaf.apache.org" <user@karaf.apache.org>
> Date: Friday, July 29, 2016 at 8:54 AM
> To: "user@karaf.apache.org" <user@karaf.apache.org>
> Subject: Re: Access control of OSGi Web app?
>  
> Hi Sigmund, 
>  
> sorry for being late to the party ... if those solutions above don't work for you, you
still have the possibility to create a customized filter which you can re-use with your own
applications.
> For this you can either go the "classical" way of using web fragments, or you can share
the httpContext between your OSGi bundles. For this you need to declare your httpContext to
be sharable, and after that you just need to attach your filter bundle to that sharable httpContext.

>  
> Take a look at the following sample, or better, integration test of Pax Web [1].
>  
> regards, Achim 
>  
> [1] - https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-itest/pax-web-itest-container/pax-web-itest-container-jetty/src/test/java/org/ops4j/pax/web/itest/jetty/CrossServiceIntegrationTest.java#L59-L95
>  
> 2016-07-26 16:05 GMT+02:00 Christian Schneider <chris@die-schneider.net>:
> In Karaf, authentication is based on JAAS. Using login modules you can define what source
to authenticate against.
> The Karaf web console is protected by this by default. It is also possible to enable
JAAS-based authentication for CXF, e.g. for your REST services.
> There is also role-based and group-based authentication out of the box.
> 
> There is no attribute based access control available but you can create this based on
the JAAS authentication.
> 
> This code can give you an idea of how to get the subject and the principals from JAAS
in karaf: https://github.com/apache/aries/blob/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java#L69-L81
> 
> You could create your own annotations or OSGi service to handle the attribute based authorization
based on the authentication information.
> 
> Christian
> 
> 
> On 26.07.2016 08:29, Sigmund Lee wrote:
> We are a website, using OSGi as our microservices implementation. Every feature of our site
is a standalone OSGi-based webapp, split into several OSGi bundles (api, impl, webapp,
rest, etc.).
>  
> But there are functions that are coupled with more than one bundle, for example Access Control
& Authorization. Currently our authorization code is hard-coded everywhere and is so
hard to maintain.
>  
> My question is, what's the proper way to handle access control when using OSGi?
Is there any OSGi-compatible ABAC (attribute-based access control; our authorization
model needs to be calculated based on attributes of the resource and context/environment) framework?
> 
> 
> Thanks.
>  
> --
> Sig 
>  
>  
> 
> -- 
> Christian Schneider
> http://www.liquid-reality.de
>  
> Open Source Architect
> http://www.talend.com
> 
> 
>  
> --
> 
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>  
> Software Architect / Project Manager / Scrum Master 
>  
> 
> 
>  
>  
>  
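The thread converges on three points: enforce access on the server in a filter that can be reused across bundles (Achim), derive the decision from the role principals that Karaf's JAAS login modules place on the Subject (Christian Schneider), and drive the UI from the same decision so neither backend nor frontend hard-codes authz (Nick, Sigmund). The following Java filter is an added example that ties those together; it is not code from this thread, from Karaf or from Pax Web. It assumes the servlet API and Karaf's org.apache.karaf.jaas.boot.principal.RolePrincipal on the classpath, and that a login module has already populated the JAAS Subject for the request; the URL-prefix-to-role policy table is constructed for illustration.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.karaf.jaas.boot.principal.RolePrincipal;

/**
 * Illustrative role-based URL filter (example code, not project code).
 * One policy table drives both the server-side decision and the list of
 * permitted areas that the rendered page can use to hide or disable controls.
 */
public class RoleUrlFilter implements Filter {

    // Constructed sample policy: URL prefix -> role required to reach it.
    // The longest matching prefix wins; anything unmatched is denied by default.
    private static final Map<String, String> POLICY = new LinkedHashMap<>();
    static {
        POLICY.put("/app/admin/", "admin");
        POLICY.put("/app/reports/", "analyst");
        POLICY.put("/app/", "viewer");
    }

    /** Role names of the current JAAS Subject; empty when nobody is logged in. */
    static Set<String> currentRoles() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return Collections.emptySet();
        }
        return subject.getPrincipals(RolePrincipal.class).stream()
                .map(Principal::getName)
                .collect(Collectors.toCollection(TreeSet::new));
    }

    /** Role required for a path, or null when no rule matches (deny). */
    static String requiredRole(String path) {
        String bestPrefix = null;
        String role = null;
        for (Map.Entry<String, String> rule : POLICY.entrySet()) {
            boolean longer = bestPrefix == null || rule.getKey().length() > bestPrefix.length();
            if (path.startsWith(rule.getKey()) && longer) {
                bestPrefix = rule.getKey();
                role = rule.getValue();
            }
        }
        return role;
    }

    /** The single decision both the filter and the UI rely on. */
    static boolean isPermitted(String path, Set<String> roles) {
        String needed = requiredRole(path);
        return needed != null && roles.contains(needed);
    }

    /** Policy prefixes the current user may reach; the page hides the rest. */
    static Set<String> permittedPrefixes(Set<String> roles) {
        return POLICY.keySet().stream()
                .filter(prefix -> isPermitted(prefix, roles))
                .collect(Collectors.toCollection(TreeSet::new));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Set<String> roles = currentRoles();
        if (!isPermitted(request.getRequestURI(), roles)) {
            // Server-side enforcement: hiding a button in the UI is never enough.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the same decision to the page so the frontend need not hard-code it.
        request.setAttribute("permittedPrefixes", permittedPrefixes(roles));
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter would be registered either through a web fragment or by attaching its bundle to a shared httpContext, as Achim describes. Two caveats from the thread are built in: because a filter only runs for URLs that a servlet or resource already serves, the policy denies unmatched paths explicitly rather than relying on the filter's absence, and because the page reads `permittedPrefixes` from the same `isPermitted` check that gates the request, the UI and the server cannot disagree about what the user may do.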
