karaf-user mailing list archives

From Cristiano Costantini <cristiano.costant...@gmail.com>
Subject Re: Simply Protect HTTP servlet
Date Tue, 02 May 2017 08:27:08 GMT
Hi all!
Yes! I've followed both pieces of advice and it works!
I've been able to turn basic authentication on simply and quickly by
dropping a web.xml into the jar of my wab.

I'm trying to find a satisfying project setup to deploy a Polymer web
application in Karaf, if I get good results I'll then share some hints.

Thank you again,
Cristiano

On Sat, 29 Apr 2017 at 09:39, Achim Nierbeck <bcanhome@googlemail.com>
wrote:

> Hi Cristiano,
>
> you could try with a servlet filter, though since you already have a
> Web-ContextPath you are actually already using the WAB approach.
> With Pax-Web the file-extension actually doesn't matter. So if you just
> add a web.xml to it you should be safe to use the default jaas mechanism
> provided by karaf and pax-web/jetty at that point.
>
> regards, Achim
>
>
> 2017-04-29 9:17 GMT+02:00 Cristiano Costantini <
> cristiano.costantini@gmail.com>:
>
>> Hello Jean-Baptiste and thank you for the reply!
>>
>> your approach would be great as I just need the quickest way to protect
>> the access with a username and password.
>>
>> The problem is that the application is not a WAR, it is just a bundle
>> with the <Web-ContextPath> that publishes HTML/Javascript/CSS resources
>> plus a Servlet registered via spring.xml with <osgi:service
>> interface="javax.servlet.http.HttpServlet" ref="myServlet"> so I don't have
>> a web.xml
>>
>> For the moment I will try to enable http basic auth for the urls by
>> changing the main karaf's jetty.xml file, this is ok to satisfy my short
>> term needs.
>>
>> If you have in mind any idea to enable security-constraint from within
>> the bundle (without touching the karaf's jetty.xml) when you don't have a
>> web.xml, I'll be glad to know it as I would prefer not to touch the
>> configuration of karaf.
>>
>> Thank you
>> Cristiano
>>
>>
>> On Sat, 29 Apr 2017 at 06:54, Jean-Baptiste Onofré <
>> jb@nanthrax.net> wrote:
>>
>>> Hi Cristiano,
>>>
>>> It depends if you want to leverage the authentication/authorization to
>>> access a pattern/url or if you want to use JAAS internally to your
>>> application with a subject.
>>>
>>> Basically, imagine you have your servlet where you defined the pattern to /foo
>>> (via the service properties if you use the http-whiteboard for instance).
>>>
>>> Then, you can define the security constraint in jetty.xml or in your
>>> configuration.
>>>
>>> If you package as a war, you can use a web.xml similar to:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>>>      <display-name>cristiano_application</display-name>
>>>      <welcome-file-list>
>>>          <welcome-file>index.jsp</welcome-file>
>>>      </welcome-file-list>
>>>      <security-constraint>
>>>          <display-name>authenticated</display-name>
>>>          <web-resource-collection>
>>>              <web-resource-name>All files</web-resource-name>
>>>              <description/>
>>>              <url-pattern>/*</url-pattern>
>>>          </web-resource-collection>
>>>          <auth-constraint>
>>>              <description/>
>>>              <role-name>user</role-name>
>>>          </auth-constraint>
>>>      </security-constraint>
>>>      <login-config>
>>>          <auth-method>BASIC</auth-method>
>>>          <realm-name>karaf</realm-name>
>>>      </login-config>
>>>      <security-role>
>>>          <description/>
>>>          <role-name>user</role-name>
>>>      </security-role>
>>> </web-app>
>>>
>>> Then, the access to any servlet (/*) in your application will be secured using
>>> the karaf JAAS realm.
>>>
>>> Regards
>>> JB
>>>
>>> On 04/28/2017 12:58 PM, Cristiano Costantini wrote:
>>> > Hello All,
>>> >
>>> > How can I implement a Basic HTTP Authentication similar to the one used by Karaf
>>> > WebConsole (which I understand uses Jaas) to protect access to HTTP resources in
>>> > Karaf?
>>> >
>>> > thanks
>>> > Cristiano
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbonofre@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>>
>>
>
>
> --
>
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>
> Software Architect / Project Manager / Scrum Master
>
>
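
An added example, not part of the original thread and not Karaf or Pax Web code: a small Python check a deployer could run on the web.xml dropped into the WAB, to confirm the constraint covers /* for every HTTP method, uses a declared role, and does not accept the BASIC credentials over plain HTTP. The function name `audit_web_xml` and the embedded sample (a trimmed copy of the web.xml quoted above) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # Servlet 2.5 namespace, as in the thread

# Constructed sample: the security-relevant elements of the web.xml quoted above.
SAMPLE_WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All files</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>karaf</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    covers_all = False
    for sc in root.findall("j:security-constraint", NS):
        if sc.find("j:auth-constraint", NS) is None:
            continue  # a constraint without auth-constraint does not require login
        for role in sc.findall("j:auth-constraint/j:role-name", NS):
            if role.text.strip() not in declared | {"*"}:
                findings.append(f"role {role.text.strip()!r} lacks a <security-role>")
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", "NONE", NS)
        if guarantee.strip() != "CONFIDENTIAL":  # credentials would travel unencrypted
            findings.append("login accepted over plain HTTP: no CONFIDENTIAL transport-guarantee")
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns = [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            methods = [m.text.strip() for m in wrc.findall("j:http-method", NS)]
            if methods:  # listing methods leaves every unlisted method unconstrained
                findings.append(f"{patterns} protected only for <http-method> {methods}")
            elif "/*" in patterns:
                covers_all = True
    if not covers_all:
        findings.append("no authenticated constraint covers /* for all HTTP methods")
    if not root.findtext("j:login-config/j:auth-method", "", NS).strip():
        findings.append("no <login-config>/<auth-method> declared")
    return findings

print(audit_web_xml(SAMPLE_WEB_XML))
```

On the sample it reports one finding, the missing transport guarantee; adding a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` after the `<auth-constraint>` clears it, provided an HTTPS connector is configured.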
