karaf-user mailing list archives

From Steinar Bang ...@dod.no>
Subject [Announce] Shiro-based "poor man's SSO" for Apache Karaf applications
Date Mon, 15 Apr 2019 06:43:28 GMT

I wrote this to cover my own use case, which was to have the same login
for nginx itself, as well as a couple of web whiteboard webapps running
in the same Apache Karaf, behind the nginx server through a reverse
proxy setup.

Cross-webapp SSO works by providing the Shiro interfaces Realm[1] and
SessionDAO[2] as OSGi services to the Shiro web session managers.

Nginx authentication is handled by providing nginx with a URL suitable
for the nginx auth_request module[3], served by an endpoint that shares
the Realm and SessionDAO with the Karaf webapps.
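As an added illustration (not configuration from the announcement or the authservice project), the nginx side of this setup looks roughly like the following: the Karaf webapps and the authservice sit behind one origin, so the browser presents the same session cookie to all of them, and auth_request gates the rest of the site on a subrequest to the authservice. The check path /authservice/check, the host name and the local port forwarding are assumptions; use the auth_request URL the authservice actually documents.

```nginx
# Added example; the /authservice/check path and hosts are assumed placeholders.
server {
    listen 443 ssl;
    server_name example.com;            # placeholder host

    # The authservice and the other Karaf webapps are reached through this
    # proxy, so they share an origin and therefore a session cookie.
    location /authservice/ {
        proxy_pass http://127.0.0.1:8181/authservice/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Internal subrequest target for auth_request. nginx forwards the
    # client's cookies; the authservice answers 2xx when the Shiro session
    # is logged in, 401 or 403 otherwise. The request body is not needed.
    location = /_auth_check {
        internal;
        proxy_pass http://127.0.0.1:8181/authservice/check;   # assumed path
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Everything else is only served when the subrequest succeeds.
    location / {
        auth_request /_auth_check;
        error_page 401 403 = @login;
        root /var/www/html;
    }

    # Unauthenticated browsers are sent to the authservice main page,
    # which offers the login form.
    location @login {
        return 302 /authservice/;
    }
}
```

Because the gate is the shared session cookie, the cookie attributes Shiro sets (Secure, HttpOnly) and TLS termination at nginx are what keep the SSO session from leaking; verify both when deploying.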

Authservice is based on Shiro 1.3.1 (I can't remember why it isn't
1.3.2.  I will try with 1.3.2 and if it works, release a new version of
authservice to maven central shortly), and it will be upgraded to the
first OSGi-friendly 1.4.x or 1.5 version released by Francois Papon.

The authservice license is Apache v2, and authservice has been deployed
to maven central.

To try it out:
 1. From a karaf console, give the following commands:
     feature:repo-add mvn:no.priv.bang.authservice/authservice/LATEST/xml/features
     feature:install authservice-with-derby-dbrealm-and-session
 2. Open the URL http://localhost:8181/authservice in a web browser and
    log in with username/password: jad/1ad
 3. Verify that the "User administration UI" is inaccessible and use the
    back button in the browser to get back to the main authservice page
 4. Click on the "Change your own password" link and try changing the
 5. After changing the password click on the back button in the browser
    to get back to the main authservice page
    Note: don't use the "Back to top" link because that links to two
    levels up
 6. Click on the "Change your own email and real name" and try changing
 7. Click on the back button in the browser to get back to the main
    authservice page (here too the "Back to top" link links two levels
    up, because both of these URLs are intended as self-service URLs
    linked to from the main nginx page)
 8. Click on "Logout" and then login again as username/password:
 9. Click on the "User administration UI" and try giving user jad the
    useradmin role
10. Click on the "Up to authservice top" link and then click the
    "Logout" link
11. Log in with username/password: jad/1ad
12. Verify that user jad now can use the "User administration UI"

The authservice-with-derby-dbrealm-and-session feature uses an in-memory
database that will disappear when karaf is stopped and restarted.

"Production" authservice uses PostgreSQL.

Authservice feature summary
 - Based on Apache Shiro
 - Apache Karaf application based on pax web whiteboard and OSGi Declarative
   Services (DS)
 - Plain HTML "self-service" pages for letting users change their
   passwords and personal information
 - A small user administration UI written in react and styled with
   bootstrap v4
 - A Shiro JDBC realm that supports base64 encoded password salt
 - JDBC database schema and initial data setup provided by a liquibase
   script, which means that in theory any JDBC database supported by
   liquibase can be used to replace PostgreSQL (some code required, the
   README has suggestions)

 [1] <http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/realm/Realm.html>
 [2] <http://shiro.apache.org/static/1.3.1/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html>
 [3] <http://nginx.org/en/docs/http/ngx_http_auth_request_module.html>
