Martin Nielsen

Reputation: 2049

How to use JAAS with permission based authorization in OSGi

I am looking into creating a secure application, which will run on Karaf. Being someone who has never used JAAS (having only worked with Shiro), I am having a lot of trouble getting my head around how to actually implement anything in JAAS. Google is not helping much, since it favors Spring, JavaEE and Struts every time it sees anything that even rhymes with JAAS :) I think I have figured out how to manage realms and login modules with Karaf, but I do have some questions about the rest of the task:

  1. How do I actually create a session for my application? Part of the application will be using CXF REST services to communicate, which seems pretty straightforward, but I will also be building a Wicket-backed web frontend (I am guessing through pax-web). How do I make JAAS use sessions in this case to avoid constant logins?

  2. Permission-based security using JAAS in Karaf. Using Shiro, I have grown accustomed to permission-based (or action-based) authorization, where a subject has a number of roles, and those have the permissions that you actually validate. It seems that JAAS does not support this out of the box. Is there some way to implement this, again using JAAS in Karaf? Where would I specify which permissions go with each role?

  3. This might seem like a silly question, but please try not to snicker too badly; I really feel like I am drowning in JAAS at the moment. What is the correct way to perform authentication checks? I see AccessController and Subject.doAsPrivileged used in different contexts and I am having trouble spotting what the difference is, if any.

Upvotes: 1

Views: 500

Answers (1)

Christian Schneider

Reputation: 19626

You can use the CXF JAAS Login Feature. It does a JAAS login against the Karaf JAAS backend without any additional config. The result is a login on the current thread.

The subject can be retrieved using:

Subject subject = Subject.getSubject(AccessController.getContext());

You can then retrieve the principals from the subject. Typically one of the principals is the user and the others are the roles.

So using this you can write your own code to check permissions or integrate with Shiro, I think.

Aries also has the blueprint authz module which allows you to do role-based auth using @RolesAllowed. In the background it uses the roles of the JAAS subject.

I also found an example for a complete little application.

Upvotes: 1
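The answer above stops at "retrieve the principals and write your own permission check". The following is an added example, not code from the answer, from Karaf or from CXF, showing the whole path for question 2: a Subject is bound to the thread with Subject.doAs (which is what a JAAS login leaves behind), Subject.getSubject(AccessController.getContext()) reads it back, the role principals are collected, and a role-to-permission table decides the check with deny-by-default. The RolePrincipal class here is a stand-in so the program runs without Karaf on the classpath; in a Karaf deployment the login module adds org.apache.karaf.jaas.boot.principal.RolePrincipal, and the ROLE_PERMISSIONS map is a hypothetical table that would normally come from configuration.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Stand-in for the role principal a Karaf login module attaches to the Subject.
 * Defined locally so this example runs without Karaf (assumption for the example).
 */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class PermissionCheck {
    // Hypothetical role-to-permission table; a real deployment would load this
    // from configuration rather than hard-code it.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "admin",  Set.of("order:read", "order:write", "user:manage"),
        "viewer", Set.of("order:read"));

    /** Roles carried by the Subject bound to the calling thread's access-control context. */
    static Set<String> currentRoles() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return Collections.emptySet(); // nobody logged in on this thread
        }
        Set<String> roles = new HashSet<>();
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            roles.add(p.getName());
        }
        return roles;
    }

    /** True if at least one role of the current Subject grants the permission. */
    static boolean isPermitted(String permission) {
        for (String role : currentRoles()) {
            if (ROLE_PERMISSIONS.getOrDefault(role, Set.of()).contains(permission)) {
                return true;
            }
        }
        return false; // deny by default, including when no Subject is present
    }

    /** Guard to call at the top of a service method. */
    static void checkPermission(String permission) {
        if (!isPermitted(permission)) {
            throw new SecurityException("missing permission: " + permission);
        }
    }

    public static void main(String[] args) {
        // Constructed sample Subject, shaped like what a login module leaves: one role principal.
        Subject viewer = new Subject();
        viewer.getPrincipals().add(new RolePrincipal("viewer"));

        // Subject.doAs binds the Subject to this thread's access-control context;
        // that binding is what Subject.getSubject(AccessController.getContext()) reads.
        Subject.doAs(viewer, (PrivilegedAction<Void>) () -> {
            System.out.println("order:read  -> " + isPermitted("order:read"));
            System.out.println("order:write -> " + isPermitted("order:write"));
            try {
                checkPermission("order:write");
            } catch (SecurityException e) {
                System.out.println("guard rejected: " + e.getMessage());
            }
            return null;
        });

        // Outside doAs no Subject is bound, so every check is denied.
        System.out.println("outside doAs, order:read -> " + isPermitted("order:read"));
    }
}
```

This also answers the AccessController-versus-doAs part of question 3 as far as the page goes: Subject.doAs (or doAsPrivileged) establishes the Subject on the thread, while AccessController.getContext only reads what is already there. Note that AccessController is deprecated for removal from JDK 17 on; on JDK 18 and later the same pattern is written with Subject.callAs to bind the Subject and Subject.current() to read it back.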
