Eclipse Community Forums
Security with JAAS [message #735946] Thu, 13 October 2011 07:35
Bertin Kiekebosch
Messages: 306
Registered: August 2011
Senior Member
Hi,

Is there any example or documentation on how to set up security with JAAS and users in a database?

Regards Bertin
Re: Security with JAAS [message #738934 is a reply to message #735946] Sun, 16 October 2011 23:40
Daniel Wiehl
Messages: 24
Registered: April 2010
Junior Member
Hi Bertin

Scout security actually relies on concepts of the JAAS framework by representing the source of a request as a subject with associated principals. In turn, any action is performed on behalf of that subject in a respective doAs call.
Instead of using the core JAAS classes for authentication (LoginContext, LoginModule, CallbackHandler and Callback), we authenticate users directly in so-called SecurityFilters. Those filters are chainable, meaning that you might have several filters that know how to authenticate user credentials against a database (DataSourceSecurityFilter), an LDAP directory (LDAPSecurityFilter) or whatever you like. Those filters are registered as an extension to the extension point 'org.eclipse.scout.http.servletfilter.filters'. If a filter can authenticate the user successfully, the request is passed within a doAs call to the endpoint servlet (ServiceTunnelServlet), which dispatches the call to the requested OSGi service.

Because we are not using the LoginContext for authentication and do not want to depend on the static policy configuration files for principal-based granting (Policy API), permission loading is done by the Scout AccessControlService. There, all the permissions that belong to the authenticated subject are gathered and maintained in the Scout AccessControlStore. In consequence, authorization cannot be delegated to the JAAS AccessController, but is done in a very convenient way by the Scout AccessControlService itself. For more information on how to load permissions and do access control checks, please refer to the forum post at http://www.eclipse.org/forums/index.php/t/243966/.

Let us have a look at how the system prompts for authentication.
First you have to know that all code on the client is run within a doAs call with the user's account name as subject. By default, authentication is only triggered by calling the backend. That means that if you have a standalone client application without a server running, you are never prompted for authentication.
So when doing your first backend call, a connection to the server is established. In the application's life cycle, this typically occurs when initializing the client session, which is about the first thing done. Thereby, the security filter on the server side intercepts the call. Because no subject is associated yet, a 401 Unauthorized error code is sent back to the client. On the client side, before being propagated back to the caller, this 401 is intercepted by the installed net authenticator. By default, the installed authenticator first looks in the Eclipse secure preference store for credentials. If they are not available, a login dialog is presented to the user to enter username and password. In turn, those are sent back to the server to continue authentication.
Please note that the authenticator mechanism can be installed in your Swing application by calling NetActivator.install().

// In the Swing client application class: install the net authenticator
// before the application continues its startup.
@Override
protected Object startInSubject(IApplicationContext context) throws Exception {
   NetActivator.install();
   return super.startInSubject(context);
}

Thereby, the default Scout authenticator InternalNetAuthenticator is installed. This can be easily overwritten by registering an OSGi service with the name java.net.Authenticator and a ranking higher than -2. Alternatively, you can register an extension to the Eclipse extension point org.eclipse.core.net.authenticator that contains your custom java.net.Authenticator.

If you have any further questions, please feel free and let us know.

[Updated on: Mon, 17 October 2011 05:44]

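The server-side half of the flow Daniel describes, as an added example that is not part of the post and is not Scout's own DataSourceSecurityFilter: a chainable servlet filter that verifies HTTP Basic credentials against a database, answers 401 Unauthorized when nothing valid is present (which is what the client-side java.net.Authenticator reacts to), and runs the remainder of the request inside Subject.doAs so downstream code acts on behalf of the authenticated subject. The JNDI name of the DataSource, the layout of the users table (name, pw_salt, pw_hash with PBKDF2-SHA256 hashes) and the iteration count are assumptions; the filter is plain servlet-API Java with no Scout dependencies.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Hypothetical database-backed security filter (added example, not Scout's DataSourceSecurityFilter). */
public class DatabaseBasicAuthFilter implements Filter {
  private static final String SUBJECT_ATTR = "auth.subject"; // constructed session attribute name
  private DataSource dataSource;

  /** Minimal principal carrying the authenticated account name. */
  static final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
  }

  @Override
  public void init(FilterConfig config) throws ServletException {
    try {
      // JNDI binding name is an assumption; use whatever the container exposes
      dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/users");
    } catch (Exception e) {
      throw new ServletException("DataSource lookup failed", e);
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // Reuse the subject from an earlier successful authentication in this session
    Subject subject = (Subject) request.getSession(true).getAttribute(SUBJECT_ATTR);
    if (subject == null) {
      subject = authenticate(request.getHeader("Authorization"));
      if (subject == null) {
        // No valid credentials: challenge the client. A java.net.Authenticator on the
        // client side answers this 401 by retrying the call with username and password.
        response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
      }
      request.getSession().setAttribute(SUBJECT_ATTR, subject);
    }
    try {
      // Everything downstream (next filter, endpoint servlet) runs on behalf of the subject
      Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
        chain.doFilter(req, res);
        return null;
      });
    } catch (PrivilegedActionException e) {
      throw new ServletException(e.getException());
    }
  }

  /** Verifies HTTP Basic credentials against the users table; returns null when they are not valid. */
  Subject authenticate(String header) {
    if (header == null || !header.startsWith("Basic ")) return null;
    String decoded;
    try {
      decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return null; // malformed base64
    }
    int colon = decoded.indexOf(':');
    if (colon <= 0) return null;
    String user = decoded.substring(0, colon);
    char[] password = decoded.substring(colon + 1).toCharArray();
    // Table layout is an assumption: users(name, pw_salt, pw_hash) storing PBKDF2-SHA256 hashes
    String sql = "SELECT pw_salt, pw_hash FROM users WHERE name = ?";
    try (Connection c = dataSource.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
      ps.setString(1, user);
      try (ResultSet rs = ps.executeQuery()) {
        if (!rs.next()) return null; // unknown user
        byte[] expected = rs.getBytes("pw_hash");
        byte[] actual = pbkdf2(password, rs.getBytes("pw_salt"), expected.length * 8);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time comparison
      }
    } catch (Exception e) {
      return null; // database or crypto failure counts as not authenticated
    } finally {
      Arrays.fill(password, '\0'); // do not keep the clear-text password around
    }
    Subject subject = new Subject();
    subject.getPrincipals().add(new UserPrincipal(user));
    subject.setReadOnly();
    return subject;
  }

  private static byte[] pbkdf2(char[] password, byte[] salt, int bits) throws Exception {
    PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, bits); // iteration count is a constructed choice
    try {
      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    } finally {
      spec.clearPassword();
    }
  }

  @Override public void destroy() { }
}
```

In a Scout application the filter would be contributed through the 'org.eclipse.scout.http.servletfilter.filters' extension point mentioned above; in a plain servlet container it is mapped in web.xml. Every failure path in authenticate (missing header, malformed base64, unknown user, wrong password, database error) returns null and therefore the same 401 response, so the reply does not reveal which check failed.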

Re: Security with JAAS [message #753052 is a reply to message #735946] Wed, 26 October 2011 16:08
Claudio Guglielmo
Messages: 127
Registered: March 2010
Senior Member
Hi Dani

Great explanation, as usual!

I merged your text with the wiki: http://wiki.eclipse.org/Scout/Concepts/Security

Cheers
Claudio

[Updated on: Tue, 01 November 2011 19:39]
