Eclipse Community Forums » Eclipse Projects » Remote Application Platform (RAP)
RWT-OSGI and security [message #894692] Tue, 10 July 2012 07:37
Raj Saini
Hi,

I have integrated RWT-OSGI with Apache Karaf and everything is working
fine. Now I am trying to secure the application using JAAS.

I have looked around and found that the preferred way to secure RAP
applications is the Equinox security integration [1]. Equinox security
needs the extension registry, and I do not want to use the extension
registry or the Workbench.

I can't use the standard container-managed security as RWT-OSGI does not
have a web.xml in which to configure container-managed security.

Apache Karaf provides JAAS security modules and I could use them to
authenticate. However, I see a problem with this method, as I see it as
only client-side authentication. This security can be easily bypassed by
accessing the server URLs directly using a browser or any other web
client/user agent.

Is there a better way to integrate JAAS security with RWT-OSGI
applications without using the extension registry and Workbench?


[1]http://wiki.eclipse.org/RAP/Equinox_Security_Integration

Regards,

Rajbir Saini
Re: RWT-OSGI and security [message #894774 is a reply to message #894692] Tue, 10 July 2012 13:18
Rüdiger Herrmann
Raj,

I can only comment on the Equinox security issue. The extension registry
and the workbench are independent from each other. If you use Equinox
security, you'll depend on the extension registry (core.runtime) but
*not* on the workbench (i.e. org.eclipse.ui).

Thus you should be able to use Equinox security with RWT/OSGi without
the workbench. I would assume, however, that Equinox security only works
with the Equinox OSGi implementation. Hence you'd be bound to the
Equinox OSGi implementation.

Regards,
Rüdiger

--
Rüdiger Herrmann
http://codeaffine.com
Re: RWT-OSGI and security [message #894778 is a reply to message #894774] Tue, 10 July 2012 13:39
Raj Saini
Rüdiger,

Thanks for your quick response.

If I use Equinox security, is there a role based authorization (without
using Eclipse Activities)?

Thanks,

Raj

Re: RWT-OSGI and security [message #894783 is a reply to message #894692] Tue, 10 July 2012 14:05
Ralf Sternberg

Hi,

Equinox security is just one possible way to secure RAP applications,
but I wouldn't say that this is generally the preferred way. I fully
agree that in an Apache Karaf environment, there should be a solution
that does not involve dependencies to Equinox.

Unfortunately, I have hardly any experience with this setup yet, so I
can't point you to a solution. But I'm interested in learning about JAAS
and Karaf.

> Apache Karaf provides JAAS security modules and I could use them to
> authenticate.

Using the security modules provided by the container sounds like the
way to go, doesn't it? Does this already include a login web UI?

> However, I see a problem with this method as I see it only
> a client side authentication. This security can be easily bypassed by
> accessing the server URLs directly using browser or any other web

I don't fully understand this. If you define your users, roles, and
login modules in Karaf, can't you access the security context in your
application and enforce that the user has sufficient permissions? I'm
thinking about something like this:

LoginContext context = new LoginContext("karaf", handler);
context.login(); // authenticate first: getSubject() returns null before a successful login
Subject subject = context.getSubject();
subject.getPrincipals(); // inspect the user and role principals to enforce permissions
// ...

The Karaf security framework documentation [1] has some more detailed
examples.

Best regards,
Ralf


[1]
http://karaf.apache.org/manual/2.2.8/developers-guide/security-framework.html

--
Ralf Sternberg

Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
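Ralf's sketch carried through as an added example (Java; this is not code from the thread, from RAP or from Karaf). It assumes a JAAS realm named "karaf" is configured by the container, and the role check matches on a principal class whose simple name is "RolePrincipal", which is an assumption about how the container's login modules represent roles. The point it makes is the one raised in the thread: authentication and the role check both run on the server, so a browser talking to the server URL directly gets nothing until it has logged in.

```java
import java.io.Console;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example, not code from the thread, RAP or Karaf: authenticate against a
 * JAAS realm (assumed to be the "karaf" realm the container provides) and
 * enforce a required role on the server side.
 */
public final class JaasGate {

    /** Feeds the credentials collected by the UI (e.g. an RWT login dialog) to the login module. */
    static final class CredentialsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        CredentialsHandler(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            // A stacked realm may call this once per login module, so keep the copy until logout.
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(user);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password); // setPassword clones the array
                } else {
                    throw new UnsupportedCallbackException(callback, "unsupported callback");
                }
            }
        }
    }

    /**
     * Runs the JAAS login. login() must be called before getSubject(): without it
     * getSubject() returns null. Bad credentials surface as a LoginException.
     */
    public static LoginContext login(String realm, String user, char[] password) throws LoginException {
        LoginContext context = new LoginContext(realm, new CredentialsHandler(user, password));
        context.login();
        return context;
    }

    /** Authorization happens here, on the server, regardless of what the browser shows. */
    public static boolean hasRole(Subject subject, String requiredRole) {
        if (subject == null) {
            return false;
        }
        for (Principal p : subject.getPrincipals()) {
            // Assumption: roles arrive as principals of a class named RolePrincipal.
            if ("RolePrincipal".equals(p.getClass().getSimpleName()) && requiredRole.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        Console console = System.console();
        if (console == null) {
            System.err.println("run from an interactive terminal");
            return;
        }
        String user = console.readLine("user: ");
        char[] password = console.readPassword("password: ");
        LoginContext context = login("karaf", user, password);
        Arrays.fill(password, '\0'); // the handler holds its own copy; drop ours now
        try {
            Subject subject = context.getSubject();
            System.out.println("principals: " + subject.getPrincipals());
            System.out.println("may administer: " + hasRole(subject, "admin"));
        } finally {
            context.logout(); // remove the principals again when the session ends
        }
    }
}
```

In a RAP application the `main` part is replaced by the login dialog: the dialog collects the name and password, calls `login(...)`, keeps the resulting `Subject` in the user's session, and every privileged action calls `hasRole(...)` before doing anything. The `LoginException` path is where a failed login should be counted and logged, since repeated failures against the realm are the signal a defender wants to see.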
Re: RWT-OSGI and security [message #894953 is a reply to message #894783] Wed, 11 July 2012 08:40
Raj Saini
Hi Ralf,

Please see inline:

On Tuesday 10 July 2012 07:35 PM, Ralf Sternberg wrote:
> Hi,
>
> Equinox security is just one possible way to secure RAP applications,
> but I wouldn't say that this is generally the preferred way. I fully
> agree that in an Apache Karaf environment, there should be a solution
> that does not involve dependencies to Equinox.
>
> Unfortunately, I have hardly any experience with this setup yet, so I
> can't point you to a solution. But I'm interested in learning about JAAS
> and Karaf.
Karaf realms are created using custom blueprint artefacts. As Karaf
realms are available system-wide, multiple applications can make use of
the same realm. For example, in my application, ActiveMQ and Jetty utilise
the same realm.
>
> > Apache Karaf provides JAAS security modules and I could use them to
> > authenticate.
>
> Using the security modules provided by the container sounds like the
> ways to go, doesn't it? Does this already include a login web UI?
Karaf login modules do not provide any login web UI. Like any other JAAS
login module, Karaf uses a callback handler to get the login credentials.
>
> > However, I see a problem with this method as I see it only
> > a client side authentication. This security can be easily bypassed by
> > accessing the server URLs directly using browser or any other web
>
> I don't fully understand this. If you define your users, roles, and
> login modules in Karaf, can't you access the security context in your
> application and enforce that the user has sufficient permissions? I'm
> thinking about something like this:
>
> LoginContext context = new LoginContext("karaf", handler);
> Subject subject = context.getSubject();
> subject.getPrincipals()
> ...

I think my confusion is due to a lack of knowledge about RAP. I was
thinking RAP generated different URLs for each request. I debugged the
HTTP request/response communication and it looks like all the requests go to
a single URL. Therefore, I do not see a need to protect multiple URLs
as we generally do with standard Java EE applications.


Thanks again for your help.

Regards,

Raj
>
> The Karaf security framework documentation [1] has some more detailed
> examples.
>
> Best regards,
> Ralf
>
>
> [1]
> http://karaf.apache.org/manual/2.2.8/developers-guide/security-framework.html
>
>
Re: RWT-OSGI and security [message #895048 is a reply to message #894953] Wed, 11 July 2012 14:15
Ralf Sternberg

Hi Raj,

> Karaf Login modules do not provide any login web UI. Like any other Jaas
> Login module, Karaf uses Callback handler to get the login credentials.

I think it shouldn't be too hard to come up with a login dialog built
with RWT that does the login with JAAS. The equinox security UI might
serve as an example.

> I think my confusion is due to lack of knowledge about RAP. I was
> thinking RAP generated different URLs for each request. I debugged the
> http request/response communication and it looks all the requests go to
> the single URL. Therefore, I do not see a need to protect multiple URLs
> as we generally do with standard Java EE applications.

There's only one single URL per entrypoint. So it seems there are two
ways to combine RAP and JAAS: either you create a standard HTML-based
login UI and protect the URL to your entrypoint, or you do everything
directly in RAP using the APIs described in the Karaf docs. Let us know how
you solved it, or if you need further help.

Best regards, Ralf

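The first of Ralf's two options, protecting the single entrypoint URL, as an added example (Java; not code from the thread, RAP, Karaf or any servlet container). It assumes the entrypoint is mapped under `/rap`, a separate HTML login page lives at `/login`, and that page performs the JAAS login and stores the resulting `Subject` in the HTTP session under the attribute name `jaas.subject`; all three names are assumptions. Since there is no web.xml, the filter is registered through whatever HTTP service the container offers.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread): a servlet filter that guards the RAP
 * entrypoint URL. Requests without an authenticated Subject in the HTTP
 * session are redirected to the login page. Paths and the attribute name
 * are assumptions made for this example.
 */
public class EntrypointAuthFilter implements Filter {

    public static final String SUBJECT_KEY = "jaas.subject";  // assumed session attribute
    static final String LOGIN_PATH = "/login";                // assumed login page
    static final String ENTRYPOINT_PATH = "/rap";             // assumed RAP entrypoint

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must stay reachable, otherwise nobody could ever log in.
        String path = request.getServletPath();
        if (LOGIN_PATH.equals(path) || !isProtected(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Do not create a session for anonymous hits; an existing one is only trusted
        // if the login page put an authenticated Subject into it.
        HttpSession session = request.getSession(false);
        Subject subject = session == null ? null : (Subject) session.getAttribute(SUBJECT_KEY);
        if (subject == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Every request the RAP client sends goes to the one entrypoint URL, so a prefix match covers them all. */
    static boolean isProtected(String servletPath) {
        return servletPath != null && servletPath.startsWith(ENTRYPOINT_PATH);
    }
}
```

Two points to carry over into the login page: it should invalidate any pre-existing session and start a fresh one before storing the `Subject`, so a session id handed out before login is never promoted to an authenticated one, and it should store the `Subject` only after `LoginContext.login()` has returned without throwing. With the filter in place, the RAP client's own requests (UI bootstrap and the protocol requests that follow) all carry the authenticated session cookie, which is exactly why the single-URL design Raj noticed makes this option workable.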
Re: RWT-OSGI and security [message #895094 is a reply to message #895048] Wed, 11 July 2012 16:40
Raj Saini
Hi Ralf,

I have attached the code of my implementation. I am doing everything in
RAP using the JAAS API, and in fact there is no reference to Karaf APIs.
The JAAS realm is defined and deployed in a separate bundle using OSGi
blueprint. The authentication UI and JAAS-related code are within the dialog
box.

Kindly let me know if this looks good.

Regards,

Raj

Re: RWT-OSGI and security [message #895098 is a reply to message #895048] Wed, 11 July 2012 16:41
Raj Saini
BTW, most of the code in the LoginDialog class is copied from the RAP examples.

