RWT-OSGI and security
Re: RWT-OSGI and security [message #894778 is a reply to message #894774]
Tue, 10 July 2012 13:39
Raj Saini
Rüdiger,
Thanks for your quick response.
If I use Equinox security, is there a role based authorization (without
using Eclipse Activities)?
Thanks,
Raj
On Tuesday 10 July 2012 06:48 PM, Rüdiger Herrmann wrote:
> Raj,
>
> I can only comment on the Equinox security issue. The extension registry
> and the workbench are independent from each other. If you use Equinox
> security, you'll depend on the extension registry (core.runtime) but
> *not* on the workbench (i.e. org.eclipse.ui).
>
> Thus you should be able to use Equinox security with RWT/OSGi without
> the workbench. I would assume however, that Equinox security only works
> with the Equinox OSGi implementation. Hence you'd be bound to the
> Equinox OSGi implementation.
>
> Regards,
> Rüdiger
>
> On 10.07.2012 09:37, Raj Saini wrote:
>> Hi,
>>
>> I have integrated RWT-OSGI with Apache Karaf and everything is working
>> fine. Now I am trying to secure the application using JAAS.
>>
>> I have looked around and found preferred way to secure RAP applications
>> is Equinox security integration [1]. Equinox security needs the extension
>> registry and I do not want to use the Extension registry Workbench.
>>
>> I can't use the standard container managed security as RWT-OSGI does not
>> have a web.xml to configure container managed security.
>>
>> Apache Karaf provides JAAS security modules and I could use them to
>> authenticate. However, I see a problem with this method as I see it only
>> a client side authentication. This security can be easily bypassed by
>> accessing the server URLs directly using browser or any other web
>> client/user agent.
>>
>> Is there a better way to integrate JAAS security with RWT-OSGI
>> applications without using extension registry and Workbench?
>>
>>
>> [1]http://wiki.eclipse.org/RAP/Equinox_Security_Integration
>>
>> Regards,
>>
>> Rajbir Saini
Re: RWT-OSGI and security [message #894783 is a reply to message #894692]
Tue, 10 July 2012 14:05
Hi,
Equinox security is just one possible way to secure RAP applications,
but I wouldn't say that this is generally the preferred way. I fully
agree that in an Apache Karaf environment, there should be a solution
that does not involve dependencies to Equinox.
Unfortunately, I have hardly any experience with this setup yet, so I
can't point you to a solution. But I'm interested in learning about JAAS
and Karaf.
> Apache Karaf provides JAAS security modules and I could use them to
> authenticate.
Using the security modules provided by the container sounds like the
way to go, doesn't it? Does this already include a login web UI?
> However, I see a problem with this method as I see it only
> a client side authentication. This security can be easily bypassed by
> accessing the server URLs directly using browser or any other web
I don't fully understand this. If you define your users, roles, and
login modules in Karaf, can't you access the security context in your
application and enforce that the user has sufficient permissions? I'm
thinking about something like this:
LoginContext context = new LoginContext("karaf", handler);
context.login(); // authenticates; getSubject() returns null until this has succeeded
Subject subject = context.getSubject();
subject.getPrincipals()
....
The Karaf security framework documentation [1] has some more detailed
examples.
Best regards,
Ralf
[1] http://karaf.apache.org/manual/2.2.8/developers-guide/security-framework.html
--
Ralf Sternberg
Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/
Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
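The LoginContext/Subject flow Ralf sketches above, written out as a complete, added example (it is not code from the thread, from RAP or from Karaf). It keeps the realm name "karaf" from the post; the in-memory login module, the user table and the RolePrincipal class are stand-ins constructed here for what Karaf's realm and its own principal classes would provide, so the whole thing runs without a container:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example, not from the thread or from RAP/Karaf: JAAS login against the realm "karaf",
// then a role check on the resulting Subject. The in-memory module and RolePrincipal are stand-ins.
public final class JaasRoleCheck {

  /** Stand-in role principal (Karaf ships its own RolePrincipal class; this is not it). */
  public static final class RolePrincipal implements Principal {
    private final String name;
    public RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
    @Override public int hashCode() { return name.hashCode(); }
  }

  /** Constructed sample realm, user -> {password, role}; a real module would consult a store. */
  public static final class InMemoryLoginModule implements LoginModule {
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
      USERS.put("alice", new String[] {"s3cret", "admin"});
      USERS.put("bob", new String[] {"hunter2", "viewer"});
    }
    private Subject subject;
    private CallbackHandler handler;
    private String role;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
      subject = s;
      handler = h;
    }

    @Override public boolean login() throws LoginException {
      NameCallback nameCb = new NameCallback("user");
      PasswordCallback passCb = new PasswordCallback("password", false);
      try {
        handler.handle(new Callback[] {nameCb, passCb});   // pulls credentials from the caller's handler
      } catch (IOException | UnsupportedCallbackException e) {
        throw new LoginException("callback failed: " + e.getMessage());
      }
      char[] supplied = passCb.getPassword();
      passCb.clearPassword();
      String[] entry = USERS.get(nameCb.getName());
      // Constant-time compare; an unknown user is compared against "" so both failures take one path.
      byte[] expected = (entry == null ? "" : entry[0]).getBytes(StandardCharsets.UTF_8);
      byte[] given = new String(supplied == null ? new char[0] : supplied).getBytes(StandardCharsets.UTF_8);
      if (entry == null || !MessageDigest.isEqual(expected, given)) throw new FailedLoginException("bad credentials");
      role = entry[1];
      return true;
    }

    @Override public boolean commit() { subject.getPrincipals().add(new RolePrincipal(role)); return true; }
    @Override public boolean abort() { role = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
  }

  /** Programmatic equivalent of a JAAS config entry: realm "karaf" -> one required module. */
  static void installConfiguration() {
    Configuration.setConfiguration(new Configuration() {
      @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
        if (!"karaf".equals(realm)) return null;
        return new AppConfigurationEntry[] {new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap())};
      }
    });
  }

  /** The login step from the post, with the login() call that must precede getSubject(). */
  public static Subject login(String realm, String user, char[] password) throws LoginException {
    CallbackHandler handler = callbacks -> {
      for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
        else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
        else throw new UnsupportedCallbackException(cb);
      }
    };
    LoginContext context = new LoginContext(realm, handler);
    context.login();   // throws LoginException on failure; getSubject() is null until this succeeds
    return context.getSubject();
  }

  /** Server-side authorization check to run before any privileged action. */
  public static boolean hasRole(Subject subject, String role) {
    return subject != null
        && subject.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
  }

  public static void main(String[] args) throws Exception {
    installConfiguration();
    System.out.println("alice admin: " + hasRole(login("karaf", "alice", "s3cret".toCharArray()), "admin"));
    System.out.println("bob admin: " + hasRole(login("karaf", "bob", "hunter2".toCharArray()), "admin"));
    try { login("karaf", "alice", "wrong".toCharArray()); }
    catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

Two points matter for the bypass worry raised in the question: the Subject only exists after `login()` has succeeded on the server, and `hasRole` is what the application must call on that server-held Subject before doing anything privileged. Against a real Karaf realm the `installConfiguration()` step goes away (the container supplies the realm) and the principal class to query is Karaf's own rather than the stand-in here.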
Re: RWT-OSGI and security [message #894953 is a reply to message #894783]
Wed, 11 July 2012 08:40
Raj Saini
Hi Ralf,
Please see inline:
On Tuesday 10 July 2012 07:35 PM, Ralf Sternberg wrote:
> Hi,
>
> Equinox security is just one possible way to secure RAP applications,
> but I wouldn't say that this is generally the preferred way. I fully
> agree that in an Apache Karaf environment, there should be a solution
> that does not involve dependencies to Equinox.
>
> Unfortunately, I have hardly any experience with this setup yet, so I
> can't point you to a solution. But I'm interested in learning about JAAS
> and Karaf.
Karaf realms are created using custom blueprint artefacts. As Karaf
realms are available system wide, multiple applications can make use of
same Realms. For example, in my application, ActiveMQ and Jetty utilises
same realm.
>
> > Apache Karaf provides JAAS security modules and I could use them to
> > authenticate.
>
> Using the security modules provided by the container sounds like the
> ways to go, doesn't it? Does this already include a login web UI?
Karaf Login modules do not provide any login web UI. Like any other JAAS
Login module, Karaf uses Callback handler to get the login credentials.
>
> > However, I see a problem with this method as I see it only
> > a client side authentication. This security can be easily bypassed by
> > accessing the server URLs directly using browser or any other web
>
> I don't fully understand this. If you define your users, roles, and
> login modules in Karaf, can't you access the security context in your
> application and enforce that the user has sufficient permissions? I'm
> thinking about something like this:
>
> LoginContext context = new LoginContext("karaf", handler);
> Subject subject = context.getSubject();
> subject.getPrincipals()
> ...
I think my confusion is due to lack of knowledge about RAP. I was
thinking RAP generated different URLs for each request. I debugged the
http request/response communication and it looks all the requests go to
the single URL. Therefore, I do not see a need to protect multiple URLs
as we generally do with standard Java EE applications.
Thanks again for your help.
Regards,
Raj
Re: RWT-OSGI and security [message #895048 is a reply to message #894953]
Wed, 11 July 2012 14:15
Hi Raj,
> Karaf Login modules do not provide any login web UI. Like any other JAAS
> Login module, Karaf uses Callback handler to get the login credentials.
I think it shouldn't be too hard to come up with a login dialog built
with RWT that does the login with JAAS. The equinox security UI might
serve as an example.
> I think my confusion is due to lack of knowledge about RAP. I was
> thinking RAP generated different URLs for each request. I debugged the
> http request/response communication and it looks all the requests go to
> the single URL. Therefore, I do not see a need to protect multiple URLs
> as we generally do with standard Java EE applications.
There's only one single URL per entrypoint. So it seems there are two
ways to combine RAP and JAAS: either you create a standard HTML-based
login UI and protect the URL to your entrypoint, or you do everything
directly in RAP using the APIs described in the Karaf docs. Let us know how
you solved it, or if you need further help.
Best regards, Ralf
--
Ralf Sternberg
Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/
Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
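The first of the two options above, protecting the single entrypoint URL, as an added example that is not code from the thread, from RAP or from Karaf. It is a servlet filter that only lets a request reach the entrypoint once a JAAS login has been stored in the HTTP session, and it handles the login form POST itself. Assumptions: a realm named "karaf" is configured by the container (as in the thread); the login form is a plain HTML page at `/login` posting `user` and `password`, and the entrypoint is at `/rap` (both paths invented here); and the HTTP service in use can register a filter (the plain OSGi HttpService cannot, Pax Web in Karaf can through its WebContainer extension), since with RWT-OSGi there is no web.xml to map it in:

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the thread or from RAP/Karaf: a servlet filter that gates the RAP
// entrypoint URL on a JAAS login held in the HTTP session. The realm "karaf" follows the thread;
// LOGIN_PATH and ENTRYPOINT_PATH are assumed, as is an HTML form that POSTs user/password to LOGIN_PATH.
public final class EntrypointAuthFilter implements Filter {
  static final String SUBJECT_ATTR = EntrypointAuthFilter.class.getName() + ".subject";
  static final String REALM = "karaf";
  static final String LOGIN_PATH = "/login";      // assumed: plain HTML login form lives here
  static final String ENTRYPOINT_PATH = "/rap";   // assumed: the single RAP entrypoint URL

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String path = request.getRequestURI().substring(request.getContextPath().length());

    if (LOGIN_PATH.equals(path)) {
      if ("POST".equals(request.getMethod())) handleLogin(request, response);
      else chain.doFilter(req, res);            // GET: let the form itself be served
      return;
    }
    if (currentSubject(request) != null) {
      // The RAP client talks to one URL per entrypoint, so every UI request passes this check:
      // the decision is made on the server for each request, not once when a dialog was shown.
      chain.doFilter(req, res);
      return;
    }
    if ("GET".equals(request.getMethod())) {
      response.sendRedirect(request.getContextPath() + LOGIN_PATH);   // browser opening the entrypoint
    } else {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);       // protocol request with no login (e.g. expired session)
    }
  }

  /** The authenticated Subject bound to this HTTP session, or null. */
  static Subject currentSubject(HttpServletRequest request) {
    HttpSession session = request.getSession(false);
    return session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
  }

  private void handleLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String user = request.getParameter("user");
    String pass = request.getParameter("password");   // a String cannot be wiped; the char[] copy below is
    if (user == null || pass == null) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }
    char[] password = pass.toCharArray();
    try {
      CallbackHandler handler = callbacks -> {
        for (Callback cb : callbacks) {
          if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
          else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
          else throw new UnsupportedCallbackException(cb);
        }
      };
      LoginContext context = new LoginContext(REALM, handler);
      context.login();                                      // throws LoginException on bad credentials
      HttpSession stale = request.getSession(false);
      if (stale != null) stale.invalidate();                // fresh session id after login: no session fixation
      request.getSession(true).setAttribute(SUBJECT_ATTR, context.getSubject());
      response.sendRedirect(request.getContextPath() + ENTRYPOINT_PATH);
    } catch (LoginException e) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);  // same answer for unknown user and wrong password
    } finally {
      Arrays.fill(password, '\0');
    }
  }
}
```

Mapped to both `/login` and the entrypoint path, this answers the concern about reaching server URLs directly: a client that skips the login form gets a redirect or a 401 from the filter, never the entrypoint. The RAP application can still read the Subject back from the session (`currentSubject`) to make role decisions before privileged actions, which is the same check the in-RAP dialog approach needs.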
Re: RWT-OSGI and security [message #895094 is a reply to message #895048]
Wed, 11 July 2012 16:40
Raj Saini
Hi Ralf,
I have attached the code of my implementation. I am doing everything in
RAP using the JAAS API and in fact there is no reference to Karaf APIs.
JAAS Realm is defined and deployed in a separate bundle using OSGi
blueprint. Authentication UI and JAAS related code is within the Dialog
box.
Kindly, let me know if this looks good.
Regards,
Raj