Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [ecf-dev] RFC 119 Distributed OSGi authentication

Hi Saul,

Saul Goode wrote:
Is it possible to establish some kind of authentication between the
provider of a DOSGi remote service (exposed via ECF) and its client?

There's no specification of authentication or authorization as part of RFC119 itself (which is moving to be 'remote services' in the forthcoming OSGi spec).

What I'm looking for is a way to authenticate one DOSGi/ECF instance to
another one to be able to restrict access on certain services. The
authentication should be transparent, i.e. the bundles which provide or
use the services shouldn't be changed.

Because it's not specified in the spec, it depends upon what the rfc119 implementer makes available in terms of authentication and authorization. For authentication, ECF's remote services API (that is used by the ECF RFC 119 impl) does have a notion of providing/getting authentication information from the client (i.e. the org.eclipse.ecf.remoteservice.IRemoteServiceContainerAdapter.setConnectContextForAuthentication(IConnectContext)), and this can be used by the provider to authenticate (and subsequently authorize based upon that authentication). Because rfc119 doesn't say anything about passing of credentials, it's necessary to call the setConnectContextForAuthentication directly (by getting the IRemoteServiceContainerAdapter and calling that method).

The various ECF remote service providers use/handle the connectContext in different ways. r-OSGi does not use it (currently). ECF generic does use it for passing password to server/service host. The new REST provider does not use it (although probably should...that would be a good enhancement Holger).

On the service host side (to evaluate the auth information and allow/disallow access)...again because nothing is specified in the spec it depends upon the provider. AFAIK, r-osgi doesn't allow customization of the access control...but Jan will/should correct me if I'm wrong. See below for a brief explanation of how to programmatically set the connect handling for the ECF generic service host.

So the main points are: 1) rfc119 and the forthcoming remote services spec (I believe) doesn't define authentication and authorization for remote services. 2) ECF has api for authentication; 3) the existing ECF remote services providers support that api to varying degrees (and new providers, or extensions of existing providers can certanly support this).



Setting the connect handling policy on the ECF generic service host:

ECF generic allows such customization via the setting of a callback implementing this method on ISharedObjectContainerGroupManager.setConnectPolicy(IConnectHandlerPolicy). The ISharedObjectContainerGroupManager can be accessed (e.g.)

ISharedObjectContainerGroupManager sogroupManager = (ISharedObjectContainerGroupManager) container.getAdapter(ISharedObjectContainerGroupManager.class);

Back to the top