I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used spring security but as we now switched to blueprint it is not an option anymore as far as I understood. To configure the access rules I would like to mainly use the standard #RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a blueprint extension but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/ .
It provides easy API's for authentication, authorization, cryptography, and session management. It can also be easily deployed inside a OSGI container. Some pros of Apache Shiro are listed here Apache Shiro vs Java EE native APIs
In the mean time I created a blueprint extension for authorization based on JAAS and Java EE annoations (#RolesAllowed, #PermitAll, #DenyAll). You can add the extension to any blueprint file. It will then scan all beans for these annoations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or ws security username principal. The module works together with the Apache Karaf JAAS support. So all karaf users and roles apply.
I will create a tutorial to show how to use all of this once the aries blueprint release that includes the authorization module is out. In the mean time I would be happy if you try it out and report any problems you have.
Btw. another approach for karaf is the role based access control for OSGi services that is built into karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
Related
I've started learning Spring Boot coming from a NodeJS/Express background and I'm wondering what's the difference between the server that we create ourselves in an express app that listens on a certain port, and the Tomcat server in a spring application also called a container ? Why can't we do the same in a spring boot application where we create the server ourselves ?
const app = express();
app.listen(3000, () => console.log("Server listening on port 3000"));
Welcome to the Spring Ecosystem. We hope you enjoy your stay!
My first bit of advice, forget everything you know about Express because Spring is very different. I have not used Express in a while, but I remember it had a very programmatic approach. While that is possible in Spring, the most popular approach is declarative with annotations. Or, if you are old and like old technology, you can configure everything with XML.
What's Tomcat? Tomcat is a implementation of various Jakarta EE (formally Java EE) specifications. Depending on the Spring Boot version, you may see packages that start with jakarta or javax. Tomcat implements, Jakarta Servlet, Server Pages, Expression Language, WebSocket, Annotations, and Authentications. You can read more about each specification here. Note: Spring Boot by itself does not necessary use all of these modules and mostly Spring has many abstraction layers on top of them anyway, so you rarely will work with Tomcat directly. Specifically, spring-boot-starter-tomcat is the Spring module that uses Tomcat, and is most often included as a transitive dependency through spring-boot-starter-web.
Now, to answer your question...
Spring Boot Web configures Tomcat for you. You can definitely override this behavior! One basic way is through configuration properties. Anything under server.tomcat. A good IDE should autocomplete and show you the options. You can also change the address and port of the Tomcat server with server.address and server.port. Another popular property developers change is server.error.whitelabel.enabled. They set it to false and provide their own error page. Here is a great example. By the way, Baeldung offers a lot of free Spring tutorials and guides. It is a great place to get started. They also offer paid courses with certifications.
FYI, you do not have to use Tomcat. Read more here.
I want to create a REST web service using Jersey. I also want to use Spring in the project. Now, my questions is the following:
I don't see any reason for integrating these 2 together in my application. So, I should be able to use Spring for bean management and Jersey for creating the web service. Am I correct, or Spring and Jersey somehow have to be integrated.
I see that there is a jersey-spring maven project, and so, I assume that this is for the purpose of integrating jersey and spring together. My question here is do I get any benefit of using this integrated form rather than simply use Jersey and Spring separately each for its own functionality?
Thanks,
Cyrus
You can absolutely combine the two projects. However, I would encourage you to look at Spring-MVC for doing REST as it is very powerful and easy to use. If memory serves, the jersey-spring project was helpful in integration of JAXB and other touch points. Again, this is all built into Spring. And if you use Spring-Boot it is amazingly simple to get running.
The jersey-spring project provides integration between Jersey and Spring. It allows you to wire in any beans in your Spring context into Jersey and vice-versa.
For instance, if you are using spring-security, it will provide your spring-security principal when wiring the Jersey specific SecurityContext into any of your REST resources.
If you want to access Spring beans from your Jersey REST endpoints (or use Spring Beans as implementations for your JAX-RS interfaces) you need to integrate Spring and Jersey, otherwise it won't work. If you don't have any connections between Spring beans and your REST endpoints, then it is not necessary.
I think your first statement is correct. I have used Jersey and Sprint as separate entities.
Jersey is really awesome to create a web server.
Spring is useful for dependency injection (beans) and other cools stuff.
About your second statement, I do not know anything jersey-spring maven project.
My suggestion/opinion is to do as your first comment. Use them in a separate way. You will have the best of both worlds. Using jersey-spring maven project might be a complication and maybe it is not what you want. Libraries usually are intend to be independent.
I am trying to change Dropwizard to support Shiro.
I have read documentation and am little puzzled. I would like to utilize Shiro in conjunction with form login authentication and Apache Shiro Annotations. I think that I need to use Jersey Filters to support Shiro.
Is this the correct way to support Shiro annotations at Jersey instead of classic Shiro Filter approach?
Since Jersey Filters have decent access to resources with annotations, it seems perfect for me to use annotations.
I rather not use the AOP approach, and It could be really great to have on the fly integration with JAX-RS as a separated module.
Someone has already created a solution for what you are asking.
Shiro with Jersey.
https://github.com/javajack/shiro-jersey
Shiro For Dropwizard
https://github.com/javajack/shiro-jdbi-realm
Dropwizard Shiro Budle Example
https://github.com/javajack/dw-shiro-bundle
I'm trying to integrate Web SSO via JAAS in my web application under Apache Tomcat.
I've worked through Apache documentation and other stuff to get inside.
Common approach is to implement login module, configure web application (web.xml to be exact), configure server (jaas.config, server.xml) as described at http://jakarta.apache.org/slide/howto-jaas.html.
On my company environment I've faced issue with configuring server. Configuring environment variables as proposed by Apache is even worse.
Is there any way to make all configuration inside my web application?
PS. I do know about Spring security framework.
Thanks.
You are looking for http://spnego.sourceforge.net. There is a filter which does true SSO and JAAS.
There is a way to implement all security inside web app, except the security realm properties files (or LDAP / DB if you prefer). Read up on Java security. Also about tomcat's SSO valve
This is related to Tomcat 6 with JAASRealm and a custom JAAS module for security.
Other Application Servers seem to support the mapping of application role names (in web.xml) to actual groups of the underlying security realm by using with server specific deployment descriptors - as mentioned in the Java EE 5 Tutorial.
Does Tomcat have a similar mechanism?
Edit: This thread seems to talk of the same requirement, but unfortunately doesn't have a definitive answer.
A request for enhancement to JBoss Web (with tomcat under the hood) has been made to address this same issue.
you can check $CATALINA_HOME/conf/tomcat-users.xml there you can add and manage roles .. you can use the GUI provided by tomcat you can check
GUI Administration
and Tomcat Roles Management