Role based security for OSGi
I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices. Some time ago I already used spring security but as we now switched to blueprint it is not an option anymore as far as I understood. To configure the access rules I would like to mainly use the standard @RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a blueprint extension but I would prefer an existing solution.

Averill answered 31/3, 2013 at 11:43
I configured Shiro in my application, running on Karaf. I managed to configure the security manager, so I can login/logout using credentials stored in a DB. Now I'm struggling to find a way to use those annotations. Did you find a solution? – Decastyle
I did not use Shiro in the end. Instead I used the CXF JaasLoginFeature. It does a JAAS login using the credentials, which can then be retrieved from the same thread. For example, the aries blueprint-authz module uses the JAAS login. – Averill
Does CXF JAAS also support a feature similar to the Session provided by Shiro? – Decastyle
CXF provides sessions coupled to cookies, but it is not at the same level as a Shiro Session. – Averill

I would suggest you go with Apache Shiro instead: http://shiro.apache.org/.

It provides easy APIs for authentication, authorization, cryptography, and session management. It can also be easily deployed inside an OSGi container. Some pros of Apache Shiro are listed here: Apache Shiro vs Java EE native APIs.

Mccomas answered 2/4, 2013 at 14:13
Shiro is on the list of frameworks I am investigating. Is there some documentation on how to set it up for OSGi? Especially, I am searching for some samples / hints on how to use it for plain OSGi services and for CXF services. The examples I found always refer to Java web (servlet) applications. So for example, if I create an OSGi service, how do I enable Shiro on it and how do I make it honour the RolesAllowed annotations? Or if I call the OSGi service, how do I authenticate? I guess there will be some thread local to hold my auth info. – Averill

In the meantime I created a blueprint extension for authorization based on JAAS and Java EE annotations (@RolesAllowed, @PermitAll, @DenyAll). You can add the extension to any blueprint file. It will then scan all beans for these annotations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.

So the prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or the WS-Security username principal. The module works together with the Apache Karaf JAAS support, so all Karaf users and roles apply.

I will create a tutorial to show how to use all of this once the aries blueprint release that includes the authorization module is out. In the meantime I would be happy if you try it out and report any problems you have.

Btw., another approach for Karaf is the role based access control for OSGi services that is built into Karaf 3+. It does not work with annotations but is also easy to use. See http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html

Averill answered 18/7, 2014 at 19:36
Christian, do you have a link for what you've done, as I would be interested in doing essentially the same as this (meaning your blueprint extension)? Thanks. – Monniemono
This should help: github.com/cschneider/Karaf-Tutorial/blob/master/cxf/… . The commented out configs would activate the authz module to allow @RolesAllowed, and the JAASAuthenticationFeature takes care of the login. – Averill
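To make concrete what the answer above describes (a proxy that intercepts bean calls, resolves @RolesAllowed / @PermitAll / @DenyAll, and compares them with the roles of the JAAS Subject left behind by an earlier login on the same thread, as also mentioned in the comment about the CXF JaasLoginFeature), here is a self-contained Java example. It is added here and is not the code of the aries blueprint-authz module or of the Karaf tutorial; the `AccountService`, the `RolePrincipal` class and the thread-local login are constructed for the demo. It assumes `javax.annotation-api` (JSR 250) on the classpath; everything else is plain JDK. Inside Karaf the role principals in the Subject are `org.apache.karaf.jaas.boot.principal.RolePrincipal`, and the Subject itself would come from `Subject.getSubject(AccessController.getContext())` (or `Subject.current()` on JDK 18+) rather than from a ThreadLocal.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;

/** Added demo (not the aries blueprint-authz code): JSR-250 authorization checked against a JAAS Subject. */
public class Jsr250AuthzDemo {

    /** Stand-in for the role principal your login module adds to the Subject
     *  (Karaf: org.apache.karaf.jaas.boot.principal.RolePrincipal, which also exposes the role via getName()). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    public static class AccessDeniedException extends SecurityException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Wraps a service behind a proxy that authorizes every interface call before it reaches the target.
     *  currentSubject stands for "the JAAS login performed earlier on this thread". */
    public static <T> T secure(Class<T> iface, T target, Supplier<Subject> currentSubject) {
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
            (proxy, method, args) -> {
                if (method.getDeclaringClass() != Object.class) {
                    // The annotations live on the implementation bean (what blueprint-authz scans), not the interface.
                    Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
                    authorize(impl, currentSubject.get());
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the service's own exception, not the reflection wrapper
                }
            }));
    }

    /** JSR-250 resolution: a method-level annotation wins; otherwise the class-level one applies. */
    static void authorize(Method m, Subject subject) {
        Class<?> owner = m.getDeclaringClass();
        if (m.isAnnotationPresent(DenyAll.class)) deny(m, "@DenyAll");
        if (m.isAnnotationPresent(PermitAll.class)) return;
        RolesAllowed rule = m.getAnnotation(RolesAllowed.class);
        if (rule == null) {
            if (owner.isAnnotationPresent(DenyAll.class)) deny(m, "class-level @DenyAll");
            if (owner.isAnnotationPresent(PermitAll.class)) return;
            rule = owner.getAnnotation(RolesAllowed.class);
        }
        // Fail closed: JSR 250 itself would permit an unannotated method; this demo deliberately denies it.
        if (rule == null) deny(m, "no authorization annotation");
        if (subject == null) deny(m, "no JAAS login on this thread");
        Set<String> roles = new HashSet<>();
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) roles.add(p.getName());
        if (Collections.disjoint(roles, Arrays.asList(rule.value())))
            deny(m, "needs one of " + Arrays.toString(rule.value()) + ", caller has " + roles);
    }

    private static void deny(Method m, String why) {
        throw new AccessDeniedException(m.getName() + "() denied: " + why);
    }

    // ---- constructed demo service; the rules sit on the implementation, as they would on a blueprint bean ----
    public interface AccountService {
        String balance(String account); void close(String account);
        String version(); String dumpInternals(); String audit();
    }

    @RolesAllowed("auditor")                       // class-level default for methods without their own rule
    static class AccountServiceImpl implements AccountService {
        @RolesAllowed({"admin", "teller"}) public String balance(String a) { return a + ": 42.00"; }
        @RolesAllowed("admin")             public void close(String a) { }
        @PermitAll                         public String version() { return "1.0"; }
        @DenyAll                           public String dumpInternals() { return "secret"; }
        public String audit() { return "audit ok"; }   // unannotated: falls back to the class-level rule
    }

    public static void main(String[] args) {
        ThreadLocal<Subject> login = new ThreadLocal<>();
        AccountService svc = secure(AccountService.class, new AccountServiceImpl(), login::get);

        // Constructed Subject: what a Karaf JAAS login for a user holding only the "teller" role leaves behind.
        Subject teller = new Subject();
        teller.getPrincipals().add(new RolePrincipal("teller"));
        login.set(teller);
        System.out.println(svc.version());          // @PermitAll: passes without consulting the Subject
        System.out.println(svc.balance("acc-1"));   // "teller" is one of the allowed roles
        for (Runnable call : new Runnable[] {() -> svc.close("acc-1"), () -> svc.dumpInternals(), () -> svc.audit()}) {
            try { call.run(); } catch (AccessDeniedException e) { System.out.println(e.getMessage()); }
        }
        login.remove();                             // simulate a thread with no JAAS login at all
        try { svc.balance("acc-1"); } catch (AccessDeniedException e) { System.out.println(e.getMessage()); }
    }
}
```

The three calls in the loop are denied for three different reasons (wrong role, @DenyAll, class-level rule requiring "auditor"), and the last call is denied because no Subject is bound to the thread; running `java Jsr250AuthzDemo` prints each reason. Compile and run with the JSR 250 jar on the classpath.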
