  1. Karaf
  2. KARAF-2455

Role-based security for OSGi Services

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0
    • karaf
    • None

    Description

      Add a mechanism to Karaf by which OSGi services can be secured.
      It should check the (JAAS-provided) roles of the user associated with the current thread against the roles required to invoke the OSGi service.
      The service-roles should be configurable and should not require modification of the service code, although there might be a mechanism by which services provide information about the default roles required for invocation themselves (e.g. as an annotation).

      The current user's roles are obtained using standard JSE code that obtains the current Subject from the AccessControlContext as in:

        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);

      At this point you can get all the Principals from the subject, e.g. all the roles:

        Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);

      If the user doesn't have the required roles, the service invocation should not proceed and throw a SecurityException instead.

      For full discussion see: http://mail-archives.apache.org/mod_mbox/karaf-dev/201308.mbox/%3CCAMit8SpUqwPsMQE4S9DHsPrO7Y9D3RkV6goEZy6WK-jc78o%2Bow%40mail.gmail.com%3E
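
One way to enforce the check described in this issue, as an added example rather than code from the issue or from Karaf: a dynamic proxy that reads the current Subject's roles and throws SecurityException before the call reaches the service. RolePrincipal here is a local stand-in for Karaf's class, AccountService and the role map are constructed for illustration, and a JDK on which Subject.getSubject(AccessControlContext) is supported is assumed (the call is deprecated in recent Java releases).

```java
import java.lang.reflect.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
public class RoleGuardDemo {
    // Stand-in for Karaf's RolePrincipal so the example compiles without Karaf.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    interface AccountService { String read(String id); String delete(String id); } // hypothetical
    // Throws SecurityException unless the current Subject holds one of the roles for this method.
    static void checkRoles(String method, Map<String, Set<String>> requiredRoles) {
        Set<String> needed = requiredRoles.get(method);
        if (needed == null) throw new SecurityException("no roles configured for " + method); // fail closed
        Subject subject = Subject.getSubject(AccessController.getContext()); // lookup from the issue
        boolean ok = subject != null && subject.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(r -> needed.contains(r.getName()));
        if (!ok) throw new SecurityException("insufficient roles for " + method);
    }

    // Wraps a service in a proxy; the service code itself is not modified.
    @SuppressWarnings("unchecked")
    static <T> T guard(Class<T> api, T target, Map<String, Set<String>> requiredRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getDeclaringClass() != Object.class) checkRoles(method.getName(), requiredRoles);
            try { return method.invoke(target, args); } catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[] { api }, h);
    }

    public static void main(String[] argv) {
        AccountService real = new AccountService() {
            public String read(String id) { return "account " + id; }
            public String delete(String id) { return "deleted " + id; }
        };
        Map<String, Set<String>> cfg = new HashMap<>(); // constructed role configuration
        cfg.put("read", new HashSet<>(Arrays.asList("viewer", "admin")));
        cfg.put("delete", Collections.singleton("admin"));
        AccountService svc = guard(AccountService.class, real, cfg);
        Subject viewer = new Subject();
        viewer.getPrincipals().add(new RolePrincipal("viewer"));
        Subject.doAs(viewer, (PrivilegedAction<Void>) () -> {
            System.out.println(svc.read("42"));
            try { svc.delete("42"); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
            return null;
        });
    }
}
```

A method with no entry in the role map is rejected rather than allowed, so a service method added later is not exposed by default.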

            People

              jbonofre Jean-Baptiste Onofré
              bosschaert David Bosschaert