ServiceMix / SM-812

[patch] JAAS Login for Batch Processes

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: servicemix-components
    • Labels: None
    • Patch Info: Patch Available

      Description

      Hi

      the attached patch includes a PassThroughJAASLoginComponent which forwards a
      Message through the NMR and performs a JAAS login. The JAAS Subject is added to
      the message properties ("javax.jbi.security.subject").

      This component can be used if you have a batch process which should call a JAAS
      secured component (for example an EJB service called with JSR-181). The
      attached StaticValueCallbackHandler for example enables you to configure static
      login information.

      Sample Config:

      — 8< (start) —

      ...
      <sm:activationSpec componentName="login" service="foo:login">
        <sm:component>
          <bean class="org.apache.servicemix.components.security.PassThroughJAASLoginComponent">
            <property name="loginContext" ref="loginContext" />
          </bean>
        </sm:component>
      </sm:activationSpec>
      ...

      <bean id="loginContext"
            class="javax.security.auth.login.LoginContext">
        <constructor-arg>
          <value>servicemix-domain</value>
        </constructor-arg>
        <constructor-arg>
          <ref local="callbackHandler" />
        </constructor-arg>
      </bean>

      <bean id="callbackHandler"
            class="org.apache.servicemix.components.security.StaticValueCallbackHandler">
        <property name="name" value="first" />
        <property name="password" value="secret" />
      </bean>
      ...

      — 8< (end) —

      After the PassThroughJAASLoginComponent is invoked and the login could be
      performed you can call JAAS secured endpoints.

      The patch includes test cases for the component.

      Kristian

      1. patch.zip
        8 kB
        Kristian Koehler
      2. ASF.LICENSE.NOT.GRANTED--patch.zip
        8 kB
        Kristian Koehler

        Activity

        Kristian Koehler created issue
        Kristian Koehler made changes:
        Field: Attachment; Original Value: (none); New Value: patch.zip [ 15284 ]
        Guillaume Nodet added a comment -

        Cool

        Just a question: did you handle the case where the EJB itself is secured in the J2EE server? If so, how?
        I think this component only solves the case where the jsr181 endpoint is secured by servicemix, right?

        Kristian Koehler added a comment -

        In our case the EJB itself is secured within the EJB Server (JBoss).
        The JSR-181 endpoint isn't secured by servicemix at all.

        It just works

        Guillaume Nodet added a comment -

        Do you use ST flow, acegi?
        What happens if you don't set the subject property on the exchange,
        but only perform the login call in the component?
        I don't really understand who / how / when the subject is given to the
        EJB container ....

        Kristian Koehler added a comment -

        OK. I think it's a little JBoss specific in our case.

        We use a JBoss Login Module (configured through configuration file (auth.conf) - which is specified via a sm:systemProperties element).

        — 8< —

        <sm:systemProperties>
          <property name="properties">
            <map>
              <entry key="java.security.auth.login.config">
                <bean class="org.springframework.util.ResourceUtils"
                      factory-method="getFile">
                  <constructor-arg value="classpath:auth.conf"/>
                </bean>
              </entry>
            </map>
          </property>
        </sm:systemProperties>

        — 8< —

        The configured LoginModule stores the Subject in an org.jboss.security.SecurityAssociation Object. This class uses a ThreadLocal Object to store the data. (I'm not sure if we tested st and seda flow - I think we did both)

        When we call our secured EJB service this information is sent to the JBoss server through a JBoss SecurityInterceptor. The interceptor uses a Subject which was set within the org.jboss.security.SecurityAssociation Object.

        I think that's it

        Kristian
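
The comment above says the login module keeps the Subject in a ThreadLocal; such a value is visible only on the thread that set it, so it matters whether the login and the secured call share a thread. The following added example (not from the patch, ServiceMix or JBoss) shows this with a plain ThreadLocal; `CURRENT`, `subjectFor` and `who` are hypothetical names standing in for the real holder and interceptor.

```java
import java.util.concurrent.*;
import javax.security.auth.Subject;

public class ThreadLocalSubjectDemo {
    // Hypothetical stand-in for a ThreadLocal-backed holder like the one the comment describes.
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    static Subject subjectFor(String name) {
        Subject s = new Subject();
        java.security.Principal p = () -> name;
        s.getPrincipals().add(p);
        return s;
    }
    static String who() {   // what an interceptor running on this thread would find
        Subject s = CURRENT.get();
        return s == null ? "<no subject>" : s.getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();   // one reused pool thread
        Subject carried = subjectFor("first");
        Callable<String> bare = ThreadLocalSubjectDemo::who;
        // Re-associates the Subject on the worker thread and always clears it afterwards.
        Callable<String> scoped = () -> { CURRENT.set(carried); try { return who(); } finally { CURRENT.remove(); } };
        // Same, but forgets to clear the ThreadLocal.
        Callable<String> leaky = () -> { CURRENT.set(carried); return who(); };
        try {
            CURRENT.set(carried);   // login happened on the calling thread
            System.out.println("caller thread:          " + who());
            System.out.println("worker, nothing passed: " + worker.submit(bare).get());
            System.out.println("worker, subject passed: " + worker.submit(scoped).get());
            System.out.println("next task after scoped: " + worker.submit(bare).get());
            System.out.println("worker, never cleared:  " + worker.submit(leaky).get());
            System.out.println("next task after leaky:  " + worker.submit(bare).get());
        } finally { CURRENT.remove(); worker.shutdown(); }
    }
}
```

The final line reports the previous task's identity still attached to the pooled thread, so code that associates a Subject with a thread should clear it in a finally block.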

        Jeff Turner made changes -
        Project Import Sat Nov 27 00:46:19 EST 2010 [ 1290836779991 ]
        Gert Vanthienen added a comment -

        Bulk-closing older issues for Apache ServiceMix 3.x since we're no longer actively working on these at the moment.

        Gert Vanthienen made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Won't Fix [ 2 ]

          People

          • Assignee: Unassigned
          • Reporter: Kristian Koehler
          • Votes: 0
          • Watchers: 1