FUSE ESB Kernel supports JAAS with enhancements for an OSGi environment. The security framework allows the deployment at runtime of JAAS-based configuration for use in various parts of an application.
This includes the remote console login, which uses the RshServer realm, but which is configured with a dummy login module by default. These realms can also be used by the NMR, JBI components, or a JMX server to authenticate users logging in or sending messages into the bus.
In addition to JAAS realms, the security framework has an OSGi keystore manager that can deploy new keystores or truststores at runtime. You can deploy keystores and truststores to secure the remote shell console, set up HTTPS connectors, and use certificates for WS-Security.
The security framework uses a simple XML schema for Spring to deploy a new realm or keystore. The JAAS XML schema is supported by a Spring namespace handler and can be defined in a Spring XML configuration file. The schema is available from the Apache web site.
Example 6.1. JAAS XML Schema
<xs:schema elementFormDefault='qualified'
           targetNamespace='http://servicemix.apache.org/jaas'
           xmlns:xs='http://www.w3.org/2001/XMLSchema'
           xmlns:beans="http://www.springframework.org/schema/beans"
           xmlns:tns='http://servicemix.apache.org/jaas'>

  <xs:import namespace="http://www.springframework.org/schema/beans"/>

  <xs:element name="config">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="beans:identifiedType">
          <xs:sequence>
            <xs:element name="module" minOccurs="0" maxOccurs="unbounded">
              <xs:complexType mixed="true">
                <xs:attribute name="className" use="required" type="xs:string" />
                <xs:attribute name="flags" default="required">
                  <xs:simpleType>
                    <xs:restriction base="xs:NMTOKEN">
                      <xs:enumeration value="required"/>
                      <xs:enumeration value="requisite"/>
                      <xs:enumeration value="sufficient"/>
                      <xs:enumeration value="optional"/>
                    </xs:restriction>
                  </xs:simpleType>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="name" use="optional" type="xs:string" />
          <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
          <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="keystore">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="beans:identifiedType">
          <xs:attribute name="name" use="optional" type="xs:string" />
          <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
          <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
          <xs:attribute name="path" use="required" type="xs:string" />
          <xs:attribute name="keystorePassword" use="optional" type="xs:string" />
          <xs:attribute name="keyPasswords" use="optional" type="xs:string" />
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

</xs:schema>
Each realm can contain one or more module definitions. Each module identifies a login module with the className attribute, which must be set to the class name of the login module to use. This login module must be available from the bundle class loader. Therefore, it must either be defined in the bundle itself or the required package must be correctly imported. The content of the module element is parsed as a properties file and is used to further configure the login module.

The id attribute is the Spring ID of the bean. It is used by default as the name of the realm if no name attribute is specified.

The flags attribute can take one of the four values described in the JAAS documentation (required, requisite, sufficient, or optional); it defaults to required.

The rank attribute of the config element is an integer. When the LoginContext looks for a realm to authenticate a user, the realms registered in the OSGi registry are matched against the specific name. If more than one realm is found, the one with the highest rank is used, thus allowing the overriding of some realms with new values.

You can set the publish attribute to false so the realm is not published in the OSGi registry, thereby disabling the use of the realm.
Deploying the following code creates a JaasRealm object in the OSGi registry, which is used with the JAAS login module.
<jaas:config id="realm" xmlns:jaas="http://servicemix.apache.org/jaas">
  <jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule" flags="required">
    key=value
  </jaas:module>
</jaas:config>
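As an added example, not code from FUSE ESB Kernel, the following Python models how the attributes described above are read: the module body is parsed as a properties file, flags is checked against the schema enumeration, id falls back to the realm name, and a registry lookup returns the highest-ranked published realm of a given name. The helper functions and the second, overriding realm are constructed for this example.

```python
# Added example, not FUSE ESB Kernel code: model the realm attributes described above.
import xml.etree.ElementTree as ET

JAAS_NS = "http://servicemix.apache.org/jaas"
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}  # schema enumeration


def parse_properties(text):
    """Module body is parsed as a properties file: key=value lines, '#' comments."""
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def parse_realm(xml_text):
    """Read one <jaas:config>; the Spring id is the realm name unless name is set."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{JAAS_NS}}}config":
        raise ValueError("expected a jaas:config element")
    realm = {
        "id": root.get("id"),
        "name": root.get("name") or root.get("id"),
        "rank": int(root.get("rank", "0")),
        "publish": root.get("publish", "true").lower() == "true",
        "modules": [],
    }
    for mod in root.findall(f"{{{JAAS_NS}}}module"):
        flags = mod.get("flags", "required")  # schema default
        if flags not in VALID_FLAGS:
            raise ValueError(f"invalid flags value {flags!r}")
        realm["modules"].append({"className": mod.get("className"), "flags": flags,
                                 "options": parse_properties(mod.text)})
    return realm


def select_realm(realms, name):
    """Registry lookup: only published realms match by name; highest rank wins."""
    candidates = [r for r in realms if r["publish"] and r["name"] == name]
    return max(candidates, key=lambda r: r["rank"], default=None)


# Constructed samples: the page's realm, plus an override of the same name at rank 1.
BASE = ('<jaas:config id="realm" xmlns:jaas="http://servicemix.apache.org/jaas">'
        '<jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule"'
        ' flags="required">key=value</jaas:module></jaas:config>')
OVERRIDE = BASE.replace('id="realm"', 'id="realm2" name="realm" rank="1"')
```

Setting publish="false" on the override drops it from the candidates, so the original realm is selected again.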
Deploying the following code creates a keystore:
<jaas:keystore xmlns:jaas="http://servicemix.apache.org/jaas"
               id="keystore"
               name="ks"
               rank="1"
               path="classpath:privatestore.jks"
               keystorePassword="keyStorePassword"
               keyPasswords="myalias=myAliasPassword">
</jaas:keystore>
Because of constraints in the JAAS specification, the ProxyLoginModule class must be available for all bundles. This class is a LoginModule that acts as a proxy for an OSGi defined LoginModule. If you plan to integrate this feature into another OSGi runtime, this class must be made available from the system class loader and the related package must be part of the boot delegation classpath (or be deployed as a fragment attached to the system bundle).
The JAAS XML schema allows you to use a simple XML file (leveraging Spring XML extensibility) to configure and register a JAAS configuration for a given realm. This configuration is made available to the OSGi registry as a JaasRealm and the OSGi specific configuration will look for such services. The proxy login module can then use the information provided by the realm to load the class from the bundle containing the actual login module.