When defining a JAAS realm in the OSGi container, you cannot put the definitions in a conventional JAAS login configuration file. Instead, the OSGi container uses a special jaas:config element for defining JAAS realms in a blueprint configuration file. The JAAS realms defined in this way are made available to all of the application bundles deployed in the container, making it possible to share the JAAS security infrastructure across the whole container.
The jaas:config element is defined in the http://karaf.apache.org/xmlns/jaas/v1.0.0 namespace. When defining a JAAS realm you will need to include the line shown in Example 2.1.

The syntax for the jaas:config element is shown in Example 2.2.
Example 2.2. Defining a JAAS Realm in Blueprint XML

```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
  <jaas:config name="JaasRealmName" [rank="IntegerRank"]>
    <jaas:module className="LoginModuleClassName" [flags="[required|requisite|sufficient|optional]"]>
      Property=Value
      ...
    </jaas:module>
    ...
    <!-- Can optionally define multiple modules -->
    ...
  </jaas:config>
</blueprint>
```
The elements are used as follows:

jaas:config
Defines the JAAS realm. It has the following attributes:

- name: specifies the name of the JAAS realm.
- rank: specifies an optional rank for resolving naming conflicts between JAAS realms. When two or more JAAS realms are registered under the same name, the OSGi container always picks the realm instance with the highest rank.

jaas:module
Defines a JAAS login module in the current realm. jaas:module has the following attributes:

- className: the fully-qualified class name of a JAAS login module. The specified class must be available from the bundle classloader.
- flags: determines what happens upon success or failure of the login operation. Table 2.1 describes the valid values.

Table 2.1. Flags for Defining a JAAS Module

Value | Description
---|---
required | Authentication of this login module must succeed. Always proceed to the next login module in this entry, irrespective of success or failure.
requisite | Authentication of this login module must succeed. If success, proceed to the next login module; if failure, return immediately without processing the remaining login modules.
sufficient | Authentication of this login module is not required to succeed. If success, return immediately without processing the remaining login modules; if failure, proceed to the next login module.
optional | Authentication of this login module is not required to succeed. Always proceed to the next login module in this entry, irrespective of success or failure.
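The following Python simulation is an added illustration of how a realm's login module stack is walked under the four flags in Table 2.1; it is not Fuse ESB or Karaf code. The module names, the two credential stores and the stacks built from them are constructed stand-ins for the jaas:module entries a realm would declare. One rule comes from the JAAS specification rather than from the table: a successful sufficient module only short-circuits the stack if no earlier required or requisite module has already failed.

```python
"""Simulate how JAAS walks a realm's login module stack under the
required / requisite / sufficient / optional flags of Table 2.1.

Added illustration (not Fuse ESB or Karaf code). Module names and
credential stores are constructed stand-ins for real jaas:module entries.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class Module:
    name: str                          # stands in for the className attribute
    flag: str                          # the flags attribute
    login: Callable[[str, str], bool]  # stands in for LoginModule.login()


def evaluate_stack(modules: List[Module], user: str, password: str) -> Tuple[bool, List[str]]:
    """Return (overall result, names of the modules that were actually consulted)."""
    consulted: List[str] = []
    critical_seen = False    # the stack contains at least one required/requisite module
    critical_failed = False  # a required/requisite module has failed
    noncritical_ok = False   # a sufficient/optional module has succeeded
    for m in modules:
        consulted.append(m.name)
        ok = m.login(user, password)
        if m.flag in (REQUIRED, REQUISITE):
            critical_seen = True
            if not ok:
                critical_failed = True
                if m.flag == REQUISITE:
                    break  # requisite failure: return immediately
        elif m.flag == SUFFICIENT:
            if ok:
                noncritical_ok = True
                # Success returns immediately; the JAAS specification adds the
                # proviso that no earlier required/requisite module failed.
                if not critical_failed:
                    break
        elif m.flag == OPTIONAL:
            if ok:
                noncritical_ok = True
        else:
            raise ValueError(f"unknown flag {m.flag!r} on module {m.name}")
    # Overall outcome (JAAS rule): every required/requisite module must succeed;
    # if there are none, at least one sufficient/optional module must succeed.
    success = (not critical_failed) if critical_seen else noncritical_ok
    return success, consulted


# Constructed credential stores standing in for two different backends.
PROPERTIES_USERS = {"alice": "alice-props-pw"}
LDAP_USERS = {"alice": "alice-ldap-pw", "bob": "bob-ldap-pw"}


def properties_login(user: str, password: str) -> bool:
    return PROPERTIES_USERS.get(user) == password


def ldap_login(user: str, password: str) -> bool:
    return LDAP_USERS.get(user) == password


# The same two modules, flagged three different ways.
BOTH_REQUIRED = [Module("PropertiesLoginModule", REQUIRED, properties_login),
                 Module("LDAPLoginModule", REQUIRED, ldap_login)]
PROPS_SUFFICIENT = [Module("PropertiesLoginModule", SUFFICIENT, properties_login),
                    Module("LDAPLoginModule", REQUIRED, ldap_login)]
PROPS_REQUISITE = [Module("PropertiesLoginModule", REQUISITE, properties_login),
                   Module("LDAPLoginModule", REQUIRED, ldap_login)]

if __name__ == "__main__":
    for label, stack in [("both required", BOTH_REQUIRED),
                         ("properties sufficient", PROPS_SUFFICIENT),
                         ("properties requisite", PROPS_REQUISITE)]:
        for user, pw in [("alice", "alice-props-pw"), ("bob", "bob-ldap-pw")]:
            ok, seen = evaluate_stack(stack, user, pw)
            print(f"{label:22} {user}: {'success' if ok else 'failure'} after {seen}")
```

Running the three stacks side by side makes the operational difference visible: with both modules required, every login consults both backends and succeeds only if both accept; flagging the properties module sufficient lets a user who satisfies it return without the LDAP module ever being consulted; flagging it requisite stops the stack at the first failure, so the LDAP module is never reached for a user it does not know. When choosing flags for a realm, decide first which backend must always have the final say and make that one required.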
The content of a jaas:module element is a space-separated list of property settings, which are used to initialize the JAAS login module instance. The specific properties are determined by the JAAS login module and must be put into the proper format.

Note: You can define multiple login modules in a realm.
Fuse ESB uses the same properties as a standard Java login configuration file, however Fuse ESB requires that they are specified slightly differently. To see how the Fuse ESB approach to defining JAAS realms compares with the standard Java login configuration file approach, consider how to convert the following login configuration, which defines the PropertiesLogin realm using the Fuse Message Broker properties login module class, PropertiesLoginModule:

```
PropertiesLogin {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
```
The equivalent JAAS realm definition, using the jaas:config element in a blueprint file, is as follows:

```xml
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
  <jaas:config name="PropertiesLogin">
    <jaas:module className="org.apache.activemq.jaas.PropertiesLoginModule" flags="required">
      org.apache.activemq.jaas.properties.user=users.properties
      org.apache.activemq.jaas.properties.group=groups.properties
    </jaas:module>
  </jaas:config>
</blueprint>
```
Important: You do not use double quotes for JAAS properties in the blueprint configuration.
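The conversion described above can be mechanised. The following Python script is an added example, not Fuse ESB or Karaf tooling: it parses the realm { className flag key="value" ...; }; layout of a standard Java login configuration file and emits the equivalent jaas:config fragment, dropping the double quotes as the note requires. The parser handles quoted and unquoted option values and goes slightly beyond the single entry in the text by accepting several realms and modules in one file; the sample input is the PropertiesLogin entry from the text, embedded as a constructed string.

```python
"""Convert entries from a standard Java JAAS login configuration file into
the equivalent jaas:config blueprint fragment.

Added illustration (not Fuse ESB or Karaf code). The parser is deliberately
small and covers the realm { className flag key=value ...; }; layout only.
"""
import re
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import escape, quoteattr

BLUEPRINT_NS = "http://www.osgi.org/xmlns/blueprint/v1.0.0"
JAAS_NS = "http://karaf.apache.org/xmlns/jaas/v1.0.0"
VALID_FLAGS = ("required", "requisite", "sufficient", "optional")

# Realm { ... };  and  key="quoted value"  or  key=bare-value
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'([\w.\-]+)\s*=\s*(?:"([^"]*)"|(\S+))')

ModuleSpec = Tuple[str, str, Dict[str, str]]  # (className, flag, options)


def parse_login_config(text: str) -> List[Tuple[str, List[ModuleSpec]]]:
    """Parse login-configuration entries into (realm, [module specs]) tuples."""
    realms: List[Tuple[str, List[ModuleSpec]]] = []
    for entry in ENTRY_RE.finditer(text):
        realm, body = entry.group(1), entry.group(2)
        modules: List[ModuleSpec] = []
        for stanza in body.split(";"):          # one module per ';'-terminated stanza
            stanza = stanza.strip()
            if not stanza:
                continue
            parts = stanza.split(None, 2)       # className, flag, [options...]
            if len(parts) < 2 or parts[1].lower() not in VALID_FLAGS:
                raise ValueError(f"malformed module entry in realm {realm}: {stanza!r}")
            class_name, flag = parts[0], parts[1].lower()
            options: Dict[str, str] = {}
            if len(parts) == 3:
                for key, quoted, bare in OPTION_RE.findall(parts[2]):
                    options[key] = quoted if quoted else bare
            modules.append((class_name, flag, options))
        realms.append((realm, modules))
    return realms


def to_blueprint(realms: List[Tuple[str, List[ModuleSpec]]],
                 rank: Optional[Dict[str, int]] = None) -> str:
    """Render parsed realms as a blueprint document using jaas:config."""
    rank = rank or {}
    lines = [f"<blueprint xmlns={quoteattr(BLUEPRINT_NS)}",
             f"           xmlns:jaas={quoteattr(JAAS_NS)}>"]
    for realm, modules in realms:
        rank_attr = f" rank={quoteattr(str(rank[realm]))}" if realm in rank else ""
        lines.append(f"  <jaas:config name={quoteattr(realm)}{rank_attr}>")
        for class_name, flag, options in modules:
            lines.append(f"    <jaas:module className={quoteattr(class_name)} flags={quoteattr(flag)}>")
            for key, value in options.items():
                # The element content is a space-separated list of key=value
                # settings written without double quotes, so a value containing
                # whitespace cannot be represented this way: refuse it rather
                # than silently producing a broken realm.
                if re.search(r"\s", value):
                    raise ValueError(f"option {key} of {class_name} contains whitespace: {value!r}")
                lines.append(f"      {escape(key)}={escape(value)}")
            lines.append("    </jaas:module>")
        lines.append("  </jaas:config>")
    lines.append("</blueprint>")
    return "\n".join(lines)


def convert(text: str, rank: Optional[Dict[str, int]] = None) -> str:
    return to_blueprint(parse_login_config(text), rank)


# The PropertiesLogin entry from the text, embedded as constructed sample input.
SAMPLE_LOGIN_CONFIG = """
PropertiesLogin {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
"""

if __name__ == "__main__":
    print(convert(SAMPLE_LOGIN_CONFIG))
```

Passing a rank mapping such as {"PropertiesLogin": 1} adds the optional rank attribute for a realm whose name is already registered by another bundle, which is the situation where the container would otherwise pick whichever instance has the highest rank.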
Fuse ESB also provides an adapter that enables you to store JAAS authentication data in an X.500 server. Example 2.3 defines the LDAPLogin realm, which uses Fuse ESB's LDAPLoginModule class to connect to the LDAP server located at ldap://localhost:10389.

Example 2.3. Configuring a JAAS Realm

```xml
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
  <jaas:config name="LDAPLogin" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=uid=admin,ou=system
      connection.password=secret
      connection.protocol=
      connection.url = ldap://localhost:10389
      user.base.dn = ou=users,ou=system
      user.filter = (uid=%u)
      user.search.subtree = true
      role.base.dn = ou=users,ou=system
      role.filter = (uid=%u)
      role.name.attribute = ou
      role.search.subtree = true
      authentication = simple
    </jaas:module>
  </jaas:config>
</blueprint>
```
For a detailed description and example of using the LDAP login module, see Enabling LDAP Authentication.