THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
4.5. Security framework
Karaf supports JAAS with some enhancements to allow JAAS to work nicely in an OSGi environment. This framework also features an OSGi keystore manager with the ability to deploy new keystores or truststores at runtime.
Overview
This feature allow the deployment at runtime of JAAS based configuration for use in various parts of the application. This includes the remote console login, which uses the karaf realm, but which is configured with a dummy login module by default. These realms can also be used by the NMR, JBI components or the JMX server to authenticate users logging in or sending messages into the bus.
In addition to JAAS realms, you can also deploy keystores and truststores to secure the remote shell console, setting up HTTPS connectors or using certificates for WS-Security.
A very simple XML schema for spring has been defined, allowing the deployment of a new realm or a new keystore very easily.
Schema
To deploy a new realm, you can use the following XSD which is supported by a Spring namespace handler and can thus be defined in a spring xml configuration file.
JAAS XSD Schema
<xs:schema elementFormDefault='qualified'
targetNamespace='http://karaf.apache.org/xmlns/jaas/v1.0.0'
xmlns:xs='http://www.w3.org/2001/XMLSchema'
xmlns:bp="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:tns='http://karaf.apache.org/xmlns/jaas/v1.0.0'>
<xs:import namespace="http://www.osgi.org/xmlns/blueprint/v1.0.0"/>
<xs:element name="config">
<xs:complexType>
<xs:sequence>
<xs:element name="module" minOccurs="0" maxOccurs="unbounded">
<xs:complexType mixed="true">
<xs:attribute name="className" use="required" type="xs:string" />
<xs:attribute name="flags" default="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="required"/>
<xs:enumeration value="requisite"/>
<xs:enumeration value="sufficient"/>
<xs:enumeration value="optional"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="name" use="required" type="xs:string" />
<xs:attribute name="rank" use="optional" default="0" type="xs:int" />
</xs:complexType>
</xs:element>
<xs:element name="keystore">
<xs:complexType>
<xs:attribute name="name" use="required" type="xs:string" />
<xs:attribute name="rank" use="optional" default="0" type="xs:int" />
<xs:attribute name="path" use="required" type="xs:string" />
<xs:attribute name="keystorePassword" use="optional" type="xs:string" />
<xs:attribute name="keyPasswords" use="optional" type="xs:string" />
</xs:complexType>
</xs:element>
</xs:schema>
You can find the schema at the following location.
Here are two example using this schema:
JAAS realm example
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<!-- Bean to allow the $[karaf.base] property to be correctly resolved -->
<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
<jaas:config name="karaf">
<jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flags="required">
users = $[karaf.base]/etc/users.properties
</jaas:module>
</jaas:config>
</blueprint>
Keystore example
<jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
id="keystore"
name="ks"
rank="1"
path="classpath:privatestore.jks"
keystorePassword="keyStorePassword"
keyPasswords="myalias=myAliasPassword">
</jaas:keystore>
The id attribute is the blueprint id of the bean, but it will be used by default as the name of the realm if no name attribute is specified. Additional attributes on the config elements are a rank, which is an integer. When the LoginContext looks for a realm for authenticating a given user, the realms registered in the OSGi registry are matched against the required name. If more than one realm is found, the one with the highest rank will be used, thus allowing the override of some realms with new values. The last attribute is publish which can be set to false to not publish the realm in the OSGi registry, hereby disabling the use of this realm.
Each realm can contain one or more module definition. Each module identify a LoginModule and the className attribute must be set to the class name of the login module to use. Note that this login module must be available from the bundle classloader, so either it has to be defined in the bundle itself, or the needed package needs to be correctly imported. The flags attribute can take one of four values that are explained on the JAAS documentation.
The content of the module element is parsed as a properties file and will be used to further configure the login module.
Deploying such a code will lead to a JaasRealm object in the OSGi registry, which will then be used when using the JAAS login module.
Architecture
Due to constraints in the JAAS specification, one class has to be available for all bundles. This class is called ProxyLoginModule and is a LoginModule that acts as a proxy for an OSGi defines LoginModule. If you plan to integrate this feature into another OSGi runtime, this class must be made available from the system classloader and the related package be part of the boot delegation classpath (or be deployed as a fragment attached to the system bundle).
The xml schema defined above allow the use of a simple xml (leveraging spring xml extensibility) to configure and register a JAAS configuration for a given realm. This configuration will be made available into the OSGi registry as a JaasRealm and the OSGi specific Configuration will look for such services. Then the proxy login module will be able to use the information provided by the realm to actually load the class from the bundle containing the real login module.