Versions Compared

Old Version 5

changes.mady.by.user Guillaume Nodet

Saved on

compared with

New Version 6

changes.mady.by.user Guillaume Nodet

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ServiceMix Kernel supports JAAS with some enhancements to allow JAAS to work nicely in an OSGi environment. This framework also features an OSGi keystore manager with the ability to deploy new keystores or truststores at runtime.

Overview

This feature allow the deployment at runtime of JAAS based configuration for use in various parts of the application. This includes the remote console login, which uses the RshServer realm, but which is configured with a dummy login module by default. These realms can also be used by the NMR, JBI components or the JMX server to authenticate users logging in or sending messages into the bus.

In addition to JAAS realms, you can also deploy keystores and truststores to secure the remote shell console, setting up HTTPS connectors or using certificates for WS-Security.

A very simple XML schema for spring has been defined, allowing the deployment of a new realm or a new keystore very easily.

Schema

To deploy a new realm, you can use the following XSD which is supported by a Spring namespace handler and can thus be defined in a spring xml configuration file.

Code Block
langxml
titleJAAS XSD Schema
<xs:schema elementFormDefault='qualified'
           targetNamespace='http://servicemix.apache.org/jaas'
           xmlns:xs='http://www.w3.org/2001/XMLSchema'
           xmlns:beans="http://www.springframework.org/schema/beans"
           xmlns:tns='http://servicemix.apache.org/jaas'>

    <xs:import namespace="http://www.springframework.org/schema/beans"/>

    <xs:element name="config">
        <xs:complexType>
            <xs:complexContent>
                <xs:extension base="beans:identifiedType">
                    <xs:sequence>
                        <xs:element name="module" minOccurs="0" maxOccurs="unbounded">
                            <xs:complexType mixed="true">
                                <xs:attribute name="className" use="required" type="xs:string" />
                                <xs:attribute name="flags" default="required">
                                    <xs:simpleType>
                                        <xs:restriction base="xs:NMTOKEN">
                                            <xs:enumeration value="required"/>
                                            <xs:enumeration value="requisite"/>
                                            <xs:enumeration value="sufficient"/>
                                            <xs:enumeration value="optional"/>
                                        </xs:restriction>
                                    </xs:simpleType>
                                </xs:attribute>
                            </xs:complexType>
                        </xs:element>
                    </xs:sequence>
                    <xs:attribute name="name" use="optional" type="xs:string" />
                    <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
                    <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
    </xs:element>
    
    <xs:element name="keystore">
        <xs:complexType>
            <xs:complexContent>
                <xs:extension base="beans:identifiedType">
                    <xs:attribute name="name" use="optional" type="xs:string" />
                    <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
                    <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
                    <xs:attribute name="path" use="required" type="xs:string" />
                    <xs:attribute name="keystorePassword" use="optional" type="xs:string" />
                    <xs:attribute name="keyPasswords" use="optional" type="xs:string" />
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
    </xs:element>

</xs:schema>

You can find the schema at the following location.

Here is an are two example of using this schema:

Code Block
langxml
titleExampleJAAS realm example
<jaas:config id="realm" xmlns:jaas="http://servicemix.apache.org/jaas">
    <jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule" flags="required">
        key=value
    </jaas:module>
</jaas:config>
Code Block
langxml
titleKeystore example

<jaas:keystore xmlns:jaas="http://sevicemix.apache.org/jaas"
               id="keystore"
               name="ks"
               rank="1"
               path="classpath:privatestore.jks"
               keystorePassword="keyStorePassword"
               keyPasswords="myalias=myAliasPassword">
</jaas:keystore>

The id attribute is the spring id of the bean, but it will be used by default as the name of the realm if no name attribute is specified. Additional attributes on the config elements are a rank, which is an integer. When the LoginContext looks for a realm for authenticating a given user, the realms registered in the OSGi registry are matched against the required name. If more than one realm is found, the one with the highest rank will be used, thus allowing the override of some realms with new values. The last attribute is publish which can be set to false to not publish the realm in the OSGi registry, hereby disabling the use of this realm.

...