...
ServiceMix Kernel supports JAAS with some enhancements to allow JAAS to work nicely in an OSGi environment. This framework also features an OSGi keystore manager with the ability to deploy new keystores or truststores at runtime.
Overview
This feature allows the deployment at runtime of JAAS-based configuration for use in various parts of the application. This includes the remote console login, which uses the RshServer realm, but which is configured with a dummy login module by default. These realms can also be used by the NMR, JBI components or the JMX server to authenticate users logging in or sending messages into the bus.
In addition to JAAS realms, you can also deploy keystores and truststores to secure the remote shell console, set up HTTPS connectors, or use certificates for WS-Security.
A very simple XML schema for Spring has been defined, allowing the deployment of a new realm or a new keystore very easily.
Schema
To deploy a new realm, you can use the following XSD, which is supported by a Spring namespace handler and can thus be used in a Spring XML configuration file.
<xs:schema elementFormDefault='qualified'
           targetNamespace='http://servicemix.apache.org/jaas'
           xmlns:xs='http://www.w3.org/2001/XMLSchema'
           xmlns:beans="http://www.springframework.org/schema/beans"
           xmlns:tns='http://servicemix.apache.org/jaas'>

  <xs:import namespace="http://www.springframework.org/schema/beans"/>

  <xs:element name="config">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="beans:identifiedType">
          <xs:sequence>
            <xs:element name="module" minOccurs="0" maxOccurs="unbounded">
              <xs:complexType mixed="true">
                <xs:attribute name="className" use="required" type="xs:string" />
                <xs:attribute name="flags" default="required">
                  <xs:simpleType>
                    <xs:restriction base="xs:NMTOKEN">
                      <xs:enumeration value="required"/>
                      <xs:enumeration value="requisite"/>
                      <xs:enumeration value="sufficient"/>
                      <xs:enumeration value="optional"/>
                    </xs:restriction>
                  </xs:simpleType>
                </xs:attribute>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="name" use="optional" type="xs:string" />
          <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
          <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="keystore">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="beans:identifiedType">
          <xs:attribute name="name" use="optional" type="xs:string" />
          <xs:attribute name="rank" use="optional" default="0" type="xs:int" />
          <xs:attribute name="publish" use="optional" default="true" type="xs:boolean" />
          <xs:attribute name="path" use="required" type="xs:string" />
          <xs:attribute name="keystorePassword" use="optional" type="xs:string" />
          <xs:attribute name="keyPasswords" use="optional" type="xs:string" />
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

</xs:schema>
You can find the schema at the following location.
Here are two examples of using this schema:
<jaas:config id="realm" xmlns:jaas="http://servicemix.apache.org/jaas">
  <jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule" flags="required">
    key=value
  </jaas:module>
</jaas:config>
<jaas:keystore xmlns:jaas="http://servicemix.apache.org/jaas"
               id="keystore"
               name="ks"
               rank="1"
               path="classpath:privatestore.jks"
               keystorePassword="keyStorePassword"
               keyPasswords="myalias=myAliasPassword">
</jaas:keystore>
The id attribute is the Spring id of the bean, but it is used by default as the name of the realm if no name attribute is specified. An additional attribute on the config element is rank, which is an integer. When the LoginContext looks for a realm for authenticating a given user, the realms registered in the OSGi registry are matched against the required name. If more than one realm is found, the one with the highest rank is used, thus allowing some realms to be overridden with new values. The last attribute is publish, which can be set to false to not publish the realm in the OSGi registry, thereby disabling the use of this realm.
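The following Python model, added here as an illustration and not part of ServiceMix Kernel, shows two behaviours the schema and the paragraph above define but do not spell out in code: how a realm is resolved from the registry by name, rank and publish (the name defaulting to the bean id), and how the four module flags enumerated in the schema (required, requisite, sufficient, optional) combine under standard JAAS control-flag semantics. The registry, module names, user table and credentials are constructed sample data; the login callables stand in for LoginModule.login().

```python
"""Model of realm selection (name/rank/publish) and JAAS flag evaluation.
Constructed example: registry, modules and credentials are made up; only the
attribute names and the four flag values come from the servicemix jaas schema."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class ModuleEntry:
    """One <jaas:module>: 'login' is a stand-in for LoginModule.login()."""
    name: str
    flags: str
    login: Callable[[str, str], bool]


@dataclass
class Realm:
    """One <jaas:config>; 'name' falls back to the bean id, as the page describes."""
    id: str
    modules: List[ModuleEntry]
    name: Optional[str] = None
    rank: int = 0
    publish: bool = True

    def realm_name(self) -> str:
        return self.name if self.name is not None else self.id


def select_realm(registry: List[Realm], wanted: str) -> Optional[Realm]:
    """Registry lookup: unpublished realms are invisible; among published realms
    with the wanted name, the highest rank wins."""
    candidates = [r for r in registry if r.publish and r.realm_name() == wanted]
    return max(candidates, key=lambda r: r.rank) if candidates else None


def run_login_stack(modules: List[ModuleEntry], user: str, password: str
                    ) -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Standard JAAS control-flag semantics over an ordered module stack.
    Returns (overall_success, trace of (module, flag, result) for modules run)."""
    trace: List[Tuple[str, str, bool]] = []
    required_failed = False  # some required/requisite module failed
    any_success = False
    has_required = any(m.flags in (REQUIRED, REQUISITE) for m in modules)
    for m in modules:
        ok = m.login(user, password)
        trace.append((m.name, m.flags, ok))
        any_success = any_success or ok
        if m.flags == REQUIRED and not ok:
            required_failed = True           # keep going, but overall login fails
        elif m.flags == REQUISITE and not ok:
            return False, trace              # stop immediately
        elif m.flags == SUFFICIENT and ok and not required_failed:
            return True, trace               # short-circuit success
        # optional: never decides the outcome on its own
    if has_required:
        return not required_failed, trace
    return any_success, trace                # no required modules: one success suffices


def authenticate(registry: List[Realm], realm: str, user: str, password: str) -> bool:
    """Resolve the realm by name and rank, then run its module stack."""
    chosen = select_realm(registry, realm)
    if chosen is None:
        return False
    ok, _ = run_login_stack(chosen.modules, user, password)
    return ok


# --- constructed sample data ------------------------------------------------
USERS: Dict[str, str] = {"smx": "smx-secret"}       # made-up credential table


def accept_anyone(user: str, password: str) -> bool:  # dummy module: accepts all
    return True


def check_table(user: str, password: str) -> bool:    # real check against USERS
    return USERS.get(user) == password


REGISTRY: List[Realm] = [
    # default realm "realm": a single dummy module at rank 0
    Realm(id="realm", modules=[ModuleEntry("dummy", REQUIRED, accept_anyone)]),
    # override deployed later under the same name with a higher rank
    Realm(id="realm-override", name="realm", rank=1,
          modules=[ModuleEntry("table", REQUIRED, check_table)]),
    # higher-ranked still, but publish=false, so it must never be selected
    Realm(id="hidden", name="realm", rank=5, publish=False,
          modules=[ModuleEntry("dummy", REQUIRED, accept_anyone)]),
]

if __name__ == "__main__":
    print(select_realm(REGISTRY, "realm").id)                     # realm-override
    print(authenticate(REGISTRY, "realm", "smx", "smx-secret"))   # True
    print(authenticate(REGISTRY, "realm", "smx", "wrong"))        # False
```

Because the rank-1 override wins, the dummy module in the default realm no longer decides the outcome, which is exactly the mechanism the page describes for replacing the default remote console realm; setting publish=false on a realm removes it from the lookup regardless of its rank.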
...