| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <html> |
| <!-- |
| |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| https://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <head> |
| <title>Apache Felix - Apache Felix JAAS Support</title> |
| <link rel="icon" href="/res/favicon.ico"> |
| <link rel="stylesheet" href="/res/site.css" type="text/css" media="all"> |
| <link rel="stylesheet" href="/res/codehilite.css" type="text/css" media="all"> |
| <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"> |
| </head> |
| <body> |
| <div class="title"> |
| <div class="logo"> |
| <a href="https://felix.apache.org/"> |
| <img border="0" alt="Apache Felix" src="/res/logo.png"> |
| </a> |
| </div> |
| <div class="header"> |
| <a href="https://www.apache.org/"> |
| <img border="0" alt="Apache" src="/res/apache.png"> |
| </a> |
| </div> |
| </div> |
| |
| <div class="menu"> |
| <style type="text/css"> |
| /* The following code is added by mdx_elementid.py |
| It was originally lifted from http://subversion.apache.org/style/site.css */ |
| /* |
| * Hide class="elementid-permalink", except when an enclosing heading |
| * has the :hover property. |
| */ |
| .headerlink, .elementid-permalink { |
| visibility: hidden; |
| } |
| h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style> |
| <p><a href="/news.html">News</a> <br /> |
| <a href="/license.html">License</a> <br /> |
| <a href="/downloads.cgi">Downloads</a> <br /> |
| <a href="/documentation.html">Documentation</a> <br /> |
| <a href="/documentation/community/project-info.html">Project Info</a> <br /> |
| <a href="/documentation/community/contributing.html">Contributing</a> <br /> |
| <a href="/sitemap.html">Site Map</a> <br /> |
| <a href="https://www.apache.org/">ASF</a> <br /> |
| <a href="https://www.apache.org/security/">Security</a> <br /> |
| <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> <br /> |
| <a href="https://www.apache.org/foundation/thanks.html">Sponsors</a> </p> |
| </div> |
| |
| <div class="main"> |
| |
| <h1>Apache Felix JAAS Support</h1> |
| <style type="text/css"> |
| img { |
| width:auto; |
| } |
| </style> |
| |
| <div class="toc"> |
| <ul> |
| <li><a href="#the-problem">The Problem</a></li> |
| <li><a href="#usage">Usage</a><ul> |
| <li><a href="#loginmodule-registration">LoginModule registration</a><ul> |
| <li><a href="#a-osgi-configuration">A - OSGi Configuration</a><ul> |
| <li><a href="#manifest-header-entry">Manifest Header Entry</a></li> |
| <li><a href="#configuration">Configuration</a></li> |
| </ul> |
| </li> |
| <li><a href="#b-loginmodulefactory">B - LoginModuleFactory</a></li> |
| </ul> |
| </li> |
| <li><a href="#logincontext-creation-patterns">LoginContext creation patterns</a><ul> |
| <li><a href="#logincontextfactory-mode">LoginContextFactory Mode</a></li> |
| <li><a href="#configuration-spi-with-default-policy-mode">Configuration SPI with Default Policy Mode</a></li> |
| <li><a href="#replace-global-configuration-mode">Replace Global Configuration Mode</a></li> |
| <li><a href="#modified-boot-classpath-mode"><a name="boot-classpath"></a>Modified Boot Classpath Mode</a></li> |
| </ul> |
| </li> |
| <li><a href="#jaas-configuration-spi-settings"><a name="configuration-spi"></a>JAAS Configuration SPI Settings</a></li> |
| </ul> |
| </li> |
| <li><a href="#webconsole-plugin">WebConsole Plugin</a></li> |
| <li><a href="#resources">Resources</a></li> |
| </ul> |
| </div> |
<p>Apache Felix JAAS support aims to simplify the usage of JAAS in OSGi.</p>
<p>It supports the following features</p>
<ol>
<li>It works both in standalone and application-server deployments, i.e. in environments where the global JAAS configuration
may be used by other applications and our usage of JAAS must not affect them</li>
<li>It enables the use of OSGi Configuration Admin to configure the login modules dynamically.</li>
<li>It allows LoginModule instances to be created via factories registered in the OSGi Service Registry</li>
<li>It does not require the client to depend on any OSGi API</li>
<li>It works well with the dynamic nature of the OSGi environment</li>
<li>The implementation depends only on the core OSGi API and Configuration Admin (RFC 104)</li>
</ol>
| <h2 id="the-problem">The Problem<a class="headerlink" href="#the-problem" title="Permanent link">¶</a></h2> |
<p>The basic problem when using JAAS in OSGi is that JAAS creates the LoginModule instance using reflection. In an OSGi
environment this fails because the client bundle does not have visibility of all the required LoginModule classes.</p>
<p>A typical JAAS login looks like this</p>
| <div class="codehilite"><pre><span class="c1">// let the LoginContext instantiate a new Subject</span> |
| <span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">"myApp"</span><span class="o">);</span> |
| <span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span> |
| </pre></div> |
| |
| |
<p>In this mode the <code>LoginContext</code> accesses the global JAAS <code>Configuration</code> internally via <code>Configuration.getConfiguration()</code>.
It then instantiates the LoginModule named in the configuration, using the Thread Context ClassLoader (TCCL)
to load the class. This approach fails in OSGi for three reasons</p>
<ol>
<li>The Thread Context ClassLoader is in general not defined in an OSGi context. It can and has to be set by the caller,
and OSGi cannot generally enforce that.</li>
<li>Instantiating a LoginModule generally requires access to internal implementation classes; by exporting these classes
an implementing bundle would break its encapsulation.</li>
<li>Even if an implementation class were exported, importing it in a consumer bundle would bind that bundle to the specific
implementation package, which violates the principle of loose coupling.</li>
</ol>
| <h2 id="usage">Usage<a class="headerlink" href="#usage" title="Permanent link">¶</a></h2> |
<p>The JAAS support involves the following parts</p>
<ol>
<li>LoginModule Registration - The mechanism by which a LoginModule is registered with a given <code>realm</code>.</li>
<li>LoginContext Creation - The client code which constructs the LoginContext and then performs the login operation</li>
</ol>
<p>The sections below first describe the ways in which a <code>LoginModule</code> can be configured so that it participates
in the JAAS flow, and then the ways in which client code can invoke the JAAS logic</p>
| <h3 id="loginmodule-registration">LoginModule registration<a class="headerlink" href="#loginmodule-registration" title="Permanent link">¶</a></h3> |
<p>Login modules can be registered via two mechanisms</p>
<ul>
<li>OSGi Configuration - LoginModules are registered via OSGi configuration</li>
<li>LoginModuleFactory - LoginModules are registered with the OSGi Service Registry via a <code>LoginModuleFactory</code></li>
| </ul> |
| <h4 id="a-osgi-configuration">A - OSGi Configuration<a class="headerlink" href="#a-osgi-configuration" title="Permanent link">¶</a></h4> |
<p>LoginModules can be configured via OSGi configuration, which is similar to the file-based JAAS configuration. It consists of two parts</p>
<ul>
<li>Information about which bundle provides a specific LoginModule class</li>
<li>The configuration to be passed to that LoginModule</li>
| </ul> |
| <h5 id="manifest-header-entry">Manifest Header Entry<a class="headerlink" href="#manifest-header-entry" title="Permanent link">¶</a></h5> |
<p>Any bundle which provides a LoginModule class must declare it via the <em>Jaas-ModuleClass</em> manifest header. The snippet below is the maven-bundle-plugin instruction form; the resulting MANIFEST.MF carries a <code>Jaas-ModuleClass</code> header with the same value.</p>
| <div class="codehilite"><pre><span class="nt"><Jaas-ModuleClass></span>org.apache.felix.example.jaas.config.internal.SampleConfigLoginModule<span class="nt"></Jaas-ModuleClass></span> |
| </pre></div> |
| |
| |
| <h5 id="configuration">Configuration<a class="headerlink" href="#configuration" title="Permanent link">¶</a></h5> |
<p>The JAAS bundle relies on OSGi Configuration Admin for managing the LoginModule configuration. The configuration factory PID is
<code>org.apache.felix.jaas.Configuration.factory</code>. The bundle ships the matching metatype descriptor, so the entries can be
edited through the "Configuration" tab of the Felix WebConsole.</p>
<p><img src="jaas-config.png" /></p>
<p>Configuration properties</p>
<ul>
<li><code>jaas.classname</code> - Fully qualified name of the LoginModule class</li>
<li><code>jaas.controlFlag</code> - Login control flag to use: <code>required</code>, <code>optional</code>, <code>requisite</code> or <code>sufficient</code>. Defaults to <code>required</code></li>
<li><code>jaas.realmName</code> - JAAS realm name. If specified, the LoginModule is registered against that realm; otherwise it
is bound to the default realm (<code>other</code> unless changed via the Default JAAS Realm setting described below)</li>
<li><code>jaas.ranking</code> - Ranking of the LoginModule, used to order the login modules of a realm. Entries are sorted
in descending order (i.e. configurations with a higher ranking come first)</li>
</ul>
<p>Ranking and control flag together decide the outcome of a login: a <code>sufficient</code> module that succeeds stops
evaluation of the modules ranked after it, so verify the resulting order in the WebConsole plugin rather than assuming it.</p>
<p>For an example refer to the <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/launcher/src/main/config/org.apache.felix.jaas.Configuration.factory-simple.cfg">Sample Configuration</a>, which configures a SampleConfigLoginModule for the <code>sample</code> realm.</p>
| <h4 id="b-loginmodulefactory">B - LoginModuleFactory<a class="headerlink" href="#b-loginmodulefactory" title="Permanent link">¶</a></h4> |
<p>Any bundle that wants to provide a LoginModule implementation needs to register a factory service implementing the
<a href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> interface. The factory is registered with the following optional service properties</p>
<ul>
<li><code>jaas.controlFlag</code> - Login control flag to use: <code>required</code>, <code>optional</code>, <code>requisite</code> or <code>sufficient</code>. Defaults to <code>required</code></li>
<li><code>jaas.realmName</code> - JAAS realm name. If specified, the LoginModule is registered against that realm; otherwise it
is bound to the default realm (<code>other</code> unless changed via the Default JAAS Realm setting).</li>
<li><code>service.ranking</code> - Ranking of the LoginModule, used to order the login modules of a realm.</li>
| </ul> |
| <p>Interface</p> |
| <div class="codehilite"><pre><span class="cm">/**</span> |
| <span class="cm"> * A factory for creating {@link LoginModule} instances.</span> |
| <span class="cm"> */</span> |
| <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">LoginModuleFactory</span> |
| <span class="o">{</span> |
| <span class="cm">/**</span> |
| <span class="cm"> * Property name specifying whether or not a <code>LoginModule</code> is</span> |
| <span class="cm"> * REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL. Refer to {@link javax.security.auth.login.Configuration}</span> |
| <span class="cm"> * for more details around the meaning of these flags</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * By default the value is set to REQUIRED</span> |
| <span class="cm"> */</span> |
| <span class="n">String</span> <span class="n">JAAS_CONTROL_FLAG</span> <span class="o">=</span> <span class="s">"jaas.controlFlag"</span><span class="o">;</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * Property name specifying the Realm name (or application name) against which the</span> |
| <span class="cm"> * LoginModule would be registered.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * <p>If no realm name is provided then LoginModule would registered with a default realm</span> |
| <span class="cm"> * as configured</span> |
| <span class="cm"> */</span> |
| <span class="n">String</span> <span class="n">JAAS_REALM_NAME</span> <span class="o">=</span> <span class="s">"jaas.realmName"</span><span class="o">;</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * Creates the LoginModule instance</span> |
| <span class="cm"> * @return loginModule instance</span> |
| <span class="cm"> */</span> |
| <span class="n">LoginModule</span> <span class="nf">createLoginModule</span><span class="o">();</span> |
| <span class="o">}</span> |
| </pre></div> |
| |
| |
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/lm-jdbc/src/main/java/org/apache/felix/example/jaas/jdbc/JdbcLoginModuleFactory.java">JdbcLoginModuleFactory</a> for an example of its usage. It constructs a JdbcLoginModule based on the
configuration and passes the DataSource to it.</p>
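<p>The following is an added example, not code from the Felix project, covering both registration sections above: a complete two-phase <code>LoginModule</code> (the contract any module must follow, whether it is declared via <code>Jaas-ModuleClass</code> and OSGi configuration or created by a factory) and a <code>LoginModuleFactory</code> registered from a <code>BundleActivator</code> with the <code>jaas.realmName</code>, <code>jaas.controlFlag</code> and <code>service.ranking</code> properties. The class names, the static <code>alice</code> credential and the activator are assumptions; the realm name <code>sample</code> is taken from the page's sample configuration. Because the page does not show how Felix maps OSGi configuration keys into a module's <code>options</code>, the module takes its credential from the factory instead.</p>

```java
// Added example, not Felix project code. Assumes the bundle imports
// javax.security.auth.*, org.apache.felix.jaas and org.osgi.framework.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.felix.jaas.LoginModuleFactory;
import org.osgi.framework.*;

/** Two-phase LoginModule that accepts one (hypothetical) static user/password pair. */
class StaticUserLoginModule implements LoginModule {
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    private final String expectedUser;
    private final char[] expectedPassword;
    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal pending; // produced by login(), applied by commit()

    StaticUserLoginModule(String user, char[] password) {
        this.expectedUser = user;
        this.expectedPassword = password;
    }
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    /** Phase 1: verify the credential; the Subject is not modified here. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("callback failed").initCause(e);
        }
        char[] supplied = pwCb.getPassword(); // a copy; wipe it when done
        pwCb.clearPassword();
        try {
            if (supplied == null || !expectedUser.equals(nameCb.getName())
                    || !constantTimeEquals(expectedPassword, supplied)) {
                throw new FailedLoginException("invalid user name or password");
            }
            pending = new UserPrincipal(nameCb.getName());
            return true;
        } finally {
            if (supplied != null) Arrays.fill(supplied, '\0');
        }
    }
    /** Phase 2: the whole module stack succeeded, so now populate the Subject. */
    public boolean commit() throws LoginException {
        if (pending == null) return false;
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        subject.getPrincipals().add(pending);
        return true;
    }
    /** The stack failed as a whole: drop what login() gathered. */
    public boolean abort() {
        boolean hadPending = pending != null;
        pending = null;
        return hadPending;
    }
    public boolean logout() {
        if (pending != null) subject.getPrincipals().remove(pending);
        pending = null;
        return true;
    }
    /** Compares every character so timing does not reveal a matching prefix. */
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

/** Registers a LoginModuleFactory with the service properties listed above. */
public class Activator implements BundleActivator {
    private ServiceRegistration<LoginModuleFactory> registration;

    public void start(BundleContext ctx) {
        LoginModuleFactory factory = new LoginModuleFactory() {
            // One fresh module per authentication attempt: module instances hold state.
            public LoginModule createLoginModule() {
                // Hypothetical credential; a real factory would read it from its configuration.
                return new StaticUserLoginModule("alice", "correct horse battery".toCharArray());
            }
        };
        Dictionary<String, Object> props = new Hashtable<String, Object>();
        props.put(LoginModuleFactory.JAAS_REALM_NAME, "sample");   // realm from the page's sample
        props.put(LoginModuleFactory.JAAS_CONTROL_FLAG, "required");
        props.put(Constants.SERVICE_RANKING, Integer.valueOf(100));
        registration = ctx.registerService(LoginModuleFactory.class, factory, props);
    }
    public void stop(BundleContext ctx) {
        if (registration != null) registration.unregister();
    }
}
```

<p>Two points matter for correctness: <code>login()</code> must not touch the <code>Subject</code>, because a <code>required</code> module later in the stack may still fail and JAAS will then call <code>abort()</code> rather than <code>commit()</code>; and the factory must hand out a new instance per call, since a <code>LoginModule</code> carries per-attempt state.</p>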
| <h3 id="logincontext-creation-patterns">LoginContext creation patterns<a class="headerlink" href="#logincontext-creation-patterns" title="Permanent link">¶</a></h3> |
<p>There are several ways in which a JAAS client can invoke the JAAS login.</p>
| <h4 id="logincontextfactory-mode">LoginContextFactory Mode<a class="headerlink" href="#logincontextfactory-mode" title="Permanent link">¶</a></h4> |
<p>In this mode the client obtains a reference to the <code>org.apache.felix.jaas.LoginContextFactory</code> service
and uses it to create a <code>LoginContext</code> instance</p>
<div class="codehilite"><pre>LoginContextFactory loginContextFactory = ...
CallbackHandler handler = ...;
Subject subject = new Subject();
try
{
    LoginContext lc = loginContextFactory.createLoginContext("sample", subject, handler);
    lc.login();
    ...
}
catch (LoginException e)
{
    handleAuthenticationFailure(e);
}
</pre></div>
| |
| |
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/FactoryDemoServlet.java">FactoryDemoServlet</a> for an example. Points to note for this usage pattern</p>
<ul>
<li>Client code needs to depend on the Apache Felix JAAS Support API</li>
<li>No need to manage the Thread Context Classloader while invoking the <code>LoginContext</code></li>
<li>No need to import LoginModule related packages</li>
| </ul> |
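<p>An added example of the client side of this mode, not code from the Felix project or its demo servlet: a <code>CallbackHandler</code> that answers the name and password callbacks, a service lookup of <code>LoginContextFactory</code>, and a login followed by <code>Subject.doAs</code> and a guaranteed <code>logout()</code>. <code>RealmAuthenticator</code>, <code>CredentialHandler</code> and <code>runAs</code> are hypothetical names; <code>createLoginContext(realm, subject, handler)</code> is the factory call shown above. It assumes the client bundle holds a <code>BundleContext</code> and imports <code>org.apache.felix.jaas</code>.</p>

```java
// Added example, not Felix project code. Assumes the client bundle imports
// org.apache.felix.jaas and javax.security.auth.* and owns a BundleContext.
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.felix.jaas.LoginContextFactory;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

public class RealmAuthenticator {
    /** Answers NameCallback/PasswordCallback from a credential pair captured earlier. */
    static final class CredentialHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        CredentialHandler(String user, char[] password) { this.user = user; this.password = password; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    private final BundleContext ctx;
    private final String realm;

    public RealmAuthenticator(BundleContext ctx, String realm) {
        this.ctx = ctx;
        this.realm = realm;
    }

    /**
     * Logs in against the realm and runs the action as the authenticated Subject.
     * Returns null on failure; the LoginException detail stays server-side so it
     * cannot be echoed back to an end user. The password is wiped on every path.
     */
    public <T> T runAs(String user, char[] password, PrivilegedAction<T> action) {
        ServiceReference<LoginContextFactory> ref = ctx.getServiceReference(LoginContextFactory.class);
        if (ref == null) {            // JAAS support bundle not active: fail closed
            Arrays.fill(password, '\0');
            return null;
        }
        LoginContextFactory factory = ctx.getService(ref);
        try {
            if (factory == null) return null;   // service went away between lookup and get
            Subject subject = new Subject();
            // No TCCL handling is needed in this mode (see the points above)
            LoginContext lc = factory.createLoginContext(realm, subject, new CredentialHandler(user, password));
            lc.login();
            try {
                return Subject.doAs(subject, action);
            } finally {
                lc.logout();
            }
        } catch (LoginException e) {
            // log e with a server-side logger; never return e.getMessage() to the client
            return null;
        } finally {
            Arrays.fill(password, '\0');
            ctx.ungetService(ref);
        }
    }
}
```

<p>The handler rejects any callback type it does not understand instead of silently ignoring it, so a module that asks for something unexpected fails the login rather than proceeding with an empty answer.</p>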
| <h4 id="configuration-spi-with-default-policy-mode">Configuration SPI with Default Policy Mode<a class="headerlink" href="#configuration-spi-with-default-policy-mode" title="Permanent link">¶</a></h4> |
<p>In this mode the client code explicitly fetches the JAAS Configuration and passes it to the LoginContext. In this
mode the <a href="#configuration-spi">JAAS Configuration Policy</a> is set to <code>Default</code>.</p>
<div class="codehilite"><pre>CallbackHandler handler = ...;

Subject subject = new Subject();
final ClassLoader cl = Thread.currentThread().getContextClassLoader();
try
{
    // Configuration.getInstance declares NoSuchAlgorithmException and
    // NoSuchProviderException; the latter means the Felix JAAS bundle is
    // not active or is registered under a different provider name
    Configuration config = Configuration.getInstance(
            "JavaLoginConfig",    // Algorithm name
            null,                 // Extra params to be passed. For this impl it is null
            "FelixJaasProvider"   // Name of the config provider
    );
    // the bundle class loader imports org.apache.felix.jaas.boot, which makes
    // the ProxyLoginModule visible to the LoginContext
    Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
    LoginContext lc = new LoginContext("sample", subject, handler, config);
    lc.login();

    ...
}
finally
{
    Thread.currentThread().setContextClassLoader(cl);
}
</pre></div>
| |
| |
| <p>In above flow the <code>Configuration</code> instance is explicitly fetched and passed on to the</p> |
<p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/TCCLDemoServlet.java">TCCLDemoServlet</a> for an example. Points to note for this usage pattern</p>
<ul>
<li>Client code needs to know the name of the config provider.</li>
<li>The client bundle needs an import for the package <code>org.apache.felix.jaas.boot</code>.
Refer to the <a href="#boot-classpath">Boot classpath</a> section for more details</li>
<li>The global configuration is not modified, so other users of JAAS are not affected</li>
| </ul> |
| <h4 id="replace-global-configuration-mode">Replace Global Configuration Mode<a class="headerlink" href="#replace-global-configuration-mode" title="Permanent link">¶</a></h4> |
<p>In this mode the JAAS bundle replaces the global configuration through a <code>Configuration.setConfiguration</code> call. The
client code uses the normal LoginContext creation, and the <a href="#configuration-spi">JAAS Configuration Policy</a>
is set to <code>Replace Global Configuration</code>.</p>
| <div class="codehilite"><pre><span class="kd">final</span> <span class="n">ClassLoader</span> <span class="n">cl</span> <span class="o">=</span> <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">getContextClassLoader</span><span class="o">();</span> |
| <span class="k">try</span> |
| <span class="o">{</span> |
| <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">());</span> |
| |
| <span class="c1">// let the LoginContext instantiate a new Subject</span> |
| <span class="n">LoginContext</span> <span class="n">lc</span> <span class="o">=</span> <span class="k">new</span> <span class="n">LoginContext</span><span class="o">(</span><span class="s">"appName"</span><span class="o">);</span> |
| <span class="n">lc</span><span class="o">.</span><span class="na">login</span><span class="o">();</span> |
| <span class="o">}</span> |
| <span class="k">finally</span> |
| <span class="o">{</span> |
| <span class="n">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">setContextClassLoader</span><span class="o">(</span><span class="n">cl</span><span class="o">);</span> |
| <span class="o">}</span> |
| </pre></div> |
| |
| |
<p>The following points apply to this mode</p>
<ul>
<li>Client code does not need to know the provider name</li>
<li>The client bundle needs an import for the package <code>org.apache.felix.jaas.boot</code>.
Refer to the <a href="#boot-classpath">Boot classpath</a> section for more details</li>
<li>The global configuration is modified, which can cause problems in co-deployed scenarios such as an application server,
where other applications rely on the previous global configuration.</li>
| </ul> |
| <p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/GlobalConfigDemoServlet.java">GlobalConfigDemoServlet</a> for an example</p> |
| <h4 id="modified-boot-classpath-mode"><a name="boot-classpath"></a>Modified Boot Classpath Mode<a class="headerlink" href="#modified-boot-classpath-mode" title="Permanent link">¶</a></h4> |
<p>In the previous modes (except the LoginContextFactory mode) the client code needs to switch the Thread Context Classloader (TCCL).
This is due to the way JAAS instantiates the <code>LoginModule</code>. The Felix JAAS Support provides a <code>ProxyLoginModule</code> which
takes care of routing the LoginModule calls to the registered module. For this class to be visible to the JAAS logic, one of the
following two approaches can be used</p>
| <p><strong>Manage TCCL Explicitly</strong></p> |
<p>The client bundle would need to</p>
<ol>
<li>Have an explicit import for the <code>org.apache.felix.jaas.boot</code> package, and</li>
<li>Manage the TCCL explicitly while making JAAS related calls.<div class="codehilite"><pre>final Thread current = Thread.currentThread();
final ClassLoader orig = current.getContextClassLoader();
try {
    current.setContextClassLoader(getClass().getClassLoader());
    loginContext = new LoginContext(appName, subject, callbackHandler, config);
} finally {
    current.setContextClassLoader(orig);
}
</pre></div>
</li>
</ol>
<p>Note that in the above flow the TCCL is managed explicitly and restored in <code>finally</code>, so a failed login cannot leave the bundle's class loader on a pooled thread</p>
| <p><strong>Modify Boot Classpath</strong></p> |
<p>Another way is to modify the boot classpath.</p>
<ol>
<li>Append <code>org.apache.felix.jaas-xxx-boot.jar</code> to the boot classpath via the <code>-Xbootclasspath/a:&lt;path&gt;</code> JVM option (use the append form; the plain <code>-Xbootclasspath:</code> form replaces the whole boot classpath)</li>
<li>Add <code>org.apache.felix.jaas.boot</code> to the framework's boot delegation list (the <code>org.osgi.framework.bootdelegation</code> framework property)<div class="codehilite"><pre>LoginContext lc = new LoginContext("sample", subject, handler);
lc.login();
</pre></div>
</li>
</ol>
<p>Note that in the above code we neither have to manage the TCCL nor add an import of the <code>org.apache.felix.jaas.boot</code> package</p>
| <p>Refer to <a href="http://svn.apache.org/repos/asf/felix/trunk/examples/jaas/app/src/main/java/org/apache/felix/example/jaas/app/internal/BootClasspathDemoServlet.java">BootClasspathDemoServlet</a> for code sample</p> |
| <h3 id="jaas-configuration-spi-settings"><a name="configuration-spi"></a>JAAS Configuration SPI Settings<a class="headerlink" href="#jaas-configuration-spi-settings" title="Permanent link">¶</a></h3> |
<p>How a LoginContext is created depends on the usage mode. The JAAS support exposes the
following properties</p>
<p><img src="jaas-spi-config.png" align="center" /></p>
<ul>
<li><code>Default JAAS Realm</code> - Name of the realm to use when a LoginModule does not provide an explicit realm name.
This is useful in single-application mode, where all LoginModules in the OSGi container belong to one application. Realms matter
in a shared (global) setting because the same configuration captures the settings of all applications running on the same JVM</li>
<li><code>JAAS Config Provider name</code> - Name under which the Configuration SPI provider is registered (the value passed as the provider argument to <code>Configuration.getInstance</code>)</li>
<li><code>Configuration Policy</code> - One of<ul>
<li><code>Default</code> - The global configuration is not touched. Client code is expected to use the Configuration SPI mode</li>
<li><code>Replace Global Configuration</code> - The global configuration is replaced with the OSGi-backed one. Client code
need not perform any special configuration handling; at most it has to switch the Thread Context Classloader</li>
<li><code>Proxy Global Configuration</code> - Like the previous one, but the previous default configuration is saved and
consulted as a fallback. This minimizes disruption in shared (co-deployed) mode</li>
</ul>
</li>
</ul>
| <h2 id="webconsole-plugin">WebConsole Plugin<a class="headerlink" href="#webconsole-plugin" title="Permanent link">¶</a></h2> |
<p>The realms and LoginModules active at runtime are exposed via a WebConsole plugin.</p>
| <p><img src="jaas-plugin.png" align="center"/></p> |
| <h2 id="resources">Resources<a class="headerlink" href="#resources" title="Permanent link">¶</a></h2> |
| <ol> |
| <li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">Java JAAS Reference Guide</a></li> |
| <li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html">JAAS Login Configuration File</a></li> |
| </ol> |
| <div class="timestamp" style="margin-top: 30px; font-size: 80%; text-align: right;"> |
| Rev. 1599411 by chetanm on Tue, 3 Jun 2014 05:34:14 +0000 |
| </div> |
| <div class="trademarkFooter"> |
| Apache Felix, Felix, Apache, the Apache feather logo, and the Apache Felix project |
| logo are trademarks of The Apache Software Foundation. All other marks mentioned |
| may be trademarks or registered trademarks of their respective owners. |
| </div> |
| </div> |
| </body> |
| </html> |