Versions Compared

Old Version 5

changes.mady.by.user Ashwin J. Karpe

Saved on

compared with

New Version Current

changes.mady.by.user Ashwin J. Karpe

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Camel Security

Camel offers robust & comprehensive security on routes at the

  • Payload Level (XMLSecurity, Crypto)
  • Component Level (Jetty, CXF, Netty, MINA, CometD, JMS)
  • Route Level (Shiro and Spring Security)

For more details on the various security options, please check out

Design Notes for Camel Security

There are some requirements about implementing a security mechanism in camel, in this way we can make sure the authenticated exchange can be sent to a certain authorized endpoints.

User story

As camel route may not provides GUI or other interface for user to type their username and password, camel doesn't implement the authentication itself. We just delegate the authentication to other framework, and make sure the exchange is set with authenticated information. User can use JAAS or other security framework to implement the authentication himself.

Here are lots of security framework which supports different kind of authorizations, we should support different kind of configuration about setting the access control on the security check point. In camel we can provide DSL to set the authorization policy on the endpoints, when the authenticated exchange send to the endpoint, camel just checks the authenticated information with the authorization policy to determine if the exchange has the right to access this endpoint. If not, the exchange will be rejected with a security exception.

Authentication

Before sending the exchange into the camel route, we need to make sure the authentication information is stored into the exchange property. We could add the authentication on the Jetty consumer with basic http authentication, but in most case we just implement the authentication on the camel route client, and the client should store the authentication instance into the exchange before sending it to the endpoints of camel route.

To support Spring Security framework we can store the authentication instance of Spring security with Exchange.AUTHENTICATION as the key into the exchange property, if we want to support other security framework, we could also store other framework's authentication information into the exchange .

Authorization

To provide the access control on the endpoint, we can leverage the Policy Definition to inject the AuthorizationPolicy instance with the access control configuration at the runtime. In this way user can configure the different authorizationPolicy which based on different security framework with Spring or Java DSL easily.

Lets take the spring security as an example, authorizationPolicy will be used to verify exchange with the authentication information to check if the exchange authentication has the right role to access the endpoint.

Code Block
    
<beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://camel.apache.org/schema/spring
          http://camel.apache.org/schema/spring/camel-spring.xsd
          http://camel.apache.org/schema/spring/security
          http://camel.apache.org/schema/spring/security/camel-spring-security.xsd
          http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security.xsd
                        http://camel.apache.org/schema/security
                        http://camel.apache.org/schema/security/camel-security.xsd">

        <security:authentication-manager id=authenticationManager>
            <security:authentication-provider>
                <security:user-service>
		    <security:user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN"/>
		    <security:user name="bob" password="bobspassword" authorities="ROLE_USER"/>
	        </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager

	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="true"/>
		<property name="decisionVoters">
			<list>
				<bean class="org.springframework.security.vote.RoleVoter"/>
			</list>
		</property>
	</bean>

        <authorizationPolicy id="admin" access="ROLE_ADMIN" 
          authenticationManager="authenticationManager"
          accessDecisionManage="accessDecisionManager"
           xmlns="http://camel.apache.org/schema/spring/security"/>

       <camelContext id="camel" xmlns="http://camel.apache.org/schema/spring">
         <route>
           <from uri="direct:start"/>
           <policy ref="admin"/>
           <to uri="direct:security-endpoint"/>
         </route>
      </camelContext>
        
</beans>

Spring Security integration

camel-core should know nothing about Spring Security, the AuthorizationPolicy and the spring customer parser are the part of camel-spring-security module, we just need to implement the access control with the help of Spring Security framework in the AuthorizationPolicy.

TODOs

We could configure the policy on camel endpoint with regular express
More friendly authentication API which can plugin to the other endpoint