5. Security

The NMR provides a security layer that authenticates users and authorizes access to endpoints.

Authentication

The authentication service is exposed in OSGi and can be used by any bundle by retrieving the service from the registry.

Code Block
package org.apache.servicemix.nmr.api.security;

import java.security.GeneralSecurityException;

import javax.security.auth.Subject;

/**
 * Interface for the authentication service.
 *
 */
public interface AuthenticationService {

    /**
     * Authenticate a user given its name and credentials.
     * Upon successful completion, the subject should be populated
     * with the user's known principals, including, but not limited to,
     * a UserPrincipal and the GroupPrincipal that this user belongs
     * to.
     *
     * @param subject the subject to populate
     * @param domain the security domain to use
     * @param user the user name
     * @param credentials the user credentials
     * @throws GeneralSecurityException if the user cannot be authenticated
     */
    void authenticate(Subject subject, String domain, String user, Object credentials) throws GeneralSecurityException;

}

The default implementation of this service delegates to JAAS, leveraging ServiceMix Kernel JAAS support. This means that new JAAS realms can be deployed along with your application at runtime.

Authorization

The authorization feature is provided by the AuthorizationService, which is also registered in the OSGi registry.

Code Block
package org.apache.servicemix.nmr.api.security;

import java.security.Principal;
import java.util.Set;

import javax.xml.namespace.QName;

/**
 * The AuthorizationService interface allows the NMR to retrieve the
 * Access Control List for a given combination of endpoint / operation.
 *
 * This is used to secure access to a given endpoint. 
 *  
 */
public interface AuthorizationService {

    /**
     * Retrieve the Access Control List for a given endpoint and operation.
     * The endpoint is identified by its ID (usually a combination of
     * service QName and endpoint in the JBI case).
     * 
     * @param endpoint the endpoint identifier
     * @param operation the operation invoked or null
     * @return a set of GroupPrincipal allowed to invoke the endpoint / operation
     */
    Set<GroupPrincipal> getAcls(String endpoint, QName operation);

}

Configuration

Access to endpoints in the NMR can be checked against authorization entries that can be easily deployed at runtime. The NMR will check the target endpoint against the authorized roles for the user (if any user has been authenticated) and reject the exchange if no endpoint matches the security rules.

The default implementation looks for these entries in the OSGi registry, so that you can also deploy your authorization entries along with your endpoints.

Here is a simple XML configuration file that contains and exports the default authorization entry:

Code Block
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:osgi="http://www.springframework.org/schema/osgi"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/osgi
                           http://www.springframework.org/schema/osgi/spring-osgi.xsd">
    <osgi:service interface="org.apache.servicemix.nmr.api.security.AuthorizationEntry">
        <bean class="org.apache.servicemix.nmr.core.security.DefaultAuthorizationEntry">
            <property name="endpoint" value="*" />
            <property name="rank" value="-2147483648" />
            <property name="roles" value="*" />
            <property name="type" value="Set" />
        </bean>
    </osgi:service>
</beans>

| Property | Type | Default | Description |
|---|---|---|---|
| endpoint | String | (required) | The regexp pattern used to match against the target endpoint. "*" is a special value to match all endpoints |
| operation | QName | (no default) | The QName of the operation that needs to match the exchange operation |
| type | Add, Set, Remove | Add | The logical operation to perform with this entry |
| roles | Comma-separated list of strings | (required) | List of roles authorized to access the matching endpoints / operations |
| rank | Integer | 0 | The rank, or order, associated with this entry |

Resolution

Multiple entries can be deployed, and some of them may conflict or use wildcards that match several endpoints, so they must be ordered when resolving the list of authorized roles. This is what the rank and type properties are for. When computing the list of roles, the entries are sorted from the smallest rank to the greatest rank; for each entry in turn, the type determines how the new list of roles is computed from the previously computed list and the list associated with the entry.

  • Add: add the list of roles on this entry to the list of authorized roles
  • Set: the list of authorized roles becomes the list configured on this entry
  • Remove: remove the roles on this entry from the list of authorized roles
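
The resolution rules above, worked through as an added example (this is not ServiceMix's own code). The Entry record is a hypothetical stand-in for an authorization entry; the endpoint identifiers and role names are constructed, operation matching is left out, and "*" in roles is treated as an opaque role name.

```java
import java.util.*;
import java.util.regex.Pattern;

public class AclResolutionExample {

    enum Type { ADD, SET, REMOVE }

    // Hypothetical stand-in for an authorization entry; fields mirror the documented properties.
    record Entry(String endpoint, int rank, Type type, Set<String> roles) {
        boolean matches(String target) {
            // "*" is the documented special value for all endpoints; anything else is a regexp.
            return "*".equals(endpoint) || Pattern.matches(endpoint, target);
        }
    }

    // Sort by ascending rank, then fold each matching entry into the running role set.
    static Set<String> resolve(List<Entry> entries, String target) {
        List<Entry> sorted = new ArrayList<>(entries);
        sorted.sort(Comparator.comparingInt(Entry::rank));
        Set<String> roles = new TreeSet<>();
        for (Entry e : sorted) {
            if (!e.matches(target)) continue;
            switch (e.type()) {
                case ADD -> roles.addAll(e.roles());
                case SET -> { roles.clear(); roles.addAll(e.roles()); }
                case REMOVE -> roles.removeAll(e.roles());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample entries; the first mirrors the default entry from the XML above.
        List<Entry> entries = List.of(
            new Entry("*", Integer.MIN_VALUE, Type.SET, Set.of("*")),
            new Entry("\\{urn:example\\}billing:.*", 0, Type.SET, Set.of("admin", "ops")),
            new Entry("\\{urn:example\\}billing:.*", 10, Type.ADD, Set.of("auditor")),
            new Entry("\\{urn:example\\}billing:internal", 20, Type.REMOVE, Set.of("ops")));
        for (String target : List.of("{urn:example}billing:internal",
                                     "{urn:example}billing:public",
                                     "{urn:example}orders:public")) {
            System.out.println(target + " -> " + resolve(entries, target));
        }
    }
}
```

Because the default entry has the lowest possible rank, any higher-ranked Set entry replaces its "*" role for the endpoints it matches, while endpoints matched by no other entry keep the permissive default.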
