2 Replies Latest reply on Apr 23, 2012 9:18 AM by Serge Redchuk

    Accessing HttpServlet Request/Response in custom Login Module

    Serge Redchuk Newbie

      Hi!

      I'm new to servicemix, JAAS and OSGI

      I'm using apache-servicemix-4.4.1-fuse-03-06.

       

      I've created a custom Login Module and successfully deployed it within a blueprint bundle using <jaas:config> configuration as described here

      It works well and authorises me to access the Karaf Web Console with test login and password.

       

      Now I'm digging how could I access HttpServletRequest in my Login Module.

       

      I'm not talking about WS security yet. I'm just researching of using the custom Login Module while log-in into the Karaf Web Console.

       

      I found that I have only 2 Callbacks available: for username and password.

      And the callbacks handled in anonymous Callback Handler created inside

      org.apache.karaf.webconsole.JaasSecurityProvider (lines 79-90)

       

      I figured out that the karaf JaasSecurityProvider is a part of Karaf's Web Console Branding and it cames from certain bundle after I issued

      karaf@root> features:install webconsole

       

      For now, my idea is to create a bundle with my own implementation of WebConsoleSecurityProvider2 instead of org.apache.karaf.webconsole.JaasSecurityProvider to be able to handle my own Callback to pass HttpServletRequest to my Login Module.

      Something like:

      public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {

          if (...) {

            ...

          } else if (callbacks[i] instanceof HttpRequestCallback) {

            ((HttpRequestCallback) callbacks[i]).setRequest(request);

            ...

       

      And I'm thinking of the bundle as a replacement of the Karaf's security extension.

      I mean the following scenario:

      a) I install the Karaf's webconsole;

      b) I install my bundled implementation of WebConsoleSecurityProvider2 and it will be used by servicemix instead of Karaf's.

       

      Is that possible?

      What should I write in blueprint.xml and/or MANIFEST.MF to achieve that?

       

      Or it is not possible and I need to patch the Karaf's source code and build my whole version of the Web Console Karaf branding?

       

      Thanks in advance!

       

      Edited by: bitl on Apr 20, 2012 4:29 PM

       

      Edited by: bitl on Apr 20, 2012 4:32 PM

       

      Edited by: bitl on Apr 23, 2012 8:51 AM

       

      Edited by: bitl on Apr 23, 2012 8:53 AM

       

      Edited by: bitl on Apr 23, 2012 8:57 AM

       

      Edited by: bitl on Apr 23, 2012 9:13 AM

       

      Edited by: bitl on Apr 23, 2012 9:20 AM

        • 1. Re: Accessing HttpServlet Request/Response in custom Login Module
          Ioannis Canellos Newbie

          Hi,

           

           

          There is no need to implement security providers of your own. It's much simpler.

           

          Once you have your custom login module installed and your jaas realm registered, all you need to to is to change the webconsole configuration and tell it which realm to use.

           

          The pid of the webconsole is org.apache.karaf.webconsole.

          The properties that interest you are: realm and maybe role.

          • 2. Re: Accessing HttpServlet Request/Response in custom Login Module
            Serge Redchuk Newbie

            Hi Iocanel,

            thanks for your response.

            I already tried to use my login module with the standard realm 'karaf'.

            You suggest me to change the webconsole configuration to use a custom realm.

            Could you please explain me how the use of a custom realm will help to access HttpServletRequest/Response from my login module?

             

            P.S: I edited my questions above to be more clear and avoid confusing naming similarity of Karaf's implementation of WebConsoleSecurityProvider2 called JaasSecurityProvider and JAAS java.security.Provider.

             

            Edited by: bitl on Apr 23, 2012 9:07 AM

             

            Edited by: bitl on Apr 23, 2012 1:18 PM