JAAS authentication and OSGi

I was looking at how to best do JAAS-based authentication in an OSGi environment, but didn’t really find much useful material, so I’m sharing my findings here in the hope that others will jump in and add anything I may have missed.

Basically what I want to achieve is being able to run the following code unmodified in an OSGi bundle, and have the login() call access the set of JAAS authentication services that are currently available in the OSGi environment. I should be able to deploy and undeploy such authentication services without any changes to this code or the configuration of the containing bundle.

LoginContext context = new LoginContext(...);
context.login();
try {
    ...; // do something
} finally {
    context.logout();
}

So far the best thing I’ve found is the JAAS support that Guillaume Nodet described a few years ago. If I understand correctly, the relevant code lives in Apache Karaf nowadays, even though also Apache Felix mentions it and Guillaume’s original post refers to Apache ServiceMix. I’ve given up hope trying to identify which Maven dependency I should use to get this code.

However, the trouble I see with the ProxyLoginModule class, that seems like the core piece of glue in the Karaf JAAS support, is that it requires the login() call in the client code to explicitly pass the name of the bundle and the contained LoginModule class that are to be used for authentication. That breaks my expectation of zero code or configuration changes in the client bundle for adding or removing new authentication services. Also, it looks like only a single authentication service can be used at a time.

A more promising solution is described in a presentation that was apparently given by Stefan Vladov in the OSGi Community Event 2011. However, I couldn’t find any references to actual running code that implements that solution.

Please share any relevant pointers or other information in the comments below!

3 Responses to JAAS authentication and OSGi

  1. Reto Bachmann-Gmür says:

    In Clerezza we use JAAS for authorizarion but not for authentication. For authentication we have a filter that executes the subsequent request handling as a user and performs authentication (without using jaas standard mechanism) if an AccessControlException occurs. The limitation of this approach is that one cannot use standard authenticator, however the application code does normal JAAS permission check.
    A frequent pattern is to check a specific permission with AccessController and then execute code as priviledged so that if a user has a send-mail permission she doesn’t additionally need a netweor-access permission.

    e.g.

    AccessController.checkPermission(new SendMailPermission());
    return AccessController.doPrivileged(new PrivilegedAction() {

    @Override
    public Response run() {
    //do the networking and send the mail
    }
    });

  2. Raman Gupta says:

    Actually, ProxyLoginModule does not require the client code to pass the name of the bundle and LoginModule class… these are options configured on the ProxyLoginModule at initialization time. Specifically for Karaf, this is done automatically when a bundle exposes a Karaf JAAS Config (http://svn.apache.org/repos/asf/karaf/tags/karaf-2.2.8/jaas/config/src/main/java/org/apache/karaf/jaas/config/impl/Config.java) implementing the JaasRealm interface. An example of this: http://svn.apache.org/repos/asf/karaf/tags/karaf-2.2.8/jaas/modules/src/main/resources/OSGI-INF/blueprint/karaf-jaas-module.xml). JaasRealm’s get registered with an OSGi-specific JAAS Configuration extension (http://svn.apache.org/repos/asf/karaf/tags/karaf-2.2.8/jaas/config/src/main/java/org/apache/karaf/jaas/config/impl/OsgiConfiguration.java).

    To use this in client code, you can simply pass the name of the realm configured in the JAAS config in the constructor of LoginContext (easily configured as a property), without having any dependency or knowledge of the implementation bundle.

  3. Chetan says:

    Also have a look at https://github.com/chetanmeh/c/wiki/JAAS-in-OSGi for another approach which is based on Stefan’s presentation above and also borrows some concepts from Karaf JAAS support