common security services. consolidation patterns for legacy components - stefan vladov
DESCRIPTION
The concept of interface and implementation is not a new idea, but when you need to unify a number of server components that have been developed and refined for years, it might become a difficult pattern to follow. The talk is about the approach Software AG took in consolidating JAAS-based server components, including dynamic loading of login modules and dynamic domain configurations. The login modules are bundles or POJO legacy implementations.
TRANSCRIPT
COPYRIGHT © 2008-2011 OSGi Alliance. All Rights Reserved
Common Security Services – Consolidation Patterns for Legacy Components
Stefan VLADOV
SOFTWARE AG
20.09.2011
OSGi Alliance Community Event 2011© 2008-2011. All Rights Reserved Page 2
OSGi Server platform
• Our focus:
  • Enterprise JAVA applications and servers
  • Migrating heavy legacy components to OSGi
• Components are tightly bound to core JAVA APIs
  • Not well suited for the OSGi world
Speaking of JAVA APIs…
• Java Authentication and Authorization Service
• JAAS class loading problems
• Key points
• Plugging login module bundles
• Preserving backward compatibility
• Configuration challenges
• RFP 123 – JAAS Integration
JAAS Core functionality
• Focus on the authentication part of JAAS
• Frontend
  • Consumers of login capabilities
• Backend
  • Providers of login capabilities
• Configuration
  • Exposing dynamic JAAS configuration
  • Retain backward compatibility
General design
• We are focusing on the following JAAS framework artifacts:
• Login modules
  • Ensure dynamic OSGi disposal of login module bundles
  • Proxy loading mechanism to cope with JAAS limitations
• Login contexts
  • Control of login context creation
  • Try to facilitate login module classloading
• Configuration
  • Provide own JAAS configuration implementation tied to wrapped login modules
  • Expose the configuration through standard OSGi API
Overview
(Architecture diagram; only the component labels survive from the slide.)
• Configurator
• Login Consumer
• Configuration Admin Service, Managed Service Factory
• Login Context Factory Service, LoginContextFactoryImpl
• Managed Configuration (Realms)
• Login Module Factory
• JAAS Extender (Generic Login Module Factory Implementations)
• Login Module Libraries
• True OSGi Login Module Bundle: Login Module Factory Impl, Login Module Implementation
• Login Provider
Login Consumer
• Access JAAS through a LoginContextFactory:

  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.LoginContext;

  interface LoginContextFactory {
      // The factory, not the consumer, decides how a context for the named realm is built
      LoginContext createLoginContext(String realm, Subject subject, CallbackHandler handler);
  }

• Benefits:
  • Control and influence the creation of login contexts
  • It really feels like the OSGi way of communication between modules
Login Consumer
• Legacy support:
  LoginContext context = new LoginContext(…);
• Notes:
  • Products are used to this API
  • The proxy login module should be on the bootstrap classpath or on the thread context classpath when the context is created by the JAAS framework
Login Module Provider
• Login Module Factory:

  import javax.security.auth.spi.LoginModule;

  interface LoginModuleFactory {
      // Returns a fresh instance per login; the JAAS framework calls initialize() on it
      LoginModule createLoginModule();
  }

• Notes:
  • Allows creation of custom login module implementations through the whiteboard architectural pattern
  • OSGi-aware providers may implement and register their own login module factories and have full control over the instantiation of login modules
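How the proxy login module on the JAAS-visible classpath and the LoginModuleFactory whiteboard from these two slides fit together, as an added illustration that is not code from the talk or from Software AG's implementation; the static registry stands in for the OSGi service registry, and the "delegate" option name is an assumption:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Whiteboard stand-in (hypothetical): in the real design this is the OSGi service
// registry holding LoginModuleFactory services, keyed by the configured module name.
interface LoginModuleFactory { LoginModule createLoginModule(); }

final class LoginModuleRegistry {
    private static final Map<String, LoginModuleFactory> FACTORIES = new ConcurrentHashMap<>();
    static void register(String name, LoginModuleFactory f) { FACTORIES.put(name, f); }
    static void unregister(String name) { FACTORIES.remove(name); }   // provider bundle stopped
    static LoginModuleFactory lookup(String name) { return FACTORIES.get(name); }
}

/** Lives on a classpath JAAS can see; the real module lives inside an OSGi bundle. */
public class ProxyLoginModule implements LoginModule {
    static final String DELEGATE_OPTION = "delegate";   // assumed option written by the configuration
    private LoginModule delegate;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        String name = (String) options.get(DELEGATE_OPTION);
        LoginModuleFactory factory = name == null ? null : LoginModuleRegistry.lookup(name);
        if (factory == null) {
            delegate = null;                 // bundle gone or never registered: fail closed in login()
            return;
        }
        delegate = factory.createLoginModule();
        Map<String, Object> delegateOptions = new HashMap<>(options);
        delegateOptions.remove(DELEGATE_OPTION);   // the delegate sees only its own options
        delegate.initialize(subject, handler, sharedState, delegateOptions);
    }

    @Override public boolean login() throws LoginException {
        if (delegate == null) throw new LoginException("no login module registered for delegate");
        return delegate.login();   // a REQUIRED/REQUISITE entry that throws fails the whole realm
    }
    @Override public boolean commit() throws LoginException { return delegate != null && delegate.commit(); }
    @Override public boolean abort()  throws LoginException { return delegate != null && delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate != null && delegate.logout(); }
}
```

Failing closed when the delegate is missing matters: if the proxy silently returned true, unregistering a provider bundle would turn a required module into a no-op.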
Login Module Provider
• Login Module Libraries:
  • The login module extender bundle will automatically register login modules declared in bundle manifests (under the Jaas-ModuleClass header)
  • Convenience for providers that wish to refrain from dependencies on the OSGi API
  • Using the Extender pattern to plug libraries into the Whiteboard (cool eh?)
Configuration
• JAAS Realm configuration
• Realm name
• List of module entries. Each entry consists of:
• Module name
• Flag: required, sufficient, requisite, optional
• Set of key=value options.
Configuration
• Managed JAAS configuration:
  • Replace the standard JAAS configuration
  • Exposed through the OSGi service registry
  • Merge with standard JAAS configuration file (using central configuration)
  • Wrap configured login modules in proxy login modules (ClassLoader aware about delegates)
Configuration
• Using the Configuration Admin service to provide access to the JAAS configuration dynamically, through the OSGi API
  • JAAS application configuration entries are pushed to the Managed configuration when they carry the "jaas.config.pid" persistent identifier (PID)
  • Although the Configuration Admin service offers only a very basic API for managing the JAAS configuration, it has its benefits: the configuration will be available through any generic tool / UI that supports Configuration Admin
  • A dedicated Realm configuration service should be evaluated in the future.
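A managed JAAS Configuration of the kind the configuration slides describe (realm entries with module name, control flag and options, each wrapped in a proxy login module entry), as an added example that is not the project's code; ModuleEntry, the updateRealm method, the proxy class name and the "delegate" option are assumptions:

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** One module entry of a realm, as delivered by the configurator (assumed shape). */
final class ModuleEntry {
    final String name; final String flag; final Map<String, String> options;
    ModuleEntry(String name, String flag, Map<String, String> options) {
        this.name = name; this.flag = flag; this.options = options;
    }
}

public class ManagedJaasConfiguration extends Configuration {
    static final String PROXY_CLASS = "ProxyLoginModule"; // assumed: the proxy on the JAAS-visible classpath
    static final String DELEGATE_OPTION = "delegate";     // assumed option the proxy resolves via the whiteboard
    private final Map<String, AppConfigurationEntry[]> realms = new ConcurrentHashMap<>();

    static LoginModuleControlFlag flagOf(String flag) {
        switch (flag.trim().toLowerCase(Locale.ROOT)) {
            case "required":   return LoginModuleControlFlag.REQUIRED;
            case "requisite":  return LoginModuleControlFlag.REQUISITE;
            case "sufficient": return LoginModuleControlFlag.SUFFICIENT;
            case "optional":   return LoginModuleControlFlag.OPTIONAL;
            default: throw new IllegalArgumentException("unknown JAAS control flag: " + flag);
        }
    }

    /** Realm updated (entries == null: realm removed). Called from the ManagedServiceFactory. */
    public void updateRealm(String realm, List<ModuleEntry> entries) {
        if (entries == null) { realms.remove(realm); return; }
        List<AppConfigurationEntry> wrapped = new ArrayList<>();
        for (ModuleEntry e : entries) {
            Map<String, Object> opts = new HashMap<>(e.options);
            opts.put(DELEGATE_OPTION, e.name);   // proxy looks the real module up by this name
            wrapped.add(new AppConfigurationEntry(PROXY_CLASS, flagOf(e.flag), opts));
        }
        // Every flag was validated above, so a bad entry never publishes a half-built realm.
        realms.put(realm, wrapped.toArray(new AppConfigurationEntry[0]));
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
        AppConfigurationEntry[] entries = realms.get(realm);
        return entries == null ? null : entries.clone(); // unknown realm: JAAS tries "other", then fails
    }

    @Override public void refresh() { /* entries are pushed by Configuration Admin, nothing to reload */ }
}
```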
Bundle structure
(Diagram; bundle labels recovered from the slide.)
JAAS API BUNDLE
- LoginContextFactory <iface>
- LoginModuleFactory <iface>
JAAS BUNDLE
- Implementations
- Login module registry (Whiteboard)
- Managed Configuration
JAAS EXTENDER BUNDLE
- LoginModuleBundleTracker
JAAS PARSER BUNDLE
- ConfigurationAdmin Service Tracker
JAAS PROXY
- ProxyLoginModule
Out of scope
• User Admin service – We want to stay focused only on the pure JAAS API. Adopters are free to use whatever security component they want, on top of JAAS.
• We are currently working on providing a common SSO service in an OSGi server environment.
  • Prototyping with OpenID and SAML
Q&A