Common Security Services. Consolidation patterns for legacy components - Stefan Vladov
 


The concept of interface and implementation is not a new idea, but when you need to unify a number of server components that have been developed and refined for years, it might become a difficult pattern to follow. The talk is about the approach Software AG took in consolidating JAAS-based server components including dynamic loading of login modules and dynamic domain configurations. The login modules are bundles or POJO legacy implementations.

Presentation Transcript

    • Common Security Services – Consolidation Patterns for Legacy Components
      Stefan VLADOV, SOFTWARE AG, 20.09.2011
      COPYRIGHT © 2008-2011 OSGi Alliance. All Rights Reserved
    • OSGi Server platform
      • Our focus:
        • Enterprise JAVA applications and servers
        • Migrating heavy legacy components to OSGi
        • Components are tightly bound to core JAVA APIs
        • Not well suited for the OSGi world
      OSGi Alliance Community Event 2011 © 2008-2011. All Rights Reserved
    • Speaking of JAVA APIs…
      • Java Authentication and Authorization Service
        • JAAS class loading problems
        • Key points
          • Plugging login module bundles
          • Preserving backward compatibility
          • Configuration challenges
        • RFP 123 – JAAS Integration
    • JAAS Core functionality
      • Focus on the authentication part of JAAS
      • Frontend
        • Consumers of login capabilities
      • Backend
        • Providers of login capabilities
      • Configuration
        • Exposing dynamic JAAS configuration
        • Retain backward compatibility
    • General design
      • We are focusing on the following JAAS framework artifacts
        • Login modules
          • Ensure dynamic OSGi disposal of login module bundles
          • Proxy loading mechanism to cope with JAAS limitations
        • Login contexts
          • Control of login context creation
          • Try to facilitate login module classloading
        • Configuration
          • Provide own JAAS configuration implementation tied to wrapped login modules
          • Expose the configuration through standard OSGi API
    • Overview
      [Architecture diagram. Box labels: Login Consumer; Login Context Factory Service (LoginContextFactoryImpl); Configurator; Configuration Admin Service; Managed Service Factory; Managed Configuration (Realms); Login Module Factory; JAAS Extender (Generic Login Module Factory Implementations); Login Provider: True OSGi Login Module Bundle (Login Module Factory Impl) and Login Module Libraries (Login Module Implementation)]
    • Login Consumer
      • Access JAAS through a LoginContextFactory:
          interface LoginContextFactory {
              LoginContext createLoginContext(String realm, Subject subject, CallbackHandler handler);
          }
      • Benefits:
        • Control and influence the creation of login contexts
        • It really feels like the OSGi way of communication between modules
    • Login Consumer
      • Legacy support:
          LoginContext context = new LoginContext(…);
      • Notes:
        • Products are used to this API
        • The proxy login module should be on the bootstrap classpath or on the thread context classpath when the context is created by the JAAS framework
    • Login Module Provider
      • Login Module Factory
          interface LoginModuleFactory {
              LoginModule createLoginModule();
          }
      • Notes:
        • Allows creation of custom login module implementations through the whiteboard architectural pattern
        • OSGi-aware providers may implement and register their own login module factories and have full control over the instantiation of login modules
    • Login Module Provider
      • Login Module Libraries:
        • The login module extender bundle automatically registers the login modules declared in bundle manifests (under the Jaas-ModuleClass header)
        • Convenience for providers that wish to refrain from dependencies on the OSGi API.
        • Using the Extender pattern to plug libraries into the Whiteboard (cool eh?)
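
A sketch of the proxy loading mechanism and the LoginModuleFactory whiteboard from the slides above, added here as an example and not taken from the Software AG code. The `proxy.delegate` option key, the static `FACTORIES` map (standing in for the OSGi service registry) and `DemoModule` are assumptions made so that the example runs on a plain JDK.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Same shape as the LoginModuleFactory interface on the slides.
interface LoginModuleFactory { LoginModule createLoginModule(); }

public class ProxyLoginModule implements LoginModule {
    static final String DELEGATE = "proxy.delegate"; // hypothetical option key
    // Stand-in for the whiteboard registry; an OSGi service tracker would maintain it.
    static final Map<String, LoginModuleFactory> FACTORIES = new ConcurrentHashMap<>();
    private LoginModule delegate;
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        LoginModuleFactory f = FACTORIES.get(String.valueOf(opts.get(DELEGATE)));
        if (f == null) return; // provider not registered: login() refuses below
        delegate = f.createLoginModule();
        delegate.initialize(s, h, shared, opts);
    }
    @Override public boolean login() throws LoginException { return required().login(); }
    @Override public boolean commit() throws LoginException { return required().commit(); }
    @Override public boolean abort() throws LoginException { return delegate != null && delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate != null && delegate.logout(); }
    private LoginModule required() throws LoginException {
        // A missing provider must never count as a successful login.
        if (delegate == null) throw new LoginException("no provider for configured login module");
        return delegate;
    }
    // Constructed demo module that accepts every login; for this demonstration only.
    static class DemoModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> a, Map<String, ?> b) { }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> opts = Map.of(DELEGATE, "com.example.DemoModule");
        ProxyLoginModule proxy = new ProxyLoginModule();
        proxy.initialize(new Subject(), null, new HashMap<>(), opts);
        try { proxy.login(); } catch (LoginException e) { System.out.println("refused: " + e.getMessage()); }
        FACTORIES.put("com.example.DemoModule", DemoModule::new); // provider bundle started
        proxy.initialize(new Subject(), null, new HashMap<>(), opts);
        System.out.println("login with provider: " + proxy.login());
    }
}
```

Only the proxy class has to be visible to the JAAS framework's class loader; the delegate is created inside the provider's own factory, so a stopped provider results in a refused login rather than a class loading error.
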
    • Configuration
      • JAAS Realm configuration
        • Realm name
        • List of module entries. Each entry consists of:
          • Module name
          • Flag: required, sufficient, requisite, optional
          • Set of key=value options.
    • Configuration
      • Managed JAAS configuration:
        • Replace the standard JAAS configuration
        • Exposed through the OSGi service registry
        • Merge with standard JAAS configuration file (using central configuration)
        • Wrap configured login modules in proxy login modules (ClassLoader aware of delegates)
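
The realm structure and the proxy wrapping from the two configuration slides above, as an added example that is not part of the original deck. `PROXY_CLASS`, the `proxy.delegate` option key, the realm name and the module class name are hypothetical; the JAAS classes and the four flags are the standard `javax.security.auth.login` API.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class ManagedJaasConfiguration extends Configuration {
    // Hypothetical names: the proxy class JAAS loads, and the option naming the real module.
    static final String PROXY_CLASS = "com.example.jaas.ProxyLoginModule";
    static final String DELEGATE = "proxy.delegate";
    private final Map<String, AppConfigurationEntry[]> realms = new ConcurrentHashMap<>();

    static LoginModuleControlFlag flag(String name) {
        switch (name.toLowerCase(Locale.ROOT)) {
            case "required":   return LoginModuleControlFlag.REQUIRED;
            case "requisite":  return LoginModuleControlFlag.REQUISITE;
            case "sufficient": return LoginModuleControlFlag.SUFFICIENT;
            case "optional":   return LoginModuleControlFlag.OPTIONAL;
            // Reject typos instead of silently weakening the realm.
            default: throw new IllegalArgumentException("unknown JAAS flag: " + name);
        }
    }

    /** Adds or replaces a realm; each row is {moduleClass, flag, key=value...}. */
    public void putRealm(String realm, String[]... modules) {
        AppConfigurationEntry[] entries = new AppConfigurationEntry[modules.length];
        for (int i = 0; i < modules.length; i++) {
            Map<String, Object> opts = new HashMap<>();
            for (int j = 2; j < modules[i].length; j++) {
                String[] kv = modules[i][j].split("=", 2);
                opts.put(kv[0], kv.length > 1 ? kv[1] : "");
            }
            opts.put(DELEGATE, modules[i][0]); // set last so an option cannot redirect the proxy
            entries[i] = new AppConfigurationEntry(PROXY_CLASS, flag(modules[i][1]), opts);
        }
        realms.put(realm, entries);
    }

    @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
        return realms.get(realm); // null tells JAAS the realm is not configured
    }
    public static void main(String[] args) {
        ManagedJaasConfiguration cfg = new ManagedJaasConfiguration();
        cfg.putRealm("Default", new String[] {"com.example.LdapLoginModule", "required", "url=ldaps://ldap.example"});
        Configuration.setConfiguration(cfg); // replaces the file-based JAAS configuration
        for (AppConfigurationEntry e : Configuration.getConfiguration().getAppConfigurationEntry("Default"))
            System.out.println(e.getLoginModuleName() + " " + e.getControlFlag() + " " + e.getOptions());
    }
}
```

Legacy callers that still use `new LoginContext(…)` pick up the same realms, because `Configuration.setConfiguration` swaps the process-wide configuration.
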
    • Configuration
      • Using the Configuration Admin service to provide access to the JAAS configuration dynamically, through OSGi API
        • JAAS application configuration entries are pushed to the Managed configuration when they have the "jaas.config.pid" persistent identifier
        • Although the Configuration Admin service offers a very basic API for managing the JAAS configuration, it has its benefits – the configuration will be available through any generic tool / UI that supports the Configuration Admin
        • A dedicated Realm configuration service should be evaluated in the future.
    • Bundle structure
      [Diagram. Bundles and their contents; one arrow is labelled "Configure"]
      • JAAS API BUNDLE: LoginContextFactory <iface>, LoginModuleFactory <iface>
      • JAAS BUNDLE: Implementations, Login module registry (Whiteboard), Managed Configuration
      • JAAS EXTENDER BUNDLE: LoginModuleBundleTracker
      • JAAS PROXY: ProxyLoginModule
      • JAAS PARSER BUNDLE: ConfigurationAdmin Service Tracker
    • Out of scope
      • User Admin service – We want to stay focused only on the pure JAAS API. Adopters are free to use whatever security component they want, on top of JAAS.
      • We are currently working on providing a common SSO service in an OSGi server environment.
      • Prototyping with OpenID and SAML
    • Q&A