Re: [ecf-dev] RFC 119 Distributed OSGi authentication
Hi Saul,
Saul Goode wrote:
> Is it possible to establish some kind of authentication between the
> provider of a DOSGi remote service (exposed via ECF) and its client?

There's no specification of authentication or authorization as part of
RFC119 itself (which is moving to be 'remote services' in the
forthcoming OSGi spec).

> What I'm looking for is a way to authenticate one DOSGi/ECF instance to
> another one to be able to restrict access on certain services. The
> authentication should be transparent, i.e. the bundles which provide or
> use the services shouldn't be changed.

Because it's not specified in the spec, it depends upon what the rfc119
implementer makes available in terms of authentication and
authorization. For authentication, ECF's remote services API (that is
used by the ECF RFC 119 impl) does have a notion of providing/getting
authentication information from the client (i.e. the
org.eclipse.ecf.remoteservice.IRemoteServiceContainerAdapter.setConnectContextForAuthentication(IConnectContext)),
and this can be used by the provider to authenticate (and subsequently
authorize based upon that authentication). Because rfc119 doesn't say
anything about passing of credentials, it's necessary to call the
setConnectContextForAuthentication directly (by getting the
IRemoteServiceContainerAdapter and calling that method).

The various ECF remote service providers use/handle the connectContext
in different ways. r-OSGi does not use it (currently). ECF generic
does use it for passing password to server/service host. The new REST
provider does not use it (although probably should...that would be a
good enhancement Holger).

On the service host side (to evaluate the auth information and
allow/disallow access)...again because nothing is specified in the spec
it depends upon the provider. AFAIK, r-osgi doesn't allow customization
of the access control...but Jan will/should correct me if I'm wrong.

See below for a brief explanation of how to programmatically set the
connect handling for the ECF generic service host.

So the main points are: 1) rfc119 and the forthcoming remote services
spec (I believe) don't define authentication and authorization for
remote services; 2) ECF has api for authentication; 3) the existing ECF
remote services providers support that api to varying degrees (and new
providers, or extensions of existing providers can certainly support this).

Thanks,
Scott

Setting the connect handling policy on the ECF generic service host:
ECF generic allows such customization via the setting of a callback
implementing this method
org.eclipse.ecf.core.security.IConnectHandlerPolicy on
ISharedObjectContainerGroupManager.setConnectPolicy(IConnectHandlerPolicy).
The ISharedObjectContainerGroupManager can be accessed (e.g.)

    ISharedObjectContainerGroupManager sogroupManager =
        (ISharedObjectContainerGroupManager)
            container.getAdapter(ISharedObjectContainerGroupManager.class);
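
Added example (not part of the original message and not ECF project code): one way to combine the two calls named above for the ECF generic provider, with the host rejecting any connect that lacks the expected password. The class and method names and the shared-secret scheme are hypothetical; it also assumes that the generic client delivers the password to checkConnect as a String and that returning null permits the connect.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PermissionCollection;
import org.eclipse.ecf.core.IContainer;
import org.eclipse.ecf.core.identity.ID;
import org.eclipse.ecf.core.security.ConnectContextFactory;
import org.eclipse.ecf.core.security.IConnectHandlerPolicy;
import org.eclipse.ecf.core.sharedobject.ISharedObjectContainerGroupManager;
import org.eclipse.ecf.remoteservice.IRemoteServiceContainerAdapter;

// Hypothetical helper class; only the ECF types and methods come from the ECF API.
public final class GenericAuthExample {

    // Host side: refuse every connect whose connectData is not the expected secret.
    public static void protectHost(IContainer hostContainer, final String expectedSecret) {
        ISharedObjectContainerGroupManager mgr = (ISharedObjectContainerGroupManager)
                hostContainer.getAdapter(ISharedObjectContainerGroupManager.class);
        if (mgr == null)
            throw new IllegalStateException("container is not an ECF generic host");
        mgr.setConnectPolicy(new IConnectHandlerPolicy() {
            public PermissionCollection checkConnect(Object address, ID fromID, ID targetID,
                    String targetGroup, Object connectData) throws Exception {
                // Assumption: the generic client sends the password as a String.
                if (!(connectData instanceof String)
                        || !sameSecret((String) connectData, expectedSecret))
                    throw new SecurityException("connect refused for " + String.valueOf(fromID));
                return null; // assumption: null means "allowed, no extra permissions"
            }
            public void refresh() { /* nothing cached, nothing to refresh */ }
        });
    }

    // Client side: attach the password before the container connects to the host.
    public static void authenticateClient(IContainer clientContainer, String secret) {
        IRemoteServiceContainerAdapter rs = (IRemoteServiceContainerAdapter)
                clientContainer.getAdapter(IRemoteServiceContainerAdapter.class);
        if (rs == null)
            throw new IllegalStateException("container has no remote service adapter");
        rs.setConnectContextForAuthentication(
                ConnectContextFactory.createPasswordConnectContext(secret));
    }

    // Constant-time comparison so a mismatch does not reveal how much of the secret matched.
    private static boolean sameSecret(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Whether the password is protected in transit depends on the transport the provider is configured with; the policy only decides who may connect.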