Security :: Authentication with a Database
This document explains how Roboconf distributions can be configured to authenticate users from a database.
You need a relational database with existing tables.
Creating the Data Source
Install the JDBC driver for the database.
feature:repo-add mvn:org.ops4j.pax.jdbc/pax-jdbc-features/0.9.0/xml/features feature:install pax-jdbc-config feature:install pax-jdbc-mysql
You can refer to PAX’s documentation for help about PAX-JDBC.
Then, prepare a configuration file to declare a data source.
In Roboconf’s etc directory, create a file named org.ops4j.datasource-auth.cfg.
What is important is that its name begins with org.ops4j.datasource-.
osgi.jdbc.driver.name = mysql databaseName = users serverName = localhost portNumber = 3306 user = roboconf password = roboconf dataSourceName = jdbc/roboconf-auth-db
Properties names can be found in the driver’s documentation.
Generic ones are also listed here.
Once saved, you can find your configuration in Karaf’s web console, under the OSGi > Configuration menu.
You should also find it as a javax.sql.DataSource under the OSGi > Services menu.
Working with a Test (SQL) Database
Create the tables as follows.
CREATE TABLE users ( username varchar(255) NOT NULL, password varchar(255) NOT NULL, PRIMARY KEY (username) ); CREATE TABLE roles ( username varchar(255) NOT NULL, role varchar(255) NOT NULL, PRIMARY KEY (username,role) ); INSERT INTO users VALUES ("toto","toto"); INSERT INTO roles VALUES ("toto","admin"); INSERT INTO roles VALUES ("toto","viewer");
Creating the REALM
Prepare a (blueprint) file with the connection properties.
<?xml version="1.0" encoding="UTF-8"?> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0" xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0"> <jaas:config name="karaf" rank="1"> <jaas:module className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule" flags="required"> datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/roboconf-auth-db) query.password = SELECT password FROM USERS WHERE username=? query.role = SELECT role FROM ROLES WHERE username=? </jaas:module> </jaas:config> </blueprint>
This login module creates a JAAS realm called karaf. It overrides the default JAAS realm (used by Karaf) by using a rank attribute value greater than 0 (the default karaf realm has a rank of 0). Notice that the database and the tables must exist first.
Get the Karaf shell and deploy the blueprint in Karaf.
# Log into the Karaf shell ./client -u user -p password # Install the deployer feature feature:install deployer # Install it using the blueprint deployer bundle:install --start blueprint:file:/path/to/blueprint.xml # Verify it is installed bundle:list jaas:realm-list
You could also copy the XML file under Karaf’s deploy directory.
Or create a Karaf feature that reference the blueprint.
Then, you can verify your users are found…
# Provided you have a user called "toto" in the "users" table ./client -u toto
The client should prompt for the user password.
The password will be verified against the database.
Notice that you can configure this module to manage users and roles from the DM.
You need to configure the JDBC back-end. Please, refer to Karaf’s web site for more details.