Schema - 7.0

Talend ESB Container Administration Guide

EnrichVersion
7.0
EnrichProdName
Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Open Studio for ESB
Talend Real-Time Big Data Platform
task
Administration and Monitoring
Design and Development
Installation and Upgrade
EnrichPlatform
Talend ESB

To override or deploy a new realm, you can use the following XSD which is supported by a Spring namespace handler and can thus be defined in a Spring xml configuration file.

You can find the schema at the following location: http://karaf.apache.org/xmlns/jaas/v1.1.0.

Here are two examples using this schema:

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
       xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
       xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/
               v1.0.0">

   <!-- Bean that allows the $[karaf.base] property to be resolved -->
   <ext:property-placeholder 
      placeholder-prefix="$[" placeholder-suffix="]"/>

   <jaas:config name="myrealm">
      <jaas:module className="org.apache.karaf.jaas.modules.properties.
         PropertiesLoginModule" 
         flags="required">
         users = $[karaf.base]/etc/users.properties
      </jaas:module>
   </jaas:config>

</blueprint>
<jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
   name="ks"
   rank="1"
   path="classpath:privatestore.jks"
   keystorePassword="keyStorePassword"
   keyPasswords="myalias=myAliasPassword">
</jaas:keystore>

The id attribute is the blueprint id of the bean, but it will be used by default as the name of the realm if no name attribute is specified. Additional attributes on the config elements are a rank, which is an integer. When the LoginContext looks for a realm for authenticating a given user, the realms registered in the OSGi registry are matched against the required name. If more than one realm is found, the one with the highest rank will be used, thus allowing the override of some realms with new values. The last attribute is publish which can be set to false to not publish the realm in the OSGi registry, thereby disabling the use of this realm.

Each realm can contain one or more module definitions. Each module identifies a LoginModule and the className attribute must be set to the class name of the login module to use. Note that this login module must be available from the bundle classloader, so either it has to be defined in the bundle itself, or the needed package needs to be correctly imported. The flags attribute can take one of four values that are explained on the JAAS documentation. The content of the module element is parsed as a properties file and will be used to further configure the login module.

Deploying such a code will lead to a JaasRealm object in the OSGi registry, which will then be used when using the JAAS login module.

Configuration override and use of the rank attribute

The rank attribute on the config element is tied to the ranking of the underlying OSGi service. When the JAAS framework performs an authentication, it will use the realm name to find a matching JAAS configuration. If multiple configurations are used, the one with the highest rank attribute will be used. So if you want to override the default security configuration in Karaf (which is used by the ssh shell, web console and JMX layer), you need to deploy a JAAS configuration with the name name="karaf" and rank="1".

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
   xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0"
   xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/
      v1.0.0">

   <!-- Bean that allows the $[karaf.base] property to be resolved -->
   <ext:property-placeholder 
      placeholder-prefix="$[" placeholder-suffix="]"/>

   <jaas:config name="karaf" rank="1">
      <jaas:module className="org.apache.karaf.jaas.modules.properties.
         PropertiesLoginModule" flags="required">
         users = $[karaf.base]/etc/users.properties
         ...
      </jaas:module>
   </jaas:config>

</blueprint>