JAXRS whiteboard service with client certificate authentication


Alex Weirig

Hello,

I have multiple REST webservices running in karaf using Apache Aries JAX-RS Whiteboard.

Now I'd need to create a webservice that should require a client certificate authentication.

Is there an example somewhere on how to implement this authentication (filter, ...?) in a KISS OSGi approach?

I found some code samples using Google but they all seem relatively complicated or relying on other frameworks (Spring ...).

Many thanks in advance for your help

--

Mat frëndleche Gréiss,
Mit freundlichen Grüßen,
Meilleures salutations,
Kind regards,

Alex Weirig
Responsable Technique
Ville de Luxembourg
Service Enseignement
Centre Technolink

Tel +352 4796 - 6127
Fax +352 42 88 81
Email [hidden email]
www.vdl.lu // www.technolink.lu

Centre Technolink
2, rue Charles de Tornaco 
L-2623 LUXEMBOURG

indoors.this.blesses
schaufel.besten.kopie
supposons.levage.venger


Re: JAXRS whiteboard service with client certificate authentication

Mike Hummel
Hello Alex,

this is not solving your problem... but we use a dedicated web server (Apache) with an HTTP proxy to do all the SSL/TLS stuff (this also has more performance). It also checks the client certificate, and it's possible to add the certificate owner to the HTTP header.

Best Regards, Mike



Re: JAXRS whiteboard service with client certificate authentication

Alex Weirig

Hi Mike,

thanks for the info.




Re: JAXRS whiteboard service with client certificate authentication

Tim Ward-2
Hi Alex,

Did you consider using something like Apache Shiro? The Apache Aries JAX-RS whiteboard has a number of integration projects for relevant technologies, and one of them adds support for Apache Shiro.

What I would then do is add the Shiro authentication and authorization features to my whiteboard (configured appropriately) and then make sure that my whiteboard resource(s) that needed Shiro had the relevant extension select filter defined.

I hope that helps you with your research.

All the best,

Tim


Re: JAXRS whiteboard service with client certificate authentication

Alex Weirig

Hi Tim,

thank you very much ... more stuff to look at.



Re: JAXRS whiteboard service with client certificate authentication

jbonofre
Hi

FYI, I did several fixes in Shiro 1.5.x for OSGi/Karaf.

So, definitely, Shiro is a good option.

Regards
JB


Re: JAXRS whiteboard service with client certificate authentication

Łukasz Dywicki
In reply to this post by Alex Weirig
Hey Alex,
In order to get client certificates you need to configure the server for
that. A sample Jetty configuration (from the Java API) is available here:
https://gist.github.com/jankronquist/6412839

The major trouble here is the fact that the SSL context will be shared across the whole
server/connector (port) which you declare. A secured service which
requires a client cert might redirect automatically to https to force
validation on the server side.

Anyhow, if you find a working configuration then it will be very
nice material for publication! :-)

Cheers,
Łukasz
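
A minimal JAX-RS whiteboard filter for the question asked in this thread, added here as an example (it is not code from any of the posters or from the Aries project). It assumes the HTTP container already requests and validates client certificates at the TLS layer, as the reply above describes, and that the JAX-RS runtime injects `HttpServletRequest` via `@Context`; the package, extension name, property name and subject DN are constructed.

```java
package example.clientcert; // hypothetical package name

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsName;

@Component(service = ContainerRequestFilter.class)
@JaxrsExtension
@JaxrsName("clientCertFilter") // hypothetical extension name
public class ClientCertFilter implements ContainerRequestFilter {

    // Servlet-spec attribute: the chain the TLS layer accepted during the handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Constructed allow-list of subject DNs (RFC 2253 form); load from configuration in practice.
    private static final Set<String> ALLOWED_SUBJECTS =
            Collections.singleton("CN=reporting-client,O=Example,C=LU");

    @Context
    private HttpServletRequest request; // assumption: injected per request by the runtime

    @Override
    public void filter(ContainerRequestContext ctx) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        // Fail closed: no certificate means plain HTTP or a handshake without client auth.
        if (chain == null || chain.length == 0) {
            deny(ctx, Response.Status.UNAUTHORIZED);
            return;
        }
        // chain[0] is the client's own certificate; its issuers follow.
        String subject = chain[0].getSubjectX500Principal().getName();
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            deny(ctx, Response.Status.FORBIDDEN);
            return;
        }
        // Hypothetical property name; resources can read the authenticated subject from it.
        ctx.setProperty("client.cert.subject", subject);
    }

    private static void deny(ContainerRequestContext ctx, Response.Status status) {
        ctx.abortWith(Response.status(status).build());
    }
}
```

As registered, the filter runs for every resource in the same whiteboard application. When TLS is terminated on a front-end proxy instead, the servlet attribute is absent and this filter rejects every request.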
