Wednesday, May 21, 2008


I've working on implementing the security framework for ServiceMix 4. ServiceMix 3 used JAAS for the authentication part, and it also makes sense to use it in ServiceMix 4 for several reasons: reuse of existing login modules, integration with the JMX and the console security which are already based on JAAS.
However JAAS is not very OSGi friendly (well, most of the JEE specifications are not, and I'll talk about the others in another post), mostly because is makes some strong assumptions upon the thread context classloader, and this, mainly on the client code. This means the client that uses the JAAS api to authenticate has to have all the login modules available in its thread context classloader. This is usually not the case in OSGi.
So the solution is to use a proxy login module that will be available to all bundles (by using the boot framework delegation package). This proxy login module can use some OSGi properties on the login module configuration to determine the actual class to use and the bundle to load it from.
Using a simple XML schema for Spring, you can deploy a JAAS realm very easily:

<jaas:config id="realm" xmlns:jaas="">
<jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule" flags="required">

This will register a service in OSGi that the OSGi specific Configuration for JAAS will discover and make it available for clients.

Find more informations on the ServiceMix Kernel JAAS doc.

1 comment:

Anonymous said...

hi, i have a question on jaas use with smx-http basic auth. I used servicemix-jaas-module.xml file in my SU. Looks like it cannot find the loginmodule.