Application Authorization Framework: AAF-91

Provide a Jetty server level solution to secure all servlets on a Jetty instance


    • Type: Story
    • Resolution: Done
    • Priority: Highest
    • Beijing Release
    • AAF 2018-04 (03/07-03/27), AAF 2018-05 (03/28-04/17)

      Securing third-party web services in OpenDaylight with servlet filters requires modifying third-party jars to add the AAF CadiFilter to servlet instances in their web.xml files. Supplying modified third-party jar files in Linux Foundation ONAP is not an optimal solution and is likely to be rejected by the community.

      The base infrastructure of some ONAP components, including APPC and many SDC components, is OpenDaylight, which uses PaxWeb to manage the web services in the OSGi container. PaxWeb simplifies the deployment of web services in an OSGi container while isolating the services from each other. PaxWeb-Jetty is an instance of a Jetty Server that can be configured through a jetty.xml or a PaxWeb fragment bundle. PaxWeb isolates the web services on a per-bundle basis, with a WebContext and ServletHandler connected to the main Jetty Server, which makes it difficult to add security filters to third-party web services such as RestConf and APIDOC: filters cannot be injected dynamically into existing OSGi web services because the WebContext and ServletHandler are not accessible outside the web service bundle. Current implementations of the Cadi/AAF filters therefore require modified versions of the web.xml in third-party jars to add the CadiFilter and the AAF permissions filters to the servlet.

      PaxWeb allows customization of the Jetty server at startup by providing a jetty.xml.

      An AAF security handling solution that can be added to a jetty.xml will allow third-party servlets to be secured through AAF without modifying the associated components. Because the handler sits at the Jetty server level, it runs before any bundle's ServletHandler, so every servlet on the instance is covered by default rather than only those whose web.xml was edited. Permission mapping should allow for customization based on request URLs (path only, without server and port) configured in a configuration file.

      Default permission example:

          {namespace (from configuration file)} | {url} | {method:get,post,put}

      Configuration example:
          #Required
          default_namespace=org.onap.appc
          #Optional
          url1=/api
          namespace1=org.onap.appc.api
          url2=/jolokia
          namespace2=org.onap.appc.jolokia
      The solution should be compatible with OpenDaylight Nitrogen SR1, Karaf 4.0.9, Pax Web 4.3.0 and Jetty 9.2.19.v20160908.
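      The following is an added example of the server-level handler described above; it is not code from the AAF project or from this issue's resolution. It assumes the Jetty 9.2 HandlerWrapper API, a hypothetical package and class name, and a hypothetical PermissionChecker interface standing in for the real CADI/AAF permission lookup (whose API is not shown on this page). Wiring the wrapper around the Server's root handler through jetty.xml is also assumed and not shown, since it depends on how PaxWeb attaches its own handler collection. The handler parses the default_namespace and numbered url/namespace pairs from the configuration example, builds the {namespace}|{url}|{method} permission string, canonicalizes the path before prefix matching, and fails closed.

```java
package org.onap.example.aaf; // hypothetical package, not part of AAF

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.util.URIUtil;

/**
 * Server-level Jetty handler that authorizes every request before it reaches any
 * PaxWeb-deployed servlet. Wrapping the Server's root handler means third-party
 * bundles (RestConf, APIDOC, jolokia, ...) need no changes to their web.xml.
 */
public class AafAuthorizingHandler extends HandlerWrapper {

    /** Hypothetical abstraction over the AAF lookup; the real CADI call is not shown here. */
    public interface PermissionChecker {
        boolean hasPermission(HttpServletRequest request, String permission);
    }

    private static final class Mapping {
        final String urlPrefix;
        final String namespace;
        Mapping(String urlPrefix, String namespace) {
            this.urlPrefix = urlPrefix;
            this.namespace = namespace;
        }
    }

    private final String defaultNamespace;
    private final List<Mapping> mappings = new ArrayList<>();
    private final PermissionChecker checker;

    /** cfg holds default_namespace (required) and url1/namespace1, url2/namespace2, ... (optional). */
    public AafAuthorizingHandler(Properties cfg, PermissionChecker checker) {
        this.defaultNamespace = cfg.getProperty("default_namespace");
        if (defaultNamespace == null || defaultNamespace.isEmpty()) {
            throw new IllegalArgumentException("default_namespace is required");
        }
        this.checker = checker;
        for (int i = 1; cfg.containsKey("url" + i); i++) {
            String ns = cfg.getProperty("namespace" + i);
            if (ns == null) {
                throw new IllegalArgumentException("namespace" + i + " missing for url" + i);
            }
            mappings.add(new Mapping(stripTrailingSlash(cfg.getProperty("url" + i)), ns));
        }
        // Longest prefix first so a more specific url (e.g. /api/admin) wins over /api.
        mappings.sort((a, b) -> b.urlPrefix.length() - a.urlPrefix.length());
    }

    private static String stripTrailingSlash(String s) {
        return (s.length() > 1 && s.endsWith("/")) ? s.substring(0, s.length() - 1) : s;
    }

    /** "/api" matches "/api" and "/api/x" but not "/apix"; "/" matches everything. */
    static boolean segmentPrefixMatch(String path, String prefix) {
        return "/".equals(prefix) || path.equals(prefix) || path.startsWith(prefix + "/");
    }

    /** Builds {namespace}|{url without server and port}|{method}, the default permission form. */
    String permissionFor(String canonicalPath, String method) {
        String ns = defaultNamespace;
        for (Mapping m : mappings) {
            if (segmentPrefixMatch(canonicalPath, m.urlPrefix)) {
                ns = m.namespace;
                break;
            }
        }
        return ns + "|" + canonicalPath + "|" + method.toLowerCase(Locale.ROOT);
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        // Canonicalize before matching so "/api/../jolokia" is not authorized under the /api namespace.
        String path = URIUtil.canonicalPath(target);
        if (path == null) { // path climbs above the root: reject rather than guess
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            baseRequest.setHandled(true);
            return;
        }
        String permission = permissionFor(path, request.getMethod());
        if (!checker.hasPermission(request, permission)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            baseRequest.setHandled(true);
            return; // fail closed: the wrapped PaxWeb handlers never see the request
        }
        super.handle(target, baseRequest, request, response);
    }
}
```

      With the configuration example above, GET /api/v1/nodes yields the permission org.onap.appc.api|/api/v1/nodes|get, POST /jolokia/exec yields org.onap.appc.jolokia|/jolokia/exec|post, and anything else falls back to org.onap.appc. Note that the check runs on the method exactly as sent, so HEAD and OPTIONS need their own grants or an explicit mapping; treating them as GET silently widens access.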

            sg481n
            ry303t