Uploaded image for project: 'Application Authorization Framework'
  1. Application Authorization Framework
  2. AAF-91

Provide a Jetty server level solution to secure all servlets on a Jetty instance

    XMLWordPrintable

Details

    • Story
    • Status: Closed
    • Highest
    • Resolution: Done
    • None
    • Beijing Release
    • None
    • AAF 2018-04 (03/07-03/27), AAF 2018-05 (03/28-04/17)

    Description

      Securing third party web services in OpenDaylight with servlet filters requires modifying third party jars to add the AAF CadiFilter to servlet instances in web.xml files. Supplying modified third party jar files in Linux Foundation ONAP is not an optimal solution and is likely to be rejected by the community.

      The base infrastructure of some ONAP components including APPC, and many SDC components is OpenDaylight which uses PaxWeb to manage the web services in the OSGI container. PaxWeb simplifies the deployment of Web Services in an OSGI container while isolating the services from each other. PaxWeb-Jetty is an instance of a Jetty Server that can be configured through a jetty.xml or PaxWeb fragment bundle. PaxWeb isolates the web services on a per bundle basis with a WebContext and ServletHandler connected to the main Jetty Server resulting in difficulty adding security filters to third party web services such as RestConf and APIDOC. Due to this it is difficult to dynamically inject filters into existing OSGI web services as it is not possible to access the WebContext or ServletHandler outside of the web service bundle. Current implementations of Cadi/AAF filters require modified versions of the web.xml in third party jars to add the CadiFilter, and AAF permissions filters to the servlet.

      PaxWeb allows customization of the Jetty server at startup by providing a jetty.xml.

      An AAF security handling solution that can be added to a jetty.xml will allow third party servlets to be secured through AAF without the need to modify the associated components. Permission mapping should allow for customization based on request urls (without server and port) configured in a configuration file.

      Default permission example:

          {namspace (from configuration file)} | {url} | {method:get,post,put}

      Configuration example:
          #Required
          default_namespace=org.onap.appc
          #Optional
          url1=/api
          namespace1=org.onap.appc.api
          url2=/jolokia
          namespace2=org.onap.appc.jolokia
          
          
          
      Solution should be compatible with Open Daylight Nitrogen SR1, Karaf 4.0.9, Pax Web 4.3.0, Jetty 9.2.19.v20160908.

      Attachments

        Issue Links

          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. APPC-404 Integrated with AAF

          • Highest - Catastrophic defect that causes total failure of the software or unrecoverable data loss with no available workaround. Complete shut-down of the process, nothing can proceed further. Blocks testing of the product / feature. Must be fixed in the next build.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AAF-72 App-C Integration

          • Medium - Failure of non-critical aspects of the system but results in an inconvenient situation. It causes some undesirable behavior, but the system is still functional. There is a reasonably satisfactory workaround. It is still a valid defect that should be corrected May be fixed after the release or in the next release.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              sg481n Sai Gandham
              ry303t Ryan Young
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 days
                  2d