Uploaded image for project: 'Application Authorization Framework'
  1. Application Authorization Framework
  2. AAF-91

Provide a Jetty server level solution to secure all servlets on a Jetty instance

    XMLWordPrintable

    Details

    • Type: Story
    • Status: Closed
    • Priority: Highest
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: Beijing Release
    • Labels:
      None
    • Sprint:
      AAF 2018-04 (03/07-03/27), AAF 2018-05 (03/28-04/17)

      Description

      Securing third party web services in OpenDaylight with servlet filters requires modifying third party jars to add the AAF CadiFilter to servlet instances in web.xml files. Supplying modified third party jar files in Linux Foundation ONAP is not an optimal solution and is likely to be rejected by the community.

      The base infrastructure of some ONAP components including APPC, and many SDC components is OpenDaylight which uses PaxWeb to manage the web services in the OSGI container. PaxWeb simplifies the deployment of Web Services in an OSGI container while isolating the services from each other. PaxWeb-Jetty is an instance of a Jetty Server that can be configured through a jetty.xml or PaxWeb fragment bundle. PaxWeb isolates the web services on a per bundle basis with a WebContext and ServletHandler connected to the main Jetty Server resulting in difficulty adding security filters to third party web services such as RestConf and APIDOC. Due to this it is difficult to dynamically inject filters into existing OSGI web services as it is not possible to access the WebContext or ServletHandler outside of the web service bundle. Current implementations of Cadi/AAF filters require modified versions of the web.xml in third party jars to add the CadiFilter, and AAF permissions filters to the servlet.

      PaxWeb allows customization of the Jetty server at startup by providing a jetty.xml.

      An AAF security handling solution that can be added to a jetty.xml will allow third party servlets to be secured through AAF without the need to modify the associated components. Permission mapping should allow for customization based on request urls (without server and port) configured in a configuration file.

      Default permission example:

          {namspace (from configuration file)} | {url} | {method:get,post,put}

      Configuration example:
          #Required
          default_namespace=org.onap.appc
          #Optional
          url1=/api
          namespace1=org.onap.appc.api
          url2=/jolokia
          namespace2=org.onap.appc.jolokia
          
          
          
      Solution should be compatible with Open Daylight Nitrogen SR1, Karaf 4.0.9, Pax Web 4.3.0, Jetty 9.2.19.v20160908.

        Attachments

          Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            Activity

              People

              Assignee:
              sg481n Sai Gandham
              Reporter:
              ry303t Ryan Young
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 days
                  2d