Home Explore Help
Sign In
steinarb
/
authservice
Watch 1
Star 0
Fork 1
Files Issues 0 Pull Requests 0 Wiki

This is a pax web whiteboard extender webapp that serves as authenticator and login page for the nginx_auth_request_module

Branch: bug/mjavadoc-594
Branches Tags
authservice
ZIP TAR.GZ
Steinar Bang e617108447 Upgrade maven-javadoc-plugin version to 3.1.0 5 years ago
authservice.db.derby.test 5ffd627e0a Require the useradmin to be allowed to access /authservice/useradmin 5 years ago
authservice.db.liquibase da2873d261 Replace LATEST with actual version number to make it possible to release to OSSRH 5 years ago
authservice.db.postgresql bd2d2dd80c Add a PostgreSQL database for authservice 5 years ago
authservice.definitions bd2d2dd80c Add a PostgreSQL database for authservice 5 years ago
authservice.tests 3e45912533 Set version of depends-maven-plugin to fix build issue 5 years ago
authservice.users 42e5759975 Add a method to the UserManagementService to retrieve the list of permissions for a user based on the user's username 5 years ago
authservice.web.security a8d32e62f6 Make authservice feature startup more stable by ensuring that HK2 is loaded before the jersey servlet 5 years ago
authservice.web.security.dbrealm 956e4f1d3c Remove duplicate derby maven test dependencies 5 years ago
authservice.web.security.memorysession e28b40028c Add a DS component implementing the UserService OSGi service 5 years ago
authservice.web.users.api a8d32e62f6 Make authservice feature startup more stable by ensuring that HK2 is loaded before the jersey servlet 5 years ago
authservice.web.users.frontend e71471592c Make redirect to "/" work right 5 years ago
src bd2d2dd80c Add a PostgreSQL database for authservice 5 years ago
.editorconfig cfeea2849c Initial commit. 7 years ago
.gitignore cfeea2849c Initial commit. 7 years ago
.travis.yml 47617e4f71 Add .travis.yml configuration file for builds on travis-ci 6 years ago
LICENSE 10b035d97f License this software under Apache License v 2.0. 7 years ago
README.org bd2d2dd80c Add a PostgreSQL database for authservice 5 years ago
pom.xml e617108447 Upgrade maven-javadoc-plugin version to 3.1.0 5 years ago

README.org

Forms based nginx login and pluggable shiro auth in karaf

    This project contains a set of [[https://karaf.apache.org/manual/latest/#_feature_and_resolver][apache karaf features]] that fills two purposes
  1. Providing a forms based login mechanism for nginx (Note: the webapp provides only authentication. No authorization of individual URLs. All authenticated users get in)
  2. Providing a "poor man's single sign-on" for web applications running in the same apache karaf instance

Status of the project

file:https://travis-ci.org/steinarb/authservice.svg?branch=master file:https://coveralls.io/repos/steinarb/authservice/badge.svg file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=alert_status#.svg file:https://maven-badges.herokuapp.com/maven-central/no.priv.bang.authservice/authservice/badge.svg file:https://www.javadoc.io/badge/no.priv.bang.authservice/authservice.svg

SonarCloud

file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=ncloc#.svg file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=bugs#.svg file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=vulnerabilities#.svg file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=code_smells#.svg file:https://sonarcloud.io/api/project_badges/measure?project=no.priv.bang.authservice%3Aauthservice&metric=coverage#.svg

Installing on karaf

/Note/: The instructions here don't describe a production enviroment, but they describe setting up something that will let the service be startet.

The webapp needs PostgreSQL running, with a database named "ukelonn" containing the table users, and a no-password authentication scheme.

    Instructions:
  1. In bash, clone and build the authservice app:
    2. #+BEGIN_EXAMPLE mkdir -p ~/git/ cd ~/git/ git clone https://github.com/steinarb/authservice.git cd ~/git/authservice/ mvn clean install #+END_EXAMPLE
  2. [https://karaf.apache.org/manual/latest/quick-start.html][Follow the quick start guide to downloading, unpacking and starting apache karaf]]
  3. In the karaf shell, install the authservice feature repository
    4. #+BEGIN_EXAMPLE feature:repo-add mvn:no.priv.bang.authservice/authservice/LATEST/xml/features #+END_EXAMPLE
  4. In the karaf shell, install the feature that installs the authorization service that is used by nginx (this feature installs a set of test users, roles and features)
    5. #+BEGIN_EXAMPLE feature:install authservice-with-derby-dbrealm-and-session #+END_EXAMPLE
  5. Open a browser on the URL http://localhost:8181/authservice and do a login with a valid username/password combination (e.g. "admin/admin")
  6. Open a browser on the URL http://localhost:8181/authservice/check and verify that it doesn't return a 401 HTTP code
  7. Optionally install the user administration UI (not needed for using this service with nginx, but needed for administrating the access)
    8. #+BEGIN_EXAMPLE feature:install user-admin-with-derby #+END_EXAMPLE
  8. Open a browser on the URL http://localhost:8181/authservice/useradmin and test adding/modifying users, roles and permissions

Forms based login for nginx

    The webapp installed by the above installation instructions offers two URLs for use by the [[http://nginx.org/en/docs/http/ngx_http_auth_request_module.html][NGINX auth_request module]]:
  • /auth which will just check the login state of Apache Shiro, returning the status code 401 for failure and 200 for success
  • /login which contains a login form and will authenticate against Apache Shiro

The webapp is implemented as two servlets exposed as OSGi services, that will be picked up by the pax web whiteboard extender.

Installing and configuring nginx

    Instructions:
  1. Install nginx with the auth module. On debian this is done with the command
    2. #+BEGIN_EXAMPLE apt-get update apt-get install nginx-extras #+END_EXAMPLE
  2. Add the following to the /etc/nginx/sites-available/default (adapt this to the actual server/site in use):
    3. #+BEGIN_SRC conf server { listen 80 default_server; listen [::]:80 default_server;

root /var/www/html;

# Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html;

server_name _;

location /authservice { auth_request off; # Necessary for REST API POST to work, shiro will handle authorization here proxy_pass http://localhost:8181/authservice; proxy_cookie_path ~^/authservice.*$ /; proxy_set_header Host $host; }

# Avoid browser attempt at fetching favicon.ico triggering a login and redirecting # a 404 Not Found when there is no favicon.ico on the site (which is perferctly OK # for both the site and the browser) location /favicon.ico { auth_request off; }

location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; }

# Auth configuration auth_request /authservice/check; error_page 401 = @error401;

Installing and configuring postgresql

Installing and configuring apache karaf

Integrating with other webapps in karaf

    # If the user is not logged in, redirect to authservice login URL, with redirect information location @error401 { add_header X-Original-URI "$scheme://$http_host$request_uri"; add_header Set-Cookie "NSREDIRECT=$scheme://$http_host$request_uri"; return 302 /authservice/login } } #+END_SRC /Note/: only command examples for debian/ubuntu/etc. are shown, but the overall steps should work on a lot of platforms
  1. Install PostgreSQL, as root do the following command:
    2. #+BEGIN_EXAMPLE apt-get install postgresql #+END_EXAMPLE
  2. Add a PostgreSQL user named "karaf", as root do the following command
    3. #+BEGIN_EXAMPLE PGPASSWORD=karaf sudo -u postgres createuser karaf #+END_EXAMPLE /Note/: Replace the password in the PGPASSWORD environment variable with something other than the example and use that password in the karaf configuration
  3. Create an empty PostgreSQL database named "authservice" owned by user "karaf"
    4. #+BEGIN_EXAMPLE sudo -u postgres createdb -O karaf authservice #+END_EXAMPLE Instructions:
  4. Install apache karaf as a service, either using the karaf installation scripts or by using apt-get and the unofficial karaf deb package
  5. SSH in to the karaf console:
    6. #+BEGIN_EXAMPLE ssh -p 8101 karaf@localhost #+END_EXAMPLE The default password is "karaf" (without the quotes). It might be a good idea to change this. See the karaf documentation for how to change the password
  6. In the karaf console, do the following:
  7. Add connection configuration for the postgresql database:
    8. #+BEGIN_EXAMPLE config:edit no.priv.bang.authservice.db.postgresql.PostgresqlDatabase config:property-set authservice.db.jdbc.url "jdbc:postgresql:///authservice" config:property-set authservice.db.jdbc.user "karaf" config:property-set authservice.db.jdbc.password "karaf" config:update #+END_EXAMPLE /Note/: use the actual password given in the PGPASSWORD environment variable when creating the karaf user
  8. Install authservice from maven central:
    9. #+BEGIN_EXAMPLE feature:repo-add mvn:no.priv.bang.authservice/authservice/LATEST/xml/features feature:install user-admin-with-postgresql #+END_EXAMPLE
  9. Open a the nginx authservice URL in a web browser, e.g. https://myserver.com/authservice/ and:
  10. Log in as user "admin" with password "admin" (without the quotes)
  11. Click on the "User administration UI" link
  12. In the administration UI:
  13. Click on "Administrate users"
  14. Change the password of user "admin"
  15. Add users that are to be able to log in to nginx
    16. /Note/: The nginx config provides only authentication for nginx, no authorization based on the combination of path and role or permission. Therefore there is no need to add roles to users that only needs to log in Users that need to administrate other users, should get the useradmin role
  16. Add some links to the selfservice URLs from your website's top page (or whereever is convenient):
  17. Change password: https://myserver.com/authservice/password/
  18. Modify real namd and email: https://myserver.com/authservice/user
    There are several ways for a webapp to interact with authservice:
  1. Install authservice separately and add OSGi service injections for shiro Realm and Session (all user administration done in the authservice webapplication)
  2. Add the features for the liquibase database setup and the shiro Realm and Session and provide the necessary tables from a different web application's database
  3. Add the features for the authservice UserManagementService implementation, as well as the features for Realm and Session and and implement a user management GUI and webservice on top of the UserManagementService

...or various permutations of the above. With ukelonn I plan to add the authservice tables to the ukelonn database, and then let the ukelonn database provide the database for authservice itself. I have made a first step in the direction of authservice integration by basing ukelonn's user management on the UserManagementService OSGi service, so that it later can be replaced by the authservice implementation of the service.

License

This software is licensed under Apache Public License v 2.0.

See the LICENSE file for the full details.