This is a pax web whiteboard extender webapp that serves as authenticator and login page for the nginx_auth_request_module
Latest commit: Steinar Bang 6eeb0964a1 "Add version 2.0.4 to the release history of the README and update the version to 2.0.4 in the examples in the README" (1 week ago)

Path | Last change |
---|---|
.github | 1 week ago |
authservice | 1 week ago |
authservice-bom | 1 week ago |
jacoco-coverage-report | 1 week ago |
.editorconfig | 7 years ago |
.gitignore | 2 years ago |
LICENSE | 7 years ago |
README.org | 1 week ago |
pom.xml | 1 week ago |
My use case was this: I had a set of small OSGi web whiteboard web applications running in apache karaf fronted by nginx, and I wanted to have the same login and set of users across all web applications, and I wanted the same forms-based login for nginx as well. A sort of "poor man's single sign-on".
This project was my solution.
This project is an application that uses apache shiro to provide authentication and authorization.
Authservice creates a JDBC database for a shiro realm with users, roles and permissions, and an admin GUI to administer the database content.
It also creates a simple self-service GUI for logged-in users to change their user info (name, email) and to modify their own passwords.
/Note/: The instructions here don't describe a production environment; they describe setting up something that will let the service be started.
The webapp needs a running PostgreSQL with a database named "ukelonn" containing the table "users", reachable with a no-password authentication scheme.
The webapp is implemented as two servlets exposed as OSGi services, that will be picked up by the pax web whiteboard extender.
```nginx
root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location /authservice {
    auth_request off; # Necessary for REST API POST to work, shiro will handle authorization here
    proxy_pass http://localhost:8181/authservice;
    proxy_cookie_path ~^/authservice.*$ /;
    proxy_set_header Host $host;
}

# Avoid browser attempt at fetching favicon.ico triggering a login and redirecting
# a 404 Not Found when there is no favicon.ico on the site (which is perfectly OK
# for both the site and the browser)
location /favicon.ico {
    auth_request off;
}

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
}

# Auth configuration
auth_request /authservice/check;
error_page 401 = @error401;
```
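To make the routing decisions of the site config above concrete, here is a small model of it (an added example, not code from the authservice project): it shows which requests bypass the auth_request subrequest, what a valid or missing session cookie does to the rest, and why the `proxy_cookie_path` rewrite is needed for the session cookie to reach `/authservice/check` at all. It assumes shiro's default session cookie name `JSESSIONID`, a constructed session store in place of the shiro SessionDAO, and that the `@error401` named location (not shown above) redirects to the login page.

```python
from urllib.parse import quote

AUTH_EXEMPT = ("/authservice", "/favicon.ico")  # locations with auth_request off
LOGIN_URL = "/authservice/login"                # served by the GET /login resource
COOKIE_NAME = "JSESSIONID"                      # assumed: shiro's default session cookie name

# Constructed session store standing in for the shiro SessionDAO: session id -> user
VALID_SESSIONS = {"a1b2c3d4": "admin"}


def rewrite_cookie_path(set_cookie_path, rewrite_enabled=True):
    """Effect of 'proxy_cookie_path ~^/authservice.*$ /' on a Set-Cookie Path attribute."""
    if rewrite_enabled and set_cookie_path.startswith("/authservice"):
        return "/"
    return set_cookie_path


def browser_sends_cookie(request_uri, cookie_path):
    """A browser attaches a cookie only when the request path lies under the cookie's Path."""
    if cookie_path.endswith("/"):
        return request_uri.startswith(cookie_path)
    return request_uri == cookie_path or request_uri.startswith(cookie_path + "/")


def check_endpoint(session_id):
    """What /authservice/check answers the auth_request subrequest: 200 or 401."""
    return 200 if session_id in VALID_SESSIONS else 401


def route(request_uri, session_id=None, cookie_path="/"):
    """Decide a request as nginx does with the config above.

    session_id is the browser's JSESSIONID value (None if it has none) and
    cookie_path the Path the browser stored for it.  Returns (status, detail).
    """
    if request_uri.startswith(AUTH_EXEMPT):
        return 200, "auth_request off, passed straight through"
    sent = session_id if session_id and browser_sends_cookie(request_uri, cookie_path) else None
    if check_endpoint(sent) == 200:
        return 200, f"served by location / for user {VALID_SESSIONS[sent]}"
    # error_page 401 = @error401; the named location is assumed to redirect to the login page
    return 302, f"{LOGIN_URL}?redirect={quote(request_uri, safe='')}"


if __name__ == "__main__":
    print(route("/authservice/login"))
    print(route("/index.html"))                              # no cookie -> 302 to login
    print(route("/index.html", "a1b2c3d4"))                  # cookie path "/" -> 200
    print(route("/index.html", "a1b2c3d4", "/authservice"))  # no proxy_cookie_path rewrite -> 302
```

The last call shows the failure mode the rewrite prevents: a session cookie left with `Path=/authservice` is never sent for `/index.html`, so every page outside `/authservice` would loop back to the login form.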
```java
private Realm realm;
private SessionDAO session;
private static final Ini INI_FILE = new Ini();

static {
    // Can't use the Ini.fromResourcePath(String) method because it can't find
    // "shiro.ini" on the classpath in an OSGi context
    INI_FILE.load(UkelonnShiroFilter.class.getClassLoader().getResourceAsStream("shiro.ini"));
}

@Reference
public void setRealm(Realm realm) {
    this.realm = realm;
}

@Reference
public void setSession(SessionDAO session) {
    this.session = session;
}

@Activate
public void activate() {
    WebIniSecurityManagerFactory securityManagerFactory = new WebIniSecurityManagerFactory(INI_FILE);
    DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) securityManagerFactory.createInstance();
    // Sessions are stored through the injected SessionDAO rather than in-memory in the filter
    DefaultWebSessionManager sessionmanager = new DefaultWebSessionManager();
    sessionmanager.setSessionDAO(session);
    securityManager.setSessionManager(sessionmanager);
    setSecurityManager(securityManager);
    securityManager.setRealm(realm);
}
```
```ini
[users]
```
```java
@GET
@Path("/login")
@Produces(MediaType.TEXT_HTML)
public InputStream getLogin() {
    return getClass().getClassLoader().getResourceAsStream("web/login.html");
}

@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces("text/html")
public Response postLogin(@FormParam("username") String username, @FormParam("password") String password) {
    Subject subject = SecurityUtils.getSubject();

    // The third argument ("true") asks shiro to set a rememberMe cookie in addition to the session
    UsernamePasswordToken token = new UsernamePasswordToken(username, password.toCharArray(), true);
    try {
        subject.login(token);
        // The page's excerpt ends at subject.login(token); the rest of this method is an assumed
        // minimal completion, not the project's code
        return Response.ok(getLogin()).build();
    } catch (AuthenticationException e) {
        return Response.status(Response.Status.UNAUTHORIZED).entity(getLogin()).build();
    }
}
```
...or various permutations of the above. With ukelonn I plan to add the authservice tables to the ukelonn database, and then let the ukelonn database provide the database for authservice itself. I have made a first step in the direction of authservice integration by basing ukelonn's user management on the UserManagementService OSGi service, so that it can later be replaced by the authservice implementation of the service.
Short story: it should be possible. It should be possible to use a blank JDBC database that can be connected to with a combination of a JDBC URL, a username and a password.
Currently authservice operates with two databases: an in-memory derby with mock data used for tests and development, and a PostgreSQL database used for production deployments.
Authservice uses XML-syntax liquibase to set up the schema, straightforward SQL to insert initial data/mock data, and straightforward SQL to update and query the authservice database, so replacing both derby and PostgreSQL with other JDBC databases supported by liquibase (which is basically all of them) should be possible.
Please note, however, that none of the config below has been tested.
Date | Version | Comment |
---|---|---|
[2024-12-13] | 2.0.4 | Use liquibase 4.30.0, postgresql jdbc 42.7.4, shiro 2.0.2, bang-servlet 1.8.1 |
[2024-08-03] | 2.0.3 | Use jersey 2.44 and jackson 2.17.2 |
[2024-07-31] | 2.0.2 | Use liquibase 4.29.0 and jsoup 1.18.1 |
[2024-07-04] | 2.0.1 | Use liquibase 4.28.0 |
[2024-04-06] | 2.0.0 | Use shiro 2.0.1 and new record-based API of the UserService OSGi service |
[2024-04-06] | 1.15.20 | Use liquibase 4.27.0, build with node.js 20.12.0 and karaf 4.4.5 |
[2024-03-25] | 1.15.19 | Use postgresql jdbc 42.7.3, jersey 2.42, jackson 2.16.2 |
[2024-03-01] | 1.15.18 | Use postgresql jdbc 42.7.2 |
[2024-03-01] | 1.15.17 | Use version of JerseyServlet that supports shiro-jaxrs |
[2024-02-12] | 1.15.16 | Shiro version set by maven parent, no longer export shiro deps in the BOM |
[2023-12-13] | 1.15.15 | Use shiro 1.13.0, postgresql JDBC 42.7.1, jsoup 1.17.1 and mockito 5.8.0 |
[2023-12-12] | 1.15.14 | Use liquibase 4.24.0 |
[2023-11-14] | 1.15.13 | Use junit jupiter 5.10.1 and axios 1.6.1 |
[2023-11-05] | 1.15.12 | Use jersey 2.41, jackson 2.15.3, pax-jdbc 1.5.6, jsoup 1.16.2, junit jupiter 5.10.0, mockito 5.7.0, and mockrunner 2.0.7 |
[2023-10-31] | 1.15.11 | Use karaf 4.4.4 and updated npm dependencies |
[2023-07-30] | 1.15.10 | Use jersey 2.40 and jackson 2.15.2 |
[2023-07-08] | 1.15.9 | Use java 17 |
[2023-07-01] | 1.15.8 | Use liquibase 4.23.0 |
[2023-06-05] | 1.15.7 | Use shiro 1.11.0 |
[2023-04-26] | 1.15.6 | Use jersey-karaf-feature 1.9.4 and jackson 2.15.0 |
[2023-04-24] | 1.15.5 | Use jersey-karaf-feature 1.9.4, jersey 2.39.1 and jackson 2.14.2 |
[2023-04-23] | 1.15.4 | Avoid caching of user admin webapp |
[2023-03-06] | 1.15.3 | Use liquibase 4.19.0, karaf 4.4.3, pax-jdbc 1.5.5, postgresql jdbc 42.5.4, jsoup 1.15.4, junit jupiter 5.9.2, mockito 5.1.1, assertj 3.24.2 |
[2023-01-20] | 1.15.2 | Use bang servlet 1.6.4, frontend security fix |
[2022-12-09] | 1.15.1 | Fix broken BOM of authservice 1.15.0 |
[2022-12-08] | 1.15.0 | Use shiro 1.10.1 |
[2022-11-28] | 1.14.8 | Use jersey 2.37, jackson 2.14.1 (fixes CVE-2022-42003 and CVE-2022-42004), and bang-servlet 1.6.3 |
[2022-11-26] | 1.14.7 | Use postgresql jdbc 42.5.1 to fix CVE-2022-41946, use jsoup 1.15.3 to fix CVE-2022-36033 |
[2022-11-01] | 1.14.6 | Use liquibase 4.17.1, postgresql jdbc driver 42.4.1 and upgrade of all upgradable frontend packages |
[2022-08-21] | 1.14.5 | Use liquibase 4.15.0 |
[2022-08-10] | 1.14.4 | Use jersey 2.36, karaf 4.4.1, maven-bundle-plugin 5.1.8, jsoup 1.15.2, junit jupiter 5.9.0, mockito 4.6.1, assertj 3.23.1 |
[2022-08-09] | 1.14.3 | Use jersey 2.36 and postgresql jdbc driver 42.4.1 |
[2022-07-25] | 1.14.2 | Use karaf 4.4.1 |
[2022-06-01] | 1.14.1 | Use jackson 2.13.3, bang-osgi-service 1.8.0 and bang-servlet 1.6.1 |
[2022-05-29] | 1.14.0 | Use karaf 4.4.0 and OSGi 8 |
[2022-02-21] | 1.13.12 | Use Java 11, karaf 4.3.6, postgresql JDBC 42.3.3, jersey 2.35, jackson 2.13.1 and node.js 16.14.0 |
[2021-10-13] | 1.13.11 | karaf 4.3.3, postgresql JDBC 4.2.24, junit jupiter 5.8.1, mockito 4.0.0 and assertj 3.21.0 |
[2021-09-30] | 1.13.10 | Use jsoup 1.14.3 and axios 0.21.4 |
[2021-07-25] | 1.13.9 | Use PostgreSQL JDBC driver 4.2.23 |
[2021-06-15] | 1.13.8 | Use jersey 2.34 and jackson 12.3 |
[2021-06-13] | 1.13.7 | Add shiro dependencies to the authservice BoM |
[2021-06-12] | 1.13.6 | Stop dependencyManagement version leakage from the authservice BoM |
[2021-06-01] | 1.13.5 | Get OSGi 7 and OSGi 7 compendium versions from the karaf BoM |
[2021-05-24] | 1.13.4 | Use eslint in frontend, upgrade frontend deps, use OSGi 7 web whiteboard annotations |
[2021-05-02] | 1.13.3 | servlet 1.5.4, bootstrap 4.6.0 and node.js 14.16.1 |
[2021-04-19] | 1.13.2 | Provide a Bill of Materials to clients of the authservice |
[2021-04-15] | 1.13.1 | Get maven dependencies and maven plugin config from a parent POM |
[2021-04-12] | 1.13.0 | Built with karaf 4.3.0 and OSGi 7 |
[2021-03-21] | 1.12.3 | Get maven dependencies from the karaf 4.2.11 BoM |
[2021-03-14] | 1.12.2 | Use beans with builders from UserManagementService 1.6.1 |
[2021-01-24] | 1.12.1 | Use jersey 2.33 and JerseyServlet 1.4.0 |
[2021-01-19] | 1.12.0 | Use shiro 1.7.0 |
[2021-01-14] | 1.11.17 | fix build problems during release caused by the authservice.tests integration test |
[2021-01-14] | 1.11.16 | use axios 0.21.1 to fix github security alert, big rewrite of user admin frontend: use saga, redux simplification, use bootstrap navbar |
[2020-10-10] | 1.11.15 | Use PostgreSQL JDBC driver 42.2.17 |
[2020-09-26] | 1.11.14 | Use PostgreSQL JDBC driver 42.2.12 |
[2020-09-12] | 1.11.13 | Fix startup problem because InjectionFactory can't be found |
[2020-09-11] | 1.11.12 | Remove servicemix javax.inject from maven build and runtime dependencies |
[2020-07-29] | 1.11.11 | Use version 1.2.3 of FrontendServlet and JerseyServlet, fix sonar issues, build with karaf 4.2.8 |
[2020-07-29] | 1.11.10 | Use version 1.2.0 of FrontendServlet and JerseyServlet |
[2020-07-22] | 1.11.9 | Use liquibase 3.8.0 |
[2020-04-10] | 1.11.7 | Use jersey 2.30.1 and jackson 2.10.3 |
[2020-04-01] | 1.11.6 | Remove the use of deprecated classes and methods in the shiro setup |
[2020-03-26] | 1.11.5 | Use pax-web 7.2.14 (the version used by karaf 4.2.8) |
[2020-03-05] | 1.11.4 | Use runtime and compile dependency to jackson-databind 2.9.10.3 to fix security issue CVE-2020-8840 |
[2020-02-29] | 1.11.3 | Upgrade PostgreSQL JDBC to 42.2.10, react to 16.13.0, redux to 7.2.0, reduxjs toolkit to 1.2.5 and react-router to 5.1.2 |
[2020-02-27] | 1.11.2 | Uses JerseyServlet to implement the REST API, no functional changes (but different runtime dependencies) |
[2020-02-24] | 1.11.1 | Use Shiro 1.5.1 to fix SHIRO-742 |
[2020-02-08] | 1.11.0 | Use Shiro 1.5.0 and the JdbcRealm with base64 encoded salt from Shiro 1.5.0 (Note! This version isn't usable because of SHIRO-742) |
[2020-02-08] | 1.10.0 | Use jersey 2.30 and jackson 2.9.10.2 (Note! jersey 2.28 doesn't work on OSGi with JDK8 so with JDK8 you need this version of authservice) |
[2020-01-14] | 1.9.0 | Use FrontendServlet to serve the react frontend and styling |
[2019-12-31] | 1.8.0 | Let Immutable provide hashCode() and equals() implementation to user management beans |
[2019-12-07] | 1.7.1 | Move pax-jdbc-config from the master feature repository to the template feature.xml files of the liquibase PreHook maven modules |
[2019-11-15] | 1.7.0 | Replace DatabaseService with pax-jdbc-config (opens for using other RDBMSes than PostgreSQL and derby) |
[2019-11-05] | 1.6.0 | Upgrade jackson to 2.9.10.1 to fix github security alert, use DataServiceBase |
[2019-10-16] | 1.5.4 | Use DatabaseService from osgi-service 1.3.0 |
[2019-09-29] | 1.5.3 | Start authservice without updating liquibase schema if lock is held until liquibase lock timeout (5 minutes) |
[2019-09-25] | 1.5.2 | Upgrade jackson to 2.9.10 to fix github security alert |
[2019-09-24] | 1.5.1 | Remove leftover reference to feature postgresql-jdbc-karaf that broke feature loading in karaf |
[2019-09-23] | 1.5.0 | Use PostgreSQL JDBC driver version 4.2.8, which has its own karaf feature |
[2019-08-02] | 1.4.0 | Better bootstrap styling of links, frontend version upgrades, PostgreSQL JDBC plugin that survives reloads, fix github security warning |
[2019-06-10] | 1.3.0 | Make authservice build with openjdk-11 |
[2019-05-26] | 1.2.0 | Upgrade apache shiro to version 1.4.1 and upgrade jackson to version 2.9.9, fix webapp |