
JAAS

With JAAS (Java Authentication and Authorization Service), small login modules can be written that plug authentication and authorization into larger systems.

A simple example: the HyperIoT Framework was integrated with ActiveMQ to handle device login over the MQTT protocol. The integration consists of a JAAS login module that is referenced directly from the ActiveMQ configuration.

HyperIoT already ships its own JAAS login module, which can be extended and customized to supply a different authentication and authorization implementation.

Customization is straightforward: override a single method that tells the module how to locate the AuthenticationProvider to use. The lookup is an OSGi service filter, which must match the service properties the AuthenticationProvider was registered with.

```java
@Component(service = {..., HyperIoTAuthenticationProvider.class}, immediate = true, property = {
        // service property that the JAAS module's OSGi filter matches against
        OSGI_AUTH_PROVIDER_RESOURCE + "=it.acsoftware.hyperiot.hdevice.model.HDevice"
})
public final class HDeviceServiceImpl extends HyperIoTBaseEntityServiceImpl<HDevice>
        implements HDeviceApi, HyperIoTAuthenticationProvider, HyperIoTOwnershipResourceService {
    ....

    @Override
    public HyperIoTAuthenticable login(String username, String password) {
        // credential verification is delegated to the system-level service
        return this.systemService.login(username, password);
    }
}
```

In the example above, a new authentication provider is declared that logs in entities of type HDevice (which implements HyperIoTAuthenticable). This requires registering the component under the HyperIoTAuthenticationProvider interface and implementing login. A service property is also set; the system uses it later to locate this provider.

This property tells the system that the registered provider logs in entities of type it.acsoftware.hyperiot.hdevice.model.HDevice. To register a JAAS module that uses this provider, extend the HyperIoT base JAAS module and override the method that selects the authentication provider.

```java
package it.acsoftware.hyperiot.mqtt.authentication.service.jaas;

import it.acsoftware.hyperiot.base.model.authentication.principal.HyperIoTTopicPrincipal;
import it.acsoftware.hyperiot.authentication.service.jaas.HyperIoTJaaSAuthenticationModule;
import it.acsoftware.hyperiot.base.api.entity.HyperIoTAuthenticable;
import it.acsoftware.hyperiot.base.util.HyperIoTConstants;
import it.acsoftware.hyperiot.base.util.HyperIoTUtil;
import it.acsoftware.hyperiot.hdevice.api.HDeviceSystemApi;
import it.acsoftware.hyperiot.hdevice.model.HDevice;
import it.acsoftware.hyperiot.hproject.api.HProjectSystemApi;
import it.acsoftware.hyperiot.hproject.model.HyperIoTTopicType;
import it.acsoftware.hyperiot.osgi.util.filter.OSGiFilterBuilder;
import org.apache.activemq.jaas.CertificateCallback;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;

public class HyperIoTJaaSMqttAuthenticationModule extends HyperIoTJaaSAuthenticationModule implements LoginModule {

    private static final Logger log = LoggerFactory.getLogger(HyperIoTJaaSMqttAuthenticationModule.class);

    ....

    /**
     * Selects the authentication provider: the base module looks up the OSGi service
     * whose OSGI_AUTH_PROVIDER_RESOURCE property matches the HDevice class name.
     */
    @Override
    protected String getAuthenticationProviderFilter() {
        String osgiFilter = OSGiFilterBuilder
                .createFilter(HyperIoTConstants.OSGI_AUTH_PROVIDER_RESOURCE, HDevice.class.getName())
                .getFilter();
        return osgiFilter;
    }

}
```

Once a Realm is registered that references the JAAS module shown above, logins through that realm are handled by the custom authentication provider.

Post-authentication actions (for example, attaching further principals to the authenticated Subject) can be performed by overriding the commit and postAuthentication methods.
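The whole pattern end to end, as an added, self-contained illustration that is not HyperIoT's code: a base login module that collects credentials through the JAAS CallbackHandler and resolves its provider through a filter string, a subclass that only overrides getAuthenticationProviderFilter and a post-authentication hook, a programmatic Realm (the equivalent of a login.config entry) binding a realm name to the module, and a provider registered in the role HDeviceServiceImpl plays. Everything outside the JDK is assumed: the DelegatingLoginModule, findProvider, NamedPrincipal, REGISTRY and RESOURCE_KEY names, the property key value, the resource name example.Device, the sample credentials, and the single-clause filter matcher that stands in for the OSGi service registry and Filter.match().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import java.util.regex.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DelegatingJaasDemo {
    /** Stand-in for HyperIoTAuthenticationProvider: credentials in, authenticated Principal out (null on failure). */
    public interface AuthenticationProvider { Principal login(String username, String password); }
    static final String RESOURCE_KEY = "hyperiot.auth.provider.resource";        // assumed property key
    static final String DEVICE_RESOURCE = "example.Device";                      // hypothetical resource class name
    static final Map<String, AuthenticationProvider> REGISTRY = new HashMap<>();  // stand-in for the OSGi service registry
    /** Minimal matcher for a single-clause LDAP-style filter "(key=value)"; a real OSGi framework uses Filter.match(). */
    static AuthenticationProvider findProvider(String filter) {
        Matcher m = Pattern.compile("^\\(([^=()]+)=([^()]*)\\)$").matcher(filter);
        if (!m.matches() || !RESOURCE_KEY.equals(m.group(1))) return null;
        return REGISTRY.get(m.group(2));
    }
    static final class NamedPrincipal implements Principal {
        final String type, name; NamedPrincipal(String t, String n) { type = t; name = n; }
        public String getName() { return name; } @Override public String toString() { return type + ":" + name; }
    }
    /** Base module: collects credentials through the CallbackHandler and delegates to the provider the subclass selects. */
    public static abstract class DelegatingLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Principal authenticated; private boolean committed;
        protected abstract String getAuthenticationProviderFilter();
        protected void postAuthentication(Subject subject, Principal principal) { } // hook for post-login actions; no-op by default
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback name = new NameCallback("username: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{name, pass}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot collect credentials: " + e); }
            AuthenticationProvider provider = findProvider(getAuthenticationProviderFilter());
            if (provider == null) throw new LoginException("no provider matches " + getAuthenticationProviderFilter());
            char[] pw = pass.getPassword(); pass.clearPassword();   // getPassword() returns a copy; wipe both once used
            authenticated = provider.login(name.getName(), pw == null ? "" : new String(pw));
            if (pw != null) Arrays.fill(pw, '\0');
            if (authenticated == null) throw new FailedLoginException("invalid credentials for " + name.getName());
            return true;
        }
        @Override public boolean commit() {
            if (authenticated == null) return false;   // this module's login failed: contribute nothing to the Subject
            subject.getPrincipals().add(authenticated);
            postAuthentication(subject, authenticated);
            return committed = true;
        }
        @Override public boolean abort() { authenticated = null; return true; }
        @Override public boolean logout() {
            if (committed) subject.getPrincipals().remove(authenticated);
            authenticated = null; committed = false; return true;
        }
    }

    /** Concrete module, in the role of HyperIoTJaaSMqttAuthenticationModule: override the filter and, optionally, the hook. */
    public static class DeviceLoginModule extends DelegatingLoginModule {
        @Override protected String getAuthenticationProviderFilter() { return "(" + RESOURCE_KEY + "=" + DEVICE_RESOURCE + ")"; }
        @Override protected void postAuthentication(Subject subject, Principal device) {
            subject.getPrincipals().add(new NamedPrincipal("topic", "devices/" + device.getName() + "/#"));
        }
    }

    /** Programmatic equivalent of a login.config entry: binds the realm name to the module with the REQUIRED flag. */
    static Configuration realm(String name, Class<? extends LoginModule> module) {
        AppConfigurationEntry entry = new AppConfigurationEntry(module.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap());
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return name.equals(n) ? new AppConfigurationEntry[]{entry} : null; }
        };
    }

    static Subject authenticate(String realmName, String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {                // a broker would fill these from the MQTT CONNECT packet
            for (Callback c : callbacks)
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
        };
        LoginContext ctx = new LoginContext(realmName, new Subject(), h, realm(realmName, DeviceLoginModule.class));
        ctx.login();                                       // drives login() then commit() (or abort()) on every module
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Map<String, String> store = Map.of("sensor-01", "s3cr3t");   // constructed sample credentials (plaintext, demo only)
        REGISTRY.put(DEVICE_RESOURCE, (u, p) -> {                    // the role HDeviceServiceImpl plays in HyperIoT
            String expected = store.get(u);
            return expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), p.getBytes(StandardCharsets.UTF_8)) ? new NamedPrincipal("device", u) : null;
        });
        System.out.println(authenticate("mqtt", "sensor-01", "s3cr3t").getPrincipals());
        try { authenticate("mqtt", "sensor-01", "wrong"); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with `javac DelegatingJaasDemo.java && java DelegatingJaasDemo`: the first login yields a Subject carrying both the device principal and the topic principal added by the hook, the second is rejected with a FailedLoginException. Two details matter when such a module is stacked with others under different control flags: commit() returns false rather than throwing when this module's own login failed, so it never contributes principals to a Subject it did not authenticate, and the password char[] copies are wiped as soon as the provider has seen them.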
