XmlBlaster Logo

REQUIREMENT

security.htpasswd

XmlBlaster Logo


Type NEW
Priority HIGH
Status CLOSED
Topic XmlBlaster provides a crypt password based authentication plugin
Des
cription

Authentication in xmlBlaster is based on plugins. The plugin described here is based on the UNIX /etc/passwd crypt password schema.

The password file

To get started with htpasswd authentication please setup a htpasswd file. Todo that, there are two methods to create a crypted password:

  1. Use httpasswd command found in Apache distribution
  2. Use jcrypt delivered with the xmlBlaster distribution (thanks to http://locutus.kingwoodcable.com/jfd/crypt.html and Eric Young, eay@psych.uq.oz.au)
java org.xmlBlaster.authentication.plugins.htpasswd.jcrypt <salt> <password>

[mad@kawa]$ java org.xmlBlaster.authentication.plugins.htpasswd.jcrypt yZ secret
            [yZ] [secret] => [yZ24stvIel1j6]

Cut/paste the password (here yZ24stvIel1j6) in your htpassword file (here xmlBlaster.htpasswd): 

Joel:yZ24stvIel1j6

Lines starting with '#' are comments and are ignored. Consequently you can't have user names starting with a '#' with the current implementation. Empty lines are ignored.

Configure xmlBlaster

To configure xmlBlaster for that htpasswd auth plugin add these lines in xmlBlaster.properties 

#for server :
Security.Server.Plugin[htpasswd][1.0]=org.xmlBlaster.authentication.plugins.htpasswd.Manager
Security.Server.Plugin.htpasswd.secretfile=${user.home}${file.separator}xmlBlaster.htpasswd

#for client :
Security.Client.Plugin[htpasswd][1.0]=org.xmlBlaster.authentication.plugins.htpasswd.ClientPlugin

Get it running

Start the xmlBlaster server

java -jar lib/xmlBlaster.jar

Start a client (all in one line), e.g.

java HelloWorld3 -Security.Client.DefaultPlugin htpasswd,1.0
                 -session.name <username> -passwd <username>

java HelloWorld3 -Security.Client.DefaultPlugin htpasswd,1.0 
                 -session.name Joel -passwd secret

In the log output of xmlBlaster server you should see something like:

SecurityPluginManager] Plugin 'org.xmlBlaster.authentication.plugins.htpasswd.Manager'
                       successfully initialized

Congratulations, you were authenticated by HTPASSWD !

The used connect() QoS which you can directly use from Python or Perl clients looks like this:

<qos>
 <securityService type="htpasswd" version="1.0">
   <user>Joel</user>
   <passwd>secret</passwd>
 </securityService>
 ...
</qos>

Now try an invalid password:

java HelloWorld3 -Security.Client.DefaultPlugin htpasswd,1.0 
                 -session.name Joel -passwd BadPassword

You should get an authentication error from HTPASSWD

That is not the best performing way for authentification, but it's very simple for managing 1 to 500 users.

Reload

The password file is reloaded on each login, but not on client-reconnect.

Wildcard user names

It is possible that the password file just contains a * instead of (username,password) tuples -> any username and password combination is authenticated. Same if setting Security.Server.Plugin.htpasswd.secretfile=NONE

Additionally you can add a *:<password> entry, for example '*:sd7aksf1f'. This is used if the user is not found explicitly in the password file and the wildcard setting is used as the general fallback password.

Partial user names

You can switch on authentication with partial user name by setting Security.Server.Plugin.htpasswd.allowPartialUsername=true. In this case if a username starts with or ends with the token given in the htpasswd file that password is used.

This may be useful for example for email based login names where all clients from the same email domain have the same password.
Example
Java

Here is a password file which authenticates the internal user __sys__jdbc with the password secret. 

__sys__jdbc:yZ24stvIel1j6
Example
all

Basic authorization

Here is a password file which does basic authorization on method name level, all use the password secret. 


guest:yZ24stvIel1j6:connect,disconnect,publish(tennis;sailing)
weatherAlert:yZ24stvIel1j6:connect,disconnect,publish("startsWith:weather.")
jogger:yZ24stvIel1j6:connect,disconnect,publish(jogging),subscribe(jogging),unSubscribe(jogging),erase(jogging)
joe:yZ24stvIel1j6:connect,disconnect,publish
snoopy:yZ24stvIel1j6:subscribe("exact:tennis";"domain:sport";"xpath:/xmlBlaster/key[starts-with(@oid,'sport.')]")
admin:yZ24stvIel1j6:!erase
other:yZ24stvIel1j6:! subscribe,unSubscribe
all:yZ24stvIel1j6::
__sys__jdbc:yZ24stvIel1j6
  • The user guest may only connect, disconnect.
    Additionally, he may publish on topics tennis and sailing.
  • The user jogger is specialized on handling the topic jogging.
  • The user admin may do anything, but not erase topics.
  • The user all may do anything once he is authenticated.
  • The user snoopy is authorized to do an EXACT subscribe on tennis, one XPATH and one DOMAIN specific subscribe, note that topic names without a schema prefix default to "exact:".

The method names are separated by commas ',', for a complete list of method names, see MethodName.java

A method name can be followed by round braces '(...)' containing topic oids separated by semicolons ';'. This is useful for publish, subscribe, unSubscribe, get and erase calls.

Note that the negation sign '!' at the beginning negates the complete list given.

Configure

Server side configuration

Property Default / Example Description Impl
Security.Server.Plugin[htpasswd][1.0] org.xmlBlaster. authentication.plugins. htpasswd.Manager Load/activate this plugin yes
Security.Server.Plugin. htpasswd.secretfile NONE Configure where to find the password file, NONE switches the passwd check off. A good name could be ${user.home} ${file.separator} xmlBlaster.htpasswd yes
Security.Server.Plugin. htpasswd.allowPartialUsername false Setting it to true allows to add the starting letters of login names to the password files. All users starting with this token are authenticated by the same password. This simplifies authentication administration. yes

Additional client side configuration

Property Default Description Impl
Security.Client.Plugin[htpasswd][1.0] org.xmlBlaster.authentication. plugins.htpasswd.ClientPlugin Load the plugin on client side yes

NOTE: Configuration parameters are specified on command line (-someValue 17) or in the xmlBlaster.properties file (someValue=17). See requirement "util.property" for details.
Columns named Impl tells you if the feature is implemented.
Columns named Hot tells you if the configuration is changeable in hot operation.

Todo
See REQ security.introduction
See REQ security.development.serverPlugin.howto
See REQ security.ldap
See API org.xmlBlaster.authentication.plugins.htpasswd.HtPasswd
See ../../src/java/org/xmlBlaster/authentication/plugins/htpasswd/README
See TEST org.xmlBlaster.test.authentication.TestAuthenticationHtPassWd
See TEST org.xmlBlaster.test.authentication.TestHtpasswdAuthorization

This page is generated from the requirement XML file xmlBlaster/doc/requirements/security.htpasswd.xml

Back to overview