The JAAS JDBC login module enables you to store user data in a database back-end, using
Java Database Connectivity (JDBC) to connect to the database. Hence, you can use any
database that supports JDBC to store your user data. To manage the user data, you can use
either the native database client tools or the jaas:* console commands (where
the backing engine uses configured SQL queries to perform the relevant database
updates).
The JAAS JDBC Login Module authenticates username/password credentials, returning the list of roles associated with the authenticated user.
The following classes implement the JAAS JDBC Login Module:
org.apache.karaf.jaas.modules.jdbc.JDBCLoginModuleImplements the JAAS login module.
org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactoryMust be exposed as an OSGi service. This service makes it possible for you to manage the user data using the
jaas:*console commands from the Apache Karaf shell (see JAAS Console Commands in Console Reference).
The JAAS JDBC login module supports the following options:
- datasource
The JDBC data source, specified either as an OSGi service or as a JNDI name. You can specify a data source's OSGi service using the following syntax:
osgi:
ServiceInterfaceName[/ServicePropertiesFilter]The
ServiceInterfaceNameis the interface or class that is exported by the data source's OSGi service (usuallyjavax.sql.DataSource).Because multiple data sources can be exported as OSGi services in a container, it is usually necessary to specify a filter,
ServicePropertiesFilter, to select the particular data source that you want. Filters on OSGi services are applied to the service property settings and follow a syntax that is borrowed from LDAP filter syntax.- query.password
The SQL query that retrieves the user's password. The query can contain a single question mark character,
?, which is substituted by the username at run time.- query.role
The SQL query that retrieves the user's roles. The query can contain a single question mark character,
?, which is substituted by the username at run time.- insert.user
The SQL query that creates a new user entry. The query can contain two question marks,
?, characters: the first question mark is substituted by the username and the second question mark is substituted by the password at run time.- insert.role
The SQL query that adds a role to a user entry. The query can contain two question marks,
?, characters: the first question mark is substituted by the username and the second question mark is substituted by the role at run time.- delete.user
The SQL query that deletes a user entry. The query can contain a single question mark character,
?, which is substituted by the username at run time.- delete.role
The SQL query that deletes a role from a user entry. The query can contain two question marks,
?, characters: the first question mark is substituted by the username and the second question mark is substituted by the role at run time.- delete.roles
The SQL query that deletes multiple roles from a user entry. The query can contain a single question mark character,
?, which is substituted by the username at run time.
To set up a JDBC login module, perform the following main steps:
Before you can set up the JDBC login module, you must set up a users table and a roles
table in the backing database to store the user data. For example, the following SQL
commands show how to create a suitable users table and roles
table:
CREATE TABLE users ( username varchar(255) NOT NULL, password varchar(255) NOT NULL, PRIMARY KEY (username) ); CREATE TABLE roles ( username varchar(255) NOT NULL, role varchar(255) NOT NULL, PRIMARY KEY (username,role) );
The users table stores username/password data and the roles
table associates a username with one or more roles.
To use a JDBC datasource with the JDBC login module, the correct approach to take is to
create a data source instance and export the data source as an OSGi service. The JDBC login
module can then access the data source by referencing the exported OSGi service. For
example, you could create a MySQL data source instance and expose it as an OSGi service (of
javax.sql.DataSource type) using code like the following in a Blueprint
file:
<blueprint xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0">
<bean class="com.mysql.jdbc.jdbc2.optional.MysqlDataSource" id="mysqlDatasource">
<property name="serverName" value="localhost"></property>
<property name="databaseName" value="DBName"></property>
<property name="port" value="3306"></property>
<property name="user" value="DBUser"></property>
<property name="password" value="DBPassword"></property>
</bean>
<service id="mysqlDS" interface="javax.sql.DataSource" ref="mysqlDatasource">
<service-properties>
<entry key="osgi.jndi.service.name" value="jdbc/karafdb"/>
</service-properties>
</service>
</blueprint>The preceding Blueprint configuration should be packaged and installed in the container as an OSGi bundle.
After the data source has been instantiated and exported as an OSGi service, you are
ready to configure the JDBC login module. In particular, the datasource option
of the JDBC login module can reference the data source's OSGi service using the following
syntax:
osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
Where javax.sql.DataSource is the interface type of the exported OSGi
service and the filter, (osgi.jndi.service.name=jdbc/karafdb), selects the
particular javax.sql.DataSource instance whose
osgi.jndi.service.name service property has the value,
jdbc/karafdb.
For example, you can use the following Blueprint configuration to override the
karaf realm with a JDBC login module that references the sample MySQL data
source:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
<!-- Allow usage of System properties, especially the karaf.base property -->
<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
<jaas:config name="karaf" rank="2">
<jaas:module className="org.apache.karaf.jaas.modules.jdbc.JDBCLoginModule"
flags="required">
datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
query.role = SELECT ROLE FROM ROLES WHERE USERNAME=?
insert.user = INSERT INTO USERS VALUES(?,?)
insert.role = INSERT INTO ROLES VALUES(?,?)
delete.user = DELETE FROM USERS WHERE USERNAME=?
delete.role = DELETE FROM ROLES WHERE USERNAME=? AND ROLE=?
delete.roles = DELETE FROM ROLES WHERE USERNAME=?
</jaas:module>
</jaas:config>
<!-- The Backing Engine Factory Service for the JDBCLoginModule -->
<service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
<bean class="org.apache.karaf.jaas.modules.jdbc.JDBCBackingEngineFactory"/>
</service>
</blueprint>![[Note]](imagesdb/note.gif) | Note |
|---|---|
The SQL statements shown in the preceding configuration are in fact the default values of these options. Hence, if you create user and role tables consistent with these SQL statements, you could omit the options settings and rely on the defaults. |
In addition to creating a JDBCLoginModule, the preceding Blueprint configuration also
instantiates and exports a JDBCBackingEngineFactory instance, which enables you
to manage the user data using the jaas:* console commands.
 |  |  |
 |
