[CONF] Apache Camel > Shiro Security

[confluence]

Shiro Security Page edited by Ashwin Karpe Changes (2) h2. Shiro Security Component *Available as of Camel 2.5* The *shiro-security* component in Camel is a security focused component, based on the Apache Shiro security project. Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography. The objective of the Apache Shiro project is to provide the most robust and comprehensive application security framework available while also being very easy to understand and extremely simple to use. This camel shiro-security component allows authentication and authorization support to be applied to different segments of a camel route. Shiro security is applied on a route using a Camel Policy. A Policy in Camel utilizes a strategy pattern for applying interceptors on Camel Processors. It offering the ability to apply cross-cutting concerns (for example. security, transactions etc) on sections/segments of a camel route. Maven users will need to add the following dependency to their {{pom.xml}} for this component: {code:xml} <dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-shiro-security</artifactId> <version>x.x.x</version> <!-- use the same version as your Camel core version --> </dependency> {code} h3. Shiro Security Basics To employ Shiro security on a camel route, a ShiroSecurityPolicy object must be instantiated with security configuration details (including users, passwords, roles etc). This object must then be applied to a camel route. This ShiroSecurityPolicy Object may also be registered in the Camel registry (JNDI or ApplicationContextRegistry) and then utilized on other routes in the Camel Context. Configuration details are provided to the ShiroSecurityPolicy using an Ini file (properties file) or an Ini object. The Ini file is a standard Shiro configuration file containing user/role details as shown below {code} [users] # user 'ringo' with password 'starr' and the 'sec-level1' role ringo = starr, sec-level1 george = harrison, sec-level2 john = lennon, sec-level3 paul = mccartney, sec-level3 [roles] # 'sec-level3' role has all permissions, indicated by the # wildcard '*' sec-level3 = * # The 'sec-level2' role can do anything with access of permission # readonly (*) to help sec-level2 = zone1:* # The 'sec-level1' role can do anything with access of permission # readonly sec-level1 = zone1:readonly:* {code} h3. Instantiating a h3. Options {div:class=confluenceTableSmall} || Name || Default Value || Description || | {{keepAlive}} | {{true}} | Setting to ensure socket is not closed due to inactivity | | {{tcpNoDelay}} | {{true}} | Setting to improve TCP protocol performance | | {{broadcast}} | {{false}} | Setting to choose Multicast over UDP | | {{connectTimeout}} | {{10000}} | Time to wait for a socket connection to be available. Value is in millis. | | {{timeout}} | {{30000}} | Time to wait for a response to be received on a connection. Value is in millis. | | {{reuseAddress}} | {{true}} | Setting to facilitate socket multiplexing | | {{sync}} | {{true}} | Setting to set endpoint as one-way or request-response | | {{ssl}} | {{false}} | Setting to specify whether SSL encryption is applied to this endpoint | | {{sendBufferSize}} | {{65536 bytes}} | The TCP/UDP buffer sizes to be used during outbound communication. Size is bytes. | | {{receiveBufferSize}} | {{65536 bytes}} | The TCP/UDP buffer sizes to be used during inbound communication. Size is bytes. | | {{corePoolSize}} | {{10}} | The number of allocated threads at component startup. Defaults to 10 | | {{maxPoolSize}} | {{100}} | The maximum number of threads that may be allocated to this endpoint. Defaults to 100 | | {{disconnect}} | {{false}} | Whether or not to disconnect(close) from Netty Channel right after use. Can be used for both consumer and producer. | | {{lazyChannelCreation}} | {{true}} | Channels can be lazily created to avoid exceptions, if the remote server is not up and running when the Camel producer is started. | | {{transferExchange}} | {{false}} | Only used for TCP. You can transfer the exchange over the wire instead of just the body. The following fields are transferred: In body, Out body, fault body, In headers, Out headers, fault headers, exchange properties, exchange exception. This requires that the objects are serializable. Camel will exclude any non-serializable objects and log it at WARN level. | | {{disconnectOnNoReply}} | {{true}} | If sync is enabled then this option dictates NettyConsumer if it should disconnect where there is no reply to send back. | | {{noReplyLogLevel}} | {{WARN}} | If sync is enabled this option dictates NettyConsumer which logging level to use when logging a there is no reply to send back. Values are: {{FATAL, ERROR, INFO, DEBUG, OFF}}. | | {{allowDefaultCodec}} | {{true}} | *Camel 2.4:* The netty component installs a default codec if both, encoder/deocder is null and textline is false. Setting allowDefaultCodec to false prevents the netty component from installing a default codec as the first element in the filter chain. | | {{textline}} | {{false}} | *Camel 2.4:* Only used for TCP. If no codec is specified, you can use this flag to indicate a text line based codec; if not specified or the value is false, then Object Serialization is assumed over TCP. | | {{delimiter}} | {{LINE}} | *Camel 2.4:* The delimiter to use for the textline codec. Possible values are {{LINE}} and {{NULL}}. | | {{decoderMaxLineLength}} | {{1024}} | *Camel 2.4:* The max line length to use for the textline codec. | | {{autoAppendDelimiter}} | {{true}} | *Camel 2.4:* Whether or not to auto append missing end delimiter when sending using the textline codec. | | {{encoding}} | {{null}} | *Camel 2.4:* The encoding (a charset name) to use for the textline codec. If not provided, Camel will use the JVM default Charset. | {div} h3. Registry based Options Codec Handlers and SSL Keystores can be enlisted in the [Registry], such as in the Spring XML file. The values that could be passed in, are the following: {div:class=confluenceTableSmall} || Name || Description || | {{passphrase}} | password setting to use in order to encrypt/decrypt payloads sent using SSH | | {{keyStoreFormat}} | keystore format to be used for payload encryption. Defaults to "JKS" if not set | | {{securityProvider}} | Security provider to be used for payload encryption. Defaults to "SunX509" if not set. | | {{keyStoreFile}} | Client side certificate keystore to be used for encryption | | {{trustStoreFile}} | Server side certificate keystore to be used for encryption | | {{sslHandler}} | Reference to a class that could be used to return an SSL Handler | | {{encoder}} | A custom Handler class that can be used to perform special marshalling of outbound payloads. Must override {{org.jboss.netty.channel.ChannelDownStreamHandler}}. | | {{encorders}} | A list of encoder to be used. You can use a String which have values separated by comma, and have the values be looked up in the [Registry]. Just remember to prefix the value with # so Camel knows it should lookup. | | {{decoder}} | A custom Handler class that can be used to perform special marshalling of inbound payloads. Must override {{org.jboss.netty.channel.ChannelUpStreamHandler}}. | | {{decoders}} | A list of decorder to be used. You can use a String which have values separated by comma, and have the values be looked up in the [Registry]. Just remember to prefix the value with # so Camel knows it should lookup. | {div} h3. Sending Messages to/from a Netty endpoint h4. Netty Producer In Producer mode, the component provides the ability to send payloads to a socket endpoint using either TCP or UDP protocols (with optional SSL support). The producer mode supports both one-way and request-response based operations. h4. Netty Consumer In Consumer mode, the component provides the ability to: - listen on a specified socket using either TCP or UDP protocols (with optional SSL support), - receive requests on the socket using text/xml, binary and serialized object based payloads and - send them along on a route as message exchanges. The consumer mode supports both one-way and request-response based operations. h3. Usage Samples h4. A UDP Netty endpoint using Request-Reply and serialized object payload {code} RouteBuilder builder = new RouteBuilder() { public void configure() { from("netty:udp://localhost:5155?sync=true") .process(new Processor() { public void process(Exchange exchange) throws Exception { Poetry poetry = (Poetry) exchange.getIn().getBody(); poetry.setPoet("Dr. Sarojini Naidu"); exchange.getOut().setBody(poetry); } } } }; {code} h4. A TCP based Netty consumer endpoint using One-way communication {code} RouteBuilder builder = new RouteBuilder() { public void configure() { from("netty:tcp://localhost:5150") .to("mock:result"); } }; {code} h4. An SSL/TCP based Netty consumer endpoint using Request-Reply communication {code} JndiRegistry registry = new JndiRegistry(createJndiContext()); registry.bind("password", "changeit"); registry.bind("ksf", new File("src/test/resources/keystore.jks")); registry.bind("tsf", new File("src/test/resources/keystore.jks")); context.createRegistry(registry); context.addRoutes(new RouteBuilder() { public void configure() { String netty_ssl_endpoint = "netty:tcp://localhost:5150sync=true&ssl=true&passphrase=#password" + "&keyStoreFile=#ksf&trustStoreFile=#tsf"; String return_string = "When You Go Home, Tell Them Of Us And Say," + "For Your Tomorrow, We Gave Our Today."; from(netty_ssl_endpoint) .process(new Processor() { public void process(Exchange exchange) throws Exception { exchange.getOut().setBody(return_string); } } } }); {code} h4. Using Multiple Codecs In certain cases it may be necessary to add chains of encoders and decoders to the netty pipeline. To add multpile codecs to a camel netty endpoint the 'encoders' and 'decoders' uri parameters should be used. Like the 'encoder' and 'decoder' parameters they are used to supply references (to lists of ChannelUpstreamHandlers and ChannelDownstreamHandlers) that should be added to the pipeline. Note that if encoders is specified then the encoder param will be ignored, similarly for decoders and the decoder param. The lists of codecs need to be added to the Camel's registry so they can be resolved when the endpoint is created. {snippet:id=registry-beans|lang=java|url="" Spring's native collections support can be used to specify the codec lists in an application context {snippet:id=registry-beans|lang=xml|url="" The bean names can then be used in netty endpoint definitions either as a comma separated list or contained in a List e.g. {snippet:id=routes|lang=java|url="" or via spring. {snippet:id=routes|lang=xml|url="" h3. Closing Channel When Complete When acting as a server you sometimes want to close the channel when, for example, a client conversion is finished. You can do this by simply setting the endpoint option {{disconnect=true}}. However you can also instruct Camel on a per message basis as follows. To instruct Camel to close the channel, you should add a header with the key {{CamelNettyCloseChannelWhenComplete}} set to a boolean {{true}} value. For instance, the example below will close the channel after it has written the bye message back to the client: {code} from("netty:tcp://localhost:8080").process(new Processor() { public void process(Exchange exchange) throws Exception { String body = exchange.getIn().getBody(String.class); exchange.getOut().setBody("Bye " + body); // some condition which determines if we should close if (close) { exchange.getOut().setHeader(NettyConstants.NETTY_CLOSE_CHANNEL_WHEN_COMPLETE, true); } } }); {code} {include:Endpoint See Also} - [Mina] Full Content Shiro Security Component Available as of Camel 2.5 The shiro-security component in Camel is a security focused component, based on the Apache Shiro security project. Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography. The objective of the Apache Shiro project is to provide the most robust and comprehensive application security framework available while also being very easy to understand and extremely simple to use. This camel shiro-security component allows authentication and authorization support to be applied to different segments of a camel route. Shiro security is applied on a route using a Camel Policy. A Policy in Camel utilizes a strategy pattern for applying interceptors on Camel Processors. It offering the ability to apply cross-cutting concerns (for example. security, transactions etc) on sections/segments of a camel route. Maven users will need to add the following dependency to their pom.xml for this component: <dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-shiro-security</artifactId> <version>x.x.x</version> <!-- use the same version as your Camel core version --> </dependency> Shiro Security Basics To employ Shiro security on a camel route, a ShiroSecurityPolicy object must be instantiated with security configuration details (including users, passwords, roles etc). This object must then be applied to a camel route. This ShiroSecurityPolicy Object may also be registered in the Camel registry (JNDI or ApplicationContextRegistry) and then utilized on other routes in the Camel Context. Configuration details are provided to the ShiroSecurityPolicy using an Ini file (properties file) or an Ini object. The Ini file is a standard Shiro configuration file containing user/role details as shown below [users] # user 'ringo' with password 'starr' and the 'sec-level1' role ringo = starr, sec-level1 george = harrison, sec-level2 john = lennon, sec-level3 paul = mccartney, sec-level3 [roles] # 'sec-level3' role has all permissions, indicated by the # wildcard '*' sec-level3 = * # The 'sec-level2' role can do anything with access of permission # readonly (*) to help sec-level2 = zone1:* # The 'sec-level1' role can do anything with access of permission # readonly sec-level1 = zone1:readonly:* Instantiating a Options Name Default Value Description keepAlive true Setting to ensure socket is not closed due to inactivity tcpNoDelay true Setting to improve TCP protocol performance broadcast false Setting to choose Multicast over UDP connectTimeout 10000 Time to wait for a socket connection to be available. Value is in millis. timeout 30000 Time to wait for a response to be received on a connection. Value is in millis. reuseAddress true Setting to facilitate socket multiplexing sync true Setting to set endpoint as one-way or request-response ssl false Setting to specify whether SSL encryption is applied to this endpoint sendBufferSize 65536 bytes The TCP/UDP buffer sizes to be used during outbound communication. Size is bytes. receiveBufferSize 65536 bytes The TCP/UDP buffer sizes to be used during inbound communication. Size is bytes. corePoolSize 10 The number of allocated threads at component startup. Defaults to 10 maxPoolSize 100 The maximum number of threads that may be allocated to this endpoint. Defaults to 100 disconnect false Whether or not to disconnect(close) from Netty Channel right after use. Can be used for both consumer and producer. lazyChannelCreation true Channels can be lazily created to avoid exceptions, if the remote server is not up and running when the Camel producer is started. transferExchange false Only used for TCP. You can transfer the exchange over the wire instead of just the body. The following fields are transferred: In body, Out body, fault body, In headers, Out headers, fault headers, exchange properties, exchange exception. This requires that the objects are serializable. Camel will exclude any non-serializable objects and log it at WARN level. disconnectOnNoReply true If sync is enabled then this option dictates NettyConsumer if it should disconnect where there is no reply to send back. noReplyLogLevel WARN If sync is enabled this option dictates NettyConsumer which logging level to use when logging a there is no reply to send back. Values are: FATAL, ERROR, INFO, DEBUG, OFF. allowDefaultCodec true Camel 2.4: The netty component installs a default codec if both, encoder/deocder is null and textline is false. Setting allowDefaultCodec to false prevents the netty component from installing a default codec as the first element in the filter chain. textline false Camel 2.4: Only used for TCP. If no codec is specified, you can use this flag to indicate a text line based codec; if not specified or the value is false, then Object Serialization is assumed over TCP. delimiter LINE Camel 2.4: The delimiter to use for the textline codec. Possible values are LINE and NULL. decoderMaxLineLength 1024 Camel 2.4: The max line length to use for the textline codec. autoAppendDelimiter true Camel 2.4: Whether or not to auto append missing end delimiter when sending using the textline codec. encoding null Camel 2.4: The encoding (a charset name) to use for the textline codec. If not provided, Camel will use the JVM default Charset. Registry based Options Codec Handlers and SSL Keystores can be enlisted in the Registry, such as in the Spring XML file. The values that could be passed in, are the following: Name Description passphrase password setting to use in order to encrypt/decrypt payloads sent using SSH keyStoreFormat keystore format to be used for payload encryption. Defaults to "JKS" if not set securityProvider Security provider to be used for payload encryption. Defaults to "SunX509" if not set. keyStoreFile Client side certificate keystore to be used for encryption trustStoreFile Server side certificate keystore to be used for encryption sslHandler Reference to a class that could be used to return an SSL Handler encoder A custom Handler class that can be used to perform special marshalling of outbound payloads. Must override org.jboss.netty.channel.ChannelDownStreamHandler. encorders A list of encoder to be used. You can use a String which have values separated by comma, and have the values be looked up in the Registry. Just remember to prefix the value with # so Camel knows it should lookup. decoder A custom Handler class that can be used to perform special marshalling of inbound payloads. Must override org.jboss.netty.channel.ChannelUpStreamHandler. decoders A list of decorder to be used. You can use a String which have values separated by comma, and have the values be looked up in the Registry. Just remember to prefix the value with # so Camel knows it should lookup. Sending Messages to/from a Netty endpoint Netty Producer In Producer mode, the component provides the ability to send payloads to a socket endpoint using either TCP or UDP protocols (with optional SSL support). The producer mode supports both one-way and request-response based operations. Netty Consumer In Consumer mode, the component provides the ability to: listen on a specified socket using either TCP or UDP protocols (with optional SSL support), receive requests on the socket using text/xml, binary and serialized object based payloads and send them along on a route as message exchanges. The consumer mode supports both one-way and request-response based operations. Usage Samples A UDP Netty endpoint using Request-Reply and serialized object payload RouteBuilder builder = new RouteBuilder() { public void configure() { from("netty:udp://localhost:5155?sync=true") .process(new Processor() { public void process(Exchange exchange) throws Exception { Poetry poetry = (Poetry) exchange.getIn().getBody(); poetry.setPoet("Dr. Sarojini Naidu"); exchange.getOut().setBody(poetry); } } } }; A TCP based Netty consumer endpoint using One-way communication RouteBuilder builder = new RouteBuilder() { public void configure() { from("netty:tcp://localhost:5150") .to("mock:result"); } }; An SSL/TCP based Netty consumer endpoint using Request-Reply communication JndiRegistry registry = new JndiRegistry(createJndiContext()); registry.bind("password", "changeit"); registry.bind("ksf", new File("src/test/resources/keystore.jks")); registry.bind("tsf", new File("src/test/resources/keystore.jks")); context.createRegistry(registry); context.addRoutes(new RouteBuilder() { public void configure() { String netty_ssl_endpoint = "netty:tcp://localhost:5150sync=true&ssl=true&passphrase=#password" + "&keyStoreFile=#ksf&trustStoreFile=#tsf"; String return_string = "When You Go Home, Tell Them Of Us And Say," + "For Your Tomorrow, We Gave Our Today."; from(netty_ssl_endpoint) .process(new Processor() { public void process(Exchange exchange) throws Exception { exchange.getOut().setBody(return_string); } } } }); Using Multiple Codecs In certain cases it may be necessary to add chains of encoders and decoders to the netty pipeline. To add multpile codecs to a camel netty endpoint the 'encoders' and 'decoders' uri parameters should be used. Like the 'encoder' and 'decoder' parameters they are used to supply references (to lists of ChannelUpstreamHandlers and ChannelDownstreamHandlers) that should be added to the pipeline. Note that if encoders is specified then the encoder param will be ignored, similarly for decoders and the decoder param. The lists of codecs need to be added to the Camel's registry so they can be resolved when the endpoint is created. LengthFieldBasedFrameDecoder lengthDecoder = new LengthFieldBasedFrameDecoder(1048576, 0, 4, 0, 4); StringDecoder stringDecoder = new StringDecoder(); registry.bind("length-decoder", lengthDecoder); registry.bind("string-decoder", stringDecoder); LengthFieldPrepender lengthEncoder = new LengthFieldPrepender(4); StringEncoder stringEncoder = new StringEncoder(); registry.bind("length-encoder", lengthEncoder); registry.bind("string-encoder", stringEncoder); List<ChannelUpstreamHandler> decoders = new ArrayList<ChannelUpstreamHandler>(); decoders.add(lengthDecoder); decoders.add(stringDecoder); List<ChannelDownstreamHandler> encoders = new ArrayList<ChannelDownstreamHandler>(); encoders.add(lengthEncoder); encoders.add(stringEncoder); registry.bind("encoders", encoders); registry.bind("decoders", decoders); Spring's native collections support can be used to specify the codec lists in an application context <util:list id="decoders" list-class="java.util.LinkedList"> <bean class="org.jboss.netty.handler.codec.frame.LengthFieldBasedFrameDecoder"> <constructor-arg value="1048576"/> <constructor-arg value="0"/> <constructor-arg value="4"/> <constructor-arg value="0"/> <constructor-arg value="4"/> </bean> <bean class="org.jboss.netty.handler.codec.string.StringDecoder"/> </util:list> <util:list id="encoders" list-class="java.util.LinkedList"> <bean class="org.jboss.netty.handler.codec.frame.LengthFieldPrepender"> <constructor-arg value="4"/> </bean> <bean class="org.jboss.netty.handler.codec.string.StringEncoder"/> </util:list> <bean id="length-encoder" class="org.jboss.netty.handler.codec.frame.LengthFieldPrepender"> <constructor-arg value="4"/> </bean> <bean id="string-encoder" class="org.jboss.netty.handler.codec.string.StringEncoder"/> <bean id="length-decoder" class="org.jboss.netty.handler.codec.frame.LengthFieldBasedFrameDecoder"> <constructor-arg value="1048576"/> <constructor-arg value="0"/> <constructor-arg value="4"/> <constructor-arg value="0"/> <constructor-arg value="4"/> </bean> <bean id="string-decoder" class="org.jboss.netty.handler.codec.string.StringDecoder"/> </beans> The bean names can then be used in netty endpoint definitions either as a comma separated list or contained in a List e.g. from("direct:multiple-codec").to("netty:tcp://localhost:5150?encoders=#encoders&sync=false"); from("netty:tcp://localhost:5150?decoders=#length-decoder,#string-decoder&sync=false").to("mock:multiple-codec"); } }; } } or via spring. <camelContext id="multiple-netty-codecs-context" xmlns="http://camel.apache.org/schema/spring"> <route> <from uri="direct:multiple-codec"/> <to uri="netty:tcp://localhost:5150?encoders=#encoders&amp;sync=false"/> </route> <route> <from uri="netty:tcp://localhost:5150?decoders=#length-decoder,#string-decoder&amp;sync=false"/> <to uri="mock:multiple-codec"/> </route> </camelContext> Closing Channel When Complete When acting as a server you sometimes want to close the channel when, for example, a client conversion is finished. You can do this by simply setting the endpoint option disconnect=true. However you can also instruct Camel on a per message basis as follows. To instruct Camel to close the channel, you should add a header with the key CamelNettyCloseChannelWhenComplete set to a boolean true value. For instance, the example below will close the channel after it has written the bye message back to the client: from("netty:tcp://localhost:8080").process(new Processor() { public void process(Exchange exchange) throws Exception { String body = exchange.getIn().getBody(String.class); exchange.getOut().setBody("Bye " + body); // some condition which determines if we should close if (close) { exchange.getOut().setHeader(NettyConstants.NETTY_CLOSE_CHANNEL_WHEN_COMPLETE, true); } } }); See Also Configuring Camel Component Endpoint Getting Started MINA Change Notification Preferences View Online | View Changes | Add Comment