Methods to Connect
- If you are a Servlet in a Container, use CADI Framework with AAF Plugin. It’s very easy, and includes BasicAuth for Services.
- Java Technologies
- Technologies using Servlet Filters
- DME2 (and other Servlet Containers) can use Servlet Filters
- Any WebApp can plug in CADI as a Servlet Filter
- Jetty can attach a Servlet Filter with Code, or as WebApp
- Tomcat 7 has a “Valve” plugin, which is similar and supported
- Use the AAFLur Code directly (shown)
- All Java Technologies utilize Configuration to set what Security elements are required
- example: Global Login can be turned on/off, AAF Client needs information to connect to AAF Service
- There are several specialty cases, which AAF can work with, including embedding all properties in a Web.xml, but the essentials needed are:
- CADI Jars
- cadi.properties file (configured the same for all technologies)
- Encrypt passwords with included CADI technology, so that there are no Clear Text Passwords in Config Files (ASPR)
- See CADI Deployment on how to perform this with several different technologies.
- AAF Restfully (see RESTFul APIS)
IMPORTANT: If Direct RESTFul API is used, then it is the Client’s responsibility to Cache and avoid making an AAF Service Calls too often Example: A Tool like Cassandra will ask for Authentication hundreds of times a second for the same identity during a transaction. Calling the AAF Service for each would be slow for the client, and wasteful of Network and AAF Service Capacities. Rogue Clients can and will be denied access to AAF.
How to create CADI Keyfile & Encrypt Password
Password Encryption
CADI provides a method to encrypt data so that Passwords and other sensitive data can be stored safely.
Keygen (Generate local Symmetrical Key)
A Keyfile is created by Cadi Utility.
java -jar cadi-core-<version>.jar keygen <keyfile>
Given this key file unlocks any passwords created, it should be stored in your configuration directory and protected with appropriate access permissions. For instance, if your container is Tomcat, and runs with a "tomcat" id, then you should:
java -jar cadi-core-<version>.jar keygen keyfile chmod 400 keyfile chown tomcat:tomcat keyfile
Digest - Encrypt a Password
The password is obtained by using the Cadi digest Utility (contained in the cadi-core-<version>.jar).
java -jar cadi-core-<version>.jar digest <your_password> <keyfile>
- "<keyfile>" is created by Cadi Utility, #keygen
- Understand that if you change the keyfile, then you need to rerun "digest" on passwords used in the users/groups definitions.
- Note: You cannot mix versions of cadi; the version used to digest your password must be the same version used at runtime.
CADI PROPERTIES
CADI properties, typically named "cadi.properties", must have passwords encrypted.
- Take the results of the "Digest" command and prepend "enc:"
- Use this as the value of your property
Example: aaf_password=enc:fMKMBfKHlRWL68cxD5XSIWNKRNYi5dih2LEHRFMIsut