Web Console Security Provider

As of Apache Felix Web Console 3.1.0 security of the Web Console can be extended by providing a WebConsoleSecurityProvicer service. An extension to this service has been introduced with the WebConsoleSecurityProvider2 service in Apache Felix Web Console 3.1.4.

As of Web Console 4.3.16 it is now possible to require a WebConsoleSecurityProvider service to be present in order for the Web Console to become active. This can be used to prevent bypassing the security provider if this is provided asynchronously. To do this, the WebConsoleSecurityProvider service needs to be registered with a Service Registration property to identify itself:

"webconsole.security.provider.id" = "my.security.provider"

Then the Web Console can be informed about the security providers it needs to operate by setting the following OSGi Framework property:

"felix.webconsole.security.providers" = "my.security.provider"

With this property specified, the Web Console will not activate until the service with the specified property is present. Local login as typically done with admin/password is disabled when this property is specified.


The WebConsoleSecurityProvider service provides two methods:

{code:java} /**

  • Authenticates the user with the given user name and password. *

  • @param username The name of the user presented by the client

  • @param password The password presented by the client

  • @return Some object representing the authenticated user indicating general

  • access to be granted to the web console. If the user cannot be

  • authenticated (e.g. unknown user name or wrong password) or the

  • user must not be allowed access to the web console at all

  • null must be returned from this method. */ public Object authenticate( String username, String password );


  • Checks whether bthe authenticated user has the given role permission. *

  • @param user The object referring to the authenticated user. This is the

  • object returned from the {@link #authenticate(String, String)}

  • method and will never be null.

  • @param role The requested role

  • @return true if the user is given permission for the given

  • role. */ public boolean authorize( Object user, String role );

Use of the {{authorize}} method is not currently implemented, though. Mainly this is because it is not readily clear, what exactly the {{role}} means. One possible interpretation could be that this is the label of the plugin whose access is checked. Or it might be a combination of the plugin called and the request method used.

The drawback of the {{WebConsoleSecurityProvider}} interface is that it just provides a mechanism to check for a user name and password using HTTP BASIC authentication. If other authenication mechanisms should be used the {{WebConsoleSecurityProvider2}} interface introduced in Apache Felix Web Console 3.1.4 can be used.

h2. WebConsoleSecurityProvider2

The {{WebConsoleSecurityProvider2}} interface extends the {{WebConsoleSecurityProvider}} by a single method:

 * The name of the request attribute providing the object representing the
 * authenticated user. This object is used to call the
 * {@link WebConsoleSecurityProvider#authorize(Object, String)} to
 * authorize access for certain roles.
String USER_ATTRIBUTE = "org.apache.felix.webconsole.user";

 * Authenticates the given request or asks the client for credentials.
 * <p>
 * Implementations of this method are expected to respect and implement
 * the semantics of the <code>HttpContext.handleSecurity</code> method
 * as specified in the OSGi HTTP Service specification.
 * <p>
 * If this method returns <code>true</code> it is assumed the request
 * provided valid credentials identifying the user as accepted to access
 * the web console. In addition, the {@link #USER_ATTRIBUTE} request
 * attribute must be set to a non-<code>null</code> object reference
 * identifying the authenticated user.
 * <p>
 * If this method returns <code>false</code> the request to the web console
 * is terminated without any more response sent back to the client. That is
 * the implementation is expected to have informed the client in case of
 * non-granted access.
 * @param request The request object
 * @param response The response object
 * @return <code>true</code> If the request provided valid credentials.
public boolean authenticate( HttpServletRequest request, HttpServletResponse response );

This method is in full control of authentication and thus has to extract the user credentials from the request and can also fail the request.


A sample of a WebConsoleSecurityProvider service is the Apache Sling implementation SlingWebConsoleSecurityProvider. This implementation uses a JCR implementation to login to the repository and thus validate the credentials.