How to configure a websocket service in Apache Knox with basic authentication


Problem description


I managed to configure a websocket service in Knox which for test purposes is ws://echo.websocket.org

Here are my configuration files:

service.xml

<service role="ECHOWS" name="echows" version="0.0.1">
  <policies>
    <policy role="webappsec"/>
    <policy role="authentication" name="Anonymous"/>
    <policy role="rewrite"/>
    <policy role="authorization"/>
  </policies>
  <routes>
    <route path="/echows">
      <rewrite apply="ECHOWS/echows/inbound" to="request.url"/>
    </route>
  </routes>
</service>

rewrite.xml

<rules>
  <rule dir="IN" name="ECHOWS/echows/inbound" pattern="*://*:*/**/echows">
    <rewrite template="{$serviceUrl[ECHOWS]}"/>
  </rule>
</rules>

{topology}.xml section:

<service>
    <role>ECHOWS</role>
    <url>ws://echo.websocket.org</url>
</service>

I can connect to it:

wscat -c wss://my-knox-server/gateway/default/echows
connected (press CTRL+C to quit)
> Hello Knox!
< Hello Knox!

But I'd like Knox to accept the connection only when proper credentials are given:

wscat --auth <username:password> -c wss://my-knox-server/gateway/default/echows

My Knox configuration for http services works in such a way that I have to provide credentials, otherwise I get 401:

curl -i https://my-knox-server/gateway/default/my_service/ping
HTTP/1.1 401 Unauthorized

curl -i -u '<user>:<password>' https://my-knox-server/gateway/default/my_service/ping
HTTP/1.1 200 OK

I'd like to achieve the same result with websockets.

[EDIT]

Moreover I don't fully understand the above service.xml configuration for my websocket service, since it is different than the simplest possible configuration for a http service I was able to use:

<service role="MY_APP" name="my_app" version="0.0.1">
    <routes>
        <route path="/my_app/**"/>
    </routes>
</service>

  1. Why do I need policies in the case of a websocket service, and what do they mean?
  2. Why does <routes>/<route> have a <rewrite> element and what are its semantics? Does it correspond to <rule>/<rewrite> from rewrite.xml? What does request.url mean there?

Solution

Good question, unfortunately the Authentication and Authorization mechanism in Knox is based on Http servlet filters which won't be applicable for Websocket.

One thing you can do is have an HTTP side that does the authentication and then opens up the websocket connection.

If you want you can open up a JIRA for this enhancement.

[EDIT]

Answers to followup questions

  1. In case of Websockets have no meaning, they are artifacts from http
  2. Again the in rewrites can be explained better with http context than with websocket. What they do is tell Knox when to apply the rewrite rule, i.e. request.url, request.body, response.url, response.body etc. Since rules are based on HTTP servlet filters, they are not used to rewrite websocket data. I believe there should be some JIRA lying around for that.
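
The approach suggested in the answer (let an HTTP side authenticate, then open the websocket) can be enforced on the opening handshake itself, because that handshake is an ordinary HTTP request. The sketch below is an added example, not part of the original answer and not Knox code; the `USERS` table, the function names and the sample request are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
USERS = {"alice": "correct-horse"}  # constructed demo credentials (assumption)

def parse_headers(raw: bytes) -> dict:
    """Return the request headers with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def basic_auth_ok(header: str) -> bool:
    """Validate an 'Authorization: Basic ...' header value against USERS."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    # Always run the constant-time comparison, then require a known user.
    ok = hmac.compare_digest(password.encode(), USERS.get(user, "").encode())
    return ok and user in USERS

def handle_upgrade(raw: bytes) -> bytes:
    """Answer a WebSocket opening handshake; authenticate before upgrading."""
    h = parse_headers(raw)
    if not basic_auth_ok(h.get("authorization", "")):
        return (b"HTTP/1.1 401 Unauthorized\r\n"
                b'WWW-Authenticate: Basic realm="ws"\r\n'
                b"Content-Length: 0\r\n\r\n")
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    digest = hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Accept: "
            + base64.b64encode(digest) + b"\r\n\r\n")

def sample_request(auth=None) -> bytes:
    """Constructed handshake; `auth` is an optional 'user:password' string."""
    lines = ["GET /echows HTTP/1.1", "Host: localhost", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if auth:
        lines.append("Authorization: Basic " + base64.b64encode(auth.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

The 101 response is only produced after the credential check passes, so an unauthenticated client gets the same 401 the question shows for the HTTP services.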
