How to add the entry Export-Package in the OSGi header of a bundle with Maven? (dependencies)

ngennart · March 15, 2022, 10:46am

Hi everyone,

I try to check the user’s token and roles every time he requests his items in the org.openhab.core.io.rest.auth bundle at the /openhab-core/bundles/org.openhab.core.io.rest.auth location in the openhab-core project, in this code fragment:

For this the org.openhab.core.io.rest.core bundle at the location openhab-core/bundles/org.openhab.core.io.rest.core needs the dependency of the org.openhab.core.io.rest.auth bundle to get the token verification function. But I have a problem. The org.openhab.core.io.rest.core bundle can’t import the required package (which is org.openhab.core.io.rest.auth bundle) as shown below :

I added the dependency in the org.openhab.core.io.rest.core bundle like this:

  <dependency>
      <groupId>org.openhab.core.bundles</groupId>
      <artifactId>org.openhab.core.io.rest.auth</artifactId>
      <version>${project.version}</version>
  </dependency>

I know that the OSGi headers of each bundle are generated with Maven. But do you know how to make the org.openhab.core.io.rest.auth bundle available for other bundles?

In the OSGi header, generated by Maven, of the bundle org.openhab.core.io.rest.auth there is no Export-Package as shown in his manifest file, below:

Manifest-Version: 1.0
Automatic-Module-Name: org.openhab.core.io.rest.auth
Bnd-LastModified: 1647291640150
Bundle-Description: This project contains the core components of openH
 AB
Bundle-Developers: openhab;email="info@openhab.org";name=openHAB;organ
 ization=openHAB;organizationUrl="https://www.openHAB.org"
Bundle-DocURL: https://github.com/openhab/infrastructure/org.openhab.c
 ore.reactor/org.openhab.core.reactor.bundles/org.openhab.core.io.rest
 .auth
Bundle-License: "Eclipse Public License 2.0";link="https://www.eclipse
 .org/legal/epl-2.0/"
Bundle-ManifestVersion: 2
Bundle-Name: openHAB Core :: Bundles :: Authentication Support for the
  REST Interface
Bundle-SCM: url="https://github.com/openhab/openhab-core/org.openhab.c
 ore.reactor.bundles/org.openhab.core.io.rest.auth",connection="scm:gi
 t:https://github.com/openhab/openhab-core.git/org.openhab.core.reacto
 r.bundles/org.openhab.core.io.rest.auth",developer-connection="scm:gi
 t:https://github.com/openhab/openhab-core.git/org.openhab.core.reacto
 r.bundles/org.openhab.core.io.rest.auth",tag=HEAD
Bundle-SymbolicName: org.openhab.core.io.rest.auth
Bundle-Vendor: openHAB.org
Bundle-Version: 3.3.0.202203142100
Created-By: 11.0.14 (Ubuntu)
Import-Package: io.swagger.v3.oas.annotations;resolution:=optional;ver
 sion="[2.1,3)",io.swagger.v3.oas.annotations.media;resolution:=option
 al;version="[2.1,3)",io.swagger.v3.oas.annotations.responses;resoluti
 on:=optional;version="[2.1,3)",io.swagger.v3.oas.annotations.tags;res
 olution:=optional;version="[2.1,3)",javax.annotation.security;resolut
 ion:=optional;version="[1.2,2)",javax.annotation;version="[1.2,2)",ja
 vax.ws.rs,javax.ws.rs.container,javax.ws.rs.core,javax.ws.rs.ext,org.
 jose4j.base64url;version="[0.7,1)",org.jose4j.jwa;version="[0.7,1)",o
 rg.jose4j.jwk;version="[0.7,1)",org.jose4j.jws;version="[0.7,1)",org.
 jose4j.jwt;version="[0.7,1)",org.jose4j.jwt.consumer;version="[0.7,1)
 ",org.jose4j.lang;version="[0.7,1)",org.openhab.core;version="[3.3,4)
 ",org.openhab.core.auth;version="[3.3,4)",org.openhab.core.common.reg
 istry;version="[3.3,4)",org.openhab.core.io.rest;version="[3.3,4)",or
 g.slf4j;version="[1.7,2)"
Private-Package: OH-INF.config,OH-INF.i18n,org.openhab.core.io.rest.au
 th.internal
Provide-Capability: osgi.service;objectClass:List<String>="javax.ws.rs
 .container.DynamicFeature";uses:="javax.ws.rs.container",osgi.service
 ;objectClass:List<String>="org.openhab.core.io.rest.RESTResource,org.
 openhab.core.io.rest.auth.internal.TokenResource";uses:="org.openhab.
 core.io.rest,org.openhab.core.io.rest.auth.internal",osgi.service;obj
 ectClass:List<String>="org.openhab.core.io.rest.auth.internal.AuthFil
 ter";uses:="org.openhab.core.io.rest.auth.internal",osgi.service;obje
 ctClass:List<String>="org.openhab.core.io.rest.auth.internal.JwtHelpe
 r";uses:="org.openhab.core.io.rest.auth.internal"
Require-Capability: osgi.service;filter:="(objectClass=org.openhab.cor
 e.auth.UserRegistry)";effective:=active,osgi.service;filter:="(object
 Class=org.openhab.core.io.rest.auth.internal.JwtHelper)";effective:=a
 ctive,osgi.extender;filter:="(&(osgi.extender=osgi.component)(version
 >=1.4.0)(!(version>=2.0.0)))",osgi.implementation;filter:="(&(osgi.im
 plementation=osgi.jaxrs)(version>=1.0.0)(!(version>=2.0.0)))",osgi.se
 rvice;filter:="(osgi.jaxrs.media.type=application/json)";resolution:=
 optional;effective:=active,osgi.contract;osgi.contract=JavaJAXRS;filt
 er:="(&(osgi.contract=JavaJAXRS)(version=2.1.0))",osgi.ee;filter:="(&
 (osgi.ee=JavaSE)(version=11))"
Service-Component: OSGI-INF/org.openhab.core.io.rest.auth.internal.Aut
 hFilter.xml,OSGI-INF/org.openhab.core.io.rest.auth.internal.JwtHelper
 .xml,OSGI-INF/org.openhab.core.io.rest.auth.internal.RolesAllowedDyna
 micFeatureImpl.xml,OSGI-INF/org.openhab.core.io.rest.auth.internal.To
 kenResource.xml
Tool: Bnd-6.1.0.202111221555

Do you know how to configure the pom.xml file to make the org.openhab.core.io.rest.auth bundle available to other bundles, by exporting its packages?

In the feature.xml file at the location openhab-core/features/karaf/openhab-core/src/main/feature/feature.xml, I added the dependency openhab-core-io-rest-auth but it does not work.

I tried to add the following lines in the pom.xml of the openhab-core-io-rest-auth bundle to make its packages available.

 <build>
    <plugins>

      <plugin>
        <groupId>org.openhab.core.bundles</groupId>
        <artifactId>org.openhab.core.io.rest.auth</artifactId>
        <version>3.3.0-SNAPSHOT</version>
        <extensions>true</extensions>
        <configuration>
          <manifestLocation>./target/classes/META-INF/MANIFEST.MF</manifestLocation>
          <instructions>
            <Export-Package>*</Export-Package>
          </instructions>
        </configuration>
      </plugin>
    </plugins>
  </build>

But it doesn’t work too.

So anyone know what I need to do so that Maven will add the Export-Package entry in the OSGi header of the openhab-core-io-rest-auth bundle to export all its packages and make them available to other bundles?

I hoop I have been clear.

Thank you,

Nicolas Gennart.

J-N-K · March 15, 2022, 11:30am

Internal packages are not exported as they are not intended for external usage. They can change without notice, while non-internal packages are usually more stable. So there is no way to export the packages you need.

ngennart · March 15, 2022, 11:37am

So I can’t use it in another bundle? I have to reimplement the functions I need in the bundle? Or can I put it in a folder that is not internal?

J-N-K · March 15, 2022, 2:07pm

What exactly are you trying to do? What is the problem you want to solve? In general you can’t use these methods outside of the bundle and there should be no need to do so (or something is missing in the API).

ngennart · March 15, 2022, 2:15pm

I try to check the validity of the token for each request the user makes to get its items and get the roles put in the token to filter the items sent to the user (client side) with those roles.

And for that, the org.openhab.core.io.rest.core bundle that returns the items to the user (in the ItemRessource.class file) needs the functions of the org.openhab.core.io.rest.auth bundle to check the token and decrypt it to get the roles.

splatch · March 16, 2022, 4:48pm

This is shortage of current way how token auth is being implemented. It does not use AuthenticationProvider interface which was initially designed as a way to bring different authentication mechanisms to system. Currently we have in openHAB the AuthenticationManager which is practically not used as its use was superseded by the 3.x APIs which embeds everything in couple of rest resources.

The old API permitted use of AuthenticationManager#authenticate(Credentials) method which could also work with JWT payloads. Yet its gone for two years already and nobody, except you noticed.

Cheers,
Łukasz

ngennart · March 16, 2022, 5:08pm

Ho great, thank you, and what do you mean by the 3.x APIs which embeds everything in couple of rest resources , OpenAPI verify the token ?

splatch · March 22, 2022, 10:33am

If you look for a way on your application then you can still rely on functionality provided AuthFilter, even if its hidden from your code. This is because this filter sets the security context for incoming HTTP invocations. If you implement REST resources then you can use @Context SecurityContext in order to get at least some notion of security.

The openAPI is just a descriptor format. Tools which utilize that format can generate code or clients which can authenticate using ie. standard oauth2 endpoints. However, openHAB 3.x implements oauth2 partially, so you can’t verify token out of the box using predefined endpoints. In order to do such openHAB would need to start tracking oauth clients (token validation is reserved for oauth clients) which would complicate implementation.

system · May 3, 2022, 2:33am

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.