net.adamcin.sling.auth.httpsig
HTTP Signature Authentication Handler implementation for Apache Sling using SSH authorized_keys.
How It Works
- Install the following bundles:
- net.adamcin.httpsig.osgi: HTTP Signature Implementation for Java
- net.adamcin.sling.auth.httpsig: Sling HTTP Signature Authentication Handler
- Deploy an authorized_keys file containing the SSH public keys of clients who are authorized to login as admin, such as that of a Jenkins server, to either of the two locations on the server filesystem:
- ${sling.home}/../.ssh/authorized_keys: Deploy to this location to only grant HTTP admin permission to client public keys. Notice that the .ssh directory in the path is a sibling of ${sling.home}, which allows for re-installation and backup/restore of the Sling instance without disturbing the authorized_keys file. This file takes precedence over the standard user home location.
- ${user.home}/.ssh/authorized_keys: Deploy to this location only in order to grant ssh/scp access to clients with these public keys, in addition to granting them HTTP admin authentication.
- Use a Signature-enabled HTTP client to interact with the Sling instance, with a keyId format following the Joyent convention of "/$username/keys/$fingerprint". You can find Java-based helpers in httpsig-java for Apache Commons HttpClient 3.x, Apache Http Components 4.x, and Ning AsyncHttpClient.