Re: [jetty-users] Programmatically Configuring JASPI for Embedded Jetty

Hi Larry,

Good to hear your use-case for jetty-jaspi, and even more interesting
to hear you were on the jsr! I'm positive the jetty-jaspi code needs
some luvin', so if you have any time at all to take a look over it,
kick the tires and contribute any comments and/or improvements back,
then that would be most welcome!

In the meanwhile, I will clean up the little test webapp I have that
uses geronimo-jaspi jars and put it into a public repo - will post
back here when its done.

cheers
Jan

On 15 February 2013 11:28, larry mccay <larry.mccay@xxxxxxxxx> wrote:
> Hi Jan -
>
> Thank you for your response.
>
> I will have to resurrect that work now and try and close the remaining gaps.
>
> Personally, I like the programming model afforded by JASPIC and that
> it empowers you to be able to guide the container in setting the
> security context without getting into container specifics.
>
> We are developing a platform that have pluggable authentication
> providers and things like shiro are great but I end up having to
> normalize the authenticated user as a standard Subject afterward and
> then execute a doAs() - which the SecurityManager frowns upon and is
> not really intended as part of the application programming model.
>
> By leveraging the SPI provided by JASPIC you are plugged directly into
> container code and can portably control the EE security context
> without having to mess with Java security policy. This is a beautiful
> thing.
>
> Unfortunately, JASPIC has had its own lack of marketing and
> documentation issues.
>
> There are some interesting AuthModules available that I would like to
> be able to take advantage within our platform however and that's why I
> am pursuing JASPI on Jetty.
>
> By the way, as a member of the JSR-196 EG, I am a bit biased.
> :-)
>
> As I make further progress on this - I will let you know.
>
> Peace,
>
> --larry
>
> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
>> Hi Larry,
>>
>> I'm impressed you've managed to get this far, as we've historically
>> done a terrible job of documenting jaspi in jetty!
>>
>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>> jars, and a very early version of those geronimo jars at that.
>>
>> So in addition to what you've got already, here's the other pieces
>> that I have used in a working test webapp using jaspi:
>>
>> + these geronimo-jaspi dependencies:
>>          <dependency>
>>               <groupId>org.apache.geronimo.components</groupId>
>>               <artifactId>geronimo-jaspi</artifactId>
>>               <version>2.0-SNAPSHOT</version>
>>               <exclusions>
>>                 <exclusion>
>>                   <groupId>org.apache.geronimo.specs</groupId>
>>                   <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>                 </exclusion>
>>               </exclusions>
>>            </dependency>
>>            <dependency>
>>              <groupId>org.apache.geronimo.specs</groupId>
>>              <artifactId>geronimo-osgi-locator</artifactId>
>>              <version>1.0</version>
>>            </dependency>
>>
>>
>> + a system property pointing to a geronimo jaspi config file (which
>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>>    -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>
>> + a geronimo jaspi config file:
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>     <configProvider>
>>         <messageLayer>HTTP</messageLayer>
>>         <appContext>server /foo</appContext>
>>         <description>description</description>
>>         <serverAuthConfig>
>>             <authenticationContextID>authenticationContextID2</authenticationContextID>
>>             <protected>true</protected>
>>             <serverAuthContext>
>>                 <serverAuthModule>
>>                     <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>                     <options>
>>                         org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>                         org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>                     </options>
>>                 </serverAuthModule>
>>             </serverAuthContext>
>>         </serverAuthConfig>
>>         <persistent>true</persistent>
>>     </configProvider>
>> </jaspi>
>>
>>
>> Hopefully that might help you get a bit further.
>>
>> I'm interested to hear if many others on the lists are trying to use
>> or are using the jetty-jaspi integration. Our impression is that it is
>> hardly used by anyone. Of course, that could be because the
>> documentation is missing! However, before we direct more of our
>> limited resources to the jaspi stuff, we'd like to hear from the user
>> community - is this something that you are using, or are likely to
>> use???
>>
>> Jan
>>
>> On 17 January 2013 03:53, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>> Greetings -
>>>
>>> I am working on an embedded Jetty project in which we programmatically
>>> deploy the WebAppContexts for dynamically created WebApps.
>>> What I would like to do is configure the use of JASPI per application.
>>>
>>> The following code is being used at deployment time:
>>>
>>>   private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>     String name = topology.getName();
>>>     String warPath = warFile.getAbsolutePath();
>>>
>>>     WebAppContext context = new WebAppContext();
>>>     context.setDefaultsDescriptor( null );
>>>     context.setContextPath( "/" + path + "/" + name );
>>>     context.setWar( warPath );
>>>
>>>     JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>     SecurityHandler handler = new ConstraintSecurityHandler();
>>>     handler.setAuthenticatorFactory(authenticatorFactory);
>>>
>>>     JAASLoginService ls = new JAASLoginService();
>>>     ls.setName("JAASRealm");
>>>     ls.setLoginModuleName("jaas");
>>>     ls.setIdentityService(new DefaultIdentityService());
>>>     handler.setLoginService(ls);
>>>     authenticatorFactory.setLoginService(ls);
>>>     jetty.addBean(ls);
>>>
>>>     Constraint constraint = new Constraint();
>>>     constraint.setName(Constraint.__BASIC_AUTH);
>>>     constraint.setRoles(new String[]{"user","admin","moderator"});
>>>     constraint.setAuthenticate(true);
>>>
>>>     ConstraintMapping cm = new ConstraintMapping();
>>>     cm.setConstraint(constraint);
>>>     cm.setPathSpec("/*");
>>>
>>> //    handler.setAuthMethod("BASIC");
>>>     handler.setRealmName("JAASRealm");
>>>     ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>>     context.setSecurityHandler(handler);
>>>
>>>     internalUndeploy( topology );
>>>     deployments.put( name, context );
>>>     contexts.addHandler( handler );
>>>     contexts.addHandler( context );
>>>
>>>     try {
>>>       context.start();
>>>     } catch( Exception e ) {
>>>       //TODO: I18N message
>>>       e.printStackTrace();
>>>     }
>>>   }
>>>
>>>
>>> and I am encountering the following stacktrace:
>>>
>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED
>>> org.eclipse.jetty.server.session.SessionHandler@786c1a82:
>>> java.lang.IllegalStateException: No ServerAuthentication
>>> java.lang.IllegalStateException: No ServerAuthentication
>>> at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>> at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>> at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>> at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>> at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>> at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>> at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>> at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>> at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>> at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>> at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>
>>> Looking at the ServerHandler code this indicates that no authenticator is
>>> being found in the following code snippet:
>>> ...
>>>
>>>         if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>>         {
>>>             _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>>             if (_authenticator!=null)
>>>                 _authMethod=_authenticator.getAuthMethod();
>>>         }
>>>
>>>         if (_authenticator==null)
>>>         {
>>>             if (_realmName!=null)
>>>             {
>>>                 LOG.warn("No ServerAuthentication for "+this);
>>>                 throw new IllegalStateException("No ServerAuthentication");
>>>             }
>>>         }
>>>         else
>>>         {
>>>             _authenticator.setConfiguration(this);
>>>             if (_authenticator instanceof LifeCycle)
>>>                 ((LifeCycle)_authenticator).start();
>>>         }
>>>
>>> ...
>>>
>>> Can anyone tell what is missing from my configuration code or alternatively
>>> point me to relevant tests?
>>>
>>> Thank you in advance!
>>>
>>> --larry
>>>
>>>
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>
>>
>>
>> --
>> Jan Bartel <janb@xxxxxxxxxxx>
>> www.webtide.com – Developer advice, services and support
>> from the Jetty & CometD experts.

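As an added example (not code from this thread, from Jetty or from Geronimo), here is a Java pre-deploy check that performs the same JASPIC provider lookup Jetty's JaspiAuthenticatorFactory performs, so a missing ServerAuthModule registration surfaces as a clear message instead of the "No ServerAuthentication" IllegalStateException thrown from SecurityHandler.doStart(). The lookup key format assumed here (message layer "HTTP", app context "<serverName> <contextPath>", default server name "server") is what makes Jan's jaspi.xml use "server /foo"; providerClassName and the caller's WebAppContext are placeholders.

```java
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import java.util.Map;

/** Pre-deploy check for jetty-jaspi wiring (added example, not Jetty code). */
public final class JaspiPreflight {
    // Message layer name assumed to match Jetty's JaspiAuthenticatorFactory.
    static final String MESSAGE_LAYER = "HTTP";

    /** App context the way Jetty builds it: serverName + " " + contextPath. */
    static String appContext(String serverName, String contextPath) {
        String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        String server = (serverName == null) ? "server" : serverName;  // Jetty default
        return server + " " + path;
    }

    /** True if a JASPIC AuthConfigProvider is registered for this web app. */
    static boolean hasProvider(String serverName, String contextPath) {
        // getFactory() depends on the "authconfigprovider.factory" security property
        // (geronimo's implementation in Jan's setup); treat a missing factory as "no provider".
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        if (factory == null) {
            return false;
        }
        AuthConfigProvider provider = factory.getConfigProvider(
            MESSAGE_LAYER, appContext(serverName, contextPath), null);
        return provider != null;
    }

    /**
     * Programmatic alternative to the XML file, for per-application JASPI:
     * register a provider class for exactly one web app. providerClassName is a
     * placeholder for your AuthConfigProvider implementation; the returned
     * registration id can be passed to removeRegistration() on undeploy.
     */
    static String registerProvider(String providerClassName, Map<String, String> options,
                                   String serverName, String contextPath) {
        return AuthConfigFactory.getFactory().registerConfigProvider(
            providerClassName, options, MESSAGE_LAYER,
            appContext(serverName, contextPath), "per-webapp JASPI provider");
    }

    /** Call before context.start(); fails fast with a message naming the lookup key. */
    static void requireProvider(String serverName, String contextPath) {
        if (!hasProvider(serverName, contextPath)) {
            throw new IllegalStateException("No JASPIC AuthConfigProvider registered for layer "
                + MESSAGE_LAYER + " and appContext '" + appContext(serverName, contextPath) + "'");
        }
    }
}
```

In the deployment code from the thread, `JaspiPreflight.requireProvider(null, context.getContextPath())` placed just before `context.start()` turns the opaque failure into one that names the exact layer/appContext pair the provider must be registered under.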

