Hello,
I am using Jetty 7.2.2 20101205. I am trying to change the shipped test application's authentication mechanism. Please find the test application's test.xml and a snippet from web.xml, along with the HTTP headers that I received in my Mozilla browser.
I have configured test.xml for ConstraintSecurityHandler, and loginModuleName points to the correct settings.
In web.xml, I commented out the remaining constraints that are shipped with the test application. I also commented out the security roles at the bottom of the shipped test application's web.xml. Snippet:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Any User</web-resource-name>
      <url-pattern>/dump/auth/*</url-pattern>
      <url-pattern>*.htm</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Test_JAAS_Realm</realm-name>
    <form-login-config>
      <form-login-page>/logon.html?param=test1</form-login-page>
      <form-error-page>/logonError.html?param=test1</form-error-page>
    </form-login-config>
  </login-config>
Snippet from test.xml:

  <Set name="securityHandler">
    <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
      <Set name="loginService">
        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
          <Set name="name">Test_JAAS_Realm</Set>
          <Set name="loginModuleName">xyz</Set>
        </New>
      </Set>
      <!-- <Set name="strict">false</Set> -->
    </New>
  </Set>
login.conf:

  xyz {
    com.sun.security.auth.module.NTLoginModule required debug="true" debugNative="true";
  };
Command line parameters:

  java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=1044 -Djava.security.auth.login.config=C:\Jetty\jetty2\wjetty\login.conf -jar start.jar
The problem that I face is shown below in the form of HTTP headers:

  HTTP/1.1 403 !role
  Date: Mon, 28 Feb 2011 10:46:03 GMT
  Content-Type: text/html;charset=ISO-8859-1
  Content-Length: 1371
  Cache-Control: must-revalidate,no-cache,no-store
  Server: Jetty(7.2.2.v20101205)
After debugging, I realised that at org.eclipse.jetty.security.SecurityHandler.java:459

  boolean authorized=checkWebResourcePermissions(pathInContext, baseRequest, base_response, constraintInfo, userAuth.getUserIdentity());

I am getting authorized = false.
Please look at the HTTP headers: at line 1, I send a POST to /j_security_check (form submission), and the browser gets a 302 in return (at line 17, meaning that after successful authentication a redirection to /dump/auth/info was done). At line 24 the browser sends /dump/auth/info, for which at line 38 I get a 403 saying the constraint for the URL is not satisfied.
If I set the strict value (for securityHandler, in test.xml) to false, I am not able to clear the constraint, even though I gave a wrong userid/pwd.
Note: I have attached the changed web.xml, the changed test.xml and afterLogin.txt (this has the HTTP headers after I submit the login form).
Regards
Vinod
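Added example, not part of Vinod's post or of the Jetty test webapp: in Jetty 7's ConstraintSecurityHandler the default strict mode satisfies a `*` auth-constraint only with a role declared in web.xml, and JAASLoginService only turns principals whose class appears in roleClassNames into roles. The fragments below assume NTLoginModule's NTSidGroupPrincipal as the role class and a well-known group SID as the declared role name; they are what I would compare against the attached files.

```xml
<!-- web.xml fragment: strict "*" needs at least one declared role.
     NTSidGroupPrincipal.getName() returns the group SID, so the role name
     must be a SID; S-1-5-32-545 (BUILTIN\Users) is an assumed value, use
     the group that NTLoginModule actually reports with debug="true". -->
<security-role>
  <role-name>S-1-5-32-545</role-name>
</security-role>

<!-- test.xml fragment: tell JAASLoginService which principal classes
     count as roles (default is org.eclipse.jetty.plus.jaas.JAASRole,
     which NTLoginModule never produces). -->
<Set name="securityHandler">
  <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
        <Set name="name">Test_JAAS_Realm</Set>
        <Set name="loginModuleName">xyz</Set>
        <Set name="roleClassNames">
          <Array type="java.lang.String">
            <Item>com.sun.security.auth.NTSidGroupPrincipal</Item>
          </Array>
        </Set>
      </New>
    </Set>
    <!-- leave strict at its default of true: strict=false lets "*" pass for
         any authenticated user and would hide a missing role mapping -->
  </New>
</Set>
```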