Re: [jetty-users] Programmatically Configuring JASPI for Embedded Jetty
Hi Larry,
Good to hear your use-case for jetty-jaspi, and even more interesting
to hear you were on the jsr! I'm positive the jetty-jaspi code needs
some luvin', so if you have any time at all to take a look over it,
kick the tires and contribute any comments and/or improvements back,
then that would be most welcome!
In the meanwhile, I will clean up the little test webapp I have that
uses geronimo-jaspi jars and put it into a public repo - will post
back here when it's done.
cheers
Jan
On 15 February 2013 11:28, larry mccay <larry.mccay@xxxxxxxxx> wrote:
> Hi Jan -
>
> Thank you for your response.
>
> I will have to resurrect that work now and try and close the remaining gaps.
>
> Personally, I like the programming model afforded by JASPIC and that
> it empowers you to be able to guide the container in setting the
> security context without getting into container specifics.
>
> We are developing a platform that has pluggable authentication
> providers and things like shiro are great but I end up having to
> normalize the authenticated user as a standard Subject afterward and
> then execute a doAs() - which the SecurityManager frowns upon and is
> not really intended as part of the application programming model.
>
> By leveraging the SPI provided by JASPIC you are plugged directly into
> container code and can portably control the EE security context
> without having to mess with Java security policy. This is a beautiful
> thing.
>
> Unfortunately, JASPIC has had its own lack of marketing and
> documentation issues.
>
> There are some interesting AuthModules available that I would like to
> be able to take advantage of within our platform, however, and that's why I
> am pursuing JASPI on Jetty.
>
> By the way, as a member of the JSR-196 EG, I am a bit biased.
> :-)
>
> As I make further progress on this - I will let you know.
>
> Peace,
>
> --larry
>
> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
>> Hi Larry,
>>
>> I'm impressed you've managed to get this far, as we've historically
>> done a terrible job of documenting jaspi in jetty!
>>
>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>> jars, and a very early version of those geronimo jars at that.
>>
>> So in addition to what you've got already, here are the other pieces
>> that I have used in a working test webapp using jaspi:
>>
>> + these geronimo-jaspi dependencies:
>> <dependency>
>>   <groupId>org.apache.geronimo.components</groupId>
>>   <artifactId>geronimo-jaspi</artifactId>
>>   <version>2.0-SNAPSHOT</version>
>>   <exclusions>
>>     <exclusion>
>>       <groupId>org.apache.geronimo.specs</groupId>
>>       <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>     </exclusion>
>>   </exclusions>
>> </dependency>
>> <dependency>
>>   <groupId>org.apache.geronimo.specs</groupId>
>>   <artifactId>geronimo-osgi-locator</artifactId>
>>   <version>1.0</version>
>> </dependency>
>>
>>
>> + a system property pointing to a geronimo jaspi config file (which
>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>> -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>
>> + a geronimo jaspi config file:
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>   <configProvider>
>>     <messageLayer>HTTP</messageLayer>
>>     <appContext>server /foo</appContext>
>>     <description>description</description>
>>     <serverAuthConfig>
>>       <authenticationContextID>authenticationContextID2</authenticationContextID>
>>       <protected>true</protected>
>>       <serverAuthContext>
>>         <serverAuthModule>
>>           <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>           <options>
>>             org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>             org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>           </options>
>>         </serverAuthModule>
>>       </serverAuthContext>
>>     </serverAuthConfig>
>>     <persistent>true</persistent>
>>   </configProvider>
>> </jaspi>
>>
>>
>> Hopefully that might help you get a bit further.
>>
>> I'm interested to hear if many others on the lists are trying to use
>> or are using the jetty-jaspi integration. Our impression is that it is
>> hardly used by anyone. Of course, that could be because the
>> documentation is missing! However, before we direct more of our
>> limited resources to the jaspi stuff, we'd like to hear from the user
>> community - is this something that you are using, or are likely to
>> use???
>>
>> Jan
>>
>> On 17 January 2013 03:53, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>> Greetings -
>>>
>>> I am working on an embedded Jetty project in which we programmatically
>>> deploy the WebAppContexts for dynamically created WebApps.
>>> What I would like to do is configure the use of JASPI per application.
>>>
>>> The following code is being used at deployment time:
>>>
>>> private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>   String name = topology.getName();
>>>   String warPath = warFile.getAbsolutePath();
>>>
>>>   WebAppContext context = new WebAppContext();
>>>   context.setDefaultsDescriptor( null );
>>>   context.setContextPath( "/" + path + "/" + name );
>>>   context.setWar( warPath );
>>>
>>>   JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>   SecurityHandler handler = new ConstraintSecurityHandler();
>>>   handler.setAuthenticatorFactory(authenticatorFactory);
>>>
>>>   JAASLoginService ls = new JAASLoginService();
>>>   ls.setName("JAASRealm");
>>>   ls.setLoginModuleName("jaas");
>>>   ls.setIdentityService(new DefaultIdentityService());
>>>   handler.setLoginService(ls);
>>>   authenticatorFactory.setLoginService(ls);
>>>   jetty.addBean(ls);
>>>
>>>   Constraint constraint = new Constraint();
>>>   constraint.setName(Constraint.__BASIC_AUTH);
>>>   constraint.setRoles(new String[]{"user","admin","moderator"});
>>>   constraint.setAuthenticate(true);
>>>
>>>   ConstraintMapping cm = new ConstraintMapping();
>>>   cm.setConstraint(constraint);
>>>   cm.setPathSpec("/*");
>>>
>>>   // handler.setAuthMethod("BASIC");
>>>   handler.setRealmName("JAASRealm");
>>>   ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>>   context.setSecurityHandler(handler);
>>>
>>>   internalUndeploy( topology );
>>>   deployments.put( name, context );
>>>   contexts.addHandler( handler );
>>>   contexts.addHandler( context );
>>>
>>>   try {
>>>     context.start();
>>>   } catch( Exception e ) {
>>>     //TODO: I18N message
>>>     e.printStackTrace();
>>>   }
>>> }
>>>
>>>
>>> and I am encountering the following stacktrace:
>>>
>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.session.SessionHandler@786c1a82: java.lang.IllegalStateException: No ServerAuthentication
>>> java.lang.IllegalStateException: No ServerAuthentication
>>>   at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>>   at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>   at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>>   at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>>   at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>>   at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>>   at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>>   at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>>   at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>>   at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>>   at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>
>>> Looking at the ServerHandler code this indicates that no authenticator is
>>> being found in the following code snippet:
>>> ...
>>> if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>> {
>>>     _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>>     if (_authenticator!=null)
>>>         _authMethod=_authenticator.getAuthMethod();
>>> }
>>>
>>> if (_authenticator==null)
>>> {
>>>     if (_realmName!=null)
>>>     {
>>>         LOG.warn("No ServerAuthentication for "+this);
>>>         throw new IllegalStateException("No ServerAuthentication");
>>>     }
>>> }
>>> else
>>> {
>>>     _authenticator.setConfiguration(this);
>>>     if (_authenticator instanceof LifeCycle)
>>>         ((LifeCycle)_authenticator).start();
>>> }
>>> ...
>>>
>>> Can anyone tell what is missing from my configuration code or alternatively
>>> point me to relevant tests?
>>>
>>> Thank you in advance!
>>>
>>> --larry
>>>
>>>
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>
>>
>>
>> --
>> Jan Bartel <janb@xxxxxxxxxxx>
>> www.webtide.com – Developer advice, services and support
>> from the Jetty & CometD experts.
--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com – Developer advice, services and support
from the Jetty & CometD experts.
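The piece Jan identifies as missing from Larry's setup is a ServerAuthModule that JaspiAuthenticatorFactory can reach through a registered AuthConfigProvider (which is what the geronimo jaspi.xml configProvider above supplies). As an added illustration of what such a module looks like when written purely against the JSR-196 API, in the container-neutral style Larry describes, here is a minimal HTTP Basic ServerAuthModule. This is example code written for this page, not code from the thread, from Jetty or from Geronimo. The option name "users", the in-memory user table and the realm string are constructed for the example; the container's CallbackHandler (in Jetty, the one JaspiAuthenticatorFactory creates) is what turns the CallerPrincipalCallback and GroupPrincipalCallback into the EE security context. The module still has to be registered for the message layer and app-context strings that JaspiAuthenticatorFactory asks the AuthConfigFactory for; that registration is not shown here.

```java
// Added example (not from the thread, Jetty or Geronimo): a minimal JSR-196
// ServerAuthModule doing HTTP Basic authentication against an in-memory table.
// Only the javax.security.auth.message (JASPIC 1.0) and Servlet APIs are used.
// The option name "users" and the table layout are constructed for this example.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicServerAuthModule implements ServerAuthModule {
    // user -> { password, group1, group2, ... }; passed in via the constructed "users" option
    private Map<String, String[]> users = Collections.emptyMap();
    private CallbackHandler handler;
    private MessagePolicy requestPolicy;

    @Override @SuppressWarnings("unchecked")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.requestPolicy = requestPolicy;  // tells us whether the resource is protected
        this.handler = handler;              // the container's handler; it builds the security context
        if (options != null && options.get("users") instanceof Map)
            this.users = (Map<String, String[]>) options.get("users");
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) mi.getResponseMessage();

        String[] cred = decodeBasic(request.getHeader("Authorization"));
        String[] record = cred == null ? null : users.get(cred[0]);
        // Constant-time compare so a wrong password costs the same time as a right one.
        if (record != null && MessageDigest.isEqual(
                record[0].getBytes(StandardCharsets.UTF_8), cred[1].getBytes(StandardCharsets.UTF_8))) {
            String[] groups = Arrays.copyOfRange(record, 1, record.length);
            // Hand caller identity and groups to the container; it maps groups to roles.
            handle(new CallerPrincipalCallback(clientSubject, cred[0]),
                   new GroupPrincipalCallback(clientSubject, groups));
            return AuthStatus.SUCCESS;
        }
        // Unprotected resource (policy not mandatory): continue with no caller established.
        if (requestPolicy == null || !requestPolicy.isMandatory()) {
            handle(new CallerPrincipalCallback(clientSubject, (String) null));
            return AuthStatus.SUCCESS;
        }
        // Protected resource, no valid credentials: challenge and stop the request here.
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        try {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (IOException e) {
            throw (AuthException) new AuthException("cannot send 401").initCause(e);
        }
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;  // nothing to add to the outgoing response
    }

    @Override
    public void cleanSubject(MessageInfo mi, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    /** Returns { user, password } from "Basic base64(user:password)", or null if absent/malformed. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;  // malformed base64 counts as "no credentials", not as an error
        }
        int colon = decoded.indexOf(':');
        return colon < 1 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    private void handle(Callback... callbacks) throws AuthException {
        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback failed").initCause(e);
        }
    }
}
```

Two design points worth noticing. First, the module honours `requestPolicy.isMandatory()`: for an unprotected resource it returns SUCCESS with a null caller instead of challenging, which is the behaviour the `<protected>` flag in Jan's config controls. Second, the table holds plaintext passwords only so the comparison is visible in a few lines; a real store would keep salted hashes and the module would verify against the hash (or, in Jetty, hand the check to the LoginService through a PasswordValidationCallback) rather than compare raw bytes.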