RAP + BasicSecurityFilter + Tomcat = :'( [message #1067841] Wed, 10 July 2013 19:48
Chris Monty
I've discovered three things which, as far as I can tell, simply refuse to play nice together. RAP, any form of authentication requiring a login-dialog (anything except AnonymousSecurityFilter), and Tomcat.

I have a Scout application which uses a DataSourceSecurityFilter. From Eclipse, the development RAP target runs in my browser beautifully. I wanted to have it running on Tomcat, so I created the .war packages and installed them on my local Tomcat server. Swing and SWT worked as expected. RAP however, does not.

When I point my browser to the /web alias, a login dialog appears which rejects false login/password combos. Once a correct login is entered, it redirects the browser to a broken page (see brokenpage.png attachment).

Viewing the page source, there is the message contained within the HTML:
Quote:
Your browser or browser-setup is not supported. <br />Please use one of: IE 7+, Firefox 3.5+, Safari 4+, Google Chrome 7+ or Opera 10+.<br />Ensure that Javascript is enabled and XMLHttpRequests are allowed.


Now here's the fun bit. I edit the deployed config.ini (in \work\Catalina\localhost\appname\eclipse\configuration), disable the DataSourceSecurityFilter and enable the AnonymousSecurityFilter, restart the web application and try again. It works fine.

What I've concluded from my trials is that something is going awry with message passing between the RAP and server applets at authentication time (my finger is pointed at HttpServletRequest at this stage). I've read that browsers will block inter-server XMLHttpRequests (http://gis.stackexchange.com/questions/38855/xmlhttprequest-cannot-load-http-localhost-geoserver-wfs-origin-http-local), but I didn't think that would apply to two servlets on the same server. I also found something else which could be related: http://tomcat.10.x6.nabble.com/Session-IDs-amp-XMLHttpRequests-td2055494.html

There's one final possibility, and that's that I've missed some glaringly obvious step somewhere in the deployment process. I imagine that authenticated RAP deployments would be quite common so this ground must have been covered before.

I've managed to create a fairly simple example which reproduces the problem. Today I followed the following steps:
1. Download and install a fresh install of Scout (I'm using Kepler, 3.9.0.20130612).
2. Create a new Scout project (I named it 'test') with all bundles.
3. Download and install a fresh Tomcat (I'm using 7.0.42).
4. Export the Scout projects, copy the test.war and test_server.war into the Tomcat /webapps folder and let them load.
5. Point your browser to localhost:8080/test/web, which will work.
6. Edit \work\Catalina\localhost\test\eclipse\configuration\config.ini. Disable the AnonymousSecurityFilter and enable the BasicSecurityFilter.
7. Restart the test servlet.
8. Hit refresh on localhost:8080/test/web.
9. You will be prompted for a login, but the RAP UI won't load.

If this pitfall is known, some places to consider adding documentation would be here, here and here.

Also, I noticed that the DataSourceSecurityFilter authentication and Derby don't mix either, as Derby doesn't accept multiple DB connections. Perhaps it's worth mentioning in the Derby DB or Authentication tutorial?

[Updated on: Wed, 10 July 2013 23:07]


Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1068107 is a reply to message #1067841] Fri, 12 July 2013 08:19
Chris Monty
Actually it would be really useful just to know if anyone has managed to successfully deploy an authentication-enabled RAP UI onto their Tomcat server. I'd know then that it was possible. Cheers.

[Updated on: Fri, 12 July 2013 08:19]


Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1069412 is a reply to message #1068107] Mon, 15 July 2013 20:55
Claudio Guglielmo
Hi Chris

I think your problem may be related to this post:
http://www.eclipse.org/forums/index.php/t/449281/

Also see this post for further information about basic auth and rap ui:
http://www.eclipse.org/forums/index.php/m/1064181/

I must admit I don't know what the problem is. Try to enable the javascript console of your browser and check if there are some errors.

I'll try to reproduce it as soon as I find some time. Thank you for the detailed description.

Best regards
Claudio

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1069695 is a reply to message #1069412] Tue, 16 July 2013 12:13
Chris Monty
Thanks Claudio for your reply. With your help, I have solved the problem. Scroll to the bottom for the short version.

The forum discussions you linked to suggested that it might have to do with RAP trying to access JavaScript files on the server, and Tomcat was denying access to it. Seems it's possible, but nobody remembers quite how they did it - like George's Marvellous Medicine in a way. Well, knowing that it was possible, and that it had something to do with file access, I got this sneaking suspicion and tried a few things out. And managed to get it working.

Here's the important part of my new and improved RAP plugin.xml:
  <extension point="org.eclipse.scout.http.servletfilter.filters">
    <filter
      aliases="/"
      class="org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter"
      ranking="10">
    </filter>
    <filter
      aliases="/ /web"
      class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
      ranking="20">
    </filter>
    <filter
      aliases="/"
      class="org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter"
      ranking="-1000000">
      <init-param
        name="active"
        value="true">
      </init-param>
    </filter>
  </extension>

And the RAP production config.ini:
org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=test Development
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=admin\=manager,allen\=allen,blake\=blake

The crucial update lies in the aliases. You have to give the aliases "/web" AND "/" to the BasicSecurityFilter, as it needs permission to access resources in "/" as well. I've applied this to my DataSourceSecurityFilter, and it works.

Ah, software development. I think I just spent the better part of a week searching for a missing "/" character.

I'd really like to see this crucial bit of info added to the tutorials (and possibly to the default generated plugin.xml). Is there somewhere better than here to suggest that?

[Updated on: Tue, 16 July 2013 12:18]


Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1070544 is a reply to message #1069695] Thu, 18 July 2013 07:27
Claudio Guglielmo
Hi Chris

Thank you very much for investigating this issue! We definitely have to improve the generation of the plugin.xml. As you suggested, I added a hint to http://wiki.eclipse.org/Scout/Tutorial/3.9/Deploy_to_Tomcat#Test_the_Application.

We'll inform you as soon as the bug is fixed.

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1070607 is a reply to message #1070544] Thu, 18 July 2013 10:03
Andreas Hoegger
I opened two bugs concerning this subject:
1. Template generation of Scout SDK: Bugzilla 413229
2. Documentation of container handled security: Bugzilla 413231

Thank you Chris for the great research.

-andreas

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1071923 is a reply to message #1070607] Sun, 21 July 2013 15:46
Chris Monty
Cool. Likewise, thanks for your support.

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1093806 is a reply to message #1071923] Sat, 24 August 2013 18:00
Li Hao
I am having the same issue after I created permissions for all the pages. The RAP client is always getting this exception:
MESSAGE org.eclipse.scout.rt.ui.rap.login.internal.InternalNetAuthenticator.getPasswordAuthentication(InternalNetAuthenticator.java:74) http://localhost:8080/ems/ajax

I traced it down to this:
org.eclipse.scout.rt.shared.servicetunnel.HttpException: 401 - UNAUTHORIZED exception.

I tried the suggested change in the RAP plugin.xml and config.ini, but I am still getting the same issue. I am using DataSourceSecurityFilter and applied the change to it, but it is still not working. The Swing and SWT clients are working fine.

My plugin.xml:

  <extension
    point="org.eclipse.scout.http.servletfilter.filters">
    <filter
      aliases="/ /web /process /remotefiles /updatesite"
      class="org.eclipse.scout.http.servletfilter.security.DataSourceSecurityFilter"
      ranking="10">
      <!-- some db parameters here -->
    </filter>
    <filter
      aliases="/"
      class="org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter"
      ranking="20">
    </filter>
    <filter
      aliases="/ /web"
      class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
      ranking="30">
    </filter>
  </extension>

config.ini:

org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false

org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=ems Development
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=admin\=manager,allen\=allen,blake\=blake



Any other suggestion?

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1093831 is a reply to message #1093806] Sat, 24 August 2013 18:58
Li Hao
Looks like the RAP app does not attempt to authenticate to the server by logging in with the ID/password I supplied; the Swing and SWT clients will submit the ID/password to the server.

I changed the /ajax in the server filter to the anonymous filter; now I am getting another error:

!ENTRY org.eclipse.scout.rt.server 4 0 2013-08-25 02:52:23.179
!MESSAGE org.eclipse.scout.rt.server.ServiceTunnelServlet.doPost(ServiceTunnelServlet.java:322) Session=svcadf3s5014vm6il8b5etqy, Client=anonymous@127.0.0.1/127.0.0.1
!STACK 0
ProcessingException[ProcessingStatus[ERROR code=0 Unexpected java.lang.SecurityException: access denied]]
at org.eclipse.scout.commons.job.JobEx.throwOnError(JobEx.java:69)
at org.eclipse.scout.rt.server.services.common.session.ServerSessionRegistryService.newServerSession(ServerSessionRegistryService.java:61)
at org.eclipse.scout.rt.server.ServiceTunnelServlet.lookupScoutServerSessionOnVirtualSession(ServiceTunnelServlet.java:224)
at org.eclipse.scout.rt.server.ServiceTunnelServlet.doPost(ServiceTunnelServlet.java:287)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.scout.http.servletfilter.HttpServletEx.access$0(HttpServletEx.java:1)
at org.eclipse.scout.http.servletfilter.HttpServletEx$1.service(HttpServletEx.java:38)
at org.eclipse.scout.http.servletfilter.internal.FilterChainImpl.doFilter(FilterChainImpl.java:44)
at org.eclipse.scout.rt.server.SoapWsseJaasFilter.doFilter(SoapWsseJaasFilter.java:111)
at org.eclipse.scout.http.servletfilter.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
at org.eclipse.scout.http.servletfilter.security.AbstractChainableSecurityFilter.doFilterInternal(AbstractChainableSecurityFilter.java:220)
at org.eclipse.scout.http.servletfilter.security.AbstractChainableSecurityFilter.access$0(AbstractChainableSecurityFilter.java:219)
at org.eclipse.scout.http.servletfilter.security.AbstractChainableSecurityFilter$1.run(AbstractChainableSecurityFilter.java:157)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.eclipse.scout.http.servletfilter.security.AbstractChainableSecurityFilter.doFilter(AbstractChainableSecurityFilter.java:149)
at org.eclipse.scout.http.servletfilter.internal.FilterChainImpl.doFilter(FilterChainImpl.java:41)
at org.eclipse.scout.http.servletfilter.ServletFilterDelegate.delegateServiceMethod(ServletFilterDelegate.java:57)
at org.eclipse.scout.http.servletfilter.HttpServletEx.service(HttpServletEx.java:35)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:384)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:598)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:486)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1065)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:413)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:999)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:350)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:900)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:954)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:851)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:606)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.SecurityException: access denied
at com.sageway.ems.server.ServerSession.execLoadSession(ServerSession.java:56)
at org.eclipse.scout.rt.server.AbstractServerSession.loadSession(AbstractServerSession.java:212)
at org.eclipse.scout.rt.server.services.common.session.ServerSessionRegistryService$1.runTransaction(ServerSessionRegistryService.java:56)
at org.eclipse.scout.rt.server.ServerJob.runTransactionWrapper(ServerJob.java:202)
at org.eclipse.scout.rt.server.ServerJob.access$0(ServerJob.java:190)
at org.eclipse.scout.rt.server.ServerJob$1.run(ServerJob.java:161)
at org.eclipse.scout.rt.server.ServerJob$1.run(ServerJob.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.eclipse.scout.rt.server.ServerJob.run(ServerJob.java:156)
at org.eclipse.scout.commons.job.JobEx.runNow(JobEx.java:50)
at org.eclipse.scout.rt.server.ServerJob.runNow(ServerJob.java:148)
at org.eclipse.scout.rt.server.services.common.session.ServerSessionRegistryService.newServerSession(ServerSessionRegistryService.java:60)
... 45 more

So it seems the RAP client only tries to authenticate to the server as anonymous, and gets the error since I set the server session to require a login ID.

So RAP is actually logging in to its own client app only. How do I force RAP to log in to the server?

Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1098599 is a reply to message #1093831] Sat, 31 August 2013 10:21
Chris Monty
Hi Li Hao,

You wrote:
Quote:
Looks like the RAP app does not attempt to authenticate to the server by logging in with the ID/password I supplied; the Swing and SWT clients will submit the ID/password to the server.


You need to understand that RAP is a bit special because it doesn't authenticate with the Server. Swing and SWT clients have to authenticate with the Server, but RAP handles its own authentication independently, and it has its own config.ini and plugin.xml.

This means that if you configure a BasicSecurityFilter on the server, and an AnonymousSecurityFilter in RAP, Swing and SWT will be required to enter login credentials, but RAP won't. Yes it's ugly (imho - a unified authentication mechanism would be preferable), but in a way this also makes debugging easier because you know the two applications are independent of each other; if you are having issues with RAP authentication, the problem most likely lies within RAP's configuration.

To solve your problem, I would take the following steps:

  1. Configure an AnonymousSecurityFilter on the Server.
    If you have problems here, it will likely be related to issues with your aliases in the Server's plugin.xml.
  2. Change to a BasicSecurityFilter on the Server.
    This proves that the BasicSecurityFilter works.
  3. Configure an AnonymousSecurityFilter on RAP.
    If you have problems here, it will likely be related to issues with your aliases in RAP's plugin.xml.
  4. Change to a BasicSecurityFilter on RAP.

Hope this helps.

EDIT: Since I'm ranting about the pitfalls of having two authentication methods, it's worth pointing out that this is the reason why you will never be able to get a RAP application working on a Derby DB with a DataSourceSecurityFilter. RAP's DataSourceSecurityFilter will try to connect to the DB, but Derby doesn't support multiple connections. A single authentication method would solve this. Not that anyone really uses Derby anyway.

[Updated on: Sat, 31 August 2013 10:27]
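
Editor's added example (not part of any post and not Scout code): a small check for the two configuration points made in this thread, namely that a login filter on RAP must list "/" as well as "/web", and that the server and RAP web apps each have their own plugin.xml and config.ini, so one can require a login while the other does not. The function names, the "/process" server alias and the sample configurations are constructed for illustration, and treating a filter with no `active` setting as inactive is an assumption.

```python
import xml.etree.ElementTree as ET

POINT = "org.eclipse.scout.http.servletfilter.filters"
PKG = "org.eclipse.scout.http.servletfilter.security."
AUTH = {"BasicSecurityFilter", "DataSourceSecurityFilter"}  # filters that ask for a login

def parse_config_ini(text):
    """Map 'Class#param=value' lines to {class: {param: value}}."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")  # split at the first '=' only
        if sep and "#" in key:
            cls, _, param = key.partition("#")
            cfg.setdefault(cls, {})[param] = value
    return cfg

def active_filters(plugin_xml, config_ini):
    """[(short class name, aliases)] for filters switched on in one web app. Assumption:
    config.ini '#active' overrides an 'active' init-param; neither set means inactive."""
    cfg, found = parse_config_ini(config_ini), []
    for f in ET.fromstring(plugin_xml).findall(f".//extension[@point='{POINT}']/filter"):
        init = {p.get("name"): p.get("value") for p in f.findall("init-param")}
        state = cfg.get(f.get("class"), {}).get("active", init.get("active"))
        if state == "true":
            found.append((f.get("class").rsplit(".", 1)[-1], f.get("aliases", "").split()))
    return found

def lint(apps, ui_alias="/web"):
    """apps: {name: (plugin.xml text, config.ini text)}. Returns a list of findings."""
    findings, needs_login = [], {}
    for app, (xml_text, ini_text) in apps.items():
        auth = [(n, a) for n, a in active_filters(xml_text, ini_text) if n in AUTH]
        needs_login[app] = bool(auth)
        for name, aliases in auth:
            if ui_alias in aliases and "/" not in aliases:
                findings.append(f"{app}: {name} covers {ui_alias} but not /")
    if len(set(needs_login.values())) > 1:  # one app asks for a login, another does not
        open_apps = sorted(a for a, v in needs_login.items() if not v)
        findings.append("no login filter active on: " + ", ".join(open_apps))
    return findings

# Constructed sample input (not taken from a real deployment).
def plugin(filters):
    rows = "".join(f'<filter aliases="{a}" class="{PKG}{n}" ranking="10"/>' for n, a in filters)
    return f'<plugin><extension point="{POINT}">{rows}</extension></plugin>'
def ini(**active):
    return "\n".join(f"{PKG}{n}#active={v}" for n, v in active.items())

BEFORE = plugin([("AnonymousSecurityFilter", "/"), ("BasicSecurityFilter", "/web")])
FIXED = plugin([("AnonymousSecurityFilter", "/"), ("BasicSecurityFilter", "/ /web")])
BASIC_ON = ini(AnonymousSecurityFilter="false", BasicSecurityFilter="true")
ANON_ON = ini(AnonymousSecurityFilter="true", BasicSecurityFilter="false")
SERVER = (plugin([("BasicSecurityFilter", "/process")]), BASIC_ON)

if __name__ == "__main__":
    for rap in [(BEFORE, BASIC_ON), (FIXED, BASIC_ON), (FIXED, ANON_ON)]:
        print(lint({"server": SERVER, "rap": rap}))
```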
