RAP + BasicSecurityFilter + Tomcat = :'( [message #1067841]
Wed, 10 July 2013 19:48
Chris Monty Messages: 26 Registered: July 2013
Junior Member
I've discovered three things which, as far as I can tell, simply refuse to play nice together. RAP, any form of authentication requiring a login-dialog (anything except AnonymousSecurityFilter), and Tomcat.
I have a Scout application which uses a DataSourceSecurityFilter. From Eclipse, the development RAP target runs in my browser beautifully. I wanted to have it running on Tomcat, so I created the .war packages and installed them on my local Tomcat server. Swing and SWT worked as expected. RAP however, does not.
When I point my browser to the /web alias, a login dialog appears which rejects false login/password combos. Once a correct login is entered, it redirects the browser to a broken page (see brokenpage.png attachment).
Viewing the page source, there is the message contained within the HTML:
Quote:Your browser or browser-setup is not supported. <br />Please use one of: IE 7+, Firefox 3.5+, Safari 4+, Google Chrome 7+ or Opera 10+.<br />Ensure that Javascript is enabled and XMLHttpRequests are allowed.
Now here's the fun bit. I edit the deployed config.ini (in \work\Catalina\localhost\appname\eclipse\configuration), disable the DataSourceSecurityFilter and enable the AnonymousSecurityFilter, restart the web application and try again. It works fine.
What I've concluded from my trials is that something is going awry with message passing between the RAP and server applets at authentication time (my finger is pointed at HttpServletRequest at this stage). I've read that browsers will block inter-server XMLHttpRequests (http://gis.stackexchange.com/questions/38855/xmlhttprequest-cannot-load-http-localhost-geoserver-wfs-origin-http-local), but I didn't think that would apply to two servlets on the same server. I also found something else which could be related: http://tomcat.10.x6.nabble.com/Session-IDs-amp-XMLHttpRequests-td2055494.html
There's one final possibility, and that's that I've missed some glaringly obvious step somewhere in the deployment process. I imagine that authenticated RAP deployments would be quite common so this ground must have been covered before.
I've managed to create a fairly simple example which reproduces the problem. Today I followed the following steps:
1. Download and install a fresh install of Scout (I'm using Kepler, 3.9.0.20130612).
2. Create a new Scout project (I named it 'test') with all bundles.
3. Download and install a fresh Tomcat (I'm using 7.0.42).
4. Export the Scout projects, copy the test.war and test_server.war into the Tomcat /webapps folder and let them load.
5. Point your browser to localhost:8080/test/web, which will work.
6. Edit \work\Catalina\localhost\test\eclipse\configuration\config.ini. Disable the AnonymousSecurityFilter and enable the BasicSecurityFilter.
7. Restart the test servlet.
8. Hit refresh on localhost:8080/test/web.
9. You will be prompted for a login, but the RAP UI won't load.
If this pitfall is known, some places to consider adding documentation would be here, here and here.
Also, I noticed that the DataSourceSecurityFilter authentication and Derby don't mix either, as Derby doesn't accept multiple DB connections. Perhaps it's worth mentioning in the Derby DB or Authentication tutorial?
[Updated on: Wed, 10 July 2013 23:07]
Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1069695 is a reply to message #1069412]
Tue, 16 July 2013 12:13
Chris Monty Messages: 26 Registered: July 2013
Junior Member
Thanks Claudio for your reply. With your help, I have solved the problem. Scroll to the bottom for the short version.
The forum discussions you linked to suggested that it might have to do with RAP trying to access JavaScript files on the server, and Tomcat was denying access to it. Seems it's possible, but nobody remembers quite how they did it - like George's Marvellous Medicine in a way. Well, knowing that it was possible, and that it had something to do with file access, I got this sneaking suspicion and tried a few things out. And managed to get it working.
Here's the important part of my new and improved RAP plugin.xml:
<extension point="org.eclipse.scout.http.servletfilter.filters">
  <filter
      aliases="/"
      class="org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter"
      ranking="10">
  </filter>
  <filter
      aliases="/ /web"
      class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
      ranking="20">
  </filter>
  <filter
      aliases="/"
      class="org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter"
      ranking="-1000000">
    <init-param
        name="active"
        value="true">
    </init-param>
  </filter>
</extension>
And the RAP production config.ini:
org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=test Development
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=admin\=manager,allen\=allen,blake\=blake
The crucial update lies in the aliases. You have to give the aliases "/web" AND "/" to the BasicSecurityFilter, as it needs permission to access resources in "/" as well. I've applied this to my DataSourceSecurityFilter, and it works.
Ah, software development. I think I just spent the better part of a week searching for a missing "/" character.
I'd really like to see this crucial bit of info added to the tutorials (and possibly to the default generated plugin.xml). Is there somewhere better than here to suggest that?
[Updated on: Tue, 16 July 2013 12:18]
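An added example, not part of the original post and not Scout code: a small pre-deployment check for the condition described above, which reads the filter extension from a plugin.xml and the `#active` switches from a config.ini and reports every alias that no enabled `*SecurityFilter` is registered for. The sample inputs are constructed from the post (the "/web"-only variant is an assumed reconstruction of the broken setup); comparing aliases as literal strings and treating a filter without an `#active` entry as enabled are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

EXT_POINT = "org.eclipse.scout.http.servletfilter.filters"
SEC = "org.eclipse.scout.http.servletfilter.security."

def filter_xml(basic_aliases):
    # Constructed plugin.xml fragment modelled on the post; only the
    # BasicSecurityFilter aliases vary between the broken and fixed variants.
    return f"""<plugin><extension point="{EXT_POINT}">
  <filter aliases="/" class="{SEC}AnonymousSecurityFilter" ranking="10"/>
  <filter aliases="{basic_aliases}" class="{SEC}BasicSecurityFilter" ranking="20"/>
  <filter aliases="/" class="org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter" ranking="-1000000">
    <init-param name="active" value="true"/>
  </filter>
</extension></plugin>"""

# Constructed config.ini excerpt with the switches shown in the post.
CONFIG_INI = f"""
{SEC}AnonymousSecurityFilter#active=false
{SEC}BasicSecurityFilter#active=true
{SEC}BasicSecurityFilter#realm=test Development
"""

def active_flags(config_text):
    """Map filter class name -> bool from 'class#active=value' lines."""
    flags = {}
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.endswith("#active"):
            flags[key[:-len("#active")]] = value.strip().lower() == "true"
    return flags

def uncovered_aliases(plugin_xml, config_text):
    """Return aliases that no enabled *SecurityFilter is registered for."""
    flags = active_flags(config_text)
    all_aliases, covered = set(), set()
    for ext in ET.fromstring(plugin_xml).iter("extension"):
        if ext.get("point") != EXT_POINT:
            continue
        for flt in ext.iter("filter"):
            aliases = set(flt.get("aliases", "").split())  # whitespace-separated
            all_aliases |= aliases
            cls = flt.get("class", "")
            # Assumption: no '#active' entry means the filter is enabled.
            if cls.endswith("SecurityFilter") and flags.get(cls, True):
                covered |= aliases
    return sorted(all_aliases - covered)

if __name__ == "__main__":
    print("'/web' only:", uncovered_aliases(filter_xml("/web"), CONFIG_INI))
    print("'/ /web':   ", uncovered_aliases(filter_xml("/ /web"), CONFIG_INI))
```
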
Re: RAP + BasicSecurityFilter + Tomcat = :'( [message #1098599 is a reply to message #1093831]
Sat, 31 August 2013 10:21
Chris Monty Messages: 26 Registered: July 2013
Junior Member
Hi Li Hao,
You wrote:
Quote:Looks like RAP app does not attempt to authenticate to the server by login using the ID/password I supplied, swing and swt client will submit the id/password to the server.
You need to understand that RAP is a bit special because it doesn't authenticate with the Server. Swing and SWT clients have to authenticate with the Server, but RAP handles its own authentication independently, and it has its own config.ini and plugin.xml.
This means that if you configure a BasicSecurityFilter on the server, and an AnonymousSecurityFilter in RAP, Swing and SWT will be required to enter login credentials, but RAP won't. Yes it's ugly (imho - a unified authentication mechanism would be preferable), but in a way this also makes debugging easier because you know the two applications are independent of each other; if you are having issues with RAP authentication, the problem most likely lies within RAP's configuration.
To solve your problem, I would take the following steps:
- Configure an AnonymousSecurityFilter on the Server.
  If you have problems here, it will likely be related to issues with your aliases in the Server's plugin.xml.
- Change to a BasicSecurityFilter on the Server.
  This proves that the BasicSecurityFilter works.
- Configure an AnonymousSecurityFilter on RAP.
  If you have problems here, it will likely be related to issues with your aliases in RAP's plugin.xml.
- Change to a BasicSecurityFilter on RAP.
Hope this helps.
EDIT: Since I'm ranting about the pitfalls of having two authentication methods, it's worth pointing out that this is the reason why you will never be able to get a RAP application working on a Derby DB with a DataSourceSecurityFilter. RAP's DataSourceSecurityFilter will try to connect to the DB, but Derby doesn't support multiple connections. A single authentication method would solve this. Not that anyone really uses Derby anyway.
[Updated on: Sat, 31 August 2013 10:27]