Re: [jetty-users] Programmatically Configuring JASPI for Embedded Jetty
That would be useful!
Thanks, Jan.
--larry
On Thu, Feb 14, 2013 at 8:15 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
> Hi Larry,
>
> Good to hear your use-case for jetty-jaspi, and even more interesting
> to hear you were on the jsr! I'm positive the jetty-jaspi code needs
> some luvin', so if you have any time at all to take a look over it,
> kick the tires and contribute any comments and/or improvements back,
> then that would be most welcome!
>
> In the meanwhile, I will clean up the little test webapp I have that
> uses geronimo-jaspi jars and put it into a public repo - will post
> back here when it's done.
>
> cheers
> Jan
>
> On 15 February 2013 11:28, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>> Hi Jan -
>>
>> Thank you for your response.
>>
>> I will have to resurrect that work now and try and close the remaining gaps.
>>
>> Personally, I like the programming model afforded by JASPIC and that
>> it empowers you to be able to guide the container in setting the
>> security context without getting into container specifics.
>>
>> We are developing a platform that has pluggable authentication
>> providers and things like shiro are great but I end up having to
>> normalize the authenticated user as a standard Subject afterward and
>> then execute a doAs() - which the SecurityManager frowns upon and is
>> not really intended as part of the application programming model.
>>
>> By leveraging the SPI provided by JASPIC you are plugged directly into
>> container code and can portably control the EE security context
>> without having to mess with Java security policy. This is a beautiful
>> thing.
>>
>> Unfortunately, JASPIC has had its own lack of marketing and
>> documentation issues.
>>
>> There are some interesting AuthModules available that I would like to
>> be able to take advantage within our platform however and that's why I
>> am pursuing JASPI on Jetty.
>>
>> By the way, as a member of the JSR-196 EG, I am a bit biased.
>> :-)
>>
>> As I make further progress on this - I will let you know.
>>
>> Peace,
>>
>> --larry
>>
>> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
>>> Hi Larry,
>>>
>>> I'm impressed you've managed to get this far, as we've historically
>>> done a terrible job of documenting jaspi in jetty!
>>>
>>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>>> jars, and a very early version of those geronimo jars at that.
>>>
>>> So in addition to what you've got already, here's the other pieces
>>> that I have used in a working test webapp using jaspi:
>>>
>>> + these geronimo-jaspi dependencies:
>>> <dependency>
>>>   <groupId>org.apache.geronimo.components</groupId>
>>>   <artifactId>geronimo-jaspi</artifactId>
>>>   <version>2.0-SNAPSHOT</version>
>>>   <exclusions>
>>>     <exclusion>
>>>       <groupId>org.apache.geronimo.specs</groupId>
>>>       <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>>     </exclusion>
>>>   </exclusions>
>>> </dependency>
>>> <dependency>
>>>   <groupId>org.apache.geronimo.specs</groupId>
>>>   <artifactId>geronimo-osgi-locator</artifactId>
>>>   <version>1.0</version>
>>> </dependency>
>>>
>>>
>>> + a system property pointing to a geronimo jaspi config file (which
>>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>>> -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>>
>>> + a geronimo jaspi config file:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>>
>>> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>>   <configProvider>
>>>     <messageLayer>HTTP</messageLayer>
>>>     <appContext>server /foo</appContext>
>>>     <description>description</description>
>>>     <serverAuthConfig>
>>>       <authenticationContextID>authenticationContextID2</authenticationContextID>
>>>       <protected>true</protected>
>>>       <serverAuthContext>
>>>         <serverAuthModule>
>>>           <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>>           <options>
>>>             org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>>             org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>>           </options>
>>>         </serverAuthModule>
>>>       </serverAuthContext>
>>>     </serverAuthConfig>
>>>     <persistent>true</persistent>
>>>   </configProvider>
>>> </jaspi>
>>>
>>>
>>> Hopefully that might help you get a bit further.
>>>
>>> I'm interested to hear if many others on the lists are trying to use
>>> or are using the jetty-jaspi integration. Our impression is that it is
>>> hardly used by anyone. Of course, that could be because the
>>> documentation is missing! However, before we direct more of our
>>> limited resources to the jaspi stuff, we'd like to hear from the user
>>> community - is this something that you are using, or are likely to
>>> use???
>>>
>>> Jan
>>>
>>> On 17 January 2013 03:53, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>>> Greetings -
>>>>
>>>> I am working on an embedded Jetty project in which we programmatically
>>>> deploy the WebAppContexts for dynamically created WebApps.
>>>> What I would like to do is configure the use of JASPI per application.
>>>>
>>>> The following code is being used at deployment time:
>>>>
>>>> private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>>   String name = topology.getName();
>>>>   String warPath = warFile.getAbsolutePath();
>>>>   WebAppContext context = new WebAppContext();
>>>>   context.setDefaultsDescriptor( null );
>>>>   context.setContextPath( "/" + path + "/" + name );
>>>>   context.setWar( warPath );
>>>>
>>>>   JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>>   SecurityHandler handler = new ConstraintSecurityHandler();
>>>>   handler.setAuthenticatorFactory(authenticatorFactory);
>>>>   JAASLoginService ls = new JAASLoginService();
>>>>   ls.setName("JAASRealm");
>>>>   ls.setLoginModuleName("jaas");
>>>>   ls.setIdentityService(new DefaultIdentityService());
>>>>   handler.setLoginService(ls);
>>>>   authenticatorFactory.setLoginService(ls);
>>>>   jetty.addBean(ls);
>>>>   Constraint constraint = new Constraint();
>>>>   constraint.setName(constraint.__BASIC_AUTH);
>>>>   constraint.setRoles(new String[]{"user","admin","moderator"});
>>>>   constraint.setAuthenticate(true);
>>>>
>>>>   ConstraintMapping cm = new ConstraintMapping();
>>>>   cm.setConstraint(constraint);
>>>>   cm.setPathSpec("/*");
>>>>   // handler.setAuthMethod("BASIC");
>>>>   handler.setRealmName("JAASRealm");
>>>>   ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>>>   context.setSecurityHandler(handler);
>>>>   internalUndeploy( topology );
>>>>   deployments.put( name, context );
>>>>   contexts.addHandler( handler );
>>>>   contexts.addHandler( context );
>>>>   try {
>>>>     context.start();
>>>>   } catch( Exception e ) {
>>>>     //TODO: I18N message
>>>>     e.printStackTrace();
>>>>   }
>>>> }
>>>>
>>>>
>>>> and I am encountering the following stacktrace:
>>>>
>>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.session.SessionHandler@786c1a82: java.lang.IllegalStateException: No ServerAuthentication
>>>> java.lang.IllegalStateException: No ServerAuthentication
>>>>     at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>>>     at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>>     at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>>     at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>>>     at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>>>     at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>>>     at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>>>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>     at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>>>     at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>>>     at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>>>     at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>>>     at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>>>     at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>>>     at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>>>     at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>>
>>>> Looking at the ServerHandler code this indicates that no authenticator is
>>>> being found in the following code snippet:
>>>> ...
>>>>
>>>> if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>>> {
>>>>     _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this,
>>>>         _identityService, _loginService);
>>>>     if (_authenticator!=null)
>>>>         _authMethod=_authenticator.getAuthMethod();
>>>> }
>>>>
>>>> if (_authenticator==null)
>>>> {
>>>>     if (_realmName!=null)
>>>>     {
>>>>         LOG.warn("No ServerAuthentication for "+this);
>>>>         throw new IllegalStateException("No ServerAuthentication");
>>>>     }
>>>> }
>>>> else
>>>> {
>>>>     _authenticator.setConfiguration(this);
>>>>     if (_authenticator instanceof LifeCycle)
>>>>         ((LifeCycle)_authenticator).start();
>>>> }
>>>>
>>>> ...
>>>>
>>>> Can anyone tell what is missing from my configuration code or alternatively
>>>> point me to relevant tests?
>>>>
>>>> Thank you in advance!
>>>>
>>>> --larry
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> jetty-users mailing list
>>>> jetty-users@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>>
>>>
>>>
>>>
>>> --
>>> Jan Bartel <janb@xxxxxxxxxxx>
>>> www.webtide.com – Developer advice, services and support
>>> from the Jetty & CometD experts.
>
>
>
> --
> Jan Bartel <janb@xxxxxxxxxxx>
> www.webtide.com – Developer advice, services and support
> from the Jetty & CometD experts.
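
An added example, not part of the original thread and not Jetty or Geronimo code: a pre-deployment check, using only the standard JSR-196 `AuthConfigFactory` API, that fails with a list of what is actually registered when no provider matches the context, which is the condition behind the "No ServerAuthentication" error quoted above. The class and method names (`JaspiPreflight`, `appContextFor`, `registered`, `requireProvider`) are hypothetical, and the lookup key format `"<serverName> <contextPath>"` with server name `server` is an assumption taken from `<appContext>server /foo</appContext>` in the quoted jaspi.xml.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigFactory.RegistrationContext;
import javax.security.auth.message.config.AuthConfigProvider;

/** Added example: verify a JASPIC provider is registered before starting a context. */
public final class JaspiPreflight {

    // Layer name taken from <messageLayer> in the jaspi.xml quoted in the thread.
    static final String LAYER = "HTTP";

    // Assumption: the registration key is "<serverName> <contextPath>",
    // matching <appContext>server /foo</appContext> in the quoted config.
    static String appContextFor(String serverName, String contextPath) {
        return serverName + " " + contextPath;
    }

    /** Lists every active registration as "layer | appContext" for diagnostics. */
    static List<String> registered(AuthConfigFactory factory) {
        List<String> out = new ArrayList<String>();
        String[] ids = factory.getRegistrationIDs(null); // null selects all providers
        if (ids == null) return out;
        for (String id : ids) {
            RegistrationContext rc = factory.getRegistrationContext(id);
            if (rc != null) out.add(rc.getMessageLayer() + " | " + rc.getAppContext());
        }
        return out;
    }

    /** Fails closed: throws instead of letting a context deploy without a provider. */
    static AuthConfigProvider requireProvider(String serverName, String contextPath) {
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        if (factory == null)
            throw new IllegalStateException("No AuthConfigFactory installed");
        String appContext = appContextFor(serverName, contextPath);
        AuthConfigProvider provider = factory.getConfigProvider(LAYER, appContext, null);
        if (provider == null)
            throw new IllegalStateException("No AuthConfigProvider for layer=" + LAYER
                + " appContext='" + appContext + "'; registered: " + registered(factory));
        return provider;
    }

    public static void main(String[] args) {
        String contextPath = args.length > 0 ? args[0] : "/foo"; // sample path from the thread
        requireProvider("server", contextPath);
        System.out.println("Provider found for " + appContextFor("server", contextPath));
    }
}
```

Run it with the same classpath and `-Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml` setting as the server, so the factory sees the same registrations the deployment would.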