[jetty-users] Role checking with JAAS settings gives Problem


Hello,

I am using Jetty 7.2.2 v20101205. I am trying to change the shipped test application's authentication mechanisms.
Please find the test application's test.xml and a snippet from web.xml, along with the HTTP headers that I received in my Mozilla browser.
I have configured test.xml for ConstraintSecurityHandler, and loginModuleName points to the correct settings.
In web.xml, I commented out the remaining constraints that are shipped with the test application. I commented out the security roles at the bottom of the shipped test application's web.xml.
web.xml snippet
<security-constraint>
    <web-resource-collection>
      <web-resource-name>Any User</web-resource-name>
      <url-pattern>/dump/auth/*</url-pattern>
      <url-pattern>*.htm</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Test_JAAS_Realm</realm-name>
    <form-login-config>
       <form-login-page>/logon.html?param=test1</form-login-page>
       <form-error-page>/logonError.html?param=test1</form-error-page>
    </form-login-config>
  </login-config>
 
 
snippet from test.xml
<Set name="securityHandler">
    <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
     <Set name="loginService">
       <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
         <Set name="name">Test_JAAS_Realm</Set>
         <Set name="loginModuleName">xyz</Set>
       </New>
     </Set>
  <!-- <Set name="strict">false</Set> -->
 </New>
</Set>

login.conf
xyz {
       com.sun.security.auth.module.NTLoginModule required
             debug="true"
             debugNative="true";
    };
command line parameters:
java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=1044  -Djava.security.auth.login.config=C:\Jetty\jetty2\wjetty\login.conf -jar start.jar  
 
 

The problem that I face I have put below in the form of HTTP headers.
HTTP/1.1 403 !role
Date: Mon, 28 Feb 2011 10:46:03 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1371
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(7.2.2.v20101205)
 
After debugging, I realised that:
At org.eclipse.jetty.security.SecurityHandler.java:459
 boolean authorized=checkWebResourcePermissions(pathInContext, baseRequest, base_response, constraintInfo, userAuth.getUserIdentity());
I am getting authorized = false.
 
 
Please look at the HTTP headers:
At line 1, I send a POST for /j_security_check (form submission); the browser got a 302 in return (at line 17, meaning that after successful authentication
a redirection to /dump/auth/info was done).
At line 24 the browser sent /dump/auth/info, for which at line 38 I get a 403 saying the constraint for the URL was not satisfied.
 
If I set the strict value (for securityHandler, in test.xml) to false, I am not able to clear the constraint -- even though I gave a wrong userid/pwd.
Note: I have attached the changed web.xml, the changed test.xml and afterLogin.txt - this has the HTTP headers after I submit the login form.
 
Regards
Vinod
 

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app 
   xmlns="http://java.sun.com/xml/ns/javaee" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
   version="2.5"> 

  <display-name>Test WebApp</display-name>
  
  <context-param>
    <param-name>org.eclipse.jetty.server.context.ManagedAttributes</param-name>
    <param-value>QoSFilter,TransparentProxy.Logger,TransparentProxy.ThreadPool,TransparentProxy.HttpClient</param-value>
  </context-param>
  
  <!-- Declare TestListener, which declares TestFilter -->
  <listener>
    <listener-class>com.acme.TestListener</listener-class>
  </listener>

  <filter>
    <filter-name>TestFilter</filter-name>
    <filter-class>com.acme.TestFilter</filter-class>
    <init-param>
      <param-name>remote</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>TestFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


  <filter>
    <filter-name>QoSFilter</filter-name>
    <filter-class>org.eclipse.jetty.servlets.QoSFilter</filter-class>
    <init-param>
      <param-name>maxRequests</param-name>
      <param-value>20</param-value>
    </init-param>
    <init-param>
      <param-name>managedAttr</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>  
  <filter-mapping>
    <filter-name>QoSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


  <filter>
    <filter-name>MultiPart</filter-name>
    <filter-class>org.eclipse.jetty.servlets.MultiPartFilter</filter-class>
    <init-param>
      <param-name>deleteFiles</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>MultiPart</filter-name>
    <url-pattern>/dump/*</url-pattern>
  </filter-mapping>
  

  <filter>
    <filter-name>GzipFilter</filter-name>
    <filter-class>org.eclipse.jetty.servlets.IncludableGzipFilter</filter-class>
    <init-param>
      <param-name>bufferSize</param-name>
      <param-value>8192</param-value>
    </init-param>
    <init-param>
      <param-name>minGzipSize</param-name>
      <param-value>2048</param-value>
    </init-param>
    <init-param>
      <param-name>userAgent</param-name>
      <param-value>(?:Mozilla[^\(]*\(compatible;\s*+([^;]*);.*)|(?:.*?([^\s]+/[^\s]+).*)</param-value>
    </init-param>
    <init-param>
      <param-name>cacheSize</param-name>
      <param-value>1024</param-value>
    </init-param>
    <init-param>
      <param-name>excludedAgents</param-name>
      <param-value>MSIE 6.0</param-value>
    </init-param>
    <init-param>
      <param-name>uncheckedPrintWriter</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>GzipFilter</filter-name>
    <url-pattern>/dump/gzip/*</url-pattern>
  </filter-mapping>
  
  

  <!-- Comment out to support PUT and DELETE
  <filter>
    <filter-name>RestFilter</filter-name>
    <filter-class>org.eclipse.jetty.servlets.RestFilter</filter-class>
    <async-support>true</async-support>
    <init-param>
      <param-name>maxPutSize</param-name><param-value>1024</param-value>
    </init-param>
  </filter>
  
  <filter-mapping>
    <filter-name>RestFilter</filter-name>
    <servlet-name>default</servlet-name>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  -->


  <servlet>
    <servlet-name>Hello</servlet-name>
    <servlet-class>com.acme.HelloWorld</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>Hello</servlet-name>
    <url-pattern>/hello/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>Dump</servlet-name>
    <servlet-class>com.acme.Dump</servlet-class>
    <load-on-startup>1</load-on-startup>
    <run-as><role-name>admin</role-name></run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>Dump</servlet-name>
    <url-pattern>/dump/*</url-pattern>
    <url-pattern>*.dump</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>Session</servlet-name>
    <servlet-class>com.acme.SessionDump</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>Session</servlet-name>
    <url-pattern>/session/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>Cookie</servlet-name>
    <servlet-class>com.acme.CookieDump</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>Cookie</servlet-name>
    <url-pattern>/cookie/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>Dispatch</servlet-name>
    <servlet-class>com.acme.DispatchServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>Dispatch</servlet-name>
    <url-pattern>/dispatch/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>CGI</servlet-name>
    <servlet-class>org.eclipse.jetty.servlets.CGI</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>CGI</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>Chat</servlet-name>
    <servlet-class>com.acme.ChatServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>Chat</servlet-name>
    <url-pattern>/chat/*</url-pattern>
  </servlet-mapping>
  
  <servlet>
    <servlet-name>WSChat</servlet-name>
    <servlet-class>com.acme.WebSocketChatServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>WSChat</servlet-name>
    <url-pattern>/ws/*</url-pattern>
  </servlet-mapping>
  
  
  <servlet>
    <servlet-name>Rewrite</servlet-name>
    <servlet-class>com.acme.RewriteServlet</servlet-class>
  </servlet>
  
  <servlet-mapping>
    <servlet-name>Rewrite</servlet-name>
    <url-pattern>/rewritten/*</url-pattern>
    <url-pattern>/redirected/*</url-pattern>
  </servlet-mapping>
  
  
  <servlet>
    <servlet-name>SecureMode</servlet-name>
    <servlet-class>com.acme.SecureModeServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>SecureMode</servlet-name>
    <url-pattern>/secureMode/*</url-pattern>
  </servlet-mapping>
  
  
  <servlet>
    <servlet-name>TransparentProxy</servlet-name>
    <servlet-class>org.eclipse.jetty.servlets.ProxyServlet$Transparent</servlet-class>
    <init-param>
      <param-name>Prefix</param-name><param-value>/javadoc</param-value>
    </init-param>
    <init-param>
      <param-name>ProxyTo</param-name><param-value>http://download.eclipse.org/jetty/stable-7/apidocs</param-value>
    </init-param>
    <init-param>
      <param-name>HostHeader</param-name><param-value>download.eclipse.org</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>TransparentProxy</servlet-name>
    <url-pattern>/javadoc/*</url-pattern>
  </servlet-mapping>
  
  <error-page>
    <error-code>404</error-code>
    <location>/error404.html</location>
  </error-page>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Any User</web-resource-name>
      <url-pattern>/dump/auth/*</url-pattern>
      <url-pattern>*.htm</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
<!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>relax</web-resource-name>
      <url-pattern>/dump/auth/relax/*</url-pattern>
      <url-pattern>/auth/relax.txt</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
  </security-constraint>
-->
  <!-- <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Role</web-resource-name>
      <url-pattern>/dump/auth/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint> -->
<!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Forbidden</web-resource-name>
      <url-pattern>/dump/auth/noaccess/*</url-pattern>
      <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/dump/auth/ssl/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
-->
<!--
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>
-->

<!--
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>
-->

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Test_JAAS_Realm</realm-name>
    <form-login-config>
       <form-login-page>/logon.html?param=test1</form-login-page>
       <form-error-page>/logonError.html?param=test1</form-error-page>
    </form-login-config>
  </login-config>
  
  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>

  <!--<security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role> -->

</web-app>


<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- ==================================================================
Configure and deploy the test web application in $(jetty.home)/webapps/test

Note. If this file did not exist or used a context path other that /test
then the default configuration of jetty.xml would discover the test
webapplication with a WebAppDeployer.  By specifying a context in this
directory, additional configuration may be specified and hot deployments 
detected.
===================================================================== -->

<Configure class="org.eclipse.jetty.webapp.WebAppContext">


  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <!-- Required minimal context configuration :                        -->
  <!--  + contextPath                                                  -->
  <!--  + war OR resourceBase                                          -->
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <Set name="contextPath">/</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/test.war</Set>

  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <!-- Optional context configuration                                  -->
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <Set name="extractWAR">true</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
  <Set name="overrideDescriptor"><SystemProperty name="jetty.home" default="."/>/contexts/test.d/override-web.xml</Set>

  <!-- virtual hosts
  <Set name="virtualHosts">
    <Array type="String">
      <Item>www.myVirtualDomain.com</Item>
      <Item>localhost</Item>
      <Item>127.0.0.1</Item>
    </Array>
  </Set>
  -->

  <!-- disable cookies 
  <Get name="sessionHandler">
     <Get name="sessionManager">
        <Set name="usingCookies" type="boolean">false</Set>
     </Get>
  </Get>
  -->

  <!--
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
	    <Set name="name">Test Realm</Set>
	    <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set> -->
            <!-- To enable reload of realm when properties change, uncomment the following lines -->
            <!-- changing refreshInterval (in seconds) as desired                                -->
            <!-- 
            <Set name="refreshInterval">5</Set>
            <Call name="start"></Call>
            -->
<!--      </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
  </Get>
  -->

  <Set name="securityHandler">
    <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
     <Set name="loginService">
       <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
         <Set name="name">Test_JAAS_Realm</Set>
         <Set name="loginModuleName">xyz</Set>
			<!-- 
		   <Set name="RoleCheckPolicy">
			<New class="org.eclipse.jetty.plus.jaas.StrictRoleCheckPolicy"/>
		  </Set>  -->
		  <!--<Set name="CallbackHandlerClass">
			   org.eclipse.jetty.plus.jaas.callback.DefaultCallbackHandler
		  </Set>-->
		  <!-- <Set name="roleClassNames">
			<Array type="java.lang.String">
			  <Item>org.eclipse.jetty.plus.jaas.JAASRole</Item>
			</Array> 
		  </Set> -->

		 
       </New>
     </Set>
	 <!-- <Set name="strict">false</Set> -->
	</New>
  </Set>
  
  
  
  <!-- Non standard error page mapping -->
  <!--
  <Get name="errorHandler">
    <Call name="addErrorPage">
      <Arg type="int">500</Arg>
      <Arg type="int">599</Arg>
      <Arg type="String">/dump/errorCodeRangeMapping</Arg>
    </Call>
  </Get>
  -->

  <!-- Add context specific logger
  <Set name="handler">
    <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler">
      <Set name="requestLog">
	<New id="RequestLogImpl" class="org.eclipse.jetty.server.NCSARequestLog">
	  <Set name="filename"><Property name="jetty.logs" default="./logs"/>/test-yyyy_mm_dd.request.log</Set>
	  <Set name="filenameDateFormat">yyyy_MM_dd</Set>
	  <Set name="append">true</Set>
	  <Set name="LogTimeZone">GMT</Set>
	</New>
      </Set>
    </New>
  </Set>
  -->

</Configure>
http://localhost:8080/j_security_check

POST /j_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/logon.html;jsessionid=1hymjqypxhwqu1puu3uwlj4rol?param=test1
Cookie: JSESSIONID=1hymjqypxhwqu1puu3uwlj4rol
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
j_username=*****&j_password=xxxxxxxx&submit=Login
HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 10:46:02 GMT
Set-Cookie: JSESSIONID=lxvjd3sslqzpmhlxala23ehp;Path=/
Location: http://localhost:8080/dump/auth/info
Content-Length: 0
Server: Jetty(7.2.2.v20101205)
----------------------------------------------------------
http://localhost:8080/dump/auth/info

GET /dump/auth/info HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/logon.html;jsessionid=1hymjqypxhwqu1puu3uwlj4rol?param=test1
Cookie: JSESSIONID=lxvjd3sslqzpmhlxala23ehp

HTTP/1.1 403 !role
Date: Mon, 28 Feb 2011 10:46:03 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1371
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(7.2.2.v20101205)
----------------------------------------------------------
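An added model of the authorization decision the post is debugging (the checkWebResourcePermissions call that returns false); it is not Jetty's code and not part of the original message. It assumes the Jetty 7 ConstraintSecurityHandler semantics that with strict=true (the default) a `*` role-name expands to the roles declared in `<security-role>`, while with strict=false it means any authenticated user; which principals count as user roles is left to the login service (the commented-out roleClassNames setting in test.xml), so the model takes user_roles as given.

```python
# Added example, not Jetty's code: a model of how a '*' <auth-constraint> is
# resolved and checked under the strict/non-strict semantics assumed above.
# declared_roles = the <security-role> names; user_roles = whatever the login
# service reports (for JAASLoginService, principals of the roleClassNames types).
from dataclasses import dataclass, field


@dataclass
class RoleInfo:
    checked: bool = True                # an <auth-constraint> is present
    forbidden: bool = False             # empty <auth-constraint/>: nobody
    any_role: bool = False              # '*' under strict=false
    roles: set = field(default_factory=set)


def resolve_constraint(constraint_roles, declared_roles, strict=True):
    """constraint_roles: None = no <auth-constraint>, [] = empty one."""
    info = RoleInfo()
    if constraint_roles is None:
        info.checked = False
        return info
    if not constraint_roles:
        info.forbidden = True
        return info
    for role in constraint_roles:
        if role == "*" and strict:
            # strict: '*' expands to every declared role, so with the
            # <security-role> elements commented out nothing can match
            info.roles.update(declared_roles)
        elif role == "*":
            info.any_role = True        # non-strict: any authenticated user
        elif strict and role not in declared_roles:
            raise ValueError("undeclared role: " + role)
        else:
            info.roles.add(role)
    return info


def check_permission(info, authenticated, user_roles):
    """True = authorized; False is what surfaces as '403 !role'."""
    if not info.checked:
        return True
    if info.forbidden:
        return False
    if info.any_role and authenticated:
        return True
    return any(r in user_roles for r in info.roles)


def replay_post():
    # 1. '*' constraint, <security-role> commented out, default strict -> 403
    as_posted = check_permission(resolve_constraint(["*"], set()), True, set())
    # 2. same constraint with strict=false -> any authenticated user passes
    relaxed = check_permission(
        resolve_constraint(["*"], set(), strict=False), True, set())
    # 3. roles declared again and the login service reporting 'user' -> passes
    declared = check_permission(
        resolve_constraint(["*"], {"admin", "user"}), True, {"user"})
    return as_posted, relaxed, declared
```

`replay_post()` returns `(False, True, True)`: the posted configuration is denied, the non-strict one admits any authenticated user regardless of the credentials typed, and declaring roles that the login service actually reports is the combination that passes under strict checking.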
