Re: [jetty-users] JASPI 196: make it work on Jetty 8

Code diffs have to come in through bugzilla before we can apply them,
so if you would open an issue on bugs.eclipse.org and attach the diff
there we can look at applying it... this is standard eclipse policy,
sorry about the hassle :)

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Wed, Sep 28, 2011 at 02:30, Guofeng Zhang <guofeng@xxxxxxxxxxxxx> wrote:
> The sources in jetty-7.5.1.v20110908/jetty-jaspi and
> jetty-8.0.1.v20110908/jetty-jaspi are the same as each other.
>
> JASPI does not work in jetty-7.5.1.v20110908. Merging what I changed into
> jetty-7.5.1.v20110908 works in my test, so you could first fix it in Jetty
> 7, then merge the fix to Jetty 8.
>
>
>
>
>
> From: jetty-users-bounces@xxxxxxxxxxx
> [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of Jan Bartel
> Sent: Wednesday, September 28, 2011 2:07 PM
> To: JETTY user mailing list
> Subject: Re: [jetty-users] JASPI 196: make it work on Jetty 8
>
>
>
> Hi,
>
> Thanks for that comprehensive information, we will certainly look into it.
>
> In saying that jetty-jaspi currently does not work well on jetty-8, does
> this mean that it is working fine
> with jetty-7? We try to maintain as much of the codebase in common between
> jetty-7 and jetty-8 as
> possible, so I'd like to know if this is something that should go into
> jetty-7, and will then get merged
> into jetty-8, or if this is a problem specific to jetty-8.
>
> thanks
> Jan
>
> On 28 September 2011 15:23, Guofeng Zhang <guofeng@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
>
>
> JASPI makes it easier for us to plug in other authentication modules (for
> example, using openID or another mechanism to authenticate users) on Jetty for
> container-managed security. There is a jetty-jaspi module in the Jetty source
> code base, but I think it has not been maintained for a long time.
>
> By making a little fix to the jetty-jaspi module, I made JASPI work well on
> Jetty 8. I attach the changes. I hope that, if I did it well, it could be merged
> into the next Jetty 8 release.
>
>
>
> To use JASPI:
>
> 1. Creating a JASPI configuration XML file for your auth module:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>
>     <configProvider>
>         <messageLayer>HTTP</messageLayer>
>         <appContext>/ui</appContext>
>         <description>description</description>
>         <serverAuthConfig>
>             <authenticationContextID>authenticationContextID2</authenticationContextID>
>             <protected>true</protected>
>             <serverAuthContext>
>                 <serverAuthModule>
>                     <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>                     <options>
>                         org.eclipse.jetty.security.jaspi.modules.LoginPage=/secure/jaaslogin
>                         org.eclipse.jetty.security.jaspi.modules.ErrorPage=/secure/jaaserror
>                     </options>
>                 </serverAuthModule>
>             </serverAuthContext>
>         </serverAuthConfig>
>         <persistent>true</persistent>
>     </configProvider>
>
> </jaspi>
>
> The above uses the Jetty built-in FormAuthModule. If you want to use the
> built-in Basic or Digest auth module, the <serverAuthModule> part should be:
>
>                 <serverAuthModule>
>                     <className>org.eclipse.jetty.security.jaspi.modules.DigestAuthModule</className>
>                     <options>
>                         org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
>                     </options>
>                 </serverAuthModule>
>
> Or
>
>                 <serverAuthModule>
>                     <className>org.eclipse.jetty.security.jaspi.modules.BasicAuthModule</className>
>                     <options>
>                         org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
>                     </options>
>                 </serverAuthModule>
>
>
>
> Here I use the JASPI implementation geronimo-jaspi 2.0-SNAPSHOT from
> geronimo-jaspi (https://github.com/apache/geronimo-jaspi). You could use the
> geronimo-jaspi 1.1.1 release, but you might need to implement
> javax.security.auth.message.config.AuthConfigProvider (and not
> javax.security.auth.message.module.ServerAuthModule) and configure it in the
> above XML file.
>
>
>
> 2. Configuring your AppContext to use JaspiAuthenticatorFactory. I
> configured it in jetty-web.xml file:
>
> <Configure class="org.eclipse.jetty.webapp.WebAppContext">
>   <Set name="securityHandler">
>       <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>          <Set name="loginService">
>             <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
>               <Set name="name">JAASRealm</Set>
>               <Set name="loginModuleName">jaas</Set>
>             </New>
>          </Set>
>
>          <Set name="authenticatorFactory">
>              <New class="org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory" />
>          </Set>
>       </New>
>   </Set>
> </Configure>
>
>
>
> 3. When launching Jetty, use
> -Dorg.apache.geronimo.jaspic.configurationFile to tell geronimo-jaspi where
> to find the JASPI configuration file. The following is the
> jetty-maven-plugin configuration (my JASPI configuration file is
> form-test-jaspi-2.xml):
>
>       <plugin>
>         <groupId>org.mortbay.jetty</groupId>
>         <artifactId>jetty-maven-plugin</artifactId>
>         <version>${jetty.version}</version>
>         <configuration>
>           <scanIntervalSeconds>10</scanIntervalSeconds>
>           <webAppConfig>
>             <contextPath>/ui</contextPath>
>             <parentLoaderPriority>true</parentLoaderPriority>
>           </webAppConfig>
>
>           <systemProperties>
>             <systemProperty>
>               <name>java.security.auth.login.config</name>
>               <value>./conf/jetty/jaas.conf</value>
>             </systemProperty>
>             <systemProperty>
>               <name>org.apache.geronimo.jaspic.configurationFile</name>
>               <value>./conf/jaspi/form-test-jaspi-2.xml</value>
>             </systemProperty>
>           </systemProperties>
>         </configuration>
>         <dependencies>
>           <dependency>
>             <groupId>org.eclipse.jetty</groupId>
>             <artifactId>jetty-jaspi</artifactId>
>             <version>${jetty.version}</version>
>           </dependency>
>           <dependency>
>             <groupId>org.apache.geronimo.components</groupId>
>             <artifactId>geronimo-jaspi</artifactId>
>             <version>2.0-SNAPSHOT</version>
>           </dependency>
>         </dependencies>
>       </plugin>
>
> In my test, I use my own JAAS login module, which is configured in jaas.conf.
> You could use the Jetty built-in login module as described in
> http://wiki.eclipse.org/Jetty/Feature/JAAS.
>
>
>
> Q: What I am not sure I did correctly is the change to
> JaspiAuthenticator. I removed the following lines at the beginning of
> validateRequest():
>
>         if (_allowLazyAuthentication && !mandatory)
>             return _deferred;
>
> and added the following:
>
>         if ( !isMandatory( messageInfo ) )
>             return _deferred ;
>
> after “if (authStatus == AuthStatus.SUCCESS)” at line 114. This makes me have
> to add the following in validateRequest() of the FormAuthModule class:
>
>             Authentication authentication = ((org.eclipse.jetty.server.Request)request).getAuthentication() ;
>             if (authentication instanceof Authentication.Deferred )
>                 return AuthStatus.SEND_SUCCESS;
>
> or the unprotected resources won’t be handled properly. This makes the auth
> module have to know how Authentication.Deferred works, which is not an
> easy dependency to use. This might be because I do not understand the
> DeferredAuthentication class clearly. Your advice is appreciated.
>
>
>
> Thanks.
>
>
>
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
>
>
>
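
Added example, not part of the original thread and not jetty-jaspi code: a ServerAuthModule that decides between the protected and unprotected case from the JSR 196 Servlet Container Profile key `javax.security.auth.message.MessagePolicy.isMandatory` in the MessageInfo map, rather than from a container class such as Authentication.Deferred. The class name, the session attribute and the session-based identity lookup are hypothetical, and how Jetty 7/8 reacts to each returned status is not verified here.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Hypothetical module: the caller's identity is read from a session attribute. */
public class SessionUserAuthModule implements ServerAuthModule {
    // Key defined by the JSR 196 Servlet Container Profile; present when auth is required.
    static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    static final String USER_ATTR = "example.authenticatedUser"; // constructed attribute name
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) {
        this.handler = h;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        // A missing key yields "null", which parses to false (authentication optional).
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)));
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        try {
            if (user != null) { // known caller: hand the identity to the container
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, user.toString()) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) return AuthStatus.SUCCESS; // unprotected resource, anonymous caller
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // protected: fail closed
            return AuthStatus.SEND_FAILURE;
        } catch (Exception e) { // IOException or UnsupportedCallbackException
            throw new AuthException(e.getMessage());
        }
    }

    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```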
