Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] problem with security constraint 
Hi Thomas,

OK, that sounds good that the bug is found and fixed :)
Do you know is it going to be in Jetty 7.6?

On Mon, Jan 23, 2012 at 16:46, Thomas Becker <tbecker@xxxxxxxxxxx> wrote:
> Hi Mario,
>
> this is a bug in jetty which we recently have fixed:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=368773
> Sorry, didn't remember your email. Otherwise I would have reported that to
> you earlier.
>
> Cheers,
> Thomas
>
>
> On 1/23/12 3:41 PM, Mario Georgiev wrote:
>>
>> Hi,
>>
>> So I've been busy with other stuff and a colleague of mine have been
>> taken the issue and here is what he found so far.
>>
>> If there is "securityHandler" enabled the redirect works. So when we
>> add this in the context configuration it works:
>>
>> <Get name="securityHandler">
>>     <Set name="loginService">
>>       <New class="org.eclipse.jetty.security.HashLoginService">
>>        <Set name="name">Test Realm</Set>
>>        <Set name="config"><SystemProperty name="jetty.home"
>> default="."/>/etc/realm.properties</Set>
>>             <!-- To enable reload of realm when properties change,
>> uncomment the following lines -->
>>             <!-- changing refreshInterval (in seconds) as desired
>>                           -->
>>             <!--
>>             <Set name="refreshInterval">5</Set>
>>             <Call name="start"></Call>
>>             -->
>>       </New>
>>     </Set>
>>     <Set name="checkWelcomeFiles">true</Set>
>>   </Get>
>>
>> So my questions are
>> 1. Why do we need a "securityHandler"?
>> and
>> 2. What is the right configuration when I need only to redirect users
>> but not to authenticate them?
>>
>> On Fri, Jan 13, 2012 at 13:17, Thomas Becker<tbecker@xxxxxxxxxxx>  wrote:
>>>
>>> Hi Mario,
>>>
>>> I've setup the same thing again within 5 min. by just using the standard
>>> jetty config files, creating a keystore and enabling jetty-ssl.xml in
>>> start.ini. It works just fine.
>>>
>>> Here's the web.xml excerpt I've used.
>>>
>>> <!-- redirect everything to confidential port -->
>>> <security-constraint>
>>> <web-resource-collection>
>>> <web-resource-name>Protected Context</web-resource-name>
>>>
>>> <url-pattern>/*</url-pattern>
>>> </web-resource-collection>
>>> <user-data-constraint>
>>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>> </user-data-constraint>
>>> </security-constraint>
>>>
>>> Pretty much the same thing as you have and it simply works. All calls to
>>> this webapp get redirected to https. So I don't have a clue why this is
>>> not
>>> working for you. I've tested with 7.6.0-SNAPSHOT, but that shouldn't make
>>> a
>>> difference in this case.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> On 1/12/12 10:20 AM, Thomas Becker wrote:
>>>>
>>>> Hi Mario,
>>>>
>>>> at a first glimpse your config looks completely ok to me. If I will find
>>>> some time to do so, I will see if I can put a config together that works
>>>> and
>>>> paste it to you. You can then start with a config that is known to work
>>>> and
>>>> if it still doesn't work for you, we at least know it's not the config.
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> On 1/11/12 12:42 PM, Mario Georgiev wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Yes I have "confidentialPort" set in the config.
>>>>> Here are the configurations for the connectors:
>>>>>
>>>>> <New id="sslContextFactory"
>>>>> class="org.eclipse.jetty.http.ssl.SslContextFactory">
>>>>> <Set name="KeyStore"><Property name="jetty.home" default="."
>>>>> />mykey.keystore</Set>
>>>>> <Set name="KeyStorePassword">pass</Set>
>>>>> <Set name="KeyManagerPassword">pass</Set>
>>>>> <Set name="TrustStore"><Property name="jetty.home" default="."
>>>>> />mytruststore.keystore</Set>
>>>>> <Set name="TrustStorePassword">pass</Set>
>>>>> </New>
>>>>>
>>>>> <Call name="addConnector">
>>>>> <Arg>
>>>>> <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
>>>>> <Arg><Ref id="sslContextFactory" /></Arg>
>>>>> <Set name="Port">8443</Set>
>>>>>
>>>>> <Set name="maxIdleTime">45000</Set>
>>>>> <Set name="AcceptQueueSize">100</Set>
>>>>> <Set name="Acceptors">2</Set>
>>>>> <Set name="lowResourcesConnections">11000</Set>
>>>>> <Set name="lowResourcesMaxIdleTime">1000</Set>
>>>>> </New>
>>>>> </Arg>
>>>>> </Call>
>>>>>
>>>>> <Call name="addConnector">
>>>>> <Arg>
>>>>> <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
>>>>> <Set name="host">
>>>>> <Property name="jetty.host" />
>>>>> </Set>
>>>>> <Set name="port">
>>>>> <Property name="jetty.port" default="8080" />
>>>>> </Set>
>>>>> <Set name="maxIdleTime">45000</Set>
>>>>> <Set name="Acceptors">2</Set>
>>>>> <Set name="statsOn">false</Set>
>>>>> <Set name="confidentialPort">8443</Set>
>>>>> <Set name="lowResourcesConnections">10000</Set>
>>>>> <Set name="lowResourcesMaxIdleTime">5000</Set>
>>>>> <Set name="ThreadPool">
>>>>> <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
>>>>> <Set name="name">SSL Thread Pool</Set>
>>>>> <Set name="minThreads">10</Set>
>>>>> <Set name="maxThreads">400</Set>
>>>>> </New>
>>>>> </Set>
>>>>> </New>
>>>>> </Arg>
>>>>> </Call>
>>>>>
>>>>>
>>>>> Do you know where in the code to look for these settings?
>>>>> I can try to debug it and see what is going on, I just need some
>>>>> direction to look for.
>>>>>
>>>>>
>>>>> On Wed, Jan 11, 2012 at 11:15, Simone Bordet<sbordet@xxxxxxxxxxx>
>>>>>  wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Jan 11, 2012 at 10:05, Mario Georgiev<mario@xxxxxxxxxxxxxx>
>>>>>>  wrote:
>>>>>>>
>>>>>>> Hi Thomas,
>>>>>>>
>>>>>>> The SSL connector is setup as it should and works like a charm. I
>>>>>>> have
>>>>>>> working SSL environment and I can open pages/access resources on
>>>>>>> https
>>>>>>> with no problems at all.
>>>>>>> The redirect from http to https that should happen from the
>>>>>>> configuration with this security constraint - that is not working.
>>>>>>>
>>>>>>> I forgot to tell: Jetty version I use is 7.5.4.v20111024
>>>>>>
>>>>>> Did you specify the confidentialPort in the non-SSL connector ?
>>>>>> Otherwise Jetty will not know where to redirect to.
>>>>>>
>>>>>> Simon
>>>>>> --
>>>>>> http://cometd.org
>>>>>> http://intalio.com
>>>>>> http://bordet.blogspot.com
>>>>>> ----
>>>>>> Finally, no matter how good the architecture and design are,
>>>>>> to deliver bug-free software with optimal performance and reliability,
>>>>>> the implementation technique must be flawless.   Victoria Livschitz
>>>>>> _______________________________________________
>>>>>> jetty-users mailing list
>>>>>> jetty-users@xxxxxxxxxxx
>>>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>>>
>>>>>
>>>>>
>>> --
>>> thomas becker
>>> tbecker@xxxxxxxxxxx
>>>
>>> http://webtide.com / http://intalio.com
>>> (the folks behind jetty and cometd)
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>>
>>
>
> --
> thomas becker
> tbecker@xxxxxxxxxxx
>
> http://webtide.com / http://intalio.com
> (the folks behind jetty and cometd)
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users



-- 
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: mario.georgiev@xxxxxxxxxxxxxx

Back to the top