Re: [jetty-users] problem with security constraint

Hi Mario,

hope you didn't spend too much time on it. It wasn't quite trivial to identify this bug. It'll be in 7.6 RC5 and then in the final release, yes. Until then a workaround is to define a SecurityHandler, as you've already found out.

Cheers,
Thomas

On 1/23/12 3:57 PM, Mario Georgiev wrote:
Hi Thomas,

OK, that sounds good that the bug is found and fixed :)
Do you know if it is going to be in Jetty 7.6?

On Mon, Jan 23, 2012 at 16:46, Thomas Becker <tbecker@xxxxxxxxxxx> wrote:
Hi Mario,

this is a bug in jetty which we recently have fixed:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=368773
Sorry, didn't remember your email. Otherwise I would have reported that to you earlier.

Cheers,
Thomas


On 1/23/12 3:41 PM, Mario Georgiev wrote:
Hi,

So I've been busy with other stuff and a colleague of mine has taken over the issue, and here is what he found so far.

If there is "securityHandler" enabled the redirect works. So when we
add this in the context configuration it works:

<Get name="securityHandler">
  <Set name="loginService">
    <New class="org.eclipse.jetty.security.HashLoginService">
      <Set name="name">Test Realm</Set>
      <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      <!-- To enable reload of realm when properties change, uncomment the following lines -->
      <!-- changing refreshInterval (in seconds) as desired -->
      <!--
      <Set name="refreshInterval">5</Set>
      <Call name="start"></Call>
      -->
    </New>
  </Set>
  <Set name="checkWelcomeFiles">true</Set>
</Get>

So my questions are:
1. Why do we need a "securityHandler"?
and
2. What is the right configuration when I need only to redirect users
but not to authenticate them?

On Fri, Jan 13, 2012 at 13:17, Thomas Becker <tbecker@xxxxxxxxxxx> wrote:
Hi Mario,

I've setup the same thing again within 5 min. by just using the standard
jetty config files, creating a keystore and enabling jetty-ssl.xml in
start.ini. It works just fine.

Here's the web.xml excerpt I've used.

<!-- redirect everything to confidential port -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Pretty much the same thing as you have and it simply works. All calls to
this webapp get redirected to https. So I don't have a clue why this is
not working for you. I've tested with 7.6.0-SNAPSHOT, but that shouldn't
make a difference in this case.

Cheers,
Thomas

On 1/12/12 10:20 AM, Thomas Becker wrote:
Hi Mario,

at a first glimpse your config looks completely ok to me. If I find some
time to do so, I will see if I can put a config together that works and
paste it to you. You can then start with a config that is known to work,
and if it still doesn't work for you, we at least know it's not the config.

Cheers,
Thomas

On 1/11/12 12:42 PM, Mario Georgiev wrote:
Hi,

Yes I have "confidentialPort" set in the config.
Here are the configurations for the connectors:

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <Set name="KeyStore"><Property name="jetty.home" default="."/>mykey.keystore</Set>
  <Set name="KeyStorePassword">pass</Set>
  <Set name="KeyManagerPassword">pass</Set>
  <Set name="TrustStore"><Property name="jetty.home" default="."/>mytruststore.keystore</Set>
  <Set name="TrustStorePassword">pass</Set>
</New>

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg><Ref id="sslContextFactory" /></Arg>
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">45000</Set>
      <Set name="AcceptQueueSize">100</Set>
      <Set name="Acceptors">2</Set>
      <Set name="lowResourcesConnections">11000</Set>
      <Set name="lowResourcesMaxIdleTime">1000</Set>
    </New>
  </Arg>
</Call>

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="host">
        <Property name="jetty.host" />
      </Set>
      <Set name="port">
        <Property name="jetty.port" default="8080" />
      </Set>
      <Set name="maxIdleTime">45000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">8443</Set>
      <Set name="lowResourcesConnections">10000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
      <Set name="ThreadPool">
        <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
          <Set name="name">SSL Thread Pool</Set>
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">400</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>


Do you know where in the code to look for these settings?
I can try to debug it and see what is going on, I just need some
direction to look for.


On Wed, Jan 11, 2012 at 11:15, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Wed, Jan 11, 2012 at 10:05, Mario Georgiev <mario@xxxxxxxxxxxxxx> wrote:
Hi Thomas,

The SSL connector is set up as it should be and works like a charm. I have
a working SSL environment and I can open pages/access resources on https
with no problems at all.
The redirect from http to https that should happen from the configuration
with this security constraint - that is not working.

I forgot to tell: the Jetty version I use is 7.5.4.v20111024

Did you specify the confidentialPort in the non-SSL connector?
Otherwise Jetty will not know where to redirect to.

Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users


--
thomas becker
tbecker@xxxxxxxxxxx

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)


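A check for the redirect this thread is chasing, added here and not part of the original thread: it probes a plain-HTTP URL without following redirects and validates that the answer is a redirect to https on the connector's confidentialPort with the same host, path and query preserved, which is what the CONFIDENTIAL transport-guarantee should produce. The ports 8080 and 8443 come from the connector config quoted above; the host name and sample URLs are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed from the quoted connector config: plain HTTP on 8080, confidentialPort 8443.
CONFIDENTIAL_PORT = 8443

REDIRECT_CODES = (301, 302, 303, 307, 308)


def check_redirect(request_url, status, location, confidential_port=CONFIDENTIAL_PORT):
    """Validate one plain-HTTP response. Returns a list of findings; an empty
    list means the CONFIDENTIAL constraint behaved as expected for this URL."""
    if status not in REDIRECT_CODES:
        # The resource was served (or refused) over plain HTTP: no redirect at all,
        # which is exactly the symptom reported in the thread.
        return ["status %d: resource served over plain HTTP, no redirect" % status]
    if not location:
        return ["redirect without a Location header"]
    req, loc = urlsplit(request_url), urlsplit(location)
    findings = []
    if loc.scheme != "https":
        findings.append("redirect target scheme is %r, expected https" % loc.scheme)
    if loc.hostname != req.hostname:
        findings.append("redirect changes host from %r to %r" % (req.hostname, loc.hostname))
    target_port = loc.port if loc.port is not None else 443
    if target_port != confidential_port:
        findings.append("redirect target port %d, expected confidentialPort %d"
                        % (target_port, confidential_port))
    if loc.path != req.path or loc.query != req.query:
        findings.append("redirect drops path or query: %r -> %r"
                        % (request_url, location))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib from following the redirect so the Location header can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, confidential_port=CONFIDENTIAL_PORT, timeout=5):
    """Fetch a plain-HTTP URL against a live server and validate its redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        status, location = resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # raised for the un-followed 3xx as well
        status, location = e.code, e.headers.get("Location")
    return check_redirect(url, status, location, confidential_port)
```

Running `probe("http://host:8080/some/path?x=1")` against every url-pattern the constraint covers, and asserting an empty list, turns the manual "it simply works" check into a repeatable test.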