Re: [jetty-users] Programmatically Configuring JASPI for Embedded Jetty

Hi Jan -

Thank you for your response.

I will have to resurrect that work now and try and close the remaining gaps.

Personally, I like the programming model afforded by JASPIC and that
it empowers you to be able to guide the container in setting the
security context without getting into container specifics.

We are developing a platform that has pluggable authentication
providers and things like shiro are great but I end up having to
normalize the authenticated user as a standard Subject afterward and
then execute a doAs() - which the SecurityManager frowns upon and is
not really intended as part of the application programming model.

By leveraging the SPI provided by JASPIC you are plugged directly into
container code and can portably control the EE security context
without having to mess with Java security policy. This is a beautiful
thing.

Unfortunately, JASPIC has had its own lack of marketing and
documentation issues.

There are some interesting AuthModules available that I would like to
be able to take advantage of within our platform however and that's why I
am pursuing JASPI on Jetty.

By the way, as a member of the JSR-196 EG, I am a bit biased. :-)

As I make further progress on this - I will let you know.

Peace,

--larry

On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
> Hi Larry,
>
> I'm impressed you've managed to get this far, as we've historically
> done a terrible job of documenting jaspi in jetty!
>
> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
> jars, and a very early version of those geronimo jars at that.
>
> So in addition to what you've got already, here's the other pieces
> that I have used in a working test webapp using jaspi:
>
> + these geronimo-jaspi dependencies:
>     <dependency>
>       <groupId>org.apache.geronimo.components</groupId>
>       <artifactId>geronimo-jaspi</artifactId>
>       <version>2.0-SNAPSHOT</version>
>       <exclusions>
>         <exclusion>
>           <groupId>org.apache.geronimo.specs</groupId>
>           <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>         </exclusion>
>       </exclusions>
>     </dependency>
>     <dependency>
>       <groupId>org.apache.geronimo.specs</groupId>
>       <artifactId>geronimo-osgi-locator</artifactId>
>       <version>1.0</version>
>     </dependency>
>
>
> + a system property pointing to a geronimo jaspi config file (which
> sets up the missing piece from your stacktrace, the ServerAuthModule):
>    -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>
> + a geronimo jaspi config file:
> <?xml version="1.0" encoding="UTF-8"?>
>
> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>     <configProvider>
>         <messageLayer>HTTP</messageLayer>
>         <appContext>server /foo</appContext>
>         <description>description</description>
>         <serverAuthConfig>
>             <authenticationContextID>authenticationContextID2</authenticationContextID>
>             <protected>true</protected>
>             <serverAuthContext>
>                 <serverAuthModule>
>                     <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>                     <options>
>                         org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>                         org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>                     </options>
>                 </serverAuthModule>
>             </serverAuthContext>
>         </serverAuthConfig>
>         <persistent>true</persistent>
>     </configProvider>
> </jaspi>
>
>
> Hopefully that might help you get a bit further.
>
> I'm interested to hear if many others on the lists are trying to use
> or are using the jetty-jaspi integration. Our impression is that it is
> hardly used by anyone. Of course, that could be because the
> documentation is missing! However, before we direct more of our
> limited resources to the jaspi stuff, we'd like to hear from the user
> community - is this something that you are using, or are likely to
> use???
>
> Jan
>
> On 17 January 2013 03:53, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>> Greetings -
>>
>> I am working on an embedded Jetty project in which we programmatically
>> deploy the WebAppContexts for dynamically created WebApps.
>> What I would like to do is configure the use of JASPI per application.
>>
>> The following code is being used at deployment time:
>>
>>   private synchronized void internalDeploy( Topology topology, File warFile ) {
>>     String name = topology.getName();
>>     String warPath = warFile.getAbsolutePath();
>>     WebAppContext context = new WebAppContext();
>>     context.setDefaultsDescriptor( null );
>>     context.setContextPath( "/" + path + "/" + name );
>>     context.setWar( warPath );
>>
>>     JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>     SecurityHandler handler = new ConstraintSecurityHandler();
>>     handler.setAuthenticatorFactory(authenticatorFactory);
>>     JAASLoginService ls = new JAASLoginService();
>>     ls.setName("JAASRealm");
>>     ls.setLoginModuleName("jaas");
>>     ls.setIdentityService(new DefaultIdentityService());
>>     handler.setLoginService(ls);
>>     authenticatorFactory.setLoginService(ls);
>>     jetty.addBean(ls);
>>
>>     Constraint constraint = new Constraint();
>>     constraint.setName(constraint.__BASIC_AUTH);
>>     constraint.setRoles(new String[]{"user","admin","moderator"});
>>     constraint.setAuthenticate(true);
>>
>>     ConstraintMapping cm = new ConstraintMapping();
>>     cm.setConstraint(constraint);
>>     cm.setPathSpec("/*");
>> //    handler.setAuthMethod("BASIC");
>>     handler.setRealmName("JAASRealm");
>>     ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>     context.setSecurityHandler(handler);
>>
>>     internalUndeploy( topology );
>>     deployments.put( name, context );
>>     contexts.addHandler( handler );
>>     contexts.addHandler( context );
>>     try {
>>       context.start();
>>     } catch( Exception e ) {
>>       //TODO: I18N message
>>       e.printStackTrace();
>>     }
>>   }
>>
>>
>> and I am encountering the following stacktrace:
>>
>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED
>> org.eclipse.jetty.server.session.SessionHandler@786c1a82:
>> java.lang.IllegalStateException: No ServerAuthentication
>> java.lang.IllegalStateException: No ServerAuthentication
>> at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>> at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>> at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>> at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>> at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>> at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>> at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>> at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>> at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>> at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>> at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>
>> Looking at the ServerHandler code this indicates that no authenticator is
>> being found in the following code snippet:
>> ...
>>
>>         if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>         {
>>             _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>             if (_authenticator!=null)
>>                 _authMethod=_authenticator.getAuthMethod();
>>         }
>>
>>         if (_authenticator==null)
>>         {
>>             if (_realmName!=null)
>>             {
>>                 LOG.warn("No ServerAuthentication for "+this);
>>                 throw new IllegalStateException("No ServerAuthentication");
>>             }
>>         }
>>         else
>>         {
>>             _authenticator.setConfiguration(this);
>>             if (_authenticator instanceof LifeCycle)
>>                 ((LifeCycle)_authenticator).start();
>>         }
>>
>> ...
>>
>> Can anyone tell what is missing from my configuration code or alternatively
>> point me to relevant tests?
>>
>> Thank you in advance!
>>
>> --larry
>>
>>
>>
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>
>
>
> --
> Jan Bartel <janb@xxxxxxxxxxx>
> www.webtide.com – Developer advice, services and support
> from the Jetty & CometD experts.
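The piece that Jan's jaspi.xml supplies, done programmatically, as an added example that is not code from this thread or from the Jetty project: an AuthConfigProvider registered with the JASPIC AuthConfigFactory under the layer and appContext that Jetty's JaspiAuthenticatorFactory looks up (assumed to be "HTTP" and "server <contextPath>", matching the "server /foo" appContext in the config above). It assumes jetty-jaspi's SimpleAuthConfig and BasicAuthModule classes, a JASPIC AuthConfigFactory implementation already installed (for example geronimo-jaspi's, selected through the authconfigprovider.factory security property), and a LoginService set on the JaspiAuthenticatorFactory as in Larry's deployment code.

```java
// Added example, not from the thread: register a JASPIC AuthConfigProvider for one
// context so JaspiAuthenticatorFactory finds a ServerAuthConfig and SecurityHandler
// no longer fails with "No ServerAuthentication". Assumes jetty-jaspi's
// SimpleAuthConfig/BasicAuthModule and an installed AuthConfigFactory implementation.
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ClientAuthConfig;
import javax.security.auth.message.config.ServerAuthConfig;
import org.eclipse.jetty.security.jaspi.SimpleAuthConfig;
import org.eclipse.jetty.security.jaspi.modules.BasicAuthModule;

public class JaspiRegistration {

    /** Provider that hands Jetty a ServerAuthConfig wrapping BasicAuthModule. */
    static final class BasicAuthProvider implements AuthConfigProvider {
        private final String realmName;

        BasicAuthProvider(String realmName) { this.realmName = realmName; }

        @Override
        public ServerAuthConfig getServerAuthConfig(String layer, String appContext,
                                                    CallbackHandler handler) throws AuthException {
            // Jetty passes its ServletCallbackHandler here; the module uses it to raise
            // PasswordValidationCallback, which is answered by the configured LoginService.
            return new SimpleAuthConfig(appContext, new BasicAuthModule(handler, realmName));
        }

        @Override
        public ClientAuthConfig getClientAuthConfig(String layer, String appContext,
                                                    CallbackHandler handler) {
            return null; // server side only
        }

        @Override
        public void refresh() { }
    }

    /**
     * Jetty looks up the provider with layer "HTTP" and appContext
     * "<serverName> <contextPath>"; serverName is assumed to default to "server",
     * which is what the "server /foo" entry in the geronimo jaspi.xml reflects.
     * Returns the registration id so the caller can remove it on undeploy.
     */
    public static String registerForContext(String contextPath, String realmName) {
        String appContext = "server " + contextPath;
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        return factory.registerConfigProvider(new BasicAuthProvider(realmName),
                "HTTP", appContext, "basic auth for " + contextPath);
    }
}
```

Call registerForContext before context.start(), and pass the returned id to AuthConfigFactory.removeRegistration when the context is undeployed so a stale provider is not picked up by the next deployment at the same path.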