Re: [jetty-users] Programmatically Configuring JASPI for Embedded Jetty

That would be useful!

Thanks, Jan.

--larry

On Thu, Feb 14, 2013 at 8:15 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
> Hi Larry,
>
> Good to hear your use-case for jetty-jaspi, and even more interesting
> to hear you were on the jsr! I'm positive the jetty-jaspi code needs
> some luvin', so if you have any time at all to take a look over it,
> kick the tires and contribute any comments and/or improvements back,
> then that would be most welcome!
>
> In the meanwhile, I will clean up the little test webapp I have that
> uses geronimo-jaspi jars and put it into a public repo - will post
> back here when it's done.
>
> cheers
> Jan
>
> On 15 February 2013 11:28, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>> Hi Jan -
>>
>> Thank you for your response.
>>
>> I will have to resurrect that work now and try and close the remaining gaps.
>>
>> Personally, I like the programming model afforded by JASPIC and that
>> it empowers you to be able to guide the container in setting the
>> security context without getting into container specifics.
>>
>> We are developing a platform that has pluggable authentication
>> providers and things like shiro are great but I end up having to
>> normalize the authenticated user as a standard Subject afterward and
>> then execute a doAs() - which the SecurityManager frowns upon and is
>> not really intended as part of the application programming model.
>>
>> By leveraging the SPI provided by JASPIC you are plugged directly into
>> container code and can portably control the EE security context
>> without having to mess with Java security policy. This is a beautiful
>> thing.
>>
>> Unfortunately, JASPIC has had its own lack of marketing and
>> documentation issues.
>>
>> There are some interesting AuthModules available that I would like to
>> be able to take advantage of within our platform however and that's why I
>> am pursuing JASPI on Jetty.
>>
>> By the way, as a member of the JSR-196 EG, I am a bit biased.
>> :-)
>>
>> As I make further progress on this - I will let you know.
>>
>> Peace,
>>
>> --larry
>>
>> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <janb@xxxxxxxxxxx> wrote:
>>> Hi Larry,
>>>
>>> I'm impressed you've managed to get this far, as we've historically
>>> done a terrible job of documenting jaspi in jetty!
>>>
>>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>>> jars, and a very early version of those geronimo jars at that.
>>>
>>> So in addition to what you've got already, here are the other pieces
>>> that I have used in a working test webapp using jaspi:
>>>
>>> + these geronimo-jaspi dependencies:
>>>     <dependency>
>>>       <groupId>org.apache.geronimo.components</groupId>
>>>       <artifactId>geronimo-jaspi</artifactId>
>>>       <version>2.0-SNAPSHOT</version>
>>>       <exclusions>
>>>         <exclusion>
>>>           <groupId>org.apache.geronimo.specs</groupId>
>>>           <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>>         </exclusion>
>>>       </exclusions>
>>>     </dependency>
>>>     <dependency>
>>>       <groupId>org.apache.geronimo.specs</groupId>
>>>       <artifactId>geronimo-osgi-locator</artifactId>
>>>       <version>1.0</version>
>>>     </dependency>
>>>
>>>
>>> + a system property pointing to a geronimo jaspi config file (which
>>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>>>    -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>>
>>> + a geronimo jaspi config file:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>>     <configProvider>
>>>         <messageLayer>HTTP</messageLayer>
>>>         <appContext>server /foo</appContext>
>>>         <description>description</description>
>>>         <serverAuthConfig>
>>>             <authenticationContextID>authenticationContextID2</authenticationContextID>
>>>             <protected>true</protected>
>>>             <serverAuthContext>
>>>                 <serverAuthModule>
>>>                     <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>>                     <options>
>>>                         org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>>                         org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>>                     </options>
>>>                 </serverAuthModule>
>>>             </serverAuthContext>
>>>         </serverAuthConfig>
>>>         <persistent>true</persistent>
>>>     </configProvider>
>>> </jaspi>
>>>
>>>
>>> Hopefully that might help you get a bit further.
>>>
>>> I'm interested to hear if many others on the lists are trying to use
>>> or are using the jetty-jaspi integration. Our impression is that it is
>>> hardly used by anyone. Of course, that could be because the
>>> documentation is missing! However, before we direct more of our
>>> limited resources to the jaspi stuff, we'd like to hear from the user
>>> community - is this something that you are using, or are likely to
>>> use???
>>>
>>> Jan
>>>
>>> On 17 January 2013 03:53, larry mccay <larry.mccay@xxxxxxxxx> wrote:
>>>> Greetings -
>>>>
>>>> I am working on an embedded Jetty project in which we programmatically
>>>> deploy the WebAppContexts for dynamically created WebApps.
>>>> What I would like to do is configure the use of JASPI per application.
>>>>
>>>> The following code is being used at deployment time:
>>>>
>>>>   private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>>     String name = topology.getName();
>>>>     String warPath = warFile.getAbsolutePath();
>>>>
>>>>     WebAppContext context = new WebAppContext();
>>>>     context.setDefaultsDescriptor( null );
>>>>     context.setContextPath( "/" + path + "/" + name );
>>>>     context.setWar( warPath );
>>>>
>>>>     // JASPI: the authenticator is obtained through JaspiAuthenticatorFactory
>>>>     JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>>     ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
>>>>     handler.setAuthenticatorFactory( authenticatorFactory );
>>>>
>>>>     // JAAS login service shared by the security handler and the factory
>>>>     JAASLoginService ls = new JAASLoginService();
>>>>     ls.setName( "JAASRealm" );
>>>>     ls.setLoginModuleName( "jaas" );
>>>>     ls.setIdentityService( new DefaultIdentityService() );
>>>>     handler.setLoginService( ls );
>>>>     authenticatorFactory.setLoginService( ls );
>>>>     jetty.addBean( ls );
>>>>
>>>>     // Require an authenticated user in one of these roles for every path
>>>>     Constraint constraint = new Constraint();
>>>>     constraint.setName( Constraint.__BASIC_AUTH ); // static field, accessed via the class
>>>>     constraint.setRoles( new String[]{ "user", "admin", "moderator" } );
>>>>     constraint.setAuthenticate( true );
>>>>
>>>>     ConstraintMapping cm = new ConstraintMapping();
>>>>     cm.setConstraint( constraint );
>>>>     cm.setPathSpec( "/*" );
>>>>
>>>> //    handler.setAuthMethod("BASIC");
>>>>     handler.setRealmName( "JAASRealm" );
>>>>     handler.setConstraintMappings( new ConstraintMapping[]{ cm } );
>>>>     context.setSecurityHandler( handler );
>>>>
>>>>     internalUndeploy( topology );
>>>>     deployments.put( name, context );
>>>>     contexts.addHandler( handler ); // note: handler is already attached to context via setSecurityHandler()
>>>>     contexts.addHandler( context );
>>>>     try {
>>>>       context.start();
>>>>     } catch( Exception e ) {
>>>>       //TODO: I18N message
>>>>       e.printStackTrace();
>>>>     }
>>>>   }
>>>>
>>>>
>>>> and I am encountering the following stacktrace:
>>>>
>>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED
>>>> org.eclipse.jetty.server.session.SessionHandler@786c1a82:
>>>> java.lang.IllegalStateException: No ServerAuthentication
>>>> java.lang.IllegalStateException: No ServerAuthentication
>>>> at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>>> at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>> at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>> at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>> at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>>> at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>>> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>> at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>>> at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>>> at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>>> at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>>> at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>>> at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>>> at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>>
>>>> Looking at the ServerHandler code this indicates that no authenticator is
>>>> being found in the following code snippet:
>>>> ...
>>>>         if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>>>         {
>>>>             _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>>>             if (_authenticator!=null)
>>>>                 _authMethod=_authenticator.getAuthMethod();
>>>>         }
>>>>
>>>>         if (_authenticator==null)
>>>>         {
>>>>             if (_realmName!=null)
>>>>             {
>>>>                 LOG.warn("No ServerAuthentication for "+this);
>>>>                 throw new IllegalStateException("No ServerAuthentication");
>>>>             }
>>>>         }
>>>>         else
>>>>         {
>>>>             _authenticator.setConfiguration(this);
>>>>             if (_authenticator instanceof LifeCycle)
>>>>                 ((LifeCycle)_authenticator).start();
>>>>         }
>>>> ...
>>>>
>>>> Can anyone tell what is missing from my configuration code or alternatively
>>>> point me to relevant tests?
>>>>
>>>> Thank you in advance!
>>>>
>>>> --larry
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> jetty-users mailing list
>>>> jetty-users@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>>
>>>
>>>
>>>
>>> --
>>> Jan Bartel <janb@xxxxxxxxxxx>
>>> www.webtide.com – Developer advice, services and support
>>> from the Jetty & CometD experts.
>
>
>
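An added example, not code from this thread, from Jetty or from Geronimo: a preflight check that asks the JASPI AuthConfigFactory the same question Jetty's JaspiAuthenticatorFactory asks when it builds an authenticator, layer "HTTP" and appContext "<serverName> <contextPath>", with serverName defaulting to "server" (which is why Jan's jaspi.xml uses "server /foo"; that format and default are my reading of the factory, not something the thread states). Run before context.start(), it turns the "No ServerAuthentication" failure into an earlier, explicit refusal, and it also covers the case the quoted SecurityHandler code lets through: with no realm name set and no authenticator found, the handler starts without any authenticator at all. The class JaspiPreflight and the calling snippet are hypothetical.

```java
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;

/** Hypothetical helper added for this example; not part of Jetty or of the thread. */
public final class JaspiPreflight {

    /** Message layer that Jetty's JASPI integration registers against. */
    public static final String MESSAGE_LAYER = "HTTP";

    /** Jetty's fallback server name when none is configured on the factory (assumption). */
    public static final String DEFAULT_SERVER_NAME = "server";

    private JaspiPreflight() {}

    /** Builds the appContext key the way Jetty does: "<serverName> <contextPath>". */
    public static String appContext(String serverName, String contextPath) {
        String name = (serverName == null || serverName.isEmpty()) ? DEFAULT_SERVER_NAME : serverName;
        String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        return name + " " + path;
    }

    /**
     * True only if an AuthConfigProvider is registered for this layer/appContext,
     * i.e. Jetty's lookup would yield a JaspiAuthenticator instead of null.
     */
    public static boolean providerRegistered(String serverName, String contextPath) {
        AuthConfigFactory factory;
        try {
            // Resolves the factory named by the "authconfigprovider.factory" security
            // property (the geronimo-jaspi factory when its jars are on the classpath).
            factory = AuthConfigFactory.getFactory();
        } catch (RuntimeException e) {
            return false; // no usable factory in this JVM
        }
        if (factory == null) {
            return false;
        }
        // A null RegistrationListener is permitted by the JSR-196 API.
        AuthConfigProvider provider =
                factory.getConfigProvider(MESSAGE_LAYER, appContext(serverName, contextPath), null);
        return provider != null;
    }

    /** Example use inside a deploy routine, before context.start(); fails closed. */
    public static void requireProvider(String contextPath) {
        if (!providerRegistered(DEFAULT_SERVER_NAME, contextPath)) {
            throw new IllegalStateException("No JASPI provider registered for appContext \""
                    + appContext(DEFAULT_SERVER_NAME, contextPath) + "\"; refusing to deploy");
        }
    }
}
```

For Larry's deployment the contextPath passed in would be "/" + path + "/" + name, so the jaspi.xml appContext has to be "server /<path>/<name>" for each dynamically deployed webapp.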