Re: [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Mon, 24 Feb 2020 11:00:40 -0600
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Welcome to jetty-users.

For starters, use a Jetty version that is more up to date[1], stable[2], and not covered by various public vulnerabilities[3].

1. https://www.eclipse.org/lists/jetty-announce/msg00139.html

2. https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html

3. https://www.eclipse.org/jetty/security-reports.html

Your choice of 9.4.15.v20190215 is 11 versions behind current stable, and has about 10 public security vulnerabilities on it.

The "detailed stack" is missing package names, we cannot tell if the referenced class is ours or yours or some third party.

It is also cut off at Request.login() which isn't the complete stack trace.

If you must anonymize your stacktrace, just change the package/company/product names to something generic.

Example: if your company is called FizzBuzz and your product is called WhizBang.

Then you'll likely see something like "com.fizzbuzz.web.whizbang.WhizBangController" in your stacktraces.

Change that to "com.acme.web.product.ProductController".

But leave jetty and any other open source project's package/classes/product names alone (it helps us)

We would also need to know how you are configuring and starting your Jetty instance.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, Feb 24, 2020 at 9:54 AM Sujay Pujari <sujay_pujari@xxxxxxxxxxxxxx> wrote:

Hello Jetty users,

We are migrating Jetty from v6 to ver 9.4.15 & using embedded Jetty.

Where in authentication is performed using form based , Jaas authentication.

In Jaas.conf file we have configured to use following custom module

class DiscoveryLoginModule which extends from AbstractLoginModule.

Now inside Login method of this class, We have following line of code

Credential cr = Credential.getCredential(pwdStr);

Where we are getting NoClassDefFoundError for org.eclipse.jetty.util.security.Credential.

Inspite of the fact that jetty-util jar corresponding to this is present in the buildpath.

Also,

Verbose:class shows that this class is getting loaded.

class load: org.eclipse.jetty.util.security.Credential from: file:/../lib/Jetty9.4.15/jetty-util-9.4.15.v20190215.jar

Can anybody suggest what I might be missing ? Any appropriate way to troubleshoot this?

Any help would be really appreciated.

Here is detailed stack:

NoClassDefFoundError.<init>(String) line: 70

DiscoveryLoginModule.login() line: 151

NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]

NativeMethodAccessorImpl.invoke(Object, Object[]) line: 95

DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 55

Method.invoke(Object, Object...) line: 508

LoginContext.invoke(String) line: 788

LoginContext.access$000(LoginContext, String) line: 196

LoginContext$4.run() line: 698

LoginContext$4.run() line: 696

AccessController.doPrivileged(PrivilegedExceptionAction<T>) line: 650

LoginContext.invokePriv(String) line: 696

LoginContext.login() line: 597

JAASLoginService.login(String, Object, ServletRequest) line: 274

FormAuthenticator(LoginAuthenticator).login(String, Object, ServletRequest) line: 56

FormAuthenticator.login(String, Object, ServletRequest) line: 192

DeferredAuthentication.login(String, Object, ServletRequest) line: 123

Request.login(String, String) line: 2437

Thanks & Regards,

Sujay

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

References:
- [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential
  - From: Sujay Pujari

Prev by Date: [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential
Next by Date: Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request
Previous by thread: [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential
Next by thread: [jetty-users] Native memory leak in 9.4.x fixed in 9.4.26
Index(es):
- Date
- Thread

Breadcrumbs