Re: [jetty-users] shibboleth idp webapp under jetty 12.0.7

[Greg Wilkins <gregw@xxxxxxxxxxx>]

Paul,

Jetty will extract from to a temp web-inf directory to avoid the jar inside war class loading issues when a war file is not unpacked.   It should not be doing this if the webapp is unpacked.  It should definitely not put both on the classpath.

I think we may have a bug here.  We will investigate.  To better track this, can you open an issue and paste your message in as the description.

regards

 

On Tue, 26 Mar 2024 at 04:54, Paul B. Henson via jetty-users <jetty-users@xxxxxxxxxxx> wrote:

I'm currently running the shibboleth idp webapp 4 under jetty 9, and
trying to migrate to idp 5 using jetty 12. I've run into an odd problem,
I get the following error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowRegistry' defined in class path resource [net/shibboleth/idp/conf/webflow-config.xml]: Illegal attempt to register pre-existing flow ID 'authn/DuoOIDC'via resource: URL [jar:file:/var/lib/jetty/tmp/jetty-127_0_0_1-80-idp_war-_idp-any-10824638488520165161/webapp/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-flow.xml]

This generally occurs if there are multiple copies of the jar on the
classpath, such as if the war accidentally included more than one (which
isn't the case here).

The deployment descriptor for the idp app is:

<Configure class="org.eclipse.jetty.ee9.webapp.WebAppContext">
        <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
        <Set name="contextPath">/idp</Set>
        <Set name="extractWAR">false</Set>
        <Set name="copyWebDir">false</Set>
        <Set name="copyWebInf">true</Set>
</Configure>

which is the recommended config per the idp documentation. With this
config, I see two separate copies of the jar in the jetty tmp directory,
one in webapp and one in webinf:

# find | grep duo                                                               
./webapp/WEB-INF/lib/idp-plugin-duo-nimbus-client-impl-2.0.0.jar               
./webapp/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar                             
./webapp/WEB-INF/lib/idp-plugin-duo-api-2.0.0.jar                               
./webinf/WEB-INF/lib/idp-plugin-duo-nimbus-client-impl-2.0.0.jar               
./webinf/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar                             
./webinf/WEB-INF/lib/idp-plugin-duo-api-2.0.0.jar                               

If I update the config and set copyWebInf=false, there's only one copy
of the jar in the tmp directory (in webapp) and everything works fine.

Looking at my existing jetty 9 deployment, there's only the webinf
directory in the tmp dir, not the webapp one. If I update my jetty 9
config and set extractWAR=true, then I get the same multiple copies (one
in webapp, one in webinf) as I do with extractWAR=false in jetty 12,
although this doesn't cause an error under jetty 9. If I set
extractWAR=true under jetty 12, I see no change in the content of the
tmp directory as compared to extractWAR=false.

So I'm confused. Why is jetty 12 apparently extracting the war when
extractWAR=false? And when it does, how come the same jar file seems to
get processed twice, when that doesn't occur under jetty 9 with
extractWAR=true?

I'm not sure if I'm hitting a bug or have something misconfigured. It
seems to be working now with copyWebInf=false, but that also seems more
of a workaround than a resolution. This feels buggy, that jetty is
extracting the war when it shouldn't be, and also loading the same jars
from two different places when the war is extracted *and* copyWebInf=true.
But I'm far from a jetty expert :).

Thanks for any hints...

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users

--

Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com