[
https://issues.apache.org/jira/browse/GERONIMO-4777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Trygve Hardersen updated GERONIMO-4777:
---------------------------------------
Attachment: WADIJettyClusteringBuilder.patch
Patch for WADIJettyClusteringBuilder
> WADI clustering does not work with Jetty7
> -----------------------------------------
>
> Key: GERONIMO-4777
> URL: https://issues.apache.org/jira/browse/GERONIMO-4777
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Jetty
> Affects Versions: 2.2
> Environment: Tested on OS X 10.5 and Ubuntu 8.10, both running 64-bit
> Java 1.6
> Reporter: Trygve Hardersen
> Attachments: WADIJettyClusteringBuilder.patch
>
>
> I've been trying to get WADI clustering to work with Jetty7, but I've found
> numerous issues:
> The first problem is that a Geronimo plugin that uses WADI clustering and
> Jetty7 cannot be built. The WADIJettyClusteringBuilder is unable to locate
> the web module in the deployment, so the build fails with the following error:
> org.apache.maven.lifecycle.LifecycleExecutionException: could not package
> plugin
> Caused by: org.apache.maven.plugin.MojoExecutionException: could not package
> plugin
> Caused by: org.apache.geronimo.common.DeploymentException: Could not locate
> web module gbean in web app configuration
> I was able to resolve this by copying the code that creates the
> webModuleQuery from the equivalent Jetty6 module into the Jetty7 module, see
> WADIJettyClusteringBuilder.patch. With this the build succeeds, and I'm able
> to deploy the plugin. I don't know if it breaks anything else, but I've not
> seen issues with it.
> AFAICT normal session replication works fine with this. However it does not
> work when combined with form based security for the web application. The
> first problem is that
> org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication
> and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator
> are not serializable, so they can not be sent across the network. I made
> these classes serializable, and then login works as long as there is only one
> member in the cluster (well, not really a cluster...). When there are
> multiple members in the cluster, login fails because there is no valid
> constructor for
> org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication.
> I tried to add a default constructor, but it's an inner class, and it seems
> to me like theAuthenticator and UserIdentity properties are required for it
> to work so I did not try to extract the class.
> As I said login works as long as there's only one member in the cluster, but
> logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws
> an exception, because the curent session can not be found:
> java.lang.AssertionError: Session
> [org.apache.geronimo.clustering.wadi.wadisessionadap...@7f488ddb] is undefined
> org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key
> [ccge2q2w9dz2] does not exist
> I am attaching the patch for the WADIJettyClusteringBuilder
> (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that
> demonstrates the security problems I'm experiencing. The
> web-formlogin-clustering-plugin of the JGS project uses form based security
> and WADI clustering. The /customer page is protected, and to access it one
> must login with any username and password, as long as they are the same. Use
> test/test for instance. To test session invalidation, manually enter the URL
> /logout.
> It would be very helpful if someone can comment on the usability of WADI
> clustering in combination with Jetty7. To me it seems like it has not been
> tested much, and I think going back to Jetty6 again is the best option for
> us, unless the issues described above can be easily solved.
> Thanks for your help!
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
