about security in servicemix-http (3.2-SNAPSHOT)
------------------------------------------------

                 Key: SM-842
                 URL: https://issues.apache.org/activemq/browse/SM-842
             Project: ServiceMix
          Issue Type: Bug
          Components: servicemix-http
    Affects Versions: 3.2
         Environment: linux, intel, normal pc
            Reporter: Eduardo Burgos
            Priority: Critical
             Fix For: 3.2
         Attachments: JettyContextManager.java

I have a servicemix running and I was trying to take over the security 
(including jetty), so I first went to read about servicemix-http in the 
official site and I found out about the "authenticationService" property in the 
http:component. 
First I found out that there are 3 places where you can set this property, the 
first one is the http:component itself, then the "AuthenticationServiceName" 
property in the http:configuration and the "authenticationService" property in 
the http:configuration. That's ok, I made my own authenticationService by 
implementing AuthenticationService interface and I set it on the 
http:component. The problem I had is that no matter which of the 3 properties I 
set, my authenticationService won't take over jetty. So I gave a look at the 
code to both jetty and servicemix-http and I solved my problem by modifying a 
class in servicemix-http. I'll explain the changes below: 
 
 
class: JettyContextManager.java
(servicemix/trunk/deployables/bindingcomponents/servicemix-http/src/main/java/org/apache/servicemix/http/jetty/JettyContextManager.java)
 
svn version:  line 198-199
 
            secHandler.setUserRealm(new JaasUserRealm());
            context.setHandler(secHandler);
 
modified version: line 198-204
 
            JaasUserRealm realm = new JaasUserRealm();
            if (configuration.getAuthenticationService() != null)
            {
                realm.setAuthenticationService(configuration.getAuthenticationService());
            }
            secHandler.setUserRealm(realm);
            context.setHandler(secHandler);
 
 
So basically the problem I was having is that even if I set an 
authenticationService for my configuration, when jetty was creating the 
JaasUserRealm it was ignoring my settings and was creating a default 
JaasAuthenticationService in its constructor, so I modified it to take into 
account the configuration's authenticationService to be able to use it on the 
newly created JaasUserRealm.

I will attach my JettyContextManager.java

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
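
Added example, not part of the original report or of the ServiceMix code: a self-contained Java regression check for the wiring problem described above, using a deny-all probe service to show whether the realm consults the configured service or silently falls back to its built-in default. The types Realm and AuthenticationService, the methods wireBefore and wireAfter, and the default credentials are stand-ins constructed for this example.

```java
// Stand-in types constructed for this example; they model only the wiring
// described in the report and are not the ServiceMix or Jetty classes.
public class RealmWiringCheck {

    interface AuthenticationService {
        boolean authenticate(String user, String password);
    }

    /** Realm whose constructor installs a built-in default service. */
    static class Realm {
        // Constructed default credentials, for illustration only.
        private AuthenticationService service =
                (u, p) -> "default-user".equals(u) && "default-pass".equals(p);

        void setAuthenticationService(AuthenticationService s) { service = s; }

        boolean authenticate(String u, String p) {
            return service.authenticate(u, p);
        }
    }

    // Wiring as in the "svn version": the configured service is never passed on.
    static Realm wireBefore(AuthenticationService configured) {
        return new Realm();
    }

    // Wiring as in the "modified version": the configured service replaces the default.
    static Realm wireAfter(AuthenticationService configured) {
        Realm realm = new Realm();
        if (configured != null) {
            realm.setAuthenticationService(configured);
        }
        return realm;
    }

    public static void main(String[] args) {
        boolean[] consulted = {false};
        // Probe: rejects every login and records that it was asked.
        AuthenticationService denyAll = (u, p) -> { consulted[0] = true; return false; };

        boolean accepted = wireBefore(denyAll).authenticate("default-user", "default-pass");
        System.out.println("before: accepted=" + accepted + " probeConsulted=" + consulted[0]);

        consulted[0] = false;
        accepted = wireAfter(denyAll).authenticate("default-user", "default-pass");
        System.out.println("after:  accepted=" + accepted + " probeConsulted=" + consulted[0]);
    }
}
```

An accepted login, or a probe that was never consulted, means the realm is still authenticating against its default service rather than the configured one.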
