WADI clustering does not work with Jetty7
-----------------------------------------
Key: GERONIMO-4777
URL: https://issues.apache.org/jira/browse/GERONIMO-4777
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: Jetty
Affects Versions: 2.2
Environment: Tested on OS X 10.5 and Ubuntu 8.10, both running 64-bit Java 1.6
Reporter: Trygve Hardersen
Attachments: WADIJettyClusteringBuilder.patch
I've been trying to get WADI clustering to work with Jetty7, but I've found
numerous issues:
The first problem is that a Geronimo plugin that uses WADI clustering and
Jetty7 cannot be built. The WADIJettyClusteringBuilder is unable to locate the
web module in the deployment, so the build fails with the following error:
org.apache.maven.lifecycle.LifecycleExecutionException: could not package plugin
Caused by: org.apache.maven.plugin.MojoExecutionException: could not package plugin
Caused by: org.apache.geronimo.common.DeploymentException: Could not locate web module gbean in web app configuration
I was able to resolve this by copying the code that creates the webModuleQuery
from the equivalent Jetty6 module into the Jetty7 module, see
WADIJettyClusteringBuilder.patch. With this the build succeeds, and I'm able to
deploy the plugin. I don't know if it breaks anything else, but I've not seen
issues with it.
AFAICT normal session replication works fine with this. However it does not
work when combined with form based security for the web application. The first
problem is that
org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication
and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are
not serializable, so they can not be sent across the network. I made these
classes serializable, and then login works as long as there is only one member
in the cluster (well, not really a cluster...). When there are multiple members
in the cluster, login fails because there is no valid constructor for
org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication.
I tried to add a default constructor, but it's an inner class, and it seems to
me like theAuthenticator and UserIdentity properties are required for it to
work so I did not try to extract the class.
As I said login works as long as there's only one member in the cluster, but
logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an
exception, because the current session can not be found:
java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.wadisessionadap...@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist
I am attaching the patch for the WADIJettyClusteringBuilder
(WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that
demonstrates the security problems I'm experiencing. The
web-formlogin-clustering-plugin of the JGS project uses form based security and
WADI clustering. The /customer page is protected, and to access it one must
login with any username and password, as long as they are the same. Use
test/test for instance. To test session invalidation, manually enter the URL
/logout.
It would be very helpful if someone can comment on the usability of WADI
clustering in combination with Jetty7. To me it seems like it has not been
tested much, and I think going back to Jetty6 again is the best option for us,
unless the issues described above can be easily solved.
Thanks for your help!
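Added example, not part of the report and not Jetty or Geronimo code: the two Java serialization failure shapes the report mentions (a class that cannot be written to the stream, and "no valid constructor" when the stream is read on another node), reproduced with hypothetical stand-in classes. Identity, CachedAuth, Authenticator and InnerAuth are assumptions made up for illustration.

```java
import java.io.*;

// Hypothetical stand-ins for illustration; these are not Jetty or Geronimo classes.
public class SessionSerializationDemo {
    // Non-serializable parent that has no no-arg constructor.
    static class Identity {
        final String name;
        Identity(String name) { this.name = name; }
    }

    // Serializable child: writing works, but reading must call Identity(), which does not exist.
    static class CachedAuth extends Identity implements Serializable {
        CachedAuth(String name) { super(name); }
    }

    // Non-serializable outer class holding a serializable inner (non-static) class.
    static class Authenticator {
        class InnerAuth implements Serializable { }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: the inner instance carries a hidden reference to its outer
        // instance, so the non-serializable outer class is pulled into the stream.
        try {
            write(new Authenticator().new InnerAuth());
        } catch (NotSerializableException e) {
            System.out.println("write failed: " + e);
        }
        // Case 2: the write succeeds on the local node; the failure only appears
        // when another node deserializes the bytes.
        byte[] bytes = write(new CachedAuth("test"));
        try {
            read(bytes);
        } catch (InvalidClassException e) {
            System.out.println("read failed: " + e);
        }
    }
}
```

In case 2 the missing constructor is the one on the nearest non-serializable superclass, so adding a default constructor to the serializable class itself does not change the result.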