form based security for the web application does not work with Jetty WADI clustering.
-------------------------------------------------------------------------------------

                 Key: GERONIMO-4846
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4846
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Clustering
    Affects Versions: 2.2
            Reporter: Shawn Jiang


This is part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.

{noformat}

However it does not work when combined with form based security for the web 
application. The first problem is that 
org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication 
and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are 
not serializable, so they cannot be sent across the network. I made these 
classes serializable, and then login works as long as there is only one member 
in the cluster (well, not really a cluster...). When there are multiple members 
in the cluster, login fails because there is no valid constructor for 
org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. 
I tried to add a default constructor, but it's an inner class, and it seems to 
me like the Authenticator and UserIdentity properties are required for it to 
work, so I did not try to extract the class.

As I said, login works as long as there's only one member in the cluster, but 
logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an 
exception, because the current session cannot be found:

java.lang.AssertionError: Session 
[org.apache.geronimo.clustering.wadi.wadisessionadap...@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key 
[ccge2q2w9dz2] does not exist

I am attaching the patch for the WADIJettyClusteringBuilder 
(WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that 
demonstrates the security problems I'm experiencing. The 
web-formlogin-clustering-plugin of the JGS project uses form based security and 
WADI clustering. The /customer page is protected, and to access it one must 
login with any username and password, as long as they are the same. Use 
test/test for instance. To test session invalidation, manually enter the URL 
/logout.

It would be very helpful if someone can comment on the usability of WADI 
clustering in combination with Jetty7. To me it seems like it has not been 
tested much, and I think going back to Jetty6 again is the best option for us, 
unless the issues described above can be easily solved.

Thanks for your help!
{noformat}

-- 
This message is automatically generated by JIRA.
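An added illustration, not code from the report, Jetty or Geronimo: a small stand-alone Java program that reproduces the two failure modes quoted above by round-tripping a session-held authentication object through Java serialization, the way a second cluster member would receive it. BaseAuth, SessionAuthNaive, SessionAuthFixed and SessionAuthReplicationDemo are all invented names for this example.

```java
import java.io.*;

// Hypothetical stand-ins, not the Jetty classes: a non-serializable base class
// without a no-arg constructor, like the one behind the report's failure.
class BaseAuth {
    final String method;
    BaseAuth(String method) { this.method = method; }
}

// The "just add Serializable" attempt: it writes fine, but deserializing it on a
// second node fails because BaseAuth has no accessible no-arg constructor.
class SessionAuthNaive extends BaseAuth implements Serializable {
    final String user;
    SessionAuthNaive(String method, String user) { super(method); this.user = user; }
}

// Fixed variant: every replicated field is serializable, and the node-local
// authenticator (a placeholder Object here) is transient, so it is re-bound
// on the receiving node rather than shipped across the network.
class SessionAuthFixed implements Serializable {
    final String method;
    final String user;
    transient Object authenticator;
    SessionAuthFixed(String method, String user, Object authenticator) {
        this.method = method; this.user = user; this.authenticator = authenticator;
    }
}

public class SessionAuthReplicationDemo {
    // Simulates WADI shipping a session attribute to another cluster member.
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new SessionAuthNaive("FORM", "test"));
        } catch (InvalidClassException e) {
            System.out.println("naive: " + e.getMessage());
        }
        SessionAuthFixed copy = roundTrip(new SessionAuthFixed("FORM", "test", new Object()));
        System.out.println("fixed: user=" + copy.user + ", authenticator=" + copy.authenticator);
    }
}
```

The first round trip is rejected at deserialization time with the "no valid constructor" InvalidClassException the report mentions, which is why login only breaks once a second member has to rebuild the object; the second round trip succeeds with the transient authenticator left null for the receiving node to re-bind.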