Hello,
I am using jetty 7.2.2 20101205. I am trying to change the existing shipped
test application's authentication mechanisms.
Please find the test application's test.xml and a snippet from web.xml, along with
the HTTP headers that I received in my Mozilla browser.
I have configured test.xml for ConstraintSecurityHandler and loginModuleName
points to correct settings.
In web.xml, I commented out the remaining constraints that are shipped with the test
application. I commented out the security roles at the bottom of the shipped test
application's web.xml.
web.xml snippet:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Any User</web-resource-name>
    <url-pattern>/dump/auth/*</url-pattern>
    <url-pattern>*.htm</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Test_JAAS_Realm</realm-name>
  <form-login-config>
    <form-login-page>/logon.html?param=test1</form-login-page>
    <form-error-page>/logonError.html?param=test1</form-error-page>
  </form-login-config>
</login-config>
snippet from test.xml:
<Set name="securityHandler">
  <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
        <Set name="name">Test_JAAS_Realm</Set>
        <Set name="loginModuleName">xyz</Set>
      </New>
    </Set>
    <!-- <Set name="strict">false</Set> -->
  </New>
</Set>
login.conf:
xyz {
  com.sun.security.auth.module.NTLoginModule required
    debug="true"
    debugNative="true";
};
command line parameters:
java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=1044 -Djava.security.auth.login.config=C:\Jetty\jetty2\wjetty\login.conf -jar start.jar
The problem that I face, I have put below in the form of HTTP headers.
HTTP/1.1 403 !role
Date: Mon, 28 Feb 2011 10:46:03 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1371
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(7.2.2.v20101205)
After debugging, I realised that:
At org.eclipse.jetty.security.SecurityHandler.java:459
boolean authorized=checkWebResourcePermissions(pathInContext, baseRequest,
base_response, constraintInfo, userAuth.getUserIdentity());
I am getting authorized = false.
Please look at the HTTP headers:
At line 1, I send a POST for /j_security_check (form submission); the browser got a
302 in return (at line 17, meaning that after successful authentication a
redirection to /dump/auth/info was done).
At line 24 the browser sent GET /dump/auth/info, for which at line 38 I get a 403
saying the constraint for the URL is not satisfied.
If I set the strict value (for securityHandler, in test.xml) to false, I am not
able to clear the constraint -- even though I gave a wrong userid/pwd.
Note: I have attached the changed web.xml, the changed test.xml and afterLogin.txt
(this has the HTTP headers after I submit the login form).
Regards
Vinod
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Test WebApp</display-name>
<context-param>
<param-name>org.eclipse.jetty.server.context.ManagedAttributes</param-name>
<param-value>QoSFilter,TransparentProxy.Logger,TransparentProxy.ThreadPool,TransparentProxy.HttpClient</param-value>
</context-param>
<!-- Declare TestListener, which declares TestFilter -->
<listener>
<listener-class>com.acme.TestListener</listener-class>
</listener>
<filter>
<filter-name>TestFilter</filter-name>
<filter-class>com.acme.TestFilter</filter-class>
<init-param>
<param-name>remote</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>TestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>QoSFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.QoSFilter</filter-class>
<init-param>
<param-name>maxRequests</param-name>
<param-value>20</param-value>
</init-param>
<init-param>
<param-name>managedAttr</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>QoSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>MultiPart</filter-name>
<filter-class>org.eclipse.jetty.servlets.MultiPartFilter</filter-class>
<init-param>
<param-name>deleteFiles</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>MultiPart</filter-name>
<url-pattern>/dump/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>GzipFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.IncludableGzipFilter</filter-class>
<init-param>
<param-name>bufferSize</param-name>
<param-value>8192</param-value>
</init-param>
<init-param>
<param-name>minGzipSize</param-name>
<param-value>2048</param-value>
</init-param>
<init-param>
<param-name>userAgent</param-name>
<param-value>(?:Mozilla[^\(]*\(compatible;\s*+([^;]*);.*)|(?:.*?([^\s]+/[^\s]+).*)</param-value>
</init-param>
<init-param>
<param-name>cacheSize</param-name>
<param-value>1024</param-value>
</init-param>
<init-param>
<param-name>excludedAgents</param-name>
<param-value>MSIE 6.0</param-value>
</init-param>
<init-param>
<param-name>uncheckedPrintWriter</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/dump/gzip/*</url-pattern>
</filter-mapping>
<!-- Comment out to support PUT and DELETE
<filter>
<filter-name>RestFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.RestFilter</filter-class>
<async-support>true</async-support>
<init-param>
<param-name>maxPutSize</param-name><param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>RestFilter</filter-name>
<servlet-name>default</servlet-name>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
<servlet>
<servlet-name>Hello</servlet-name>
<servlet-class>com.acme.HelloWorld</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Hello</servlet-name>
<url-pattern>/hello/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Dump</servlet-name>
<servlet-class>com.acme.Dump</servlet-class>
<load-on-startup>1</load-on-startup>
<run-as><role-name>admin</role-name></run-as>
</servlet>
<servlet-mapping>
<servlet-name>Dump</servlet-name>
<url-pattern>/dump/*</url-pattern>
<url-pattern>*.dump</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Session</servlet-name>
<servlet-class>com.acme.SessionDump</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Session</servlet-name>
<url-pattern>/session/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Cookie</servlet-name>
<servlet-class>com.acme.CookieDump</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Cookie</servlet-name>
<url-pattern>/cookie/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Dispatch</servlet-name>
<servlet-class>com.acme.DispatchServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Dispatch</servlet-name>
<url-pattern>/dispatch/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CGI</servlet-name>
<servlet-class>org.eclipse.jetty.servlets.CGI</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>CGI</servlet-name>
<url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Chat</servlet-name>
<servlet-class>com.acme.ChatServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Chat</servlet-name>
<url-pattern>/chat/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>WSChat</servlet-name>
<servlet-class>com.acme.WebSocketChatServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>WSChat</servlet-name>
<url-pattern>/ws/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Rewrite</servlet-name>
<servlet-class>com.acme.RewriteServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Rewrite</servlet-name>
<url-pattern>/rewritten/*</url-pattern>
<url-pattern>/redirected/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>SecureMode</servlet-name>
<servlet-class>com.acme.SecureModeServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SecureMode</servlet-name>
<url-pattern>/secureMode/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TransparentProxy</servlet-name>
<servlet-class>org.eclipse.jetty.servlets.ProxyServlet$Transparent</servlet-class>
<init-param>
<param-name>Prefix</param-name><param-value>/javadoc</param-value>
</init-param>
<init-param>
<param-name>ProxyTo</param-name><param-value>http://download.eclipse.org/jetty/stable-7/apidocs</param-value>
</init-param>
<init-param>
<param-name>HostHeader</param-name><param-value>download.eclipse.org</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TransparentProxy</servlet-name>
<url-pattern>/javadoc/*</url-pattern>
</servlet-mapping>
<error-page>
<error-code>404</error-code>
<location>/error404.html</location>
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>Any User</web-resource-name>
<url-pattern>/dump/auth/*</url-pattern>
<url-pattern>*.htm</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--
<security-constraint>
<web-resource-collection>
<web-resource-name>relax</web-resource-name>
<url-pattern>/dump/auth/relax/*</url-pattern>
<url-pattern>/auth/relax.txt</url-pattern>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
</security-constraint>
-->
<!-- <security-constraint>
<web-resource-collection>
<web-resource-name>Admin Role</web-resource-name>
<url-pattern>/dump/auth/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint> -->
<!--
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>/dump/auth/noaccess/*</url-pattern>
<url-pattern>/auth/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/dump/auth/ssl/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
-->
<!--
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
-->
<!--
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
-->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Test_JAAS_Realm</realm-name>
<form-login-config>
<form-login-page>/logon.html?param=test1</form-login-page>
<form-error-page>/logonError.html?param=test1</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>5</session-timeout>
</session-config>
<!--<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role> -->
</web-app>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- ==================================================================
Configure and deploy the test web application in $(jetty.home)/webapps/test
Note. If this file did not exist or used a context path other that /test
then the default configuration of jetty.xml would discover the test
webapplication with a WebAppDeployer. By specifying a context in this
directory, additional configuration may be specified and hot deployments
detected.
===================================================================== -->
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- Required minimal context configuration : -->
<!-- + contextPath -->
<!-- + war OR resourceBase -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<Set name="contextPath">/</Set>
<Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/test.war</Set>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- Optional context configuration -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<Set name="extractWAR">true</Set>
<Set name="copyWebDir">false</Set>
<Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
<Set name="overrideDescriptor"><SystemProperty name="jetty.home" default="."/>/contexts/test.d/override-web.xml</Set>
<!-- virtual hosts
<Set name="virtualHosts">
<Array type="String">
<Item>www.myVirtualDomain.com</Item>
<Item>localhost</Item>
<Item>127.0.0.1</Item>
</Array>
</Set>
-->
<!-- disable cookies
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="usingCookies" type="boolean">false</Set>
</Get>
</Get>
-->
<!--
<Get name="securityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set> -->
<!-- To enable reload of realm when properties change, uncomment the following lines -->
<!-- changing refreshInterval (in seconds) as desired -->
<!--
<Set name="refreshInterval">5</Set>
<Call name="start"></Call>
-->
<!-- </New>
</Set>
<Set name="checkWelcomeFiles">true</Set>
</Get>
-->
<Set name="securityHandler">
<New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<Set name="loginService">
<New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
<Set name="name">Test_JAAS_Realm</Set>
<Set name="loginModuleName">xyz</Set>
<!--
<Set name="RoleCheckPolicy">
<New class="org.eclipse.jetty.plus.jaas.StrictRoleCheckPolicy"/>
</Set> -->
<!--<Set name="CallbackHandlerClass">
org.eclipse.jetty.plus.jaas.callback.DefaultCallbackHandler
</Set>-->
<!-- <Set name="roleClassNames">
<Array type="java.lang.String">
<Item>org.eclipse.jetty.plus.jaas.JAASRole</Item>
</Array>
</Set> -->
</New>
</Set>
<!-- <Set name="strict">false</Set> -->
</New>
</Set>
<!-- Non standard error page mapping -->
<!--
<Get name="errorHandler">
<Call name="addErrorPage">
<Arg type="int">500</Arg>
<Arg type="int">599</Arg>
<Arg type="String">/dump/errorCodeRangeMapping</Arg>
</Call>
</Get>
-->
<!-- Add context specific logger
<Set name="handler">
<New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler">
<Set name="requestLog">
<New id="RequestLogImpl" class="org.eclipse.jetty.server.NCSARequestLog">
<Set name="filename"><Property name="jetty.logs" default="./logs"/>/test-yyyy_mm_dd.request.log</Set>
<Set name="filenameDateFormat">yyyy_MM_dd</Set>
<Set name="append">true</Set>
<Set name="LogTimeZone">GMT</Set>
</New>
</Set>
</New>
</Set>
-->
</Configure>
http://localhost:8080/j_security_check
POST /j_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/logon.html;jsessionid=1hymjqypxhwqu1puu3uwlj4rol?param=test1
Cookie: JSESSIONID=1hymjqypxhwqu1puu3uwlj4rol
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
j_username=*****&j_password=xxxxxxxx&submit=Login
HTTP/1.1 302 Found
Date: Mon, 28 Feb 2011 10:46:02 GMT
Set-Cookie: JSESSIONID=lxvjd3sslqzpmhlxala23ehp;Path=/
Location: http://localhost:8080/dump/auth/info
Content-Length: 0
Server: Jetty(7.2.2.v20101205)
----------------------------------------------------------
http://localhost:8080/dump/auth/info
GET /dump/auth/info HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/logon.html;jsessionid=1hymjqypxhwqu1puu3uwlj4rol?param=test1
Cookie: JSESSIONID=lxvjd3sslqzpmhlxala23ehp
HTTP/1.1 403 !role
Date: Mon, 28 Feb 2011 10:46:03 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1371
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(7.2.2.v20101205)
----------------------------------------------------------
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
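The exchange above, as an added worked example that is not part of the original post or of Jetty's code base. It models two Jetty 7 rules that bear on a 403 !role after a successful login: ConstraintSecurityHandler in its default strict mode expands <role-name>*</role-name> to the roles declared in <security-role> elements (with strict set to false, * means any authenticated user), and JAASLoginService only treats principals whose class is listed in roleClassNames (default org.eclipse.jetty.plus.jaas.JAASRole) as roles, so the NTUserPrincipal and NTSidGroupPrincipal objects that NTLoginModule adds to the Subject are not roles unless roleClassNames is widened. The descriptors, the principal list and the group SID below are constructed for this example, and the url-pattern and constraint-combining logic is a simplified model rather than Jetty's implementation.

```python
"""Model of how Jetty 7 expands <role-name>*</role-name> and which JAAS principals
become roles. Added example, not Jetty's code; descriptors, principals and SIDs
below are constructed."""
import xml.etree.ElementTree as ET

# JAASLoginService's default roleClassNames value (Jetty 7).
DEFAULT_ROLE_CLASSES = ("org.eclipse.jetty.plus.jaas.JAASRole",)
# Marker for "any authenticated user", which is what '*' means in non-strict mode.
ANY_AUTHENTICATED = "<any-authenticated-user>"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced element tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def parse_descriptor(xml_text):
    """Return (declared_roles, constraints); each constraint is (url_patterns, roles),
    with roles None for "no auth-constraint" and an empty set for <auth-constraint/>."""
    root = ET.fromstring(xml_text)
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns = []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
        auth = _children(sc, "auth-constraint")
        roles = set(_texts(auth[0], "role-name")) if auth else None
        constraints.append((patterns, roles))
    return declared, constraints


def url_matches(pattern, path):
    """Servlet url-pattern matching: path prefix (/x/*), extension (*.htm) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def effective_roles(declared, roles, strict):
    """Expand '*': strict = every declared <security-role>; non-strict = anyone logged in."""
    if "*" not in roles:
        return set(roles)
    rest = set(roles) - {"*"}
    return rest | declared if strict else rest | {ANY_AUTHENTICATED}


def jaas_roles(principals, role_classes=DEFAULT_ROLE_CLASSES):
    """Mimic JAASLoginService: only principals of a configured role class count as roles."""
    return {name for cls, name in principals if cls in role_classes}


def authorize(descriptor, path, user_roles, strict=True):
    """Outcome for one request: 'OK', '403 !role', '403 forbidden' or '302 login'.
    user_roles is None when the request is unauthenticated."""
    declared, constraints = parse_descriptor(descriptor)
    matching = [roles for patterns, roles in constraints
                if any(url_matches(p, path) for p in patterns)]
    if not matching:
        return "OK"                     # no constraint covers this path
    if any(roles == set() for roles in matching):
        return "403 forbidden"          # empty <auth-constraint/> wins
    if any(roles is None for roles in matching):
        return "OK"                     # a constraint without auth-constraint: unchecked
    allowed = set()
    for roles in matching:
        allowed |= effective_roles(declared, roles, strict)
    if user_roles is None:
        return "302 login"              # FORM auth redirects before any role check
    if ANY_AUTHENTICATED in allowed or allowed & user_roles:
        return "OK"
    return "403 !role"                  # authenticated, but in none of the allowed roles


# Constructed descriptor mirroring the post: a '*' constraint with the
# <security-role> declarations commented out.
WEB_XML_AS_POSTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Any User</web-resource-name>
      <url-pattern>/dump/auth/*</url-pattern>
      <url-pattern>*.htm</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <!-- <security-role><role-name>user</role-name></security-role> -->
</web-app>"""

# Corrected variant: declares the group that NTLoginModule will report (sample SID).
WEB_XML_FIXED = WEB_XML_AS_POSTED.replace(
    "<!-- <security-role><role-name>user</role-name></security-role> -->",
    "<security-role><role-name>S-1-5-32-545</role-name></security-role>")

# Principals a successful NTLoginModule login is assumed to leave in the Subject
# (constructed: the class names are the JDK's, the user and SID values are samples).
NT_PRINCIPALS = [
    ("com.sun.security.auth.NTUserPrincipal", "vinod"),
    ("com.sun.security.auth.NTDomainPrincipal", "WORKGROUP"),
    ("com.sun.security.auth.NTSidGroupPrincipal", "S-1-5-32-545"),
]
NT_ROLE_CLASSES = DEFAULT_ROLE_CLASSES + ("com.sun.security.auth.NTSidGroupPrincipal",)


def scenario_as_posted():
    # default roleClassNames -> no roles; strict '*' -> only declared roles (none)
    return authorize(WEB_XML_AS_POSTED, "/dump/auth/info", jaas_roles(NT_PRINCIPALS))


def scenario_non_strict():
    # strict=false: '*' admits any authenticated user, whatever their groups
    return authorize(WEB_XML_AS_POSTED, "/dump/auth/info",
                     jaas_roles(NT_PRINCIPALS), strict=False)


def scenario_fixed():
    # role declared and NT group principals mapped to roles: passes in strict mode
    return authorize(WEB_XML_FIXED, "/dump/auth/info",
                     jaas_roles(NT_PRINCIPALS, NT_ROLE_CLASSES))


if __name__ == "__main__":
    for name, fn in (("as posted", scenario_as_posted),
                     ("strict=false", scenario_non_strict),
                     ("fixed", scenario_fixed)):
        print(f"{name:13s} GET /dump/auth/info -> {fn()}")
```

With the descriptor as posted the model returns 403 !role for /dump/auth/info, matching the capture: the login succeeds, but the user holds no role Jetty recognises and * expands to an empty declared-role set. Declaring the group name as a <security-role> and adding the NT group principal class to roleClassNames lets the same login pass in strict mode, which is the preferable fix over strict=false, since non-strict * admits every authenticated user regardless of group. In the model an unauthenticated request to a constrained path is sent to the login page (302 login) before any role check runs.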