Guofeng,

When you raise the issue, assign it to me. I'm most of the way through
setting up an environment to deal with this.

thanks
Jan

On 28 September 2011 22:53, Jesse McConnell <[email protected]> wrote:

> Code diffs have to come in through bugzilla before we can apply them,
> so if you would open an issue on bugs.eclipse.org and attach the diff
> there we can look at applying it....this is standard eclipse policy,
> sorry about the hassle :)
>
> cheers,
> jesse
>
> --
> jesse mcconnell
> [email protected]
>
>
>
> On Wed, Sep 28, 2011 at 02:30, Guofeng Zhang <[email protected]>
> wrote:
> > The sources in jetty-7.5.1.v20110908/jetty-jaspi and
> > jetty-8.0.1.v20110908/jetty-jaspi are the same as each other.
> >
> > JASPI does not work in jetty-7.5.1.v20110908. Merging what I changed into
> > jetty-7.5.1.v20110908 works in my test, so you could first fix it in Jetty
> > 7, then merge the fix to Jetty 8.
> >
> >
> >
> >
> >
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Jan Bartel
> > Sent: Wednesday, September 28, 2011 2:07 PM
> > To: JETTY user mailing list
> > Subject: Re: [jetty-users] JASPI 196: make it work on Jetty 8
> >
> >
> >
> > Hi,
> >
> > Thanks for that comprehensive information, we will certainly look into it.
> >
> > In saying that jetty-jaspi currently does not work well on jetty-8, does
> > this mean that it is working fine with jetty-7? We try to maintain as much
> > of the codebase in common between jetty-7 and jetty-8 as possible, so I'd
> > like to know if this is something that should go into jetty-7, and will
> > then get merged into jetty-8, or if this is a problem specific to jetty-8.
> >
> > thanks
> > Jan
> >
> > On 28 September 2011 15:23, Guofeng Zhang <[email protected]> wrote:
> >
> > Hi,
> >
> >
> >
> > JASPI makes it easier for us to plug in other authentication modules (for
> > example, using openID or another mechanism to authenticate users) on Jetty
> > for container-managed security. There is a jetty-jaspi module in the Jetty
> > source code base, but I think it has not been maintained for a long time.
> >
> > By making a small fix to the jetty-jaspi module, I made JASPI work well on
> > Jetty 8. I attach the changes. I hope that, if I did it well, it could be
> > merged into the next Jetty 8 release.
> >
> >
> >
> > To use JASPI:
> >
> > 1. Create a JASPI configuration XML file for your auth module:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
> >     <configProvider>
> >         <messageLayer>HTTP</messageLayer>
> >         <appContext>/ui</appContext>
> >         <description>description</description>
> >         <serverAuthConfig>
> >             <authenticationContextID>authenticationContextID2</authenticationContextID>
> >             <protected>true</protected>
> >             <serverAuthContext>
> >                 <serverAuthModule>
> >                     <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
> >                     <options>
> >                         org.eclipse.jetty.security.jaspi.modules.LoginPage=/secure/jaaslogin
> >                         org.eclipse.jetty.security.jaspi.modules.ErrorPage=/secure/jaaserror
> >                     </options>
> >                 </serverAuthModule>
> >             </serverAuthContext>
> >         </serverAuthConfig>
> >         <persistent>true</persistent>
> >     </configProvider>
> > </jaspi>
> >
> > The above uses the Jetty built-in FormAuthModule. If you want to use the
> > built-in Basic or Digest auth module, the <serverAuthModule> part should
> > be:
> >
> >                 <serverAuthModule>
> >                     <className>org.eclipse.jetty.security.jaspi.modules.DigestAuthModule</className>
> >                     <options>
> >                         org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
> >                     </options>
> >                 </serverAuthModule>
> >
> > Or
> >
> >                 <serverAuthModule>
> >                     <className>org.eclipse.jetty.security.jaspi.modules.BasicAuthModule</className>
> >                     <options>
> >                         org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
> >                     </options>
> >                 </serverAuthModule>
> >
> >
> >
> > Here I use the JASPI implementation of geronimo-jaspi 2.0-SNAPSHOT from
> > geronimo-jaspi (https://github.com/apache/geronimo-jaspi). You could use
> > the geronimo-jaspi 1.1.1 release, but you might need to implement
> > javax.security.auth.message.config.AuthConfigProvider (and not
> > javax.security.auth.message.module.ServerAuthModule) and configure it in
> > the above XML file.
> >
> >
> >
> > 2. Configure your AppContext to use JaspiAuthenticatorFactory. I
> > configured it in the jetty-web.xml file:
> >
> > <Configure class="org.eclipse.jetty.webapp.WebAppContext">
> >   <Set name="securityHandler">
> >       <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
> >          <Set name="loginService">
> >             <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
> >               <Set name="name">JAASRealm</Set>
> >               <Set name="loginModuleName">jaas</Set>
> >             </New>
> >          </Set>
> >
> >          <Set name="authenticatorFactory">
> >              <New class="org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory" />
> >          </Set>
> >       </New>
> >   </Set>
> > </Configure>
> >
> >
> >
> > 3. When launching Jetty, use
> > -Dorg.apache.geronimo.jaspic.configurationFile to tell geronimo-jaspi
> > where to find the JASPI configuration file. The following is the
> > jetty-maven-plugin configuration (my JASPI configuration file is
> > form-test-jaspi-2.xml):
> >
> >       <plugin>
> >         <groupId>org.mortbay.jetty</groupId>
> >         <artifactId>jetty-maven-plugin</artifactId>
> >         <version>${jetty.version}</version>
> >         <configuration>
> >           <scanIntervalSeconds>10</scanIntervalSeconds>
> >           <webAppConfig>
> >             <contextPath>/ui</contextPath>
> >             <parentLoaderPriority>true</parentLoaderPriority>
> >           </webAppConfig>
> >
> >           <systemProperties>
> >             <systemProperty>
> >               <name>java.security.auth.login.config</name>
> >               <value>./conf/jetty/jaas.conf</value>
> >             </systemProperty>
> >             <systemProperty>
> >               <name>org.apache.geronimo.jaspic.configurationFile</name>
> >               <value>./conf/jaspi/form-test-jaspi-2.xml</value>
> >             </systemProperty>
> >           </systemProperties>
> >         </configuration>
> >         <dependencies>
> >           <dependency>
> >             <groupId>org.eclipse.jetty</groupId>
> >             <artifactId>jetty-jaspi</artifactId>
> >             <version>${jetty.version}</version>
> >           </dependency>
> >           <dependency>
> >             <groupId>org.apache.geronimo.components</groupId>
> >             <artifactId>geronimo-jaspi</artifactId>
> >             <version>2.0-SNAPSHOT</version>
> >           </dependency>
> >         </dependencies>
> >       </plugin>
> >
> > In my test, I use my own JAAS login module, which is configured in
> > jaas.conf. You could use the Jetty built-in login module as described in
> > http://wiki.eclipse.org/Jetty/Feature/JAAS.
> >
> >
> >
> > Q: What I do not know is whether I did the changes to JaspiAuthenticator
> > correctly. I removed the following lines at the beginning of
> > validateRequest():
> >
> >         if (_allowLazyAuthentication && !mandatory)
> >             return _deferred;
> >
> > and added the following:
> >
> >         if ( !isMandatory( messageInfo ) )
> >             return _deferred ;
> >
> > after “if (authStatus == AuthStatus.SUCCESS)” at line 114. This makes me
> > have to add the following in validateRequest() of the FormAuthModule class:
> >
> >             Authentication authentication = ((org.eclipse.jetty.server.Request)request).getAuthentication() ;
> >             if (authentication instanceof Authentication.Deferred )
> >                 return AuthStatus.SEND_SUCCESS;
> >
> > or the unprotected resources won’t be handled properly. This makes the
> > auth module have to know how Authentication.Deferred works; it is not an
> > easy-to-use dependency. This might be because I do not understand the
> > DeferredAuthentication class clearly. Your advice is appreciated.
> >
> >
> >
> > Thanks.
> >
> >
> >
> >
> >
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
