That would be useful! Thanks, Jan.
--larry

On Thu, Feb 14, 2013 at 8:15 PM, Jan Bartel <[email protected]> wrote:
> Hi Larry,
>
> Good to hear your use-case for jetty-jaspi, and even more interesting
> to hear you were on the jsr! I'm positive the jetty-jaspi code needs
> some luvin', so if you have any time at all to take a look over it,
> kick the tires and contribute any comments and/or improvements back,
> then that would be most welcome!
>
> In the meanwhile, I will clean up the little test webapp I have that
> uses geronimo-jaspi jars and put it into a public repo - will post
> back here when it's done.
>
> cheers
> Jan
>
> On 15 February 2013 11:28, larry mccay <[email protected]> wrote:
>> Hi Jan -
>>
>> Thank you for your response.
>>
>> I will have to resurrect that work now and try and close the remaining gaps.
>>
>> Personally, I like the programming model afforded by JASPIC and that
>> it empowers you to be able to guide the container in setting the
>> security context without getting into container specifics.
>>
>> We are developing a platform that has pluggable authentication
>> providers and things like shiro are great but I end up having to
>> normalize the authenticated user as a standard Subject afterward and
>> then execute a doAs() - which the SecurityManager frowns upon and is
>> not really intended as part of the application programming model.
>>
>> By leveraging the SPI provided by JASPIC you are plugged directly into
>> container code and can portably control the EE security context
>> without having to mess with Java security policy. This is a beautiful
>> thing.
>>
>> Unfortunately, JASPIC has had its own lack of marketing and
>> documentation issues.
>>
>> There are some interesting AuthModules available that I would like to
>> be able to take advantage of within our platform however and that's why I
>> am pursuing JASPI on Jetty.
>>
>> By the way, as a member of the JSR-196 EG, I am a bit biased.
>> :-)
>>
>> As I make further progress on this - I will let you know.
>>
>> Peace,
>>
>> --larry
>>
>> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <[email protected]> wrote:
>>> Hi Larry,
>>>
>>> I'm impressed you've managed to get this far, as we've historically
>>> done a terrible job of documenting jaspi in jetty!
>>>
>>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>>> jars, and a very early version of those geronimo jars at that.
>>>
>>> So in addition to what you've got already, here are the other pieces
>>> that I have used in a working test webapp using jaspi:
>>>
>>> + these geronimo-jaspi dependencies:
>>> <dependency>
>>>   <groupId>org.apache.geronimo.components</groupId>
>>>   <artifactId>geronimo-jaspi</artifactId>
>>>   <version>2.0-SNAPSHOT</version>
>>>   <exclusions>
>>>     <exclusion>
>>>       <groupId>org.apache.geronimo.specs</groupId>
>>>       <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>>     </exclusion>
>>>   </exclusions>
>>> </dependency>
>>> <dependency>
>>>   <groupId>org.apache.geronimo.specs</groupId>
>>>   <artifactId>geronimo-osgi-locator</artifactId>
>>>   <version>1.0</version>
>>> </dependency>
>>>
>>> + a system property pointing to a geronimo jaspi config file (which
>>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>>> -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>>
>>> + a geronimo jaspi config file:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>>
>>> <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>>   <configProvider>
>>>     <messageLayer>HTTP</messageLayer>
>>>     <appContext>server /foo</appContext>
>>>     <description>description</description>
>>>     <serverAuthConfig>
>>>       <authenticationContextID>authenticationContextID2</authenticationContextID>
>>>       <protected>true</protected>
>>>       <serverAuthContext>
>>>         <serverAuthModule>
>>>           <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>>           <options>
>>> org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>> org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>>           </options>
>>>         </serverAuthModule>
>>>       </serverAuthContext>
>>>     </serverAuthConfig>
>>>     <persistent>true</persistent>
>>>   </configProvider>
>>> </jaspi>
>>>
>>> Hopefully that might help you get a bit further.
>>>
>>> I'm interested to hear if many others on the lists are trying to use
>>> or are using the jetty-jaspi integration. Our impression is that it is
>>> hardly used by anyone. Of course, that could be because the
>>> documentation is missing! However, before we direct more of our
>>> limited resources to the jaspi stuff, we'd like to hear from the user
>>> community - is this something that you are using, or are likely to
>>> use???
>>>
>>> Jan
>>>
>>> On 17 January 2013 03:53, larry mccay <[email protected]> wrote:
>>>> Greetings -
>>>>
>>>> I am working on an embedded Jetty project in which we programmatically
>>>> deploy the WebAppContexts for dynamically created WebApps.
>>>> What I would like to do is configure the use of JASPI per application.
>>>>
>>>> The following code is being used at deployment time:
>>>>
>>>> private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>>   String name = topology.getName();
>>>>   String warPath = warFile.getAbsolutePath();
>>>>   WebAppContext context = new WebAppContext();
>>>>   context.setDefaultsDescriptor( null );
>>>>   context.setContextPath( "/" + path + "/" + name );
>>>>   context.setWar( warPath );
>>>>
>>>>   JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>>   SecurityHandler handler = new ConstraintSecurityHandler();
>>>>   handler.setAuthenticatorFactory(authenticatorFactory);
>>>>   JAASLoginService ls = new JAASLoginService();
>>>>   ls.setName("JAASRealm");
>>>>   ls.setLoginModuleName("jaas");
>>>>   ls.setIdentityService(new DefaultIdentityService());
>>>>   handler.setLoginService(ls);
>>>>   authenticatorFactory.setLoginService(ls);
>>>>   jetty.addBean(ls);
>>>>   Constraint constraint = new Constraint();
>>>>   constraint.setName(constraint.__BASIC_AUTH);
>>>>   constraint.setRoles(new String[]{"user","admin","moderator"});
>>>>   constraint.setAuthenticate(true);
>>>>
>>>>   ConstraintMapping cm = new ConstraintMapping();
>>>>   cm.setConstraint(constraint);
>>>>   cm.setPathSpec("/*");
>>>>   // handler.setAuthMethod("BASIC");
>>>>   handler.setRealmName("JAASRealm");
>>>>   ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>>>   context.setSecurityHandler(handler);
>>>>   internalUndeploy( topology );
>>>>   deployments.put( name, context );
>>>>   contexts.addHandler( handler );
>>>>   contexts.addHandler( context );
>>>>   try {
>>>>     context.start();
>>>>   } catch( Exception e ) {
>>>>     //TODO: I18N message
>>>>     e.printStackTrace();
>>>>   }
>>>> }
>>>>
>>>> and I am encountering the following stacktrace:
>>>>
>>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.session.SessionHandler@786c1a82: java.lang.IllegalStateException: No ServerAuthentication
>>>> java.lang.IllegalStateException: No ServerAuthentication
>>>>   at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>>>   at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>>   at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>>   at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>>>   at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>>>   at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>>>   at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>>>   at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>>   at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>>>   at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>>>   at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>>>   at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>>>   at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>>>   at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>>
>>>> Looking at the ServerHandler code this indicates that no authenticator is
>>>> being found in the following code snippet:
>>>> ...
>>>>
>>>> if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>>> {
>>>>   _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>>>   if (_authenticator!=null)
>>>>     _authMethod=_authenticator.getAuthMethod();
>>>> }
>>>>
>>>> if (_authenticator==null)
>>>> {
>>>>   if (_realmName!=null)
>>>>   {
>>>>     LOG.warn("No ServerAuthentication for "+this);
>>>>     throw new IllegalStateException("No ServerAuthentication");
>>>>   }
>>>> }
>>>> else
>>>> {
>>>>   _authenticator.setConfiguration(this);
>>>>   if (_authenticator instanceof LifeCycle)
>>>>     ((LifeCycle)_authenticator).start();
>>>> }
>>>>
>>>> ...
>>>>
>>>> Can anyone tell what is missing from my configuration code or alternatively
>>>> point me to relevant tests?
>>>>
>>>> Thank you in advance!
>>>>
>>>> --larry
>>>>
>>>> _______________________________________________
>>>> jetty-users mailing list
>>>> [email protected]
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>> --
>>> Jan Bartel <[email protected]>
>>> www.webtide.com – Developer advice, services and support
>>> from the Jetty & CometD experts.
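
A pre-flight check for the "No ServerAuthentication" failure discussed in the quoted thread. This is an added example, not part of any message above and not Jetty or Geronimo code. It uses only the standard JSR-196 lookup calls; the class and method names are hypothetical, and the "server " + context path form of the appContext key is an assumption taken from the <appContext>server /foo</appContext> value in the quoted jaspi.xml.

```java
import javax.security.auth.message.AuthException;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ServerAuthConfig;

// Added example: JaspiPreflight and missingPiece() are hypothetical names,
// not Jetty or Geronimo code. Only standard JSR-196 calls are used.
public final class JaspiPreflight {

    // Taken from <messageLayer> in the jaspi.xml quoted above.
    static final String LAYER = "HTTP";

    /** Returns null if a ServerAuthConfig resolves, otherwise what is missing. */
    public static String missingPiece(String contextPath) {
        // Assumption: the appContext key is "server " + context path, matching
        // the <appContext>server /foo</appContext> value in the quoted config.
        String appContext = "server " + contextPath;
        AuthConfigFactory factory;
        try {
            factory = AuthConfigFactory.getFactory();
        } catch (SecurityException e) {
            return "AuthConfigFactory could not be loaded: " + e.getMessage();
        }
        if (factory == null) {
            return "no AuthConfigFactory is installed";
        }
        AuthConfigProvider provider = factory.getConfigProvider(LAYER, appContext, null);
        if (provider == null) {
            return "no AuthConfigProvider registered for layer " + LAYER
                    + " and appContext '" + appContext + "'";
        }
        try {
            ServerAuthConfig config = provider.getServerAuthConfig(LAYER, appContext, null);
            return config == null ? "provider has no ServerAuthConfig for '" + appContext + "'" : null;
        } catch (AuthException e) {
            return "ServerAuthConfig lookup failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String contextPath = args.length > 0 ? args[0] : "/foo";
        String problem = missingPiece(contextPath);
        System.out.println(problem == null
                ? "JASPI configuration found for " + contextPath
                : "JASPI not usable for " + contextPath + ": " + problem);
    }
}
```

Calling missingPiece() with the same context path that is passed to setContextPath(), before context.start(), reports which lookup came back empty instead of leaving only the IllegalStateException to go on.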
