Jan (or anyone),
> There's also a jetty-specific feature that if the realm-name is
> omitted from the <login-config> then we'll automatically select the
> first LoginService that has been defined for a Server instance (eg as an
> addBean() as has been shown in the doco and in the
> demo-base/etc/test-realm.xml).
Aha, when I delete the realm-name from the <login-config> in web.xml, I
see that my HashLoginService evidently didn't get registered even though
the etc/realm.xml has
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><Property name="jetty.demo.realm" default="etc/realm.properties"/></Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
  <Get class="org.eclipse.jetty.util.log.Log" name="rootLogger">
    <Call name="warn"><Arg>demo test-realm is deployed. DO NOT USE IN PRODUCTION!</Arg></Call>
  </Get>
</Configure>
And on startup I see:
2015-10-01 12:50:39.793:WARN::main: demo test-realm is deployed. DO NOT USE IN PRODUCTION!
2015-10-01 12:50:40.203:WARN:oejw.WebAppContext:main: Failed startup of context o.e.j.w.WebAppContext@234bef66{/,file:///Users/priot/pr/jetty-base/webapps/ROOT/,STARTING}{/ROOT}
java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.BasicAuthenticator@47db50c5 in org.eclipse.jetty.security.ConstraintSecurityHandler@5c072e3f
    at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:76)
    at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:354)
    at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:448)
So there seems to be a bug in docs or code since the HashLoginService
setup is quietly consumed but seems to have no effect.
And in case anyone is still reading, once again, is the
"jetty.demo.realm" supposed to mean anything or match anything???
<Property name="jetty.demo.realm" default="etc/realm.properties"/>
Thanks,
Bill
On 9/30/2015 1:29 AM, Jan Bartel wrote:
Bill,
If you use the same realm-name in the <login-config> element of
multiple webapps, they'll all share the same LoginService.
There's also a jetty-specific feature that if the realm-name is
omitted from the <login-config> then we'll automatically select the
first LoginService that has been defined for a Server instance (eg as
an addBean() as has been shown in the doco and in the
demo-base/etc/test-realm.xml).
Jan
On 30 September 2015 at 18:10, Bill Ross <[email protected]> wrote:
Hi Jan,
So if web.xml only goes in a webapp, how can a realm defined in
one cover the contents of ROOT?
I will see how you change that text and try the result.
Thanks,
Bill
-------- Original message --------
From: Jan Bartel
Date:09/30/2015 12:46 AM (GMT-08:00)
To: JETTY user mailing list
Subject: Re: [jetty-users] JAAS questions
Hi Bill,
web.xml does not go into the ${jetty.base} directory. It can only
go into a WEB-INF directory of a webapp, such as a webapp inside
of the ${jetty.base}/webapps directory, which is the default
deploy directory.
Also, I will change the text on the Security page which mentions
jetty.xml - this is no doubt historical from before we had the
distinction between ${jetty.home} and ${jetty.base}. And no, I do
NOT recommend anyone edits ${jetty.home} - there should be very
very very few cases where this is necessary (and this isn't one of
them :)).
cheers
Jan
On 30 September 2015 at 17:35, Bill Ross <[email protected]> wrote:
Jan, there was no jetty-base etc dir before I created it to
put that file in. I thought jetty xmls were additive, but it
sounds like the base one tromped the home one. I have home set
to the distribution of my last build of the current tree.
The configuring security link brings me back to my previous
question about whether a jetty-base/web.xml will cover both my
webapps/x.war and ROOT. That page also recommends adding the
HashLoginService in ${jetty.home}/jetty.xml - but should we as
admins modify jetty.home files? All the more so in my case
because a build could overwrite my changes.
Thanks,
Bill
-------- Original message --------
From: Jan Bartel
Date:09/30/2015 12:10 AM (GMT-08:00)
To: JETTY user mailing list
Subject: Re: [jetty-users] JAAS questions
Bill,
Don't look at that wiki unless you are using an old version of
jetty. The recent documentation is here:
https://www.eclipse.org/jetty/documentation/current/.
In particular, here's a link to configuring realms:
https://www.eclipse.org/jetty/documentation/current/configuring-security-authentication.html
It looks like you've deleted all the content out of the
etc/jetty.xml file that should be there and just put in a
realm configuration. Leave the ${jetty.base}/etc/jetty.xml
file as it is originally, don't edit it. The idea would be to
create a new ${jetty.base} directory and then add files to it
to configure things the way you want - jetty config files are
generally additive. Say your new base is called "my-base",
then edit my-base/my-realm.xml - you could copy in the
contents of demo-base/etc/test-realm.xml for a start and
change it as appropriate. Edit your my-base/start.ini file and
put in a line with just etc/my-realm.xml on it (similarly to
demo-base/start.ini has a line with etc/test-realm.xml on it).
This will add your etc/my-realm.xml file to your command line
when you run jetty.
Jan
On 30 September 2015 at 16:44, Bill Ross <[email protected]> wrote:
Thanks Jan,
Seeing that the HashLoginService is sufficient, and that
it is associated with a realm, I found
https://wiki.eclipse.org/Jetty/Tutorial/Realms
and per that I added an /etc/jetty.xml file:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
</Configure>
However when I start jetty with this file and a simple
etc/realm.properties file, I get this on loading the
standard jetty-http.xml:
2015-09-29 23:28:12.676:WARN:oejx.XmlConfiguration:main:
Config error at <Call name="addConnector"><Arg>| <New
id="httpConnector"
class="org.eclipse.jetty.server.ServerConnector"><Arg
name="server"><Ref refid="Server"/></Arg><Arg
name="acceptors" type="int"><Property
name="jetty.http.acceptors" deprecated="http.acceptors"
default="-1"/></Arg><Arg name="selectors"
type="int"><Property name="jetty.http.selectors"
deprecated="http.selectors" default="-1"/></Arg><Arg
name="factories">| <Array
type="org.eclipse.jetty.server.ConnectionFactory"><Item>|
<New
class="org.eclipse.jetty.server.HttpConnectionFactory"><Arg
name="config"><Ref
refid="httpConfig"/></Arg></New>| </Item></Array>|
</Arg><Set name="host"><Property name="jetty.http.host"
deprecated="jetty.host"/></Set><Set name="port"><Property
name="jetty.http.port" deprecated="jetty.port"
default="8080"/></Set><Set name="idleTimeout"><Property
name="jetty.http.idleTimeout" deprecated="http.timeout"
default="30000"/></Set><Set name="soLingerTime"><Property
name="jetty.http.soLingerTime"
deprecated="http.soLingerTime" default="-1"/></Set><Set
name="acceptorPriorityDelta"><Property
name="jetty.http.acceptorPriorityDelta"
deprecated="http.acceptorPriorityDelta"
default="0"/></Set><Set name="acceptQueueSize"><Property
name="jetty.http.acceptQueueSize"
deprecated="http.acceptQueueSize"
default="0"/></Set></New>| </Arg></Call>
java.lang.reflect.InvocationTargetException in file:/Users/priot/jetty/org.eclipse.jetty.project/jetty-distribution/target/distribution/etc/jetty-http.xml
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
    at org.eclipse.jetty.start.Main.start(Main.java:457)
    at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.eclipse.jetty.util.TypeUtil.construct(TypeUtil.java:627)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:782)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1233)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1138)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newArray(XmlConfiguration.java:860)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1237)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1138)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:766)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1233)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1138)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.access$500(XmlConfiguration.java:274)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$AttrOrElementNode.getList(XmlConfiguration.java:1366)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$AttrOrElementNode.getList(XmlConfiguration.java:1341)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:704)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:417)
    at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:358)
    at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:259)
    at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1498)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
    ... 7 more
Caused by: java.lang.IllegalArgumentException: Null HttpConfiguration
    at org.eclipse.jetty.server.HttpConnectionFactory.<init>(HttpConnectionFactory.java:45)
    ... 31 more
Speaking of problems, I just did a git pull in case the
problem was an earlier pull, and got this on building:
[ERROR] symbol: class NamingContext <== seems to be gone
[ERROR] location: class
org.eclipse.jetty.jndi.local.localContextRoot
Thanks,
Bill
On 9/29/2015 6:44 PM, Jan Bartel wrote:
Hi Bill,
I think you'll get a bit more clarity if you look in
demo-base/webapps at the test-jaas.xml and test-jaas.war
file. This is the example webapp for configuring and
using jaas.
> My question is, why have two password files? Are both
> required?
There are different password files for different purposes:
etc/test-realm.xml configures a HashLoginService that is
set as the default login service on the Server object and
references etc/realm.properties with the passwords and roles.
etc/realm.properties is also referenced by the
webapp-specific HashLoginService configured for the test
webapp in webapps/test.xml.
etc/login.conf is a jaas configuration file. The
webapps/test-jaas.xml context file sets up a
JAASLoginService for the webapps/test-jaas.war webapp,
which will use the etc/login.conf file to point to the
passwords and roles defined in etc/login.properties.
So, HashLoginService is an alternative to
JAASLoginService and they both have different config
files and formats. The demo-base has both to cater to the
multiple different webapps deployed in it.
regards
Jan
Also, etc/test-realm.xml creates a HashLoginService,
is that complementary to JAASLoginService? I don't
see that in demo-base/etc/ at least. I expected to
see a Configure Server somewhere at the top level of
the demo bringing in JAASLoginService based on
http://www.eclipse.org/jetty/documentation/current/jaas-support.html
Third question is, why is there no demo-base/web.xml?
It seems I need one because I want to password
protect both war/servlets and ROOT:
--webapp/my.war [2 servlets with a web.xml]
--webapp/ROOT
It seems I need to define a realm that encompasses
them? Would a ${jetty.base}/web.xml like this be
sufficient (per the jaas-support page)?
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>mywholesite</realm-name>
  <form-login-config>
    <form-login-page>/login/login</form-login-page> <== example?
    <form-error-page>/login/error</form-error-page> <== example? (e.g. if a param is passed)
  </form-login-config>
</login-config>
And it would automatically cover the war and ROOT, or
would that need to be spelled out?
The web.xml info I see on Google looks generally like
servlet config, which I have down in my war's web.xml.
Thanks,
Bill
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your
password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
--
Jan Bartel <[email protected]>
www.webtide.com
/Expert assistance from the creators of Jetty and CometD/
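
The cross-check implied by Jan's replies in this thread (a realm-name in a webapp's web.xml has to match the name of a LoginService added to the Server by an XML file that start.ini loads, and an omitted realm-name falls back to a server-level LoginService), written as an added example that is not part of the original thread or Jetty's own code. The function names, file names and sample XML are constructed for illustration; the check only sees LoginServices created with <New> in XML files listed in start.ini, not ones set up in per-webapp context files or enabled through modules.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def login_service_names(jetty_xml):
    """Names set on every <New class="...LoginService"> in one Jetty XML file."""
    names = []
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class", "").endswith("LoginService"):
            names += [s.text.strip() for s in new.findall("Set")
                      if s.get("name") == "name" and s.text]
    return names

def realm_name(web_xml):
    """(has <login-config>, its <realm-name> or None) for one web.xml."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "login-config":
            found = [c.text.strip() for c in el
                     if local(c.tag) == "realm-name" and c.text]
            return True, (found[0] if found else None)
    return False, None

def check(start_ini, etc_files, web_xmls):
    """Problems found when matching each webapp's realm to server-level LoginServices."""
    lines = [l.strip() for l in start_ini.splitlines()]
    active = [l for l in lines if l.endswith(".xml") and not l.startswith("#")]
    problems = [f"{f}: in start.ini but not found" for f in active if f not in etc_files]
    defined = [n for f in active if f in etc_files
               for n in login_service_names(etc_files[f])]
    for app, xml in web_xmls.items():
        has_login, realm = realm_name(xml)
        if has_login and realm is None and not defined:
            problems.append(f"{app}: no realm-name and no server LoginService")
        elif has_login and realm is not None and realm not in defined:
            problems.append(f"{app}: realm-name {realm!r} not among {defined}")
    return problems

# Constructed sample input, modelled on the files quoted in the thread.
START_INI = "--module=http\netc/my-realm.xml\n"
ETC = {"etc/my-realm.xml": """<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addBean"><Arg><New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set><Set name="refreshInterval">0</Set>
</New></Arg></Call></Configure>"""}
WEB = "<web-app><login-config><auth-method>BASIC</auth-method>%s</login-config></web-app>"
WEB_XMLS = {"ROOT": WEB % "<realm-name>mywholesite</realm-name>",
            "my": WEB % "<realm-name>Test Realm</realm-name>",
            "open": WEB % ""}
```

With this sample, check(START_INI, ETC, WEB_XMLS) reports only ROOT, whose realm-name "mywholesite" matches no LoginService; dropping the etc/my-realm.xml line from start.ini makes all three webapps fail the check.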