Re: [jetty-users] HashLoginService (was JAAS)

Fri, 02 Oct 2015 13:43:13 -0700 

On 10/1/2015 1:26 PM, Bill Ross wrote:
jetty.demo.realm only exists in demo config files - it is not in any java files. 

And I can change it to jexty.demo.realm without error.


Same result when I put the basic auth in the web.xml of a war file 
(java.lang.IllegalStateException: No LoginService), so the problem is 
definitely either in the code or the config of the examples, which have 
the dead tag as I described.



Meanwhile I have added a filename-masking Servlet on /images/* that uses 
an evanescent tag instead of the filename. So my only remaining security 
task is getting login working. I have tried a bunch of stuff and it 
seems I have found a bug or two in demos and maybe source, but no one 
seems to be paying attention. Please don't make me read the code :-)


Thanks,
Bill



-------- Original message --------
From: Bill Ross
Date:10/01/2015 1:06 PM (GMT-08:00)
To: [email protected]
Subject: Re: [jetty-users] HashLoginService (was JAAS)

Jan (or anyone),


> There's also a jetty-specific feature that if the realm-name is 
omitted from the <login-config> then we'll automatically select the 
first LoginService that has been defined for a Server instance (eg as 
an addBean() as has been shown in the doco and in the 
demo-base/etc/test-realm.xml).



Aha, when I delete the realm-name from the <login-config> in web.xml, 
I see that my HashLoginService evidently didn't get registered even 
though the etc/realm.xml has


<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.security.HashLoginService">
          <Set name="name">Test Realm</Set>

          <Set name="config"><Property name="jetty.demo.realm" 
default="etc/realm.properties"/></Set>

          <Set name="refreshInterval">0</Set>
        </New>
      </Arg>
    </Call>

    <Get class="org.eclipse.jetty.util.log.Log" name="rootLogger">

      <Call name="warn"><Arg>demo test-realm is deployed. DO NOT USE 
IN PRODUCTION!</Arg></Call>

    </Get>
</Configure>

And on startup I see:


2015-10-01 12:50:39.793:WARN::main: demo test-realm is deployed. DO 
NOT USE IN PRODUCTION!



2015-10-01 12:50:40.203:WARN:oejw.WebAppContext:main: Failed startup 
of context 
o.e.j.w.WebAppContext@234bef66{/,file:///Users/priot/pr/jetty-base/webapps/ROOT/,STARTING}{/ROOT}
java.lang.IllegalStateException: No LoginService for 
org.eclipse.jetty.security.authentication.BasicAuthenticator@47db50c5 
in org.eclipse.jetty.security.ConstraintSecurityHandler@5c072e3f
        at 
org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:76)
        at 
org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:354)
        at 
org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:448)



So there seems to be a bug in docs or code since the HashLoginService 
setup is quietly consumed but seems to have no effect.



And in case anyone is still reading, once again, is the 
"jetty.demo.realm" supposed to mean anything or match anything???


    <Property name="jetty.demo.realm" default="etc/realm.properties"/>

Thanks,
Bill

On 9/30/2015 1:29 AM, Jan Bartel wrote:

Bill,


If you use the same realm-name in the <login-config> element of 
multiple webapps, they'll all share the same LoginService.



There's also a jetty-specific feature that if the realm-name is 
omitted from the <login-config> then we'll automatically select the 
first LoginService that has been defined for a Server instance (eg as 
an addBean() as has been shown in the doco and in the 
demo-base/etc/test-realm.xml).


Jan


On 30 September 2015 at 18:10, Bill Ross <[email protected] 
<mailto:[email protected]>> wrote:


    Hi Jan,

    So if web.xml only goes in a webapp, how can a realm defined in
    one cover the contents of ROOT?

    I will see how you change that text and try the result.

    Thanks,
    Bill


    -------- Original message --------
    From: Jan Bartel
    Date:09/30/2015 12:46 AM (GMT-08:00)
    To: JETTY user mailing list
    Subject: Re: [jetty-users] JAAS questions

    Hi Bill,

    web.xml does not go into the ${jetty.base} directory. It can only
    go into a WEB-INF directory of a webapp, such as a webapp inside
    of the ${jetty.base}/webapps directory, which is the default
    deploy directory.

    Also, I will change the text on the Security page which mentions
    jetty.xml - this is no doubt historical from before we had the
    distinction between ${jetty.home} and ${jetty.base}.  And no, I
    do NOT recommend anyone edits ${jetty.home} - there should be
    very very very few cases where this is necessary (and this isn't
    one of them :)).

    cheers
    Jan

    On 30 September 2015 at 17:35, Bill Ross <[email protected]> wrote:

        Jan, there was no jetty-base etc dir before I created it to
        put that file in. I thought jetty xmls were additive, but it
        sounds like the base one tromped the home one. I have home
        set to the distribution of my last build of the current tree.

        The configuring security link brings me




_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users





















					Reply via email to