I have finally got login working with BASIC auth for a Servlet, after
looking at some docs further afield. I'm not sure if all my config is
relevant, but here it is in case it helps.
Relevant parts of latest web.xml (from war file):
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>
<security-constraint>
  <display-name>Restricted GET To user</display-name>
  <web-resource-collection>
    <web-resource-name>Restricted Access - Get Only</web-resource-name>
    <url-pattern>/images/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <role-name>user</role-name>
</security-role>
<servlet>
  <servlet-name>images</servlet-name>
  <servlet-class>com.priot.servlet.TagResourceServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>images</servlet-name>
  <url-pattern>/images/*</url-pattern>
</servlet-mapping>
And in my /etc/realm.properties:
guest: guest, user
On startup I see:
2015-10-05 13:54:16.146:WARN:oejs.SecurityHandler:main: [email protected]@2286778{/pr,file:///private/var/folders/r1/fghw80h10b90nlggmfmd8jjr0000gn/T/jetty-0.0.0.0-8080-pr.war-_pr-any-4185978627296347654.dir/webapp/,STARTING}{/pr.war} has uncovered http methods for path: /images/*
So I know the security is being loaded. Assuming javascript Image.src =
"/images/HcS5U_9" results in a GET, I am not worried about POST being
uncovered for now.
--- /etc/realm.xml:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.base" default="."/>/etc/realm.properties</Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
  <Get class="org.eclipse.jetty.util.log.Log" name="rootLogger">
    <Call name="warn"><Arg>demo test-realm is deployed. DO NOT USE IN PRODUCTION!</Arg></Call>
  </Get>
</Configure>
--- src/main/webapp/WEB-INF/jetty-env.xml
<Get name="securityHandler">
  <Set name="realmName">Test Realm</Set>
</Get>
--- jetty-base/webapps/pr.xml [matches pr.war, not sure if picked up]
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/pr</Set>
  <Set name="war"><Property name="jetty.webapps" default="."/>/pr.war</Set>
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.base" default="."/>/etc/realm.properties</Set>
        <!-- To enable reload of realm when properties change, uncomment the following lines -->
        <!-- changing refreshInterval (in seconds) as desired -->
        <!--
        <Set name="refreshInterval">5</Set>
        <Call name="start"></Call>
        -->
      </New>
    </Set>
    <Set name="authenticator">
      <New class="org.eclipse.jetty.security.authentication.BasicAuthenticator">
        <!-- Set name="alwaysSaveUri">true</Set -->
      </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
  </Get>
</Configure>
That's the latest.
Bill
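
The startup warning quoted above ("has uncovered http methods for path: /images/*") follows from listing only GET in the constraint: every other method on /images/* is left without an auth-constraint, and a transport-guarantee of NONE lets the BASIC credentials travel base64-encoded over plain HTTP. The fragment below is an added example, not part of the original message, that puts the posted constraint beside two corrected forms. It assumes a Servlet 3.1 descriptor (<web-app version="3.1">) and an HTTPS connector configured in Jetty; the web-resource-name in option 1 is a made-up label.

```xml
<!-- Added example, not from the original message. Assumes web-app version 3.1. -->

<!-- As posted: only GET is constrained, so POST, PUT, DELETE and the rest on
     /images/* are uncovered, and BASIC credentials are sent unencrypted. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Access - Get Only</web-resource-name>
    <url-pattern>/images/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Corrected, option 1: no http-method element, so the constraint applies to
     every method on /images/*. CONFIDENTIAL makes the container require TLS
     before the Authorization header is accepted. -->
<security-constraint>
  <web-resource-collection>
    <!-- hypothetical label, chosen for this example -->
    <web-resource-name>Restricted Access - All Methods</web-resource-name>
    <url-pattern>/images/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Corrected, option 2: keep a GET-only constraint (with CONFIDENTIAL) and
     add this Servlet 3.1 element as a direct child of web-app, so the
     container rejects any method that no constraint covers. -->
<deny-uncovered-http-methods/>
```

With either option in place the "uncovered http methods" warning should no longer appear at startup for /images/*.
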
On 10/2/2015 2:37 PM, Bill Ross wrote:
Also tried adding this webapps/pr.xml per the 'webapps/test.xml' in
the demo, and got no errors (even with web.xml auth turned on, which
is progress), but still get no security - I'm expecting the browser to
pop up a basic username/password window with BASIC auth-method, but
when my javascript calls the servlet there is no such popup.
Bill
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/pr</Set>
  <Set name="war"><Property name="jetty.webapps" default="."/>/pr.war</Set>
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.base" default="."/>/etc/realm.properties</Set>
        <!-- To enable reload of realm when properties change, uncomment the following lines -->
        <!-- changing refreshInterval (in seconds) as desired -->
        <!--
        <Set name="refreshInterval">5</Set>
        <Call name="start"></Call>
        -->
      </New>
    </Set>
    <Set name="authenticator">
      <New class="org.eclipse.jetty.security.authentication.FormAuthenticator">
        <Set name="alwaysSaveUri">true</Set>
      </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
  </Get>
</Configure>
On 10/2/2015 1:42 PM, Bill Ross wrote:
On 10/1/2015 1:26 PM, Bill Ross wrote:
jetty.demo.realm only exists in demo config files - it is not in any
java files.
And I can change it to jexty.demo.realm without error.
Same result when I put the basic auth in the web.xml of a war file
(java.lang.IllegalStateException: No LoginService), so the problem is
definitely either in the code or the config of the examples, which
have the dead tag as I described.
Meanwhile I have added a filename-masking Servlet on /images/* that
uses an evanescent tag instead of the filename. So my only remaining
security task is getting login working. I have tried a bunch of stuff
and it seems I have found a bug or two in demos and maybe source, but
no one seems to be paying attention. Please don't make me read the
code :-)
Thanks,
Bill
-------- Original message --------
From: Bill Ross
Date:10/01/2015 1:06 PM (GMT-08:00)
To: [email protected]
Subject: Re: [jetty-users] HashLoginService (was JAAS)
Jan (or anyone),
> There's also a jetty-specific feature that if the realm-name is
> omitted from the <login-config> then we'll automatically select the
> first LoginService that has been defined for a Server instance (eg
> as an addBean() as has been shown in the doco and in the
> demo-base/etc/test-realm.xml).
Aha, when I delete the realm-name from the <login-config> in
web.xml, I see that my HashLoginService evidently didn't get
registered even though the etc/realm.xml has
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><Property name="jetty.demo.realm" default="etc/realm.properties"/></Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
  <Get class="org.eclipse.jetty.util.log.Log" name="rootLogger">
    <Call name="warn"><Arg>demo test-realm is deployed. DO NOT USE IN PRODUCTION!</Arg></Call>
  </Get>
</Configure>
And on startup I see:
2015-10-01 12:50:39.793:WARN::main: demo test-realm is deployed. DO NOT USE IN PRODUCTION!
2015-10-01 12:50:40.203:WARN:oejw.WebAppContext:main: Failed startup of context o.e.j.w.WebAppContext@234bef66{/,file:///Users/priot/pr/jetty-base/webapps/ROOT/,STARTING}{/ROOT}
java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.BasicAuthenticator@47db50c5 in org.eclipse.jetty.security.ConstraintSecurityHandler@5c072e3f
    at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:76)
    at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:354)
    at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:448)
So there seems to be a bug in docs or code since the
HashLoginService setup is quietly consumed but seems to have no effect.
And in case anyone is still reading, once again, is the
"jetty.demo.realm" supposed to mean anything or match anything???
<Property name="jetty.demo.realm" default="etc/realm.properties"/>
Thanks,
Bill
On 9/30/2015 1:29 AM, Jan Bartel wrote:
Bill,
If you use the same realm-name in the <login-config> element of
multiple webapps, they'll all share the same LoginService.
There's also a jetty-specific feature that if the realm-name is
omitted from the <login-config> then we'll automatically select the
first LoginService that has been defined for a Server instance (eg
as an addBean() as has been shown in the doco and in the
demo-base/etc/test-realm.xml).
Jan
On 30 September 2015 at 18:10, Bill Ross <[email protected]> wrote:
Hi Jan,
So if web.xml only goes in a webapp, how can a realm defined in
one cover the contents of ROOT?
I will see how you change that text and try the result.
Thanks,
Bill
-------- Original message --------
From: Jan Bartel
Date:09/30/2015 12:46 AM (GMT-08:00)
To: JETTY user mailing list
Subject: Re: [jetty-users] JAAS questions
Hi Bill,
web.xml does not go into the ${jetty.base} directory. It can
only go into a WEB-INF directory of a webapp, such as a webapp
inside of the ${jetty.base}/webapps directory, which is the
default deploy directory.
Also, I will change the text on the Security page which
mentions jetty.xml - this is no doubt historical from before we
had the distinction between ${jetty.home} and ${jetty.base}.
And no, I do NOT recommend anyone edits ${jetty.home} - there
should be very very very few cases where this is necessary (and
this isn't one of them :)).
cheers
Jan
On 30 September 2015 at 17:35, Bill Ross <[email protected]> wrote:
Jan, there was no jetty-base etc dir before I created it to
put that file in. I thought jetty xmls were additive, but
it sounds like the base one tromped the home one. I have
home set to the distribution of my last build of the
current tree.
The configuring security link brings me
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users