I have written a custom LoginModule to authenticate users using nodes in a 
Neo4J graph database. Kind of like the functionality in the provided 
org.eclipse.jetty.jaas.spi.JDBCLoginModule. Basically, provide the node type 
and attributes in the node for the username and password and we can 
authenticate against the graph database. As part of this, I am using the 
following three classes from the Jetty distribution, 

import org.eclipse.jetty.jaas.JAASRole;

import org.eclipse.jetty.security.UserPrincipal;
import org.eclipse.jetty.util.security.Credential;
I chose to use these three classes, to simplify the process. No need to 
re-invent the wheel with these since they existed already and the 
JDBCLoginModule used them.  Probably the most critical I wanted to use was 
Credential since it provides the password hashing and verification logic. I saw 
no reason to create my own version of this since what I created would pretty 
much be exactly the logic from this. 
I am working with Jetty 11.0.7 and I have the whole thing working fine running 
under eclipse, but when I try and use it in a standalone jetty instance I am 
getting class loader problems. When I try and create a credential using,

Credential.getCredential(neo4jCredential);

I am getting this;

java.lang.NoClassDefFoundError: org/eclipse/jetty/util/security/Credential

When I debug the problem, what I am finding is that the class loader context 
for the JDBCLoginModule is not the same as for my custom login module. When in 
the initialize() method of the login modules I see this;
Using the JDBCLoginModule

this.getClass()

class org.eclipse.jetty.jaas.spi.JDBCLoginModule




this.getClass().getClassLoader()

startJarLoader@2d3379b4







Using the Neo4jLoginModule
this.getClass()


class com.bb.neo4j_login_module.Neo4jLoginModule




this.getClass().getClassLoader()
WebAppClassLoader{Fermenation}@6bc28a83

My login module is deployed just like any other jetty module, isolated from my 
webapp.  These files are included in my JETTY_BASE directory;

etc/neo4j-authentication.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>



<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" 
"https://www.eclipse.org/jetty/configure_10_0.dtd";>



<Configure id="Server" class="org.eclipse.jetty.server.Server">



    <Call name="addBean">



        <Arg>



            <New class="org.eclipse.jetty.jaas.JAASLoginService">



                <Set name="name">beercalc.realm</Set>



                <Set name="LoginModuleName">beercalc.login.module</Set>



            </New>



        </Arg>



    </Call>


</Configure>



lib/neo4j_login_module-1.0.jar
Jar file containing the classes for the login module. Code is in a public repo 
here; GitHub - scottastanley/neo4j_login_module, if there is anything in the 
implementation that should matter.




modules/neo4j-authentication.mod

[description]



Configures the Neo4J JAAS login module.








[depend]



server



jaas








[lib]



lib/neo4j_login_module-1.0.jar








[xml]



etc/neo4j-authentication.xml








[ini-template]



# --------------------------------------- 



# Module: neo4j-authentication



# Enables the JAAS Login service for authentication against Neo4J. 



# --------------------------------------- 



--module=neo4j-authentication



start.d/neo4j-authentication.ini

# --------------------------------------- 



# Module: neo4j-authentication



# Enables the JAAS Login service for authentication against Neo4J. 



# --------------------------------------- 


--module=neo4j-authentication


I am aware that I am not supposed to be able to use server classes in a webapp. 
So, I am sure this is why the Credential class is not found. But I can not 
figure out why my login module is being loaded in the webapp context. I had 
assumed it would operate under the same class loaded as the JDBCLoginModule. I 
know that I should be able to change the filtering of server classes by the 
class loader in the webapp, although the only concrete example I have found is 
doing it for Jetty 8 and this has changed in Jetty 11. So, have not figured 
that out yet. Although I would rather figure out why the module is using the 
webapp classloader so I do not need to set up customer, more permissive class 
loader configuration.
The really funny thing is I have been using the static method 
Credential.MD5.digest(password) in my actual web application for a long time in 
the logic allowing users to change their password. Not sure how or why this 
ever worked, but I know it did in Jetty 8. I will admit, I just tested tonight 
and this no longer works. Must have gotten broken when I upgraded to Jetty 11 
and I never realized.
Is there any way to get my module to utilize the startJarLoader instead of the 
one in the webapp? I would really like to get this figured out. I may need to 
reimplement the whole Credential logic anyway since I can't use the method to 
digest passwords anymore. That would be a shame, but I do need the symmetric 
digest/validate logic available.
I really appreciate any insight anyone has on why the module is using the 
webapp class loader.  Would really like to understand this.  Also, if anyone 
has any suggestions on how to solve this problem besides 
re-implementing/duplicating the credential logic I'd appreciate it.
Scott

 
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users

Reply via email to