[ https://issues.apache.org/jira/browse/GERONIMO-4777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shawn Jiang reassigned GERONIMO-4777:
-------------------------------------

    Assignee: Shawn Jiang

> WADI clustering does not work with Jetty7
> -----------------------------------------
>
>                 Key: GERONIMO-4777
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4777
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: Jetty
>    Affects Versions: 2.2
>         Environment: Tested on OS X 10.5 and Ubuntu 8.10, both running 64-bit Java 1.6
>            Reporter: Trygve Hardersen
>            Assignee: Shawn Jiang
>         Attachments: jgs.tar.gz, WADIJettyClusteringBuilder.patch
>
>
> I've been trying to get WADI clustering to work with Jetty7, but I've found
> numerous issues:
>
> The first problem is that a Geronimo plugin that uses WADI clustering and
> Jetty7 cannot be built. The WADIJettyClusteringBuilder is unable to locate
> the web module in the deployment, so the build fails with the following error:
>
> org.apache.maven.lifecycle.LifecycleExecutionException: could not package plugin
> Caused by: org.apache.maven.plugin.MojoExecutionException: could not package plugin
> Caused by: org.apache.geronimo.common.DeploymentException: Could not locate web module gbean in web app configuration
>
> I was able to resolve this by copying the code that creates the
> webModuleQuery from the equivalent Jetty6 module into the Jetty7 module, see
> WADIJettyClusteringBuilder.patch. With this the build succeeds, and I'm able
> to deploy the plugin. I don't know if it breaks anything else, but I've not
> seen issues with it.
>
> AFAICT normal session replication works fine with this. However it does not
> work when combined with form based security for the web application. The
> first problem is that
> org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication
> and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator
> are not serializable, so they can not be sent across the network. I made
> these classes serializable, and then login works as long as there is only one
> member in the cluster (well, not really a cluster...). When there are
> multiple members in the cluster, login fails because there is no valid
> constructor for
> org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication.
> I tried to add a default constructor, but it's an inner class, and it seems
> to me like the Authenticator and UserIdentity properties are required for it
> to work so I did not try to extract the class.
>
> As I said login works as long as there's only one member in the cluster, but
> logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws
> an exception, because the current session can not be found:
>
> java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.wadisessionadap...@7f488ddb] is undefined
> org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist
>
> I am attaching the patch for the WADIJettyClusteringBuilder
> (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that
> demonstrates the security problems I'm experiencing. The
> web-formlogin-clustering-plugin of the JGS project uses form based security
> and WADI clustering. The /customer page is protected, and to access it one
> must login with any username and password, as long as they are the same. Use
> test/test for instance. To test session invalidation, manually enter the URL
> /logout.
>
> It would be very helpful if someone can comment on the usability of WADI
> clustering in combination with Jetty7. To me it seems like it has not been
> tested much, and I think going back to Jetty6 again is the best option for
> us, unless the issues described above can be easily solved.
>
> Thanks for your help!

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
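
The pattern in the report (login works on one node, "no valid constructor" once a second member has to read the replicated session) matches how Java serialization behaves when a class is marked Serializable but its nearest non-serializable superclass has no accessible no-arg constructor. The following is an added example, not code from the report, Geronimo or Jetty; BaseAuth and CachedAuth are constructed stand-ins, and whether this is the actual cause in SessionAuthentication is an assumption the report does not confirm.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class NoValidConstructorDemo {
    // Constructed stand-in: non-serializable base class with no no-arg constructor.
    static class BaseAuth {
        final String method;
        BaseAuth(String method) { this.method = method; }
    }

    // Constructed stand-in: a cached authentication made Serializable after the fact.
    static class CachedAuth extends BaseAuth implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        CachedAuth(String method, String user) { super(method); this.user = user; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Sending side: writing succeeds, because no constructor is invoked when serializing.
        byte[] wire = serialize(new CachedAuth("FORM", "test"));
        System.out.println("sending node: wrote " + wire.length + " bytes");
        try {
            // Receiving side: the JVM must run a no-arg constructor of the first
            // non-serializable superclass (BaseAuth) to rebuild its state; none exists.
            deserialize(wire);
        } catch (InvalidClassException e) {
            System.out.println("receiving node: " + e.getMessage());
        }
    }
}
```

A replication test for session-stored security objects should therefore round-trip them through deserialization, not only serialization, before a second cluster member is added.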