Is this already known (WRT the following comment)?
https://nierbeck.de/2013/01/bind-certain-web-applications-to-specific-httpconnectors/#comment-62

On Thu, 16 May 2019 at 20:26, Markus Rathgeb <maggu2...@gmail.com> wrote:
>
> Hi Łukasz, hi JB,
>
> thank you for that information.
>
> I did not find official documentation for that feature.
>
> I found this one (WRT the information given to me from you):
> * https://ops4j1.jira.com/browse/PAXWEB-396
> * https://nierbeck.de/2013/01/bind-certain-web-applications-to-specific-httpconnectors/
> * http://blog.nanthrax.net/?p=352
> * Source code of Pax Web
>
> I gave it a try using two additional connectors in jetty.xml.
> I used the example that has been present in the current jetty.xml as
> "SelectChannelConnector" did not work ("Caused by:
> java.lang.ClassNotFoundException:
> org.eclipse.jetty.server.nio.SelectChannelConnector not found by
> org.eclipse.jetty.server [62]").
> ===
>     <Call name="addConnector">
>         <Arg>
>             <New class="org.eclipse.jetty.server.ServerConnector">
>                 <Arg name="server"><Ref refid="Server" /></Arg>
>                 <Arg name="factories">
>                     <Array type="org.eclipse.jetty.server.ConnectionFactory">
>                         <Item>
>                             <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>                                 <Arg name="config"><Ref refid="httpConfig" /></Arg>
>                             </New>
>                         </Item>
>                     </Array>
>                 </Arg>
>                 <Set name="host"><Property name="jetty.host" default="localhost" /></Set>
>                 <Set name="port"><Property name="jetty.port" default="8201" /></Set>
>                 <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
>                 <Set name="name">conn1</Set>
>             </New>
>         </Arg>
>     </Call>
>     <Call name="addConnector">
>         <Arg>
>             <New class="org.eclipse.jetty.server.ServerConnector">
>                 <Arg name="server"><Ref refid="Server" /></Arg>
>                 <Arg name="factories">
>                     <Array type="org.eclipse.jetty.server.ConnectionFactory">
>                         <Item>
>                             <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>                                 <Arg name="config"><Ref refid="httpConfig" /></Arg>
>                             </New>
>                         </Item>
>                     </Array>
>                 </Arg>
>                 <Set name="host"><Property name="jetty.host" default="localhost" /></Set>
>                 <Set name="port"><Property name="jetty.port" default="8202" /></Set>
>                 <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
>                 <Set name="name">conn2</Set>
>             </New>
>         </Arg>
>     </Call>
> ===
>
> So, in addition to 8181 there should be two connectors: conn1 on 8201
> and conn2 on 8202.
>
> I created two bundles. Each bundle registers one servlet and uses one
> Web-Connector setting:
>
> Bundle 1 - Component:
> ===
> @Component(immediate = true)
> @Header(name = "Web-Connectors", value = "conn1")
> @Header(name = "Web-VirtualHosts", value = "localhost")
> public class ComponentImpl {
>
>     private static final String ALIAS = "/1";
>
>     private final HttpService httpService;
>
>     @Activate
>     public ComponentImpl(final @Reference HttpService httpService)
>             throws ServletException, NamespaceException {
>         this.httpService = httpService;
>         httpService.registerServlet(ALIAS, new HttpServlet() {
>
>             @Override
>             protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
>                     throws ServletException, IOException {
>                 final PrintWriter writer = resp.getWriter();
>                 writer.println("This is the servlet: " + ALIAS);
>             }
>
>         }, null, null);
>     }
>
>     @Deactivate
>     public void close() {
>         httpService.unregister(ALIAS);
>     }
>
> }
> ===
>
> The "Bundle 2 - Component" is identical to the "1" but uses the alias
> "/2" and the "Web-Connectors" "conn2".
>
> But this does not seem to work as expected.
> "/1" and "/2" can be opened on ports 8181, 8201 and 8202.
>
> So, all of them are available on all connectors.
>
> Can you point me to my misconfiguration?
> Or can you provide me two working demo bundles each of them using
> another connector?
>
> Best regards,
> Markus
>
> On Thu, 16 May 2019 at 16:18, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi,
> >
> > I'm not sure it's what you are looking for, but you can configure
> > several connectors via jetty.xml (in addition to the default one created
> > by Pax Web), then, you can use "VirtualHost" to deploy a servlet on a
> > specific connector.
> >
> > I blogged about this a while ago (http://blog.nanthrax.net/?p=352).
> >
> > Regards
> > JB
> >
> > On 16/05/2019 08:12, Markus Rathgeb wrote:
> > > Hi,
> > >
> > > I assume there are different parties involved, so if this question
> > > should be raised on another mailing list, can you please point me to it?
> > >
> > > I am using Karaf + Pax Web + Jetty.
> > >
> > > Currently I build a custom distribution whose Pax Web configuration
> > > (org.ops4j.pax.web.cfg) also contains these lines:
> > >
> > > ===
> > > org.ops4j.pax.web.ssl.clientauthwanted = true
> > > org.ops4j.pax.web.ssl.clientauthneeded = true
> > >
> > > org.ops4j.pax.web.ssl.truststore=${karaf.etc}/truststore.jks
> > > org.ops4j.pax.web.ssl.truststore.password=that-is-not-the-real-one
> > > ===
> > >
> > > This distribution contains a bundle that registers a servlet "MyServlet".
> > >
> > > Now, just FYI, I assume not all is relevant:
> > >
> > > ===
> > > "MyServlet" extends the "WebSocketServlet"
> > > (org.eclipse.jetty.websocket.servlet.WebSocketServlet).
> > > Type hierarchy: MyServlet -> WebSocketServlet -> HttpServlet ->
> > > GenericServlet [Servlet, ServletConfig, Serializable].
> > >
> > > The WebSocketServlet requires the implementation of the abstract
> > > method "public abstract void configure(WebSocketServletFactory
> > > factory);"
> > >
> > > In the "configure" implementation a "creator" is set.
> > >
> > > factory.setCreator(new MyCreator(...));
> > >
> > > MyCreator implements the following method (required by the
> > > WebSocketCreator interface):
> > >
> > > public @Nullable Object createWebSocket(final ServletUpgradeRequest
> > > req, final ServletUpgradeResponse resp);
> > >
> > > In that method I do a simple certificate check.
> > >
> > > I call "final X509Certificate[] certs = req.getCertificates();" and
> > > use the returned chain for the check.
> > >
> > > Now back to the relevant part.
> > > ===
> > >
> > > The current implementation of the client certificate chain check
> > > relies on Jetty having already required the client authentication
> > > (clientauthneeded) and on the certificate having already been checked
> > > against the configured truststore (that contains only a special CA).
> > >
> > > As we could rely on a "valid" certificate I just need to extract the
> > > information I need from the client certificate and "all is fine".
> > >
> > >
> > > Now, I need to add another servlet to that custom distribution that
> > > should work without a client certificate.
> > >
> > > I assume I will need to remove the truststore and clientauth settings
> > > from the configuration (keep wanted and drop needed?) and check the
> > > certificate in the code for "MyServlet" itself.
> > > I further assume it should work by a filter or in the servlet itself.
> > >
> > > Are there better ways to handle two servlets
> > > * Servlet1 needs client authentication
> > > * Servlet2 does not use client authentication
> > >
> > > How can I trigger the check of the client certificate correctly in the
> > > servlet / filter to check against a specific truststore?
> > >
> > > I am interested in your inputs.
> > >
> > > Best regards,
> > > Markus
> > >
> >
> > --
> > Jean-Baptiste Onofré
> > jbono...@apache.org
> > http://blog.nanthrax.net
> > Talend - http://www.talend.com
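
Added example (not part of the thread, and not Pax Web or Jetty code): one way to do the in-code check asked about in the original question, validating the chain returned by `req.getCertificates()` against a dedicated truststore with the JDK's own trust manager. The class name `ClientCertVerifier` and the truststore path and password passed to it are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: validates a client chain against one dedicated truststore. */
public final class ClientCertVerifier {

    private final X509TrustManager trustManager;

    /** Loads the JKS truststore that holds only the CA(s) allowed to issue client certs. */
    public ClientCertVerifier(final Path jks, final char[] password) throws Exception {
        final KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) {
            ks.load(in, password);
        }
        final TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager found = null;
        for (final TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }
        this.trustManager = found;
    }

    /** True only if a chain was presented and it validates to a CA in the truststore. */
    public boolean isTrusted(final X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false; // with "wanted" instead of "needed" the client may send nothing
        }
        try {
            // authType must be non-empty; the leaf key algorithm (e.g. "RSA", "EC") is used here
            trustManager.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (final CertificateException e) {
            return false; // expired, wrong issuer, broken chain, ...
        }
    }
}
```

Build one instance at activation and call `isTrusted(...)` in `createWebSocket` before reading any identity fields from the leaf certificate. A missing chain is treated as untrusted, which matters once `clientauthneeded` is dropped.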
