Re: [jetty-users] Does Jetty Use Session to Set the Principal in HTTP Request

2020-02-24 Thread Wang Yicheng
Hi Greg,

Yes, I've got the point that BASIC is bound to be stateless and work
without session. And we did observe the authentication header in the first
request while the second one didn't carry it.

I think our question is, we do need sessions to keep users logged in, but
we don't have HTML pages as FORM asks for. In this case, which
authentication method should we use? And I suppose all auth methods support
a JAAS customized login module, right?

Do apologize if any of my previous questions are vague or misleading :)

On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins  wrote:

> OK,
>
> so if you are using BASIC auth, then you don't need sessions, so we're
> barking up the wrong tree!
>
> Can you share the headers of your first and second requests? Does the
> second request have the authentication header?
>
> cheers
>
>
>
> On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
> wrote:
>
>> Sorry for the late reply. Yes we use BASIC as the authentication method.
>> It works fine with WebLogic without extra configuration to create sessions.
>> So I supposed Jetty would do the same at the beginning. The thing is our
>> system doesn't have HTML pages as we only use the web server for
>> remote communication.
>>
>> I've tried to change the <auth-method> to FORM in web.xml but it's
>> prompting that the pages are needed. I simply put "/" for the login page
>> and the error page but then the customized login module is not working
>> properly. We have a servlet for domain "/" but it wouldn't return any HTML
>> pages. I didn't get a chance to do further investigation.
>>
>> Any suggestions would be appreciated!
>>
>> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:
>>
>>>
>>> What auth mechanism are you using?
>>> BASIC and DIGEST send auth information with every request
>>> FORM stores the auth in the session.
>>>
>>> You can have other varieties (eg OPENID) which do either, but you need
>>> to set an authenticator to do whatever auth conversation you want to have.
>>>
>>> So tell us a bit more detail about your actual authentication mechanism.
>>>
>>> cheers
>>>
>>>
>>>
>>>
>>> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>>>
 If you use BASIC authentication, every single request must contain the
 realm, username and password and is authenticated on reception - there is
 no concept of a session maintaining state.

 The form login page can be generated by a servlet, it doesn't have to
 be a static html resource.

 Jan

 On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
 wrote:

> Thanks Jan! The thing is, my project actually doesn't have any pages.
> So, is it possible to have FORM authentication without login pages? Or
> does it mean I should go with BASIC while creating sessions myself?
>
> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>
>> You need to set up what the authentication method is, ie the
>> equivalent of the  in web.xml.
>> The default is basic authentication. If you want to use sessions to
>> maintain the authentication state, then configure FORM authentication,
>> either in web.xml or by setting an instance of
>> https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
>> on the SecurityHandler.
>>
>> Jan
>>
>> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
>> wrote:
>>
>>> Thanks Joakim!
>>>
>>> Yes I do have a customized login module following the JAAS spec. So it
>>> seems the missing session is causing the problem. Then my question is:
>>> with the default configuration, does Jetty generate a session automatically
>>> for an authenticated user? Or is my code responsible for doing that?
>>>
>>> I actually published another question here
>>> which contains more details about my issue. Any help is highly
>>> appreciated!
>>>
>>> Best
>>>
>>> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
>>> wrote:
>>>
 If using Servlet authentication (or JAAS) the principal would be
 set.

 If you are using a 3rd party web library (like spring) then odds
 are you are not integrating with Servlet security.

 Joakim Erdfelt / joa...@webtide.com


 On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <wangyicheng1...@gmail.com> wrote:

> Hi team,
>
> My question is as the subject states. My issue is that the login request
> does have the principal when calling getUserPrincipal. But after logging in,
> the second request has a null principal. Besides, neither of the requests has
> a session. So I'm wondering if Jetty uses session information to set the
> principal in the HTTP request. Do appreciate your help!
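The thread's conclusion is that FORM authentication is what keeps a principal across requests (it stores the authenticated identity in the HttpSession), and that the login "page" can be produced by a servlet rather than a static HTML file. The embedded Jetty 9.4 setup below is an added illustration, not code from the thread or from the Jetty project: it wires a JAASLoginService, a ConstraintSecurityHandler using FormAuthenticator, and a servlet that renders the standard j_security_check form. The realm and login-module name "myrealm", the paths /login and /api/whoami, the port, and the class names are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.jaas.JAASLoginService;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

/** Hypothetical embedded-Jetty 9.4 server: FORM auth with a servlet-generated login page. */
public class FormAuthNoPages {

    /** Login "page" as a servlet: renders the form FormAuthenticator expects. */
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/html;charset=utf-8");
            PrintWriter out = resp.getWriter();
            // j_security_check, j_username and j_password are the Servlet-spec
            // form-login names; nothing else on this page matters to Jetty.
            out.println("<form method='POST' action='j_security_check'>"
                + "<input name='j_username'/>"
                + "<input type='password' name='j_password'/>"
                + "<input type='submit' value='Login'/></form>");
        }
    }

    /** Protected endpoint: reports the principal the container attached to the request. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println(req.getUserPrincipal() == null
                ? "anonymous" : req.getUserPrincipal().getName());
        }
    }

    public static Server build(int port) {
        Server server = new Server(port);

        // SESSIONS is required: FORM auth keeps the authenticated principal in the
        // HttpSession and re-attaches it on later requests via the JSESSIONID cookie.
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");
        ctx.addServlet(new ServletHolder(new LoginServlet()), "/login");
        ctx.addServlet(new ServletHolder(new WhoAmIServlet()), "/api/whoami");

        // JAAS login service; "myrealm" (assumed) must match the entry name in the
        // JAAS configuration file given via -Djava.security.auth.login.config.
        JAASLoginService login = new JAASLoginService("myrealm");
        login.setLoginModuleName("myrealm");

        // Any authenticated user may reach /api/*; tighten to specific roles
        // with constraint.setRoles(new String[] {"user"}) if the login module assigns them.
        Constraint constraint = new Constraint();
        constraint.setName("api");
        constraint.setAuthenticate(true);
        constraint.setRoles(new String[] {Constraint.ANY_AUTH});
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/api/*");
        mapping.setConstraint(constraint);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setLoginService(login);
        security.setConstraintMappings(Collections.singletonList(mapping));
        // Login and error "pages" are servlet paths, not static HTML.
        // dispatch=false: redirect the browser to /login instead of forwarding.
        security.setAuthenticator(new FormAuthenticator("/login", "/login?error=1", false));
        // Stateless alternative (credentials on every request, no session needed):
        // security.setAuthenticator(new org.eclipse.jetty.security.authentication.BasicAuthenticator());
        ctx.setSecurityHandler(security);

        server.setHandler(ctx);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

With this configuration a client has to present the JSESSIONID cookie issued during the POST to /j_security_check on every later call to /api/whoami; a client that drops the cookie gets a null getUserPrincipal() on the second request, which is exactly the symptom in the original question. Swapping in BasicAuthenticator (the commented line) removes the session dependency, and then every request must carry the Authorization header instead.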

Re: [jetty-users] Does Jetty Use Session to Set the Principal in HTTP Request

2020-02-24 Thread Greg Wilkins
OK,

so if you are using BASIC auth, then you don't need sessions, so we're
barking up the wrong tree!

Can you share the headers of your first and second requests? Does the
second request have the authentication header?

cheers



On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
wrote:

> Sorry for the late reply. Yes we use BASIC as the authentication method.
> It works fine with WebLogic without extra configuration to create sessions.
> So I supposed Jetty would do the same at the beginning. The thing is our
> system doesn't have HTML pages as we only use the web server for
> remote communication.
>
> I've tried to change the <auth-method> to FORM in web.xml but it's
> prompting that the pages are needed. I simply put "/" for the login page
> and the error page but then the customized login module is not working
> properly. We have a servlet for domain "/" but it wouldn't return any HTML
> pages. I didn't get a chance to do further investigation.
>
> Any suggestions would be appreciated!
>
> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:
>
>>
>> What auth mechanism are you using?
>> BASIC and DIGEST send auth information with every request
>> FORM stores the auth in the session.
>>
>> You can have other varieties (eg OPENID) which do either, but you need to
>> set an authenticator to do whatever auth conversation you want to have.
>>
>> So tell us a bit more detail about your actual authentication mechanism.
>>
>> cheers
>>
>>
>>
>>
>> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>>
>>> If you use BASIC authentication, every single request must contain the
>>> realm, username and password and is authenticated on reception - there is
>>> no concept of a session maintaining state.
>>>
>>> The form login page can be generated by a servlet, it doesn't have to be
>>> a static html resource.
>>>
>>> Jan
>>>
>>> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
>>> wrote:
>>>
 Thanks Jan! The thing is, my project actually doesn't have any pages.
 So, is it possible to have FORM authentication without login pages? Or does
 it mean I should go with BASIC while creating sessions myself?

 On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:

> You need to set up what the authentication method is, ie the
> equivalent of the  in web.xml.
> The default is basic authentication. If you want to use sessions to
> maintain the authentication state, then configure FORM authentication,
> either in web.xml or by setting an instance of
> https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
> on the SecurityHandler.
>
> Jan
>
> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
> wrote:
>
>> Thanks Joakim!
>>
>> Yes I do have a customized login module following the JAAS spec. So it
>> seems the missing session is causing the problem. Then my question is:
>> with the default configuration, does Jetty generate a session automatically
>> for an authenticated user? Or is my code responsible for doing that?
>>
>> I actually published another question here
>> which contains more details about my issue. Any help is highly
>> appreciated!
>>
>> Best
>>
>> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
>> wrote:
>>
>>> If using Servlet authentication (or JAAS) the principal would be set.
>>>
>>> If you are using a 3rd party web library (like spring) then odds are
>>> you are not integrating with Servlet security.
>>>
>>> Joakim Erdfelt / joa...@webtide.com
>>>
>>>
>>> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <wangyicheng1...@gmail.com> wrote:
>>>
 Hi team,

 My question is as the subject states. My issue is that the login request
 does have the principal when calling getUserPrincipal. But after logging in,
 the second request has a null principal. Besides, neither of the requests has
 a session. So I'm wondering if Jetty uses session information to set the
 principal in the HTTP request. Do appreciate your help!

 Best



 --
 Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
 ___
 jetty-users mailing list
 jetty-users@eclipse.org
 To change your delivery options, retrieve your password, or
 unsubscribe from this list, visit
 https://www.eclipse.org/mailman/listinfo/jetty-users


Re: [jetty-users] Does Jetty Use Session to Set the Principal in HTTP Request

2020-02-24 Thread Wang Yicheng
Sorry for the late reply. Yes we use BASIC as the authentication method. It
works fine with WebLogic without extra configuration to create sessions. So
I supposed Jetty would do the same at the beginning. The thing is our
system doesn't have HTML pages as we only use the web server for
remote communication.

I've tried to change the <auth-method> to FORM in web.xml but it's
prompting that the pages are needed. I simply put "/" for the login page
and the error page but then the customized login module is not working
properly. We have a servlet for domain "/" but it wouldn't return any HTML
pages. I didn't get a chance to do further investigation.

Any suggestions would be appreciated!

On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:

>
> What auth mechanism are you using?
> BASIC and DIGEST send auth information with every request
> FORM stores the auth in the session.
>
> You can have other varieties (eg OPENID) which do either, but you need to
> set an authenticator to do whatever auth conversation you want to have.
>
> So tell us a bit more detail about your actual authentication mechanism.
>
> cheers
>
>
>
>
> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>
>> If you use BASIC authentication, every single request must contain the
>> realm, username and password and is authenticated on reception - there is
>> no concept of a session maintaining state.
>>
>> The form login page can be generated by a servlet, it doesn't have to be
>> a static html resource.
>>
>> Jan
>>
>> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
>> wrote:
>>
>>> Thanks Jan! The thing is, my project actually doesn't have any pages.
>>> So, is it possible to have FORM authentication without login pages? Or does
>>> it mean I should go with BASIC while creating sessions myself?
>>>
>>> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>>>
 You need to set up what the authentication method is, ie the equivalent
 of the  in web.xml. The default
 is basic authentication. If you want to use sessions to maintain the
 authentication state, then configure FORM authentication, either in web.xml
 or by setting an instance of
 https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
 on the SecurityHandler.

 Jan

 On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
 wrote:

> Thanks Joakim!
>
> Yes I do have a customized login module following the JAAS spec. So it
> seems the missing session is causing the problem. Then my question is:
> with the default configuration, does Jetty generate a session automatically
> for an authenticated user? Or is my code responsible for doing that?
>
> I actually published another question here
> which contains more details about my issue. Any help is highly
> appreciated!
>
> Best
>
> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
> wrote:
>
>> If using Servlet authentication (or JAAS) the principal would be set.
>>
>> If you are using a 3rd party web library (like spring) then odds are
>> you are not integrating with Servlet security.
>>
>> Joakim Erdfelt / joa...@webtide.com
>>
>>
>> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <wangyicheng1...@gmail.com> wrote:
>>
>>> Hi team,
>>>
>>> My question is as the subject states. My issue is that the login request
>>> does have the principal when calling getUserPrincipal. But after logging in,
>>> the second request has a null principal. Besides, neither of the requests has
>>> a session. So I'm wondering if Jetty uses session information to set the
>>> principal in the HTTP request. Do appreciate your help!
>>>
>>> Best
>>>
>>>
>>>



 --
 Jan Bartel 
 www.webtide.com
 *Expert assistance from the creators of Jetty and CometD*

Re: [jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential

2020-02-24 Thread Joakim Erdfelt
Welcome to jetty-users.

For starters, use a Jetty version that is more up to date[1], stable[2],
and not covered by various public vulnerabilities[3].

1. https://www.eclipse.org/lists/jetty-announce/msg00139.html
2. https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
3. https://www.eclipse.org/jetty/security-reports.html

Your choice of 9.4.15.v20190215 is 11 versions behind current stable, and
has about 10 public security vulnerabilities on it.

The "detailed stack" is missing package names, we cannot tell if the
referenced class is ours or yours or some third party.
It is also cut off at Request.login() which isn't the complete stack trace.
If you must anonymize your stacktrace, just change the
package/company/product names to something generic.
Example: if your company is called FizzBuzz and your product is called
WhizBang.
Then you'll likely see something like
"com.fizzbuzz.web.whizbang.WhizBangController" in your stacktraces.
Change that to "com.acme.web.product.ProductController".
But leave jetty and any other open source project's package/classes/product
names alone (it helps us)

We would also need to know how you are configuring and starting your Jetty
instance.

Joakim Erdfelt / joa...@webtide.com


On Mon, Feb 24, 2020 at 9:54 AM Sujay Pujari wrote:

> Hello Jetty users,
>
> We are migrating Jetty from v6 to ver 9.4.15 & using embedded Jetty,
> wherein authentication is performed using form-based JAAS authentication.
> In the Jaas.conf file we have configured it to use the following custom module
> class DiscoveryLoginModule, which extends AbstractLoginModule.
>
> Now inside the login method of this class, we have the following line of code:
>
> Credential cr = Credential.getCredential(pwdStr);
>
> where we are getting *NoClassDefFoundError* for
> org.eclipse.jetty.util.security.Credential, in spite of the fact that the
> jetty-util jar corresponding to this is present in the buildpath.
>
> Also, Verbose:class shows that this class is getting loaded:
>
> class load: org.eclipse.jetty.util.security.Credential from:
> file:/../lib/Jetty9.4.15/jetty-util-9.4.15.v20190215.jar
>
> Can anybody suggest what I might be missing? Any appropriate way to
> troubleshoot this?
>
> Any help would be really appreciated.
>
> *Here is the detailed stack:*
>
> NoClassDefFoundError.<init>(String) line: 70
> DiscoveryLoginModule.login() line: 151
> NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
> NativeMethodAccessorImpl.invoke(Object, Object[]) line: 95
> DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 55
> Method.invoke(Object, Object...) line: 508
> LoginContext.invoke(String) line: 788
> LoginContext.access$000(LoginContext, String) line: 196
> LoginContext$4.run() line: 698
> LoginContext$4.run() line: 696
> AccessController.doPrivileged(PrivilegedExceptionAction) line: 650
> LoginContext.invokePriv(String) line: 696
> LoginContext.login() line: 597
> JAASLoginService.login(String, Object, ServletRequest) line: 274
> FormAuthenticator(LoginAuthenticator).login(String, Object, ServletRequest) line: 56
> FormAuthenticator.login(String, Object, ServletRequest) line: 192
> DeferredAuthentication.login(String, Object, ServletRequest) line: 123
> Request.login(String, String) line: 2437
>
> Thanks & Regards,
>
> Sujay
> DISCLAIMER
> ==
> This e-mail may contain privileged and confidential information which is
> the property of Persistent Systems Ltd. It is intended only for the use of
> the individual or entity to which it is addressed. If you are not the
> intended recipient, you are not authorized to read, retain, copy, print,
> distribute or use this message. If you have received this communication in
> error, please notify the sender and delete all copies of this message.
> Persistent Systems Ltd. does not accept any liability for virus infected
> mails.
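The reported symptom (Verbose:class shows org.eclipse.jetty.util.security.Credential being loaded from the jetty-util jar, yet the login module throws NoClassDefFoundError) is the kind of thing the reply asks to pin down with a complete stack trace and the server's startup configuration. A NoClassDefFoundError for a class that the JVM did load elsewhere usually means either that the class is not visible to the class loader which loaded the login module, or that the class was found but its static initialisation failed earlier and every later reference re-throws. The following diagnostic, added here and not part of the thread or of Jetty, resolves the class from a given loader and walks the loader chain upward, so it can be called from inside a login module with getClass().getClassLoader() to show which loader fails and why; the class name CredentialClassCheck is an assumption.

```java
import java.security.CodeSource;

/** Hypothetical helper: report where a class resolves from for each loader in a chain. */
public class CredentialClassCheck {

    /** Describe how one class loader resolves the named class, or why it cannot. */
    public static String describe(String className, ClassLoader loader) {
        try {
            // initialize=true so a failing static initializer surfaces here,
            // exactly as it would on the first real use in the login module.
            Class<?> c = Class.forName(className, true, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return className + " resolved by " + loader
                + " -> defined by " + c.getClassLoader()
                + " from " + (src == null ? "<bootstrap/unknown>" : src.getLocation());
        } catch (ClassNotFoundException e) {
            // The jar is not on this loader's path (or its parents'); a different
            // loader seeing the jar is the classic embedded-container mismatch.
            return className + " not visible to " + loader;
        } catch (LinkageError e) {
            // NoClassDefFoundError whose cause is ExceptionInInitializerError means
            // the class was found but its <clinit> threw; fix the cause, not the classpath.
            Throwable cause = e.getCause();
            return className + " failed to link via " + loader + ": " + e
                + (cause != null ? " (cause: " + cause + ")" : "");
        }
    }

    /** One line per loader, from the given loader up to the bootstrap loader. */
    public static String report(String className, ClassLoader start) {
        StringBuilder sb = new StringBuilder();
        for (ClassLoader l = start; l != null; l = l.getParent()) {
            sb.append(describe(className, l)).append('\n');
        }
        if (sb.length() == 0) {
            sb.append(describe(className, null)).append('\n'); // bootstrap loader only
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // From inside the login module, pass getClass().getClassLoader() instead
        // so the report starts at the loader that actually threw.
        System.out.print(report("org.eclipse.jetty.util.security.Credential",
            CredentialClassCheck.class.getClassLoader()));
    }
}
```

Reading the output together with the full, un-truncated stack trace (the frames below Request.login() and the package names the reply asks for) distinguishes a classpath-visibility problem from a static-initialisation failure before any jar is moved around.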

[jetty-users] Jetty9.4.15 NoClassDefFoundError for org.eclipse.jetty.util.security.Credential

2020-02-24 Thread Sujay Pujari
Hello Jetty users,

We are migrating Jetty from v6 to ver 9.4.15 & using embedded Jetty,
wherein authentication is performed using form-based JAAS authentication.
In the Jaas.conf file we have configured it to use the following custom module
class DiscoveryLoginModule, which extends AbstractLoginModule.

Now inside the login method of this class, we have the following line of code:
Credential cr = Credential.getCredential(pwdStr);

where we are getting NoClassDefFoundError for
org.eclipse.jetty.util.security.Credential,
in spite of the fact that the jetty-util jar corresponding to this is present in
the buildpath.
Also, Verbose:class shows that this class is getting loaded:
class load: org.eclipse.jetty.util.security.Credential from:
file:/../lib/Jetty9.4.15/jetty-util-9.4.15.v20190215.jar

Can anybody suggest what I might be missing? Any appropriate way to
troubleshoot this?
Any help would be really appreciated.

Here is the detailed stack:
NoClassDefFoundError.<init>(String) line: 70
DiscoveryLoginModule.login() line: 151
NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
NativeMethodAccessorImpl.invoke(Object, Object[]) line: 95
DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 55
Method.invoke(Object, Object...) line: 508
LoginContext.invoke(String) line: 788
LoginContext.access$000(LoginContext, String) line: 196
LoginContext$4.run() line: 698
LoginContext$4.run() line: 696
AccessController.doPrivileged(PrivilegedExceptionAction) line: 650
LoginContext.invokePriv(String) line: 696
LoginContext.login() line: 597
JAASLoginService.login(String, Object, ServletRequest) line: 274
FormAuthenticator(LoginAuthenticator).login(String, Object, ServletRequest) line: 56
FormAuthenticator.login(String, Object, ServletRequest) line: 192
DeferredAuthentication.login(String, Object, ServletRequest) line: 123
Request.login(String, String) line: 2437


Thanks & Regards,
Sujay