Re: [jetty-users] JASPI 196: make it work on Jetty 8

Wed, 28 Sep 2011 00:40:39 -0700 

The sources in jetty-7.5.1.v20110908/jetty-jaspi and 
jetty-8.0.1.v20110908/jetty-jaspi are the same each other.

JASPI does not work in etty-7.5.1.v20110908. Merge what I changed to 
jetty-7.5.1.v20110908 works by my test, so you could first fix it in Jetty 7, 
then merge the fix to Jetty 8.


From: jetty-users-boun...@eclipse.org<mailto:jetty-users-boun...@eclipse.org> 
[mailto:jetty-users-boun...@eclipse.org]<mailto:[mailto:jetty-users-boun...@eclipse.org]>
 On Behalf Of Jan Bartel
Sent: Wednesday, September 28, 2011 2:07 PM
To: JETTY user mailing list
Subject: Re: [jetty-users] JASPI 196: make it work on Jetty 8

Hi,

Thanks for that comprehensive information, we will certainly look into it.

In saying that jetty-jaspi currently does not work well on jetty-8, does this 
mean that it is working fine
with jetty-7? We try to maintain as much of the codebase in common between 
jetty-7 and jetty-8 as
possible, so I'd like to know if this is something that should go into jetty-7, 
and will then get merged
into jetty-8, or if this is a problem specific to jetty-8.

thanks
Jan
On 28 September 2011 15:23, Guofeng Zhang 
<guof...@radvision.com<mailto:guof...@radvision.com>> wrote:
Hi,

JASPI make us to plug in other authentication module (for example, using openID 
or other mechanism to authenticate users) easier on Jetty for container-managed 
security. There is jetty-jaspi module in the Jetty source code base, but I 
think it has not been maintained for a long time.

By making a little fix on jetty-jaspi module, I make the JASPI works well on 
Jetty 8. I attach the changes. I hope if I did it well, it could be merged into 
the next Jetty 8 release.

To use JASPI:

1.       Creating a JASPI configuration XML file for your auth module:

<?xml version="1.0" encoding="UTF-8"?>

<jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi";>



    <configProvider>

        <messageLayer>HTTP</messageLayer>

        <appContext>/ui</appContext>

        <description>description</description>

        <serverAuthConfig>

            
<authenticationContextID>authenticationContextID2</authenticationContextID>

            <protected>true</protected>

            <serverAuthContext>

                <serverAuthModule>

                    
<className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>

                    <options>

                       
org.eclipse.jetty.security.jaspi.modules.LoginPage=/secure/jaaslogin

                       
org.eclipse.jetty.security.jaspi.modules.ErrorPage=/secure/jaaserror

                    </options>

                </serverAuthModule>

            </serverAuthContext>

        </serverAuthConfig>

        <persistent>true</persistent>

    </configProvider>

</jaspi>
   The above using the Jetty built-in FormAuthModule, if you want to use the 
built-in Basic or Digest auth module, the <serverAuthModule> part should be:
                <serverAuthModule>
                    
<className>org.eclipse.jetty.security.jaspi.modules.DigestAuthModule</className>
                    <options>
                       
org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
                    </options>
                </serverAuthModule>
Or
                <serverAuthModule>
                    
<className>org.eclipse.jetty.security.jaspi.modules.BasicAuthModule</className>
                    <options>
                       
org.eclipse.jetty.security.jaspi.modules.RealmName=JAASRealm
                    </options>
                </serverAuthModule>

Here I use the implementation of JASPI of geronimo-jaspi 2.0-SNAPSHOT from 
geronimo-jaspi (https://github.com/apache/geronimo-jaspi). you could use 
geronimo-jaspi 1.1.1 release, but you might need to implements 
javax.security.auth.message.config.AuthConfigProvider (and not 
javax.security.auth.message.module.ServerAuthModule) and configure it in the 
above XML file.


2.       Configuring your AppContext to use JaspiAuthenticatorFactory. I 
configured it in jetty-web.xml file:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">

  <Set name="securityHandler">

      <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">

         <Set name="loginService">

            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">

              <Set name="name">JAASRealm</Set>

              <Set name="loginModuleName">jaas</Set>

            </New>

         </Set>



         <Set name="authenticatorFactory">

             <New 
class="org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory" />

         </Set>

      </New>

  </Set>

</Configure>


3.       When launching Jetty, using 
-Dorg.apache.geronimo.jaspic.configurationFile to tell geronimo-jaspi where to 
find the JASPI configuration file. The following is the jetty-maven-plugin 
configuration (my JASPI configuration file is form-test-jaspi-2.xml):

      <plugin>

        <groupId>org.mortbay.jetty</groupId>

        <artifactId>jetty-maven-plugin</artifactId>

        <version>${jetty.version}</version>

       <configuration>

           <scanIntervalSeconds>10</scanIntervalSeconds>

           <webAppConfig>

              <contextPath>/ui</contextPath>

              <parentLoaderPriority>true</parentLoaderPriority>

          </webAppConfig>



          <systemProperties>

             <systemProperty>

               <name>java.security.auth.login.config</name>

               <value>./conf/jetty/jaas.conf</value>

            </systemProperty>

            <systemProperty>

              <name>org.apache.geronimo.jaspic.configurationFile</name>

              <value>./conf/jaspi/form-test-jaspi-2.xml</value>

            </systemProperty>

        </configuration>

        <dependencies>

           <dependency>

              <groupId>org.eclipse.jetty</groupId>

              <artifactId>jetty-jaspi</artifactId>

              <version>${jetty.version}</version>

           </dependency>

           <dependency>

              <groupId>org.apache.geronimo.components</groupId>

              <artifactId>geronimo-jaspi</artifactId>

              <version>2.0-SNAPSHOT</version>

           </dependency>

         </dependencies>

      </plugin>
In my test, I use my own JAAS login module, which configured in jaas.conf. you 
could use Jetty built-in login module as described in 
http://wiki.eclipse.org/Jetty/Feature/JAAS.

Q: what I cannot know if I did it correctly is the changes to 
JaspiAuthenticator. I removed the following lines at the beginning of 
validateRequest():
        if (_allowLazyAuthentication && !mandatory)
            return _deferred;
and add the following:
                     if ( !isMandatory( messageInfo ) )
                               return _deferred ;
after "if (authStatus == AuthStatus.SUCCESS)" at line 114. This make me have to 
add the following in validateRequest() of FormAuthModule class:
            Authentication authentication = 
((org.eclipse.jetty.server.Request)request).getAuthentication() ;
            if (authentication instanceof Authentication.Deferred )
                return AuthStatus.SEND_SUCCESS;
or the unprotected resources won't be handled properly. This makes the auth 
module to have to know how Authentication.Deferred works, it is not an easier 
to use dependency. This might be that I do not understand 
DeferredAuthentication class clearly. Your advice is appreciated.

Thanks.



_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org<mailto:jetty-users@eclipse.org>
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
https://dev.eclipse.org/mailman/listinfo/jetty-users

Reply via email to