Hi Larry,

Good to hear your use-case for jetty-jaspi, and even more interesting to hear you were on the jsr! I'm positive the jetty-jaspi code needs some luvin', so if you have any time at all to take a look over it, kick the tires and contribute any comments and/or improvements back, then that would be most welcome!

In the meanwhile, I will clean up the little test webapp I have that uses geronimo-jaspi jars and put it into a public repo - will post back here when it's done.

cheers
Jan

On 15 February 2013 11:28, larry mccay <[email protected]> wrote:
> Hi Jan -
>
> Thank you for your response.
>
> I will have to resurrect that work now and try and close the remaining gaps.
>
> Personally, I like the programming model afforded by JASPIC and that
> it empowers you to be able to guide the container in setting the
> security context without getting into container specifics.
>
> We are developing a platform that has pluggable authentication
> providers and things like shiro are great but I end up having to
> normalize the authenticated user as a standard Subject afterward and
> then execute a doAs() - which the SecurityManager frowns upon and is
> not really intended as part of the application programming model.
>
> By leveraging the SPI provided by JASPIC you are plugged directly into
> container code and can portably control the EE security context
> without having to mess with Java security policy. This is a beautiful
> thing.
>
> Unfortunately, JASPIC has had its own lack of marketing and
> documentation issues.
>
> There are some interesting AuthModules available that I would like to
> be able to take advantage within our platform however and that's why I
> am pursuing JASPI on Jetty.
>
> By the way, as a member of the JSR-196 EG, I am a bit biased.
> :-)
>
> As I make further progress on this - I will let you know.
>
> Peace,
>
> --larry
>
> On Thu, Feb 14, 2013 at 5:52 PM, Jan Bartel <[email protected]> wrote:
>> Hi Larry,
>>
>> I'm impressed you've managed to get this far, as we've historically
>> done a terrible job of documenting jaspi in jetty!
>>
>> I've only ever used jetty-jaspi in conjunction with geronimo's jaspi
>> jars, and a very early version of those geronimo jars at that.
>>
>> So in addition to what you've got already, here's the other pieces
>> that I have used in a working test webapp using jaspi:
>>
>> + these geronimo-jaspi dependencies:
>>     <dependency>
>>       <groupId>org.apache.geronimo.components</groupId>
>>       <artifactId>geronimo-jaspi</artifactId>
>>       <version>2.0-SNAPSHOT</version>
>>       <exclusions>
>>         <exclusion>
>>           <groupId>org.apache.geronimo.specs</groupId>
>>           <artifactId>geronimo-jaspic_1.0_spec</artifactId>
>>         </exclusion>
>>       </exclusions>
>>     </dependency>
>>     <dependency>
>>       <groupId>org.apache.geronimo.specs</groupId>
>>       <artifactId>geronimo-osgi-locator</artifactId>
>>       <version>1.0</version>
>>     </dependency>
>>
>>
>> + a system property pointing to a geronimo jaspi config file (which
>> sets up the missing piece from your stacktrace, the ServerAuthModule):
>>     -Dorg.apache.geronimo.jaspic.configurationFile=jaspi.xml
>>
>> + a geronimo jaspi config file:
>>     <?xml version="1.0" encoding="UTF-8"?>
>>
>>     <jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
>>       <configProvider>
>>         <messageLayer>HTTP</messageLayer>
>>         <appContext>server /foo</appContext>
>>         <description>description</description>
>>         <serverAuthConfig>
>>           <authenticationContextID>authenticationContextID2</authenticationContextID>
>>           <protected>true</protected>
>>           <serverAuthContext>
>>             <serverAuthModule>
>>               <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
>>               <options>
>>                 org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
>>                 org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
>>               </options>
>>             </serverAuthModule>
>>           </serverAuthContext>
>>         </serverAuthConfig>
>>         <persistent>true</persistent>
>>       </configProvider>
>>     </jaspi>
>>
>>
>> Hopefully that might help you get a bit further.
>>
>> I'm interested to hear if many others on the lists are trying to use
>> or are using the jetty-jaspi integration. Our impression is that it is
>> hardly used by anyone.
>> Of course, that could be because the
>> documentation is missing! However, before we direct more of our
>> limited resources to the jaspi stuff, we'd like to hear from the user
>> community - is this something that you are using, or are likely to
>> use???
>>
>> Jan
>>
>> On 17 January 2013 03:53, larry mccay <[email protected]> wrote:
>>> Greetings -
>>>
>>> I am working on an embedded Jetty project in which we programmatically
>>> deploy the WebAppContexts for dynamically created WebApps.
>>> What I would like to do is configure the use of JASPI per application.
>>>
>>> The following code is being used at deployment time:
>>>
>>>   private synchronized void internalDeploy( Topology topology, File warFile ) {
>>>     String name = topology.getName();
>>>     String warPath = warFile.getAbsolutePath();
>>>     WebAppContext context = new WebAppContext();
>>>     context.setDefaultsDescriptor( null );
>>>     context.setContextPath( "/" + path + "/" + name );
>>>     context.setWar( warPath );
>>>
>>>     JaspiAuthenticatorFactory authenticatorFactory = new JaspiAuthenticatorFactory();
>>>     SecurityHandler handler = new ConstraintSecurityHandler();
>>>     handler.setAuthenticatorFactory(authenticatorFactory);
>>>     JAASLoginService ls = new JAASLoginService();
>>>     ls.setName("JAASRealm");
>>>     ls.setLoginModuleName("jaas");
>>>     ls.setIdentityService(new DefaultIdentityService());
>>>     handler.setLoginService(ls);
>>>     authenticatorFactory.setLoginService(ls);
>>>     jetty.addBean(ls);
>>>     Constraint constraint = new Constraint();
>>>     constraint.setName(constraint.__BASIC_AUTH);
>>>     constraint.setRoles(new String[]{"user","admin","moderator"});
>>>     constraint.setAuthenticate(true);
>>>
>>>     ConstraintMapping cm = new ConstraintMapping();
>>>     cm.setConstraint(constraint);
>>>     cm.setPathSpec("/*");
>>>     // handler.setAuthMethod("BASIC");
>>>     handler.setRealmName("JAASRealm");
>>>     ((ConstraintSecurityHandler) handler).setConstraintMappings(new ConstraintMapping[]{cm});
>>>     context.setSecurityHandler(handler);
>>>     internalUndeploy( topology );
>>>     deployments.put( name, context );
>>>     contexts.addHandler( handler );
>>>     contexts.addHandler( context );
>>>     try {
>>>       context.start();
>>>     } catch( Exception e ) {
>>>       //TODO: I18N message
>>>       e.printStackTrace();
>>>     }
>>>   }
>>>
>>>
>>> and I am encountering the following stacktrace:
>>>
>>> 13/01/16 11:16:05 WARN component.AbstractLifeCycle: FAILED org.eclipse.jetty.server.session.SessionHandler@786c1a82: java.lang.IllegalStateException: No ServerAuthentication
>>> java.lang.IllegalStateException: No ServerAuthentication
>>>   at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:371)
>>>   at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:233)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>   at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:124)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
>>>   at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:115)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:752)
>>>   at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:247)
>>>   at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1238)
>>>   at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:706)
>>>   at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:480)
>>>   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
>>>   at org.apache.hadoop.gateway.GatewayServer.internalDeploy(GatewayServer.java:323)
>>>   at org.apache.hadoop.gateway.GatewayServer.access$600(GatewayServer.java:68)
>>>   at org.apache.hadoop.gateway.GatewayServer$InternalTopologyListener.handleTopologyEvent(GatewayServer.java:367)
>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.notifyChangeListeners(FileTopologyProvider.java:148)
>>>   at org.apache.hadoop.gateway.topology.file.FileTopologyProvider.reloadTopologies(FileTopologyProvider.java:113)
>>>   at org.apache.hadoop.gateway.GatewayServer.start(GatewayServer.java:255)
>>>   at org.apache.hadoop.gateway.GatewayServer.startGateway(GatewayServer.java:180)
>>>   at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:97)
>>>
>>> Looking at the ServerHandler code this indicates that no authenticator is
>>> being found in the following code snippet:
>>>     ...
>>>     if (_authenticator==null && _authenticatorFactory!=null && _identityService!=null)
>>>     {
>>>         _authenticator=_authenticatorFactory.getAuthenticator(getServer(),ContextHandler.getCurrentContext(),this, _identityService, _loginService);
>>>         if (_authenticator!=null)
>>>             _authMethod=_authenticator.getAuthMethod();
>>>     }
>>>
>>>     if (_authenticator==null)
>>>     {
>>>         if (_realmName!=null)
>>>         {
>>>             LOG.warn("No ServerAuthentication for "+this);
>>>             throw new IllegalStateException("No ServerAuthentication");
>>>         }
>>>     }
>>>     else
>>>     {
>>>         _authenticator.setConfiguration(this);
>>>         if (_authenticator instanceof LifeCycle)
>>>             ((LifeCycle)_authenticator).start();
>>>     }
>>>     ...
>>>
>>> Can anyone tell what is missing from my configuration code or alternatively
>>> point me to relevant tests?
>>>
>>> Thank you in advance!
>>>
>>> --larry
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>> --
>> Jan Bartel <[email protected]>
>> www.webtide.com – Developer advice, services and support
>> from the Jetty & CometD experts.
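
An added example, not part of the thread and not code from Jetty or Geronimo: a small Python check that reads a Geronimo jaspi config like the one posted above and reports which ServerAuthModule, if any, is registered for a given webapp context path. It assumes the lookup key has the `server <contextPath>` form seen in the posted `<appContext>` value and matches it exactly; `modules_for`, `parse_options`, the trimmed sample XML and the `/gateway/sample` path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://geronimo.apache.org/xml/ns/geronimo-jaspi"}
# Constructed sample: the config from the thread, trimmed to the elements checked here.
SAMPLE_JASPI_XML = """<jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
  <configProvider>
    <messageLayer>HTTP</messageLayer>
    <appContext>server /foo</appContext>
    <serverAuthConfig><serverAuthContext><serverAuthModule>
      <className>org.eclipse.jetty.security.jaspi.modules.FormAuthModule</className>
      <options>
        org.eclipse.jetty.security.jaspi.modules.LoginPage=/logon.html?param=test
        org.eclipse.jetty.security.jaspi.modules.ErrorPage=/logonError.html?param=test
      </options>
    </serverAuthModule></serverAuthContext></serverAuthConfig>
  </configProvider>
</jaspi>"""

def parse_options(text):
    # <options> holds key=value lines; split on the first '=' only,
    # because values such as /logon.html?param=test contain '=' too.
    opts = {}
    for line in (text or "").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            opts[key] = value
    return opts

def modules_for(xml_text, context_path, server_name="server", layer="HTTP"):
    # Return [(className, options)] for the configProvider whose messageLayer
    # and appContext match this webapp; [] means nothing is registered for it.
    # Assumption: the key is "<server_name> <context_path>", matched exactly.
    wanted = f"{server_name} {context_path}"
    found = []
    for provider in ET.fromstring(xml_text).findall("j:configProvider", NS):
        if provider.findtext("j:messageLayer", "", NS).strip() != layer:
            continue
        if provider.findtext("j:appContext", "", NS).strip() != wanted:
            continue
        for module in provider.iterfind(".//j:serverAuthModule", NS):
            name = module.findtext("j:className", "", NS).strip()
            found.append((name, parse_options(module.findtext("j:options", "", NS))))
    return found

if __name__ == "__main__":
    # "/gateway/sample" is a constructed path in the "/" + path + "/" + name shape.
    for path in ("/foo", "/gateway/sample"):
        mods = modules_for(SAMPLE_JASPI_XML, path)
        print(path, "->", [m[0] for m in mods] or "no ServerAuthModule registered")
```

An empty result for a deployed context path means the config file has no entry for that webapp, so each dynamically deployed context needs its own `<configProvider>` entry or a less specific registration.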
