Hi Łukasz, hi JB,

thank you for that information.

I did not find any official documentation for that feature.

I found this one (WRT the information given to me from you):
* https://ops4j1.jira.com/browse/PAXWEB-396
* https://nierbeck.de/2013/01/bind-certain-web-applications-to-specific-httpconnectors/
* http://blog.nanthrax.net/?p=352
* Source code of Pax Web

I gave it a try using two additional connectors in jetty.xml.
I used the example that has been present in the current jetty.xml as
"SelectChannelConnector" did not work ("Caused by:
java.lang.ClassNotFoundException:
org.eclipse.jetty.server.nio.SelectChannelConnector not found by
org.eclipse.jetty.server [62]").
===
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server" /></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="httpConfig" /></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <Set name="host"><Property name="jetty.host" default="localhost" /></Set>
                <Set name="port"><Property name="jetty.port" default="8201" /></Set>
                <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
                <Set name="name">conn1</Set>
            </New>
        </Arg>
    </Call>
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server" /></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="httpConfig" /></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <Set name="host"><Property name="jetty.host" default="localhost" /></Set>
                <Set name="port"><Property name="jetty.port" default="8202" /></Set>
                <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
                <Set name="name">conn2</Set>
            </New>
        </Arg>
    </Call>
===

So, in addition to 8181 there should be two connectors: conn1 on 8201
and conn2 on 8202.

I created two bundles. Each bundle registers one servlet and uses one
Web-Connectors setting:

Bundle 1 - Component:
===
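import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.annotation.bundle.Header;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.http.HttpService;
import org.osgi.service.http.NamespaceException;

@Component(immediate = true)
@Header(name = "Web-Connectors", value = "conn1")
@Header(name = "Web-VirtualHosts", value = "localhost")
public class ComponentImpl {

    private static final String ALIAS = "/1";

    private final HttpService httpService;

    @Activate
    public ComponentImpl(final @Reference HttpService httpService)
            throws ServletException, NamespaceException {
        this.httpService = httpService;
        httpService.registerServlet(ALIAS, new HttpServlet() {

            @Override
            protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
                    throws ServletException, IOException {
                final PrintWriter writer = resp.getWriter();
                writer.println("This is the servlet: " + ALIAS);
            }

        }, null, null);
    }

    @Deactivate
    public void close() {
        httpService.unregister(ALIAS);
    }

}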
===

The "Bundle 2 - Component" is identical to "1" but uses the alias
"/2" and the "Web-Connectors" "conn2".

But this does not seem to work as expected.
"/1" and "/2" can be opened on ports 8181, 8201 and 8202.

So, all of them are available on all connectors.

Can you point me to my misconfiguration?
Or can you provide me two working demo bundles each of them using
another connector?

Best regards,
Markus

On Thu, 16 May 2019 at 16:18, Jean-Baptiste Onofré
<j...@nanthrax.net> wrote:
>
> Hi,
>
> I'm not sure it's what you are looking for, but you can configure
> several connectors via jetty.xml (in addition to the default one created
> by Pax Web), then, you can use "VirtualHost" to deploy a servlet on a
> specific connector.
>
> I blogged about this a while ago (http://blog.nanthrax.net/?p=352).
>
> Regards
> JB
>
> On 16/05/2019 08:12, Markus Rathgeb wrote:
> > Hi,
> >
> > I assume there are different parties involved, so if this question
> > should be raised on another mailing list, could you please point me to it?
> >
> > I am using Karaf + Pax Web + Jetty.
> >
> > Currently I build a custom distribution whose Pax Web configuration
> > (org.ops4j.pax.web.cfg) also contains these lines:
> >
> > ===
> > org.ops4j.pax.web.ssl.clientauthwanted = true
> > org.ops4j.pax.web.ssl.clientauthneeded = true
> >
> > org.ops4j.pax.web.ssl.truststore=${karaf.etc}/truststore.jks
> > org.ops4j.pax.web.ssl.truststore.password=that-is-not-the-real-one
> > ===
> >
> > This distribution contains a bundle that registers a servlet "MyServlet".
> >
> > Now, just FYI, I assume not all is relevant:
> >
> > ===
> > "MyServlet" extends the "WebSocketServlet"
> > (org.eclipse.jetty.websocket.servlet.WebSocketServlet).
> > Type hierarchy: MyServlet -> WebSocketServlet -> HttpServlet ->
> > GenericServlet [Servlet, ServletConfig, Serializable].
> >
> > The WebSocketServlet requires the implementation of the abstract
> > method "public abstract void configure(WebSocketServletFactory
> > factory);"
> >
> > In the "configure" implementation a "creator" is set.
> >
> > factory.setCreator(new MyCreator(...));
> >
> > MyCreator implements the following method (required by the
> > WebSocketCreator interface):
> >
> > public @Nullable Object createWebSocket(final ServletUpgradeRequest
> > req, final ServletUpgradeResponse resp);
> >
> > In that method I do a simple certificate check.
> >
> > I call "final X509Certificate[] certs = req.getCertificates();" and
> > use the returned chain for the check.
> >
> > Now back to the relevant part.
> > ===
> >
> > The current implementation of the client certificate chain check
> > relies on the fact that Jetty already required the client authentication
> > (clientauthneeded) and that the certificate is already checked against
> > the configured truststore (that contains only a special CA).
> >
> > As we could rely on a "valid" certificate I just need to extract the
> > information I need from the client certificate and "all is fine".
> >
> >
> > Now, I need to add another servlet to that custom distribution that
> > should work without a client certificate.
> >
> > I assume I will need to remove the truststore and clientauth settings
> > from the configuration (keep wanted and drop needed?) and check the
> > certificate in the code for "MyServlet" itself.
> > I further assume it should work by a filter or in the servlet itself.
> >
> > Are there better ways to handle two servlets:
> > * Servlet1 needs client authentication
> > * Servlet2 does not use client authentication
> >
> > How can I trigger the check of the client certificate correctly in the
> > servlet / filter to check against a specific truststore?
> >
> > I am interested in your inputs.
> >
> > Best regards,
> > Markus
> >
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
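
For the question in the quoted original message (checking the client certificate against a specific truststore from the servlet or filter), one way to do the check with the JDK's PKIX validator. This is an added example, not code from the thread or from Pax Web; the class name `ClientCertValidator` is hypothetical, and it assumes a leaf-first chain and no revocation source.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example; ClientCertValidator is a hypothetical name, not a Pax Web or Jetty class.
public final class ClientCertValidator {

    private final KeyStore trustStore;

    // jksFile: the truststore that contains only the special CA,
    // e.g. the file behind ${karaf.etc}/truststore.jks
    public ClientCertValidator(final Path jksFile, final char[] password)
            throws GeneralSecurityException, IOException {
        trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jksFile)) {
            trustStore.load(in, password);
        }
    }

    // chain: assumed leaf certificate first, as obtained from req.getCertificates()
    public boolean isTrusted(final X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false; // with only "clientauthwanted" a client may send no certificate
        }
        try {
            final CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            final PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured
            // Checks signatures, validity period and CA constraints up to a truststore CA.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // fail closed: untrusted, expired or malformed chain
        }
    }
}
```

In `createWebSocket`, the result of `isTrusted(req.getCertificates())` decides whether the upgrade proceeds; a servlet that works without a client certificate never calls it.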
