Thank you, Grzegorz, this is excellent news! 
I'm looking forward to this being improved in version 8, as it is very useful, 
and not only for Keycloak.
In particular, for securing Camel Rest services, and perhaps there are many 
other use cases as well.

Best regards,
Alex soto




> On May 18, 2020, at 9:24 AM, Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
> 
> Hello
> 
> I have an answer. First, the "http context processing" feature was mainly
> tested to "inject" Keycloak authenticator and I mostly tested it with
> pax-web-undertow.
> 
> But I checked how it works with pax-web-jetty in the debugger.
> 
> The key problem is that when Jetty's SecurityHandler is starting, it tries
> to find/discover org.eclipse.jetty.security.LoginService instance.
> With default etc/jetty.xml, there are TWO beans with
> org.eclipse.jetty.jaas.JAASLoginService class and
> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> this:
> 
> else if (list.size() == 1)
>    service = list.iterator().next();
> 
> So I simply made it work by ensuring there's only one
> org.eclipse.jetty.jaas.JAASLoginService:
> 
> list = {java.util.ArrayList@9544}  size = 1
> 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
> "JAASLoginService@7ba67d0b{STARTED}"
>  LOG: org.eclipse.jetty.util.log.Logger  =
> {org.eclipse.jetty.util.log.Slf4jLog@9549}
> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>  DEFAULT_ROLE_CLASS_NAME: java.lang.String  =
> "org.eclipse.jetty.jaas.JAASRole"
>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  =
> {java.lang.String[1]@9551}
>  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
>  _callbackHandlerClass: java.lang.String  = null
>  _realmName: java.lang.String  = "karaf"
>  _loginModuleName: java.lang.String  = "karaf"
> 
> Now, with your Camel route, I got:
> 
> $ curl -v http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
>> GET /camel/api/say/hello HTTP/1.1
>> Host: localhost:8181
>> User-Agent: curl/7.69.1
>> Accept: */*
>> 
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> <
> 
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
>> GET /camel/api/say/hello HTTP/1.1
>> Host: localhost:8181
>> Authorization: Basic a2FyYWY6a2FyYWY=
>> User-Agent: curl/7.69.1
>> Accept: */*
>> 
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> <
> * Connection #0 to host localhost left intact
> "Hello World"
> 
> In theory it should be possible to grab (in etc/jetty.xml, using the
> <Configure> element) the instance of SecurityHandler and simply set the
> "realmName" property there to "Karaf", so even with two different beans with
> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> right one. But in Pax Web, the security handler is part of every
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and
> only in Pax Web 8 would I be able to fix this in a cleaner way.
> 
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
> etc/jetty.xml
> 
> regards
> Grzegorz Grzybek
> 
> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <bcanh...@googlemail.com.invalid> wrote:
> 
>> Hi,
>> 
>> I already also answered Gerald in another mail.
>> I'm not quite sure, but what might be an issue is that the default
>> http-context used in his application isn't bound to the underlying security
>> realm.
>> Therefore it's quite a possibility that there needs to be a configuration
>> done in his own application, using his own http-Context.
>> 
>> Can be found here:
>> 
>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
>> 
>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
>> and here:
>> 
>> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
>> 
>> regards, Achim
>> 
>> 
>> On Fri, 15 May 2020 at 21:06, Alex Soto <alex.s...@envieta.com> wrote:
>> 
>>> I’m sorry, I don’t know why it's not working; it looks correct to me.
>>> Maybe somebody from the Pax-Web team can help you.
>>> The only suspicious thing is the warning:
>>> 
>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
>>> 
>>> 
>>> Which suggests something is misconfigured.
>>> 
>>> Best regards,
>>> Alex soto
>>> 
>>> 
>>> 
>>> 
>>>> On May 15, 2020, at 2:23 PM, Gerald Kallas <catsh...@mailbox.org> wrote:
>>>> 
>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
>>> 
>>> 
>> 
>> --
>> 
>> Apache Member
>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
>> Project Lead
>> blog <http://notizblog.nierbeck.de/>
>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>> 

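The selection behaviour described in the thread (a login service is picked automatically only when exactly one is registered, or by name when the SecurityHandler has a realm name) can be checked against a Jetty XML file before deployment. The following is an added example, not part of the original thread and not Jetty or Pax Web code; the sample XML is constructed, and `login_services`, `pick` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

LOGIN_SERVICE = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed sample shaped like a Jetty XML config that registers two
# JAASLoginService beans (the situation described in the thread).
SAMPLE_TWO = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">karaf</Set>
      <Set name="loginModuleName">karaf</Set>
    </New>
  </Arg></Call>
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">default</Set>
      <Set name="loginModuleName">karaf</Set>
    </New>
  </Arg></Call>
</Configure>"""

def login_services(xml_text):
    """Return the configured name of each JAASLoginService bean, in order."""
    names = []
    for new in ET.fromstring(xml_text).iter("New"):
        if new.get("class") != LOGIN_SERVICE:
            continue
        name = next((s.text.strip() for s in new.findall("Set")
                     if s.get("name") == "name" and s.text), None)
        names.append(name)
    return names

def pick(names, realm_name=None):
    """Model of the selection described in the thread (an assumption, not
    Jetty's code): with a realm name, match by name; without one, a service
    is used only when it is the single one registered."""
    if realm_name is not None:
        return next((n for n in names if n == realm_name), None)
    return names[0] if len(names) == 1 else None

def audit(xml_text, realm_name=None):
    """Report which login service would be chosen; ok=False means none."""
    names = login_services(xml_text)
    chosen = pick(names, realm_name)
    return {"services": names, "chosen": chosen, "ok": chosen is not None}

if __name__ == "__main__":
    print(audit(SAMPLE_TWO))                      # two beans, no realm name
    print(audit(SAMPLE_TWO, realm_name="karaf"))  # resolved by name
```

An `ok` value of `False` corresponds to the state in which the thread's `No authenticator for` warning was logged: the constraint exists, but no login service is bound to enforce it.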