Hi Grzegorz,

perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it works!

Thanks a lot for digging into the details! I really appreciate this.

Is there a reason that 2 org.eclipse.jetty.jaas.JAASLoginService 
definitions exist in the default jetty.xml?

One further question .. would it be possible to extend Jetty to use another 
port additionally and bind the servlets to this additional port only (it's for 
security reasons because I don't want to expose the web console externally, 
only the functional servlets).

I tried some other approach too, described here https://www.catshout.de/?p=161. 
This one is tricky as a Jetty security handler can be bound only once to a port.

You mentioned Undertow. It's also contained in Camel. So I wonder what might be 
finally the best and straightforward approach for the following requirements

1. Define multiple URIs on a single port
2. Secure the communication with TLS
3. Define independently an authentication for each URI on this single port

Jetty?
Servlet inside Jetty?
Undertow?

I'll test now multiple servlets inside Jetty for independent co-existence.

Best
- Gerald

> Grzegorz Grzybek <gr.grzy...@gmail.com> wrote on 18 May 2020 at 15:24:
> 
> 
> Hello
> 
> I have some answer. First, the "http context processing" feature was mainly 
> tested to "inject" Keycloak authenticator and I mostly tested it with 
> pax-web-undertow.
> 
> But I checked how it works with pax-web-jetty in the debugger.
> 
> The key problem is that when Jetty's SecurityHandler is starting, it tries to 
> find/discover org.eclipse.jetty.security.LoginService instance.
> 
> With default etc/jetty.xml, there are TWO beans with 
> org.eclipse.jetty.jaas.JAASLoginService class and 
> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does 
> this:
> 
> else if (list.size() == 1)
>  service = list.iterator().next();
> 
> So I simply made it work by ensuring there's only one 
> org.eclipse.jetty.jaas.JAASLoginService:
> 
> list = {java.util.ArrayList@9544} size = 1
>  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} 
> "JAASLoginService@7ba67d0b{STARTED}"
>  LOG: org.eclipse.jetty.util.log.Logger = 
> {org.eclipse.jetty.util.log.Slf4jLog@9549} 
> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>  DEFAULT_ROLE_CLASS_NAME: java.lang.String = "org.eclipse.jetty.jaas.JAASRole"
>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] = {java.lang.String[1]@9551} 
>  _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552} 
>  _callbackHandlerClass: java.lang.String = null
>  _realmName: java.lang.String = "karaf"
>  _loginModuleName: java.lang.String = "karaf"
> 
> Now, with your Camel route, I got:
> 
> $ curl -v http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > User-Agent: curl/7.69.1
> > Accept: */*
> > 
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> < 
> 
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > Authorization: Basic a2FyYWY6a2FyYWY=
> > User-Agent: curl/7.69.1
> > Accept: */*
> > 
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> < 
> * Connection #0 to host localhost left intact
> "Hello World"
> 
> In theory it should be possible to grab (in etc/jetty.xml, using <Configure> 
> element) instance of SecurityHandler and simply set there the "realmName" 
> property to "Karaf", so even with two different beans with 
> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the right 
> one. But in Pax Web the security handler is part of every 
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and only 
> in Pax Web 8 I'd be able to fix this in a cleaner way.
> 
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your 
> etc/jetty.xml
> 
> regards
> Grzegorz Grzybek
> 
> 
> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <bcanh...@googlemail.com.invalid> 
> wrote:
> > Hi,
> > 
> > I already also answered Gerald in another mail.
> > I'm not quite sure but what might be an issue, is that the default
> > http-context used in his application isn't bound to the underlying security
> > realm.
> > Therefore it's quite a possibility that there needs to be a configuration
> > done in his own application, using his own http-Context.
> > 
> > Can be found here:
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> > and here:
> > https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> > 
> > regards, Achim
> > 
> > 
> > On Fri, 15 May 2020 at 21:06, Alex Soto <alex.s...@envieta.com> wrote:
> > 
> > > I’m sorry, I don’t know why it's not working; it looks correct to me.
> > > Maybe somebody from the Pax-Web team can help you.
> > > The only suspicious thing is the warning:
> > >
> > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> > > Which suggests something is misconfigured.
> > >
> > > Best regards,
> > > Alex Soto
> > >
> > >
> > >
> > >
> > > > On May 15, 2020, at 2:23 PM, Gerald Kallas <catsh...@mailbox.org> wrote:
> > > >
> > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> > 
> > -- 
> > 
> > Apache Member
> > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> > Project Lead
> > blog <http://notizblog.nierbeck.de/>
> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
