Hi
On 11/10/12 22:05, Juan José Pérez Consuegra wrote:
I'm trying to use Jetty security loading configuration from xml config
file. The file loads without any error but policies seem not to work. I
thought to load configuration via code, but I'm using
JAXRSServerFactoryBean and it seems also not to be possible. Here is my
config file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xsi:schemaLocation="
           http://cxf.apache.org/transports/http-jetty/configuration
           http://cxf.apache.org/schemas/configuration/http-jetty.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <httpj:engine-factory bus="cxf">
        <httpj:engine port="0">
            <httpj:threadingParameters minThreads="5" maxThreads="15" />
            <httpj:handlers>
                <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
                    <property name="loginService" ref="securityLoginService" />
                    <property name="constraintMappings">
                        <list>
                            <ref bean="securityConstraintMapping" />
                        </list>
                    </property>
                </bean>
            </httpj:handlers>
        </httpj:engine>
    </httpj:engine-factory>
    <bean id="securityLoginService"
          class="org.eclipse.jetty.security.HashLoginService">
        <property name="name" value="WSRealm" />
        <property name="config"
                  value="src/es/uned/scc/related/cserver/ws/configuration/jetty-realm.properties" />
    </bean>
    <bean id="securityConstraint"
          class="org.eclipse.jetty.http.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="admin" />
        <property name="authenticate" value="true" />
    </bean>
    <bean id="securityConstraintMapping"
          class="org.eclipse.jetty.security.ConstraintMapping">
        <property name="constraint" ref="securityConstraint" />
        <property name="pathSpec" value="/*" />
    </bean>
</beans>
jetty-realm.properties
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
ffang: pswd, admin
And the code that creates the server:
static {
    // set the configuration file
    SpringBusFactory factory = new SpringBusFactory();
    Bus bus = factory.createBus(
        "src/es/uned/scc/related/cserver/ws/configuration/server-sec-bean.xml");
    BusFactory.setDefaultBus(bus);
}
....
....
....
.....
public void start() throws Exception {
    if (sf == null) {
        sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(RLABSystemWSRest.class);
        sf.setResourceProvider(RLABSystemWSRest.class,
            new SingletonResourceProvider(new RLABSystemWSRest()));
        sf.setAddress(address);
        server = sf.create();
        System.out.println("Servidor arrancado y servicio publicado...");
    } else {
        if (server.isStarted()) {
            System.out.println("Servidor ya estaba arrancado y el servicio publicado...");
        } else {
            server.start();
            System.out.println("Servidor arrancado y servicio publicado...");
        }
    }
}
As I said before, the config file loads perfectly, at least apparently, but
if I try to call any operation defined as service without any credential, I
receive server status 200 OK, and the correct response of course.
Any idea?
I think this kind of configuration has to be enforced and there's no
'enforcer' there, given that it's embedded Jetty which is supporting it.
We have a couple of tests that use JAASLoginInterceptor and
SimpleAuthorizingInterceptor. The former uses the underlying JAAS module
to authenticate and populate Subject, the latter - to apply the RBAC rules.
If it is possible to refer to the above configuration using the JAAS
module name somehow then having JAASLoginInterceptor added to the
endpoint will make it all work fine...
Cheers, Sergey
Thanks to everybody,
Juanjo.
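
The interceptor approach suggested in the reply, sketched as an added example (not code from the thread or from CXF's tests). It assumes jetty-plus is on the classpath and that its PropertyFileLoginModule and JAASRole principal are what back the "WSRealm" context; the class name SecuredRestServer is hypothetical, and RLABSystemWSRest is the poster's resource class.

```java
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;

public class SecuredRestServer { // hypothetical class name
    // The realm file from the thread, reused as the JAAS user store.
    static final String REALM_FILE =
        "src/es/uned/scc/related/cserver/ws/configuration/jetty-realm.properties";

    // Registers a JAAS context "WSRealm" in code; this replaces the JVM-wide JAAS configuration.
    static void installJaasConfig() {
        final AppConfigurationEntry entry = new AppConfigurationEntry(
            "org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule", // assumption: jetty-plus
            LoginModuleControlFlag.REQUIRED,
            Collections.singletonMap("file", REALM_FILE));
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "WSRealm".equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        });
    }

    static Server start(String address) {
        installJaasConfig();
        // Authentication: run the JAAS login and populate the Subject.
        JAASLoginInterceptor authn = new JAASLoginInterceptor();
        authn.setContextName("WSRealm");
        authn.setRoleClassifier("JAASRole"); // assumption: Jetty's role principal class
        authn.setRoleClassifierType(JAASLoginInterceptor.ROLE_CLASSIFIER_CLASS_NAME);
        // Authorization: every operation requires the "admin" role from the realm file.
        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        authz.setGlobalRoles("admin");

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(RLABSystemWSRest.class);
        sf.setResourceProvider(RLABSystemWSRest.class,
            new SingletonResourceProvider(new RLABSystemWSRest()));
        sf.setAddress(address);
        sf.getInInterceptors().add(authn);
        sf.getInInterceptors().add(authz);
        return sf.create();
    }
}
```

After wiring this in, repeat the test from the original post: a call without credentials should be rejected rather than answered with 200 OK.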