Greg Wilkins | 1 Feb 2010 04:49

Re: [jetty-user] How to propagate security context from Jetty to OpenEJB?


Geoff,

I've opened a bugzilla to track this:

  https://bugs.eclipse.org/bugs/show_bug.cgi?id=301375

We almost certainly won't do this for jetty-6, but jetty-7 has a new
security architecture that supports pluggable JASPI modules etc.
So we should be able to add OpenEJB support to jetty-7 without
major disruption.

This is not something we would be about to do next week (unless
sponsored by a client or contributed), but it's certainly something
that we can look at in the next few months.

cheers

Geoff Callender wrote:
> I posted the same question (full text below) on the OpenEJB user mailing
> list yesterday and got a good reply from David Blevins - that the
> solution is probably to write a JettySecurityService much like their
> existing TomcatSecurityService.  Has anyone here done this already or
> something similar?  Here's his reply:
> 
>     > I need advice on how to propagate the security context from (Jetty 6.1.6) to
>     > OpenEJB (3.1.1). My web pages can retrieve the Principal correctly but my
>     > EJB session bean methods only get "guest". Is this a known

Jan Bartel | 1 Feb 2010 06:07

Re: [jetty-user] UserRealm not containing Principal

Geoff,

You don't need to access the UserRealm directly.

You can just call request.isUserInRole("SOME_ROLE").

Oh, I just read through to the end ... not sure what kind of authentication
information OpenEJB is looking for. 

If you're using JAAS, then you have the Subject which has a bunch of 
Principals representing the login name of the user and the roles that
the user has. The JAASUserPrincipal holds the Subject, and the JAASUserRealm
knows how to extract the Principals from it that represent the roles.

cheers
Jan

--
Jan Bartel, Webtide LLC | janb <at> webtide.com | http://www.webtide.com

Geoff Callender wrote:
> What am I doing wrong? My user has logged in to a JAASUserRealm. I have
> written a Filter which is attempting to get the UserRealm, populated
> with the Principal and their roles but fails.  In the Filter I do this:
> 
> Request base_request = (request instanceof Request) ? (Request) request
>     : HttpConnection.getCurrentConnection().getRequest();
> 
> // This works...
> Principal p = base_request.getUserPrincipal();
> 
> // And this works...
> UserRealm ur = base_request.getUserRealm();
> 
> // But this returns null...why?
> Principal p1 = ur.getPrincipal(p.getName());
> 
> // And therefore this has no chance of returning true...
> boolean authorised = ur.isUserInRole(p, "SOME_ROLE");
> 
> I presume I misunderstand what to expect of the UserRealm.  Can anyone
> set me straight? At what point in the process does the UserRealm have
> the Principal and its roles?
> 
> I need it to pass to OpenEJB so that it doesn't need to re-authenticate
> the user on every call.
> 
> Geoff

Geoff Callender | 1 Feb 2010 11:24

Re: [jetty-user] UserRealm not containing Principal

Jan,

Many thanks. Yes, I'm using JAAS. In my Filter, what's the best way to get the Subject? As you can tell, JAAS is a very new beast to me.

Cheers,

Geoff


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

  http://xircles.codehaus.org/manage_email



Tarun Reddy | 1 Feb 2010 22:15

[Jetty-support] SSL secure cookie mod_proxy

Hi,


I'm sure this problem has been answered, but for the life of me, I can't find it. I have a fairly standard configuration:

Browser <----> HTTPS Apache <----> HTTP Jetty

X-Forwarded-Scheme "https"
+
Jetty configured to have "forwarded" set to true.

Previously, we had used Tomcat + mod_jk/ajp and that configuration automagically set our cookies to Secure Cookies, forcing the cookie to only be presented by the browser when connected to a secure endpoint.

After switching to the above Jetty configuration, Jetty does not set the Secure Cookies flag since the incoming connection is HTTP. What is the recommended solution here? Do I switch to using ajp (not recommended according to the docs)?

Thank you,
Tarun
------------------------------------------------------------------------------
_______________________________________________
Jetty-support mailing list
Jetty-support <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jetty-support
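The setup Tarun describes, as an added example (my code, not from the thread and not Jetty's own): a servlet Filter that treats a request as TLS-terminated only when the forwarded-scheme header arrives from the configured proxy address, then sets the scheme on Jetty's own Request object so that isSecure() is true when the session cookie is created, and wraps the response so that cookies the application itself adds carry the Secure attribute. Assumptions: the header name X-Forwarded-Proto (Apache's usual choice; the post uses X-Forwarded-Scheme, which is assumed not to be recognised by Jetty's forwarded handling), the init-param name trustedProxy, the Jetty 6 methods org.mortbay.jetty.Request.setScheme and HttpConnection.getCurrentConnection().getRequest() (the latter appears in Geoff's snippet earlier on this page), and that the session manager has secureCookies enabled so that a secure request yields a Secure session cookie.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.mortbay.jetty.HttpConnection;
import org.mortbay.jetty.Request;

/**
 * Marks cookies Secure when the request reached the reverse proxy over TLS.
 * Assumed, not taken from the thread: the X-Forwarded-Proto header name, the
 * "trustedProxy" init-param, and Jetty 6's Request.setScheme().
 */
public class ForwardedSecureCookieFilter implements Filter {
    private String trustedProxy;

    public void init(FilterConfig config) {
        // Address Apache connects from, e.g. 127.0.0.1 (placeholder; configure it).
        trustedProxy = config.getInitParameter("trustedProxy");
    }

    public void destroy() {}

    /** True only when the TLS claim comes from the configured proxy, or the hop itself is TLS. */
    static boolean arrivedOverTls(HttpServletRequest req, String trustedProxy) {
        if (req.isSecure()) {
            return true;
        }
        if (trustedProxy == null || !trustedProxy.equals(req.getRemoteAddr())) {
            return false; // header from an arbitrary client is not evidence of anything
        }
        return "https".equalsIgnoreCase(req.getHeader("X-Forwarded-Proto"));
    }

    /** Appends the Secure attribute to a raw Set-Cookie header value if it is absent. */
    static String secureIfSetCookie(String name, String value) {
        if (!"Set-Cookie".equalsIgnoreCase(name) || value == null) {
            return value;
        }
        return value.toLowerCase().contains("; secure") ? value : value + "; Secure";
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!arrivedOverTls(req, trustedProxy)) {
            chain.doFilter(request, response);
            return;
        }
        // Tell Jetty's own Request the effective scheme so that isSecure() is true and a
        // session cookie created later in this request is flagged Secure by the session
        // manager (assumes secureCookies=true on it). Same unwrapping as Geoff's snippet.
        Request base = (request instanceof Request)
                ? (Request) request
                : HttpConnection.getCurrentConnection().getRequest();
        base.setScheme("https");

        // Cookies the application adds itself go through this wrapper.
        chain.doFilter(request, new HttpServletResponseWrapper(resp) {
            public void addCookie(Cookie cookie) {
                cookie.setSecure(true);
                super.addCookie(cookie);
            }
            public void addHeader(String name, String value) {
                super.addHeader(name, secureIfSetCookie(name, value));
            }
            public void setHeader(String name, String value) {
                super.setHeader(name, secureIfSetCookie(name, value));
            }
        });
    }
}
```

The remote-address check is the security-relevant part: without it any client can send X-Forwarded-Proto itself, and the same header is usually also used to build redirect URLs and to decide whether a login form may be served, so the trust decision should live in one place. Apache has to set the header on the TLS virtual host (mod_headers: RequestHeader set X-Forwarded-Proto https), and a session cookie that was already issued on an earlier plain-HTTP request is not changed retroactively.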
Colin Canfield | 2 Feb 2010 02:15

[jetty-user] Possible bug in ProxyServlet

I have been looking to use the ProxyServlet as a reverse proxy that manipulates the URL in some circumstances. There looks to be an issue that the Proxy determines the scheme from the initial HTTP request rather than from the protocol specified in the proxyHttpURI call.

Line 274 of the ProxyServlet is currently

exchange.setScheme(HttpSchemes.HTTPS.equals(request.getScheme())?HttpSchemes.HTTPS_BUFFER:HttpSchemes.HTTP_BUFFER);

I would think it should actually be

exchange.setScheme(HttpSchemes.HTTPS.equals(url.getScheme())?HttpSchemes.HTTPS_BUFFER:HttpSchemes.HTTP_BUFFER);



If this is intentional it would be good if the setScheme was put into a method call that could be overridden when needed.

Regards, Colin




-------------------------------------------------------------------------------
Colin Canfield



Miten Mehta | 2 Feb 2010 06:34

Re: [jetty-user] UserRealm not containing Principal

Hi,

It seems that when using container (Jetty) based authentication (using jaasrealm) you need to use security-constraints in web.xml, and then in the servlet/filter you should access the authenticated principal as request.getUserPrincipal; then you can create a Subject and add the principal to it if for some reason you need to have the principal as a Subject.

Regards,

Miten Mehta
Morgan Stanley | Technology
Bldg. 5, Sector 30, Mindspace, Goregaon (West)
Mumbai (Ex Bombay), 400 090
Phone: +91 22 6641-1524
Miten.Mehta <at> morganstanley.com



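Putting Jan's and Miten's answers together as an added example (my code, not from the thread or from Jetty): a Filter mapped to a URL that a security-constraint covers takes the container-authenticated principal from request.getUserPrincipal(), unwraps the Subject from JAASUserPrincipal, leaves the role decision to the container's isUserInRole, and runs the rest of the chain inside Subject.doAs so that JAAS-aware callees can find the Subject on the access-control context. Assumptions: the Jetty 6 classes org.mortbay.jetty.plus.jaas.JAASUserPrincipal (with getSubject()) and JAASRole, the attribute name example.jaas.subject (constructed) and the role name SOME_ROLE from Geoff's snippet. Whether OpenEJB picks the Subject up from there is not something this thread establishes.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mortbay.jetty.plus.jaas.JAASRole;
import org.mortbay.jetty.plus.jaas.JAASUserPrincipal;

/**
 * Recovers the JAAS Subject after container (JAASUserRealm) authentication
 * without touching the UserRealm. Assumes Jetty 6's JAASUserPrincipal and
 * JAASRole, and that the filtered URLs are covered by a security-constraint
 * so that login has already happened when the filter runs.
 */
public class JaasSubjectFilter implements Filter {
    /** Constructed attribute name under which the Subject is handed downstream. */
    public static final String SUBJECT_ATTR = "example.jaas.subject";

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** The Subject behind the authenticated principal, or null if not JAAS-authenticated. */
    static Subject subjectOf(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return (p instanceof JAASUserPrincipal) ? ((JAASUserPrincipal) p).getSubject() : null;
    }

    /** Role names carried in the Subject as JAASRole principals (what the realm consults for isUserInRole). */
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        if (subject != null) {
            for (JAASRole role : subject.getPrincipals(JAASRole.class)) {
                roles.add(role.getName());
            }
        }
        return roles;
    }

    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        Subject subject = subjectOf(req);
        if (subject == null) {
            // No security-constraint matched (so no login happened) or the realm is not
            // JAAS based: refuse rather than guess.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorisation stays with the container, as Jan suggests.
        if (!req.isUserInRole("SOME_ROLE")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute(SUBJECT_ATTR, subject);
        req.setAttribute(SUBJECT_ATTR + ".roles", rolesOf(subject));
        try {
            // Inside doAs, Subject.getSubject(AccessController.getContext()) returns this
            // Subject to any JAAS-aware code further down the chain.
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(request, response);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }
}
```

The null check matters: request.getUserPrincipal() is only populated for requests that passed a security-constraint, so a filter mapped more widely than the constraint will see unauthenticated requests and must not treat them as logged in.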




Greg Wilkins | 3 Feb 2010 00:08

[jetty-user] Tech writer wanted for jetty?


Does anybody know a good tech writer who we could engage for
a few weeks that knows java and/or jetty?

cheers


ChadDavis | 3 Feb 2010 00:14

Re: [jetty-user] Tech writer wanted for jetty?

I could be interested.  I'm a Java developer and a published author of
books on software.  I'm pretty busy, but it would be worth hearing the
details.

http://www.amazon.com/Struts-2-Action-Don-Brown/dp/193398807X/ref=pd_zg_rss_ts_b_3608_18


JohnM_Gallagher | 3 Feb 2010 16:27

[jetty-user] How to Test Http POST Method?

I am using Jetty 6.1.22. Please explain how to use the HttpTester class to test the http POST method. Thank you.
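An added example (not from the thread and not the Jetty project's own code) of driving a POST through the Jetty 6 test harness: ServletTester hosts a servlet in-process, HttpTester builds the raw request text and parses the raw response text. The EchoServlet, context path, URL and form body are constructed for the example; ServletTester, HttpTester and the methods used on them are the org.mortbay.jetty.testing API shipped with Jetty 6.1.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mortbay.jetty.testing.HttpTester;
import org.mortbay.jetty.testing.ServletTester;

public class PostTestExample {

    /** Constructed servlet under test: echoes one form parameter back. */
    public static class EchoServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String name = req.getParameter("name");
            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            out.print("hello " + (name == null ? "nobody" : name));
        }
    }

    /** Sends one form POST to an in-process Jetty and returns the parsed response. */
    public static HttpTester post(String path, String formBody) throws Exception {
        ServletTester tester = new ServletTester();
        tester.setContextPath("/ctx");
        tester.addServlet(EchoServlet.class, "/echo");
        tester.start();
        try {
            HttpTester request = new HttpTester();
            request.setMethod("POST");
            request.setVersion("HTTP/1.0");          // one request, one response, no keep-alive
            request.setHeader("Host", "tester");
            request.setURI("/ctx" + path);
            request.setHeader("Content-Type", "application/x-www-form-urlencoded");
            // Body is ASCII here; for other content compute the length from the encoded bytes.
            request.setHeader("Content-Length", String.valueOf(formBody.length()));
            request.setContent(formBody);

            // generate() renders the raw HTTP text; getResponses() feeds it to the
            // servlet container and returns the raw response, which parse() decodes.
            HttpTester response = new HttpTester();
            response.parse(tester.getResponses(request.generate()));
            return response;
        } finally {
            tester.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpTester r = post("/echo", "name=world");
        System.out.println(r.getStatus() + " " + r.getContent());
    }
}
```

In a JUnit test the two lines in main become assertions on r.getStatus() and r.getContent(); a missing or wrong Content-Length is the usual reason a POST body arrives empty through this harness, so it is set explicitly above.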

Ruchi Goel | 8 Feb 2010 12:20

[jetty-user] lock at org.mortbay.jetty.webapp.WebAppClassLoader

Hi,

    I am getting the following in production.

- locked <0x0000002a9eeb4c40> (a org.mortbay.jetty.webapp.WebAppClassLoader)
        at java.lang.ClassLoader.getResourceAsStream(ClassLoader.java:1159)
        at javax.xml.parsers.SecuritySupport$4.run(SecuritySupport.java:72)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.xml.parsers.SecuritySupport.getResourceAsStream(SecuritySupport.java:65)
        at javax.xml.parsers.FactoryFinder.findJarServiceProvider(FactoryFinder.java:213)
        at javax.xml.parsers.FactoryFinder.find(FactoryFinder.java:185)
        at javax.xml.parsers.SAXParserFactory.newInstance(SAXParserFactory.java:107)
        at org.dom4j.io.JAXPHelper.createXMLReader(JAXPHelper.java:34)
        at org.dom4j.io.SAXHelper.createXMLReaderViaJAXP(SAXHelper.java:103)
        at org.dom4j.io.SAXHelper.createXMLReader(SAXHelper.java:63)
        at org.dom4j.io.SAXReader.createXMLReader(SAXReader.java:657)
        at org.dom4j.io.SAXReader.getXMLReader(SAXReader.java:532)
        at org.dom4j.io.SAXReader.read(SAXReader.java:312)
        at org.dom4j.io.SAXReader.read(SAXReader.java:265)

All other threads are waiting to acquire the same lock. Is the WebAppClassLoader locked while getting the SAXParserFactory instance?

Please help.

Thanks,

Ruchi
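As an added example (my code, not from the thread): the trace shows each SAXReader.read() going through SAXParserFactory.newInstance(), whose JAXP service-provider lookup scans META-INF/services through the webapp class loader, and that is the call holding the WebAppClassLoader lock that the other threads queue on. The usual mitigation is to do that lookup once and give dom4j a pre-built XMLReader. Assumed: dom4j's SAXReader(XMLReader) constructor and a Xerces-compatible parser for the feature URIs; the entity-hardening features are my addition, not something the trace asks for.

```java
import java.io.InputStream;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Builds the SAXParserFactory once, at class load, so the JAXP provider lookup
 * (the getResourceAsStream on the WebAppClassLoader in the trace) is not repeated
 * on every read. Assumes dom4j's SAXReader(XMLReader) constructor.
 */
public final class SharedXmlParsing {
    private static final SAXParserFactory FACTORY = newHardenedFactory();

    private SharedXmlParsing() {}

    static SAXParserFactory newHardenedFactory() {
        // The expensive, lock-holding call from the trace, done exactly once.
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        try {
            // Refuse DTDs and external entities so that untrusted XML cannot read local
            // files or open connections (XXE). Unrelated to the lock, but this is the one
            // place where every parser in the application is configured.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("parser does not support required features", e);
        } catch (SAXException e) {
            throw new IllegalStateException("parser does not support required features", e);
        }
        return f;
    }

    /** A fresh XMLReader per call (readers are not thread safe); no provider lookup. */
    public static Document read(InputStream in) throws DocumentException {
        try {
            XMLReader reader = FACTORY.newSAXParser().getXMLReader();
            return new SAXReader(reader).read(in);
        } catch (ParserConfigurationException e) {
            throw new DocumentException(e);
        } catch (SAXException e) {
            throw new DocumentException(e);
        }
    }
}
```

If changing the code is not an option, setting the JVM property javax.xml.parsers.SAXParserFactory to the implementation class name has a similar effect: FactoryFinder consults that property before scanning jars, so the lookup under the class-loader lock no longer happens.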

 

 

