Posted to dev@geronimo.apache.org by "Shawn Jiang (JIRA)" <ji...@apache.org> on 2009/09/04 08:46:57 UTC

[jira] Created: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

form based security for the web application does not work with Jetty WADI clustering.
-------------------------------------------------------------------------------------

                 Key: GERONIMO-4846
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4846
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Clustering
    Affects Versions: 2.2
            Reporter: Shawn Jiang


This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.

{noformat}

However it does not work when combined with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable, so they can not be sent across the network. I made these classes serializable, and then login works as long as there is only one member in the cluster (well, not really a cluster...). When there are multiple members in the cluster, login fails because there is no valid constructor for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. I tried to add a default constructor, but it's an inner class, and it seems to me like theAuthenticator and UserIdentity properties are required for it to work so I did not try to extract the class.

As I said, login works as long as there's only one member in the cluster, but logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current session can not be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing. The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering. The /customer page is protected, and to access it one must login with any username and password, as long as they are the same. Use test/test for instance. To test session invalidation, manually enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6 again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!
{noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
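The description above raises two distinct replication problems: an authentication object that cannot be serialized at all because it is an inner class of a non-serializable authenticator, and one that can be written to the wire but cannot be rebuilt on a second node because it has no usable constructor and needs the node-local authenticator. The following is an added example, not code from this issue, Jetty, Geronimo or WADI; every class name in it (UserIdentity, NodeAuthenticator, ReplicableAuthentication, LegacyAuthenticator) is an invented stand-in, and it assumes Java 9 or later for java.io.ObjectInputFilter. It shows the shape that survives replication (top-level class, transient authenticator, explicit re-bind on the receiving node that fails closed) next to the inner-class shape that does not, and it restricts which classes the receiving node will instantiate from the replicated bytes, since session data from the network is untrusted input.

```java
import java.io.*;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the container's user identity: principal name plus roles.
final class UserIdentity implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    private final HashSet<String> roles; // concrete type so the deserialization allowlist can name it

    UserIdentity(String name, Set<String> roles) {
        this.name = name;
        this.roles = new HashSet<>(roles);
    }
    Set<String> roles() { return Collections.unmodifiableSet(roles); }
}

// Hypothetical per-node login service. Deliberately NOT Serializable: it holds node-local
// state, so the node that receives a replicated session must supply its own instance.
final class NodeAuthenticator {
    private final String nodeId;
    NodeAuthenticator(String nodeId) { this.nodeId = nodeId; }
    String nodeId() { return nodeId; }
    // Placeholder for re-validating a replicated identity against the local login service.
    boolean accepts(UserIdentity id) { return id != null && id.name != null && !id.name.isEmpty(); }
}

// The value that would be stored in the HttpSession. It is a top-level class (an inner class
// silently captures its enclosing authenticator) and the authenticator is transient: after
// deserialization the instance stays unauthenticated until the receiving node re-binds its own.
final class ReplicableAuthentication implements Serializable {
    private static final long serialVersionUID = 1L;
    private final UserIdentity identity;
    private transient NodeAuthenticator authenticator;

    ReplicableAuthentication(NodeAuthenticator authenticator, UserIdentity identity) {
        this.authenticator = authenticator;
        this.identity = identity;
    }
    boolean isAuthenticated() { return authenticator != null && identity != null; }
    String boundTo() { return authenticator == null ? "<unbound>" : authenticator.nodeId(); }
    UserIdentity identity() { return identity; }
    void rebind(NodeAuthenticator local) {
        if (!local.accepts(identity)) {
            throw new SecurityException("replicated authentication rejected on " + local.nodeId());
        }
        authenticator = local;
    }
}

// Contrast: a non-static inner class of a non-serializable outer. Although it implements
// Serializable itself, its hidden reference to the outer instance makes serialization fail.
final class LegacyAuthenticator {
    final class InnerAuthentication implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        InnerAuthentication(String user) { this.user = user; }
    }
}

public class SessionReplicationDemo {
    // Only the expected classes may be instantiated from replicated bytes; "!*" rejects the rest.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "UserIdentity;ReplicableAuthentication;java.util.HashSet;java.lang.String;!*");
    static byte[] toWire(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object fromWire(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // node1 logs the user in; the identity is a constructed sample, not real credentials
        ReplicableAuthentication auth = new ReplicableAuthentication(
                new NodeAuthenticator("node1"), new UserIdentity("test", Set.of("customer")));
        System.out.println("node1: authenticated=" + auth.isAuthenticated() + " bound=" + auth.boundTo());

        // the replication layer ships the session attribute to node2 as bytes
        ReplicableAuthentication onNode2 = (ReplicableAuthentication) fromWire(toWire(auth));
        System.out.println("node2 before rebind: authenticated=" + onNode2.isAuthenticated());
        onNode2.rebind(new NodeAuthenticator("node2"));
        System.out.println("node2 after rebind: authenticated=" + onNode2.isAuthenticated()
                + " bound=" + onNode2.boundTo() + " user=" + onNode2.identity().name
                + " roles=" + onNode2.identity().roles());

        // the failure mode from the report: the inner class drags in its non-serializable outer
        try {
            toWire(new LegacyAuthenticator().new InnerAuthentication("test"));
        } catch (NotSerializableException e) {
            System.out.println("inner-class variant cannot be replicated: " + e.getMessage());
        }
    }
}
```

Run with `javac *.java && java SessionReplicationDemo`. The point of the transient field plus explicit rebind is that a replicated session is never treated as authenticated merely because it deserialized; the receiving node has to re-validate the identity with its own login service, which is also where a real container would re-check that the principal still exists and that the session has not been invalidated elsewhere in the cluster.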


[jira] Commented: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12772536#action_12772536 ] 

Trygve Hardersen commented on GERONIMO-4846:
--------------------------------------------

I'll try to get this tested sometime later this week. Thanks!



[jira] Commented: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "liangkun (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12772409#action_12772409 ] 

liangkun commented on GERONIMO-4846:
------------------------------------

Hi Trygve,
I tested this issue 2 months ago and I remember there was no difference between jetty6 and jetty7. I would very much appreciate it if you could test it again.



[jira] Assigned: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Shawn Jiang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn Jiang reassigned GERONIMO-4846:
-------------------------------------

    Assignee:     (was: Shawn Jiang)

Don't have time to look into it for now.



[jira] Commented: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Rex Wang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755936#action_12755936 ] 

Rex Wang commented on GERONIMO-4846:
------------------------------------

Form based security relies on the built-in "j_security_check". The Java EE Servlet spec has some description of this function, but it is not very detailed. Basically, all the mainstream web containers have their own implementation of this, so this is really vendor specific.
And it is not a problem when you keep session affinity. We have tested on both Jetty6 and Jetty7, and they have the same behavior.
I plan to close this jira, any thoughts?

-Rex



[jira] Commented: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12771973#action_12771973 ] 

Trygve Hardersen commented on GERONIMO-4846:
--------------------------------------------

I've not tested WADI with Jetty7 for a while now, but last time I checked it behaved very differently from Jetty6. With Jetty7 I can't use form-based security; with Jetty6 I can.

You're right that this is not part of the spec, but if you can't use WADI with form-based security it must be documented as a change between 2.1 and 2.2, I think. I can do another test if you like.



[jira] Assigned: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Shawn Jiang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn Jiang reassigned GERONIMO-4846:
-------------------------------------

    Assignee: Shawn Jiang



[jira] Updated: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.

Posted by "Shawn Jiang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn Jiang updated GERONIMO-4846:
----------------------------------

    Description: 
This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.

----------------------------------------
However it does not work when combined with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable, so they can not be sent across the network. I made these classes serializable, and then login works as long as there is only one member in the cluster (well, not really a cluster...). When there are multiple members in the cluster, login fails because there is no valid constructor for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. I tried to add a default constructor, but it's an inner class, and it seems to me like theAuthenticator and UserIdentity properties are required for it to work so I did not try to extract the class.

As I said, login works as long as there's only one member in the cluster, but logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current session can not be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing. The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering. The /customer page is protected, and to access it one must login with any username and password, as long as they are the same. Use test/test for instance. To test session invalidation, manually enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6 again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!
------------------------------------------------------

  was:
This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.

{noformat}

However it does not work when combined with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable, so they can not be sent across the network. I made these classes serializable, and then login works as long as there is only one member in the cluster (well, not really a cluster...). When there are multiple members in the cluster, login fails because there is no valid constructor for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. I tried to add a default constructor, but it's an inner class, and it seems to me like theAuthenticator and UserIdentity properties are required for it to work so I did not try to extract the class.

As I said, login works as long as there's only one member in the cluster, but logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current session can not be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing. The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering. The /customer page is protected, and to access it one must login with any username and password, as long as they are the same. Use test/test for instance. To test session invalidation, manually enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6 again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!
{noformat}

