Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <ji...@apache.org> on 2009/07/20 18:27:15 UTC

[jira] Created: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

jetty 7 ignores default subject settings unless authentication is set up
------------------------------------------------------------------------

                 Key: GERONIMO-4756
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 2.2
            Reporter: David Jencks
            Assignee: David Jencks
             Fix For: 2.2


Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734550#action_12734550 ] 

Trygve Hardersen commented on GERONIMO-4756:
--------------------------------------------

Please feel free to do whatever you like with the sample project, nice that it's useful. I think I uploaded it under the ASF license.

The behavior you're describing sounds correct. For the non-authenticated pages, the user has to specify their name using the "name" parameter in the request, or they will be greeted as "null". I was getting EJBAccessExceptions. Has your fix been made available somewhere? I'd love to test it.

When trying to build the web-plugin project with the ServerAuthModule enabled, which does not do anything useful it must be said, I get a ClassNotFoundException for no.jotta.jgs.web.DummyServerAuthModule. I tried to put it in both the web-classes and realm-classes projects. When I add a direct dependency between the web-plugin and web-classes projects, web-plugin won't start because the ejb-classes EJB archive cannot be found in the local Maven repository. Here Geronimo is searching for a ".ejb" file, but the file is named ".jar". This might have to do with the way I've packaged the EAR and CAR, not sure.

Thanks for looking at this so quickly.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733303#action_12733303 ] 

David Jencks commented on GERONIMO-4756:
----------------------------------------

I think rev 795937 should fix this but I don't have a test case handy.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Updated: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Ivan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan updated GERONIMO-4756:
---------------------------

    Attachment: Geronimo-4766.patch

The issue is that, while only default subject configurations exist in the plan file, we use the NoneAuthenticator, and Jetty's SecurityHandler will not invoke the UserIdentity.associate method twice due to the return value of the NoneAuthenticator, so I think we need to set the default subject explicitly in this scenario.
I hope that I did not miss anything; please help to review it, thanks!

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Ivan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734540#action_12734540 ] 

Ivan commented on GERONIMO-4756:
--------------------------------

Shall we make some judgements before we create the UserAuthentication? I think that if no default subject exists, returning NoAuthorized is more reasonable.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734020#action_12734020 ] 

David Jencks commented on GERONIMO-4756:
----------------------------------------

In rev 796620 I modified NoneAuthenticator to return an Authentication.User containing the default subject, so now the default subject should get set on the thread.  Could you post details of how to see the problems with this, on the tck list if necessary?

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)

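The comment above describes the interim approach (later reverted in rev 797291 in favour of a Jetty-side fix): make the no-auth authenticator return an Authentication.User that wraps the default subject, because Jetty's SecurityHandler only associates an identity with the request thread when it gets a User back. The class below is an added illustration of that idea; it is not Geronimo's NoneAuthenticator nor any code from this thread. It assumes the Jetty 7 security API (org.eclipse.jetty.security.Authenticator, UserAuthentication, DefaultUserIdentity and org.eclipse.jetty.server.Authentication) and takes the plan's default Subject as a constructor argument, which is a simplification of how Geronimo wires it.

```java
// Added illustration, not Geronimo's or Jetty's own code. Assumes the Jetty 7
// security API; the constructor argument stands in for the container plan's
// default-subject configuration.
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.DefaultUserIdentity;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;

public class DefaultSubjectAuthenticator implements Authenticator {

    // Identity built from the plan's default subject, or null when the plan
    // defines no default subject at all.
    private final UserIdentity defaultIdentity;

    public DefaultSubjectAuthenticator(Subject defaultSubject) {
        if (defaultSubject == null) {
            this.defaultIdentity = null;
        } else {
            // Use the subject's first principal as the user principal; an empty
            // role array means the default subject gets no container roles, so
            // role-based constraints still deny it unless roles are granted
            // explicitly elsewhere (assumption for this illustration).
            Set<Principal> principals = defaultSubject.getPrincipals();
            Principal userPrincipal = principals.isEmpty() ? null : principals.iterator().next();
            this.defaultIdentity = new DefaultUserIdentity(defaultSubject, userPrincipal, new String[0]);
        }
    }

    public void setConfiguration(Configuration configuration) {
        // Nothing to configure: no login service or challenge is involved.
    }

    public String getAuthMethod() {
        return "NONE";
    }

    public Authentication validateRequest(ServletRequest request, ServletResponse response,
                                          boolean mandatory) throws ServerAuthException {
        if (defaultIdentity == null) {
            // No default subject configured: report that nothing was checked.
            // SecurityHandler associates no identity in this case, which is
            // exactly why a default subject never reached the thread before.
            return Authentication.NOT_CHECKED;
        }
        // Returning an Authentication.User is what makes SecurityHandler call
        // IdentityService.associate(...) for this request, so the default
        // subject becomes the caller identity seen by run-as and EJB checks.
        return new UserAuthentication(getAuthMethod(), defaultIdentity);
    }

    public boolean secureResponse(ServletRequest request, ServletResponse response,
                                  boolean mandatory, Authentication.User validatedUser) {
        // No response-side work (no challenge, no token to refresh).
        return true;
    }
}
```

The branch that returns NOT_CHECKED when no default subject exists reflects Ivan's suggestion in this thread that the authenticator should not manufacture a User when there is nothing to associate; whether a plain NOT_CHECKED or an explicit unauthorized result is the right answer there is a policy choice for the container, not something this illustration decides.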


[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12852188#action_12852188 ] 

Trygve Hardersen commented on GERONIMO-4756:
--------------------------------------------

I no longer work at Jotta!

Trygve Hardersen
trygve@hypobytes.com


> jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]
> -------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: Wish List
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734857#action_12734857 ] 

David Jencks commented on GERONIMO-4756:
----------------------------------------

rev 797291 reverts the previous changes to NoneAuthenticator and pulls in the jetty snapshot with the fixes there.  This should now all work (except perhaps for the jaspic ServerAuthModule).

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734026#action_12734026 ] 

David Jencks commented on GERONIMO-4756:
----------------------------------------

Actually I think the best solution is for jetty to call identitySolution.associate with the unauthenticated identity..... need to talk to greg about this.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734412#action_12734412 ] 

David Jencks commented on GERONIMO-4756:
----------------------------------------

This is a great sample!  I'd like to add it as a testsuite program... 

I have a simple change to jetty that AFAICT fixes the problem, I'm discussing it with the jetty community.  With it I get responses like:

    hello null

for the non-authenticated non-system pages,

    hello foo

after I log in as foo to customer, and

    Secure service saying hello to null

for system.

Is this what you expect?

I can also take a look at the ServerAuthModule to see why it might not be working properly.



> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Updated: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-4756:
-----------------------------------

    Fix Version/s:     (was: 2.2)
                   Wish List
          Summary: jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]  (was: jetty 7 ignores default subject settings unless authentication is set up)

Bug is fixed, would be great to get sample into testsuite.

> jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]
> -------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: Wish List
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735533#action_12735533 ] 

Trygve Hardersen commented on GERONIMO-4756:
--------------------------------------------

I've confirmed that the sample app works as expected with r798013. Many thanks for fixing this so quickly!

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Updated: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Trygve Hardersen updated GERONIMO-4756:
---------------------------------------

    Attachment: jgs.tar.gz

The JGS sample project.

> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Commented: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up

Posted by "Trygve Hardersen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734105#action_12734105 ] 

Trygve Hardersen commented on GERONIMO-4756:
--------------------------------------------

Hi

I've been trying to upgrade our application to use Jetty7, but can't get the run-as security to work. Since our application is rather complex and big, I've created a sample project that illustrates the problem in a more controlled environment using the current Geronimo trunk (rev 796620) without any modifications.

The sample project is called JGS (Jotta Geronimo Security) and has 3 components that are deployed as Geronimo plugins:

realm-plugin - Holds the security realm and credential store
ejb-plugin - Holds the EJB service layer
web-plugin - Holds the WAR HTTP layer

The realm-plugin uses a custom login module TestLoginModule that checks that the supplied username matches the supplied password. If the username is "admin", "anonymous" or "system", the username will also be used as role name. If not, the role name will be set to "customer". The realm-plugin also holds a credential store that gives the username and password for the "anonymous" and "system" run-as users.

The ejb-plugin has two stateless session beans, TestServiceEJB and SecureServiceEJB. Both EJBs are set to run-as "system". TestServiceEJB declares the roles "admin", "anonymous", "customer" and "system", and references the SecureServiceEJB. TestServiceEJB has three "hello" methods:

sayHello(String) - Says hello to admin, anonymous, customer and system users.
sayHello() - Says hello to customer users.
secureHello(String) - Says hello to admin, customer and system users using SecureServiceEJB to demonstrate run-as security.

The SecureServiceEJB declares the same roles as TestServiceEJB, but only has one method:

sayHello(String) - Says hello only to system components.

In other words SecureServiceEJB can only be used by callers in the "system" role, such as TestServiceEJB.

All of this works as expected, including run-as security, at least when I use remote EJB to test the services directly. See RemoteEJBTest in the ejb-test module. The problem starts when I try to use run-as security in the web-plugin. This is what I want:

/welcome - WelcomeServlet says hello to the user identified by a parameter called "name". Set to run-as "anonymous".
/default - DefaultServlet does the same as WelcomeServlet, but does not declare run-as and should use the default run-as identity, which is also "anonymous".
/customer - CustomerServlet is only accessible by "customer" users, and does not use run-as.
/system - SystemServlet should run-as system because it is a secure system component.

Of these 4 URLs I can only get /customer to work properly. When the URL is used, BASIC authentication triggers and the user can log in as "test"/"test" or whatever they like. The username is picked up all the way down to the EJB that greets the customer.

The 3 other URLs generally do not work. I've tried many configuration combinations, such as using run-as annotations, defining security constraints for the "run-as" URLs, disabling the default run-as subject and only using a single servlet, but I can't get things to run-as anything consistently. Strangely I'm 99% sure I've seen the run-as security work a couple of times, at least after doing normal authentication first. Could there be a concurrency issue somewhere?

I'm attaching the sample project. Thanks a lot for looking into this, and please let me know if you have questions.


> jetty 7 ignores default subject settings unless authentication is set up
> ------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.2
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)



[jira] Updated: (GERONIMO-4756) jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-4756:
-----------------------------------

    Component/s: Jetty

> jetty 7 ignores default subject settings unless authentication is set up [SAMPLE APP]
> -------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4756
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4756
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty
>    Affects Versions: 2.2
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: Wish List
>
>         Attachments: Geronimo-4766.patch, jgs.tar.gz
>
>
> Jetty 7 should be setting up security stuff if a <security-realm-name> is defined, not only if authentication is specifically configured: this will make default subjects work when no auth is configured.  Should not be a problem for tomcat.... for some reason I found this problem there already :-)
