Posted to user@karaf.apache.org by siv vasan <sv...@gmail.com> on 2013/02/21 16:35:28 UTC

Use same JAAS module for web app and cxf rest application

I am facing a security configuration issue with Karaf.

1. I have a JAAS login module blueprint bundle deployed in Karaf.
2. Jetty is configured with JAASLoginService, and the configuration file is
deployed as a fragment bundle.

Now I have 2 applications:
1. A web application which uses container (Jetty) based authentication.

2. Another application, which is a CXF REST application. For this I am
using an authentication filter as described here:
http://cxf.apache.org/docs/secure-jax-rs-services.html

My plan is to use the same JAAS module configuration for both applications (the web
application uses JAASLoginService and the REST application uses the authentication filter).

But the problem is, for the REST application the login request is going to the Jetty
JAASLoginService instead of coming to the filter, and it is throwing the below
exception.
Caused by:
java.lang.ClassNotFoundException:
org.apache.karaf.jaas.boot.principal.RolePrincipal not found by
org.apache.cxf.cxf-rt-transports-http [122]
        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1460)
        at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:72)
        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1843)
        ....
        at org.eclipse.jetty.plus.jaas.JAASLoginService.getGroups(JAASLoginService.java:315)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:244)
        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:88)
        at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:108)
        at org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1251)


If I remove the JAASLoginService then authentication happens through the filter.
I assume that the JAASLoginService I configured is applied to all the web
applications deployed in Jetty.

Is there a way to restrict the JAASLoginService to a specific web app? Or
how can I bypass the JAASLoginService for the REST application?






--
View this message in context: http://karaf.922171.n3.nabble.com/Use-same-JAAS-module-for-web-app-and-cxf-rest-application-tp4027838.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Use same JAAS module for web app and cxf rest application

Posted by siv vasan <sv...@gmail.com>.
Is the fix you mentioned available for 2.3.0 or 2.3.1?
I could not successfully set a LoginService specific to my web application. If
possible, can you give some pointers on how this can be done?



--
View this message in context: http://karaf.922171.n3.nabble.com/Use-same-JAAS-module-for-web-app-and-cxf-rest-application-tp4027838p4027866.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Use same JAAS module for web app and cxf rest application

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

FYI, the error
java.lang.ClassNotFoundException:
org.apache.karaf.jaas.boot.principal.RolePrincipal not found by
org.apache.cxf.cxf-rt-transports-http

is caused by CXF not setting the correct context class loader for the REST service. It was fixed very recently in CXF [1]; with this fix, the Principal class import correctly defers loading to your customer bundle, not to the cxf-rt-transports-http bundle.

And about org.eclipse.jetty.plus.jaas.JAASLoginService: currently its configuration is global, so it applies to all context paths, but my gut feeling is that the Jetty configuration should provide a way to specify a context path, which would mean the Jetty JAASLoginService applies only to certain context paths. Not really sure though.

[1]http://svn.apache.org/viewvc?view=revision&revision=r1448177
-------------
Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋

On 2013-2-22, at 3:29 AM, siv vasan wrote:

> Do you mean I should use JAASLoginInterceptor even for my web application?
> Currently I am using JAASLoginInterceptor for the REST application only.
> 
> One thing I don't understand is why the JAASLoginService is invoked even for the
> REST application. This is getting invoked even when I add 2 different Karaf
> modules and JAASLoginService maps to one of the realms only. This sounds like
> a bug to me. What do you think is happening?
> 
> <Call name="addBean">
>      <Arg>
>        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
> 		  <Set name="name">LDAP</Set>
>          <Set name="loginModuleName">LDAP</Set>
> 		  <Set name="roleClassNames">
> 			<Array type="java.lang.String">
> 			  <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal</Item>
> 			</Array> 
> 		  </Set>			
>        </New>
>      </Arg>
>    </Call>


Re: Use same JAAS module for web app and cxf rest application

Posted by Łukasz Dywicki <lu...@code-house.org>.
JAASLoginService is part of Jetty and it's called by the servlet container before the servlet (I guess), thus it behaves differently from JAASLoginInterceptor, which is called from CXF while the CXF servlet is handling the request.

Kind regards,
Łukasz Dywicki
--
luke@code-house.org
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

Message written by siv vasan <sv...@gmail.com> on 21 Feb 2013, at 20:29:

> Do you mean I should use JAASLoginInterceptor even for my web application?
> Currently I am using JAASLoginInterceptor for the REST application only.
> 
> One thing I don't understand is why the JAASLoginService is invoked even for the
> REST application. This is getting invoked even when I add 2 different Karaf
> modules and JAASLoginService maps to one of the realms only. This sounds like
> a bug to me. What do you think is happening?
> 
> <Call name="addBean">
>      <Arg>
>        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
> 		  <Set name="name">LDAP</Set>
>          <Set name="loginModuleName">LDAP</Set>
> 		  <Set name="roleClassNames">
> 			<Array type="java.lang.String">
> 			  <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal</Item>
> 			</Array> 
> 		  </Set>			
>        </New>
>      </Arg>
>    </Call>


Re: Use same JAAS module for web app and cxf rest application

Posted by siv vasan <sv...@gmail.com>.
Do you mean I should use JAASLoginInterceptor even for my web application?
Currently I am using JAASLoginInterceptor for the REST application only.

One thing I don't understand is why the JAASLoginService is invoked even for the
REST application. This is getting invoked even when I add 2 different Karaf
modules and JAASLoginService maps to one of the realms only. This sounds like
a bug to me. What do you think is happening?

<Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
		  <Set name="name">LDAP</Set>
          <Set name="loginModuleName">LDAP</Set>
		  <Set name="roleClassNames">
			<Array type="java.lang.String">
			  <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal</Item>
			</Array> 
		  </Set>			
        </New>
      </Arg>
    </Call>



--
View this message in context: http://karaf.922171.n3.nabble.com/Use-same-JAAS-module-for-web-app-and-cxf-rest-application-tp4027838p4027848.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Use same JAAS module for web app and cxf rest application

Posted by Łukasz Dywicki <lu...@code-house.org>.
It might be a workaround for your problem: change the transport from http to http-osgi if you can. The publish address must then be set to '/something'. Your services will be listed at http://localhost:8181/cxf. I tested my configuration with Karaf 2.2.9, but I don't use JAAS at the Jetty level. Instead I have it inside CXF with org.apache.cxf.interceptor.security.JAASLoginInterceptor. This gives the additional benefit of role-based access restrictions. All you need to enable this is a configured SecureAnnotationsInterceptor.

A single JAAS context can be used from anywhere. There is no way to restrict its visibility in Karaf. The issue fixed in 2.3.0 that I was referring to is KARAF-1305.


Łukasz Dywicki
luke@code-house.org
--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

Message written by siv vasan <sv...@gmail.com> on 21 Feb 2013, at 17:48:

> Is there a way to restrict JAASLoginService to one specific web application
> only? I tried having the configuration in jetty-web.xml but this configuration
> is not taken.

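The CXF-side setup Łukasz describes (authenticate against the Karaf JAAS realm inside CXF with JAASLoginInterceptor, then enforce roles with SecureAnnotationsInterceptor) as a Blueprint fragment. This is an added example, not configuration from the thread or from the CXF/Karaf projects; the bean ids, the realm name "LDAP" (taken from the Jetty config quoted earlier in the thread), the address "/hello" and the resource class com.example.rest.HelloResource are assumptions. It relies on the http-osgi transport, so the endpoint appears under the CXF servlet at http://localhost:8181/cxf/hello.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): secure a CXF JAX-RS endpoint with
     the Karaf JAAS realm and enforce @RolesAllowed, without touching the
     global Jetty JAASLoginService. Bean ids, realm name "LDAP", address
     "/hello" and com.example.rest.HelloResource are assumed names. -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs">

  <!-- Authenticates the HTTP Basic credentials of each request against the
       JAAS realm "LDAP" (contextName is the JAAS login context / realm). -->
  <bean id="jaasAuth"
        class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="LDAP"/>
    <!-- Karaf represents roles as org.apache.karaf.jaas.boot.principal.RolePrincipal.
         Matching on the class-name suffix lets CXF treat those principals as
         roles for isUserInRole / @RolesAllowed checks. -->
    <property name="roleClassifier" value="RolePrincipal"/>
    <property name="roleClassifierType" value="classname"/>
  </bean>

  <!-- The JAX-RS resource. Its methods (or the class) carry
       javax.annotation.security.RolesAllowed, e.g. @RolesAllowed("admin"). -->
  <bean id="helloResource" class="com.example.rest.HelloResource"/>

  <!-- Reads the @RolesAllowed annotations from the resource and rejects any
       authenticated caller who lacks the required role. -->
  <bean id="authz"
        class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="helloResource"/>
  </bean>

  <!-- Both interceptors are attached to the inbound chain. JAASLoginInterceptor
       runs in the UNMARSHAL phase and the authorizing interceptor in
       PRE_INVOKE, so authentication always precedes the role check
       regardless of the order they are listed here. -->
  <jaxrs:server id="helloService" address="/hello">
    <jaxrs:serviceBeans>
      <ref component-id="helloResource"/>
    </jaxrs:serviceBeans>
    <jaxrs:inInterceptors>
      <ref component-id="jaasAuth"/>
      <ref component-id="authz"/>
    </jaxrs:inInterceptors>
  </jaxrs:server>
</blueprint>
```

With this in place a request without credentials is rejected by JAASLoginInterceptor before the resource is reached, and a request from a user whose JAAS subject carries no matching RolePrincipal is rejected by the annotation check; the Jetty-level JAASLoginService stays out of the picture for this endpoint because CXF, not the container, performs the login.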

Re: Use same JAAS module for web app and cxf rest application

Posted by siv vasan <sv...@gmail.com>.
Is there a way to restrict JAASLoginService to one specific web application
only? I tried having the configuration in jetty-web.xml but this configuration
is not taken.




--
View this message in context: http://karaf.922171.n3.nabble.com/Use-same-JAAS-module-for-web-app-and-cxf-rest-application-tp4027838p4027844.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Use same JAAS module for web app and cxf rest application

Posted by siv vasan <sv...@gmail.com>.
Yes, I am using Karaf 2.3.0.

> fixed in Karaf 2.3.0

Do you mean the ClassNotFound exception with the
org.apache.cxf.cxf-rt-transports-http bundle?





--
View this message in context: http://karaf.922171.n3.nabble.com/Use-same-JAAS-module-for-web-app-and-cxf-rest-application-tp4027838p4027843.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Use same JAAS module for web app and cxf rest application

Posted by Łukasz Dywicki <lu...@code-house.org>.
FYI it should be fixed in Karaf 2.3.0. Do you use this version?


Łukasz Dywicki
luke@code-house.org
--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

Message written by siv vasan <sv...@gmail.com> on 21 Feb 2013, at 16:35:

> I am facing a security configuration issue with Karaf.
> 
> 1. I have a JAAS login module blueprint bundle deployed in Karaf.
> 2. Jetty is configured with JAASLoginService, and the configuration file is
> deployed as a fragment bundle.
> 
> Now I have 2 applications:
> 1. A web application which uses container (Jetty) based authentication.
> 
> 2. Another application, which is a CXF REST application. For this I am
> using an authentication filter as described here:
> http://cxf.apache.org/docs/secure-jax-rs-services.html
> 
> My plan is to use the same JAAS module configuration for both applications (the web
> application uses JAASLoginService and the REST application uses the authentication filter).
> 
> But the problem is, for the REST application the login request is going to the Jetty
> JAASLoginService instead of coming to the filter, and it is throwing the below
> exception.
> Caused by:
> java.lang.ClassNotFoundException:
> org.apache.karaf.jaas.boot.principal.RolePrincipal not found by
> org.apache.cxf.cxf-rt-transports-http [122]
>        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1460)
>        at org.apache.felix.framework.BundleWiringImpl.access$400(BundleWiringImpl.java:72)
>        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1843)
>        ....
>        at org.eclipse.jetty.plus.jaas.JAASLoginService.getGroups(JAASLoginService.java:315)
>        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:244)
>        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:88)
>        at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:108)
>        at org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1251)
> 
> 
> If I remove the JAASLoginService then authentication happens through the filter.
> I assume that the JAASLoginService I configured is applied to all the web
> applications deployed in Jetty.
> 
> Is there a way to restrict the JAASLoginService to a specific web app? Or
> how can I bypass the JAASLoginService for the REST application?