geronimo-dev mailing list archives

From "Trygve Hardersen (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-4777) WADI clustering does not work with Jetty7
Date Thu, 30 Jul 2009 16:11:14 GMT
WADI clustering does not work with Jetty7
-----------------------------------------

                 Key: GERONIMO-4777
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4777
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Jetty
    Affects Versions: 2.2
         Environment: Tested on OS X 10.5 and Ubuntu 8.10, both running 64-bit Java 1.6
            Reporter: Trygve Hardersen
         Attachments: WADIJettyClusteringBuilder.patch

I've been trying to get WADI clustering to work with Jetty7, but I've found numerous issues:

The first problem is that a Geronimo plugin that uses WADI clustering and Jetty7 cannot be
built. The WADIJettyClusteringBuilder is unable to locate the web module in the deployment,
so the build fails with the following error:

org.apache.maven.lifecycle.LifecycleExecutionException: could not package plugin
Caused by: org.apache.maven.plugin.MojoExecutionException: could not package plugin
Caused by: org.apache.geronimo.common.DeploymentException: Could not locate web module gbean
in web app configuration

I was able to resolve this by copying the code that creates the webModuleQuery from the equivalent
Jetty6 module into the Jetty7 module, see WADIJettyClusteringBuilder.patch. With this the
build succeeds, and I'm able to deploy the plugin. I don't know if it breaks anything else,
but I've not seen issues with it.

AFAICT normal session replication works fine with this. However it does not work when combined
with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication
and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable,
so they can not be sent across the network. I made these classes serializable, and then login
works as long as there is only one member in the cluster (well, not really a cluster...).
When there are multiple members in the cluster, login fails because there is no valid constructor
for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication.
I tried to add a default constructor, but it's an inner class, and it seems to me like the Authenticator
and UserIdentity properties are required for it to work so I did not try to extract the class.

As I said login works as long as there's only one member in the cluster, but logout does not.
Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current
session can not be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb]
is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2]
does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch)
and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing.
The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering.
The /customer page is protected, and to access it one must login with any username and password,
as long as they are the same. Use test/test for instance. To test session invalidation, manually
enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination
with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6
again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
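
The "no valid constructor" failure reported above has the same wording as a general Java serialization rule: a Serializable class can be written, but reading it back fails unless its first non-serializable superclass has an accessible no-arg constructor. The following is an added illustration, not part of the original message and not Jetty or Geronimo code; the classes Base, CachedAuth, FixedBase and FixedAuth are hypothetical stand-ins and static nested classes are assumed for brevity.

```java
import java.io.*;

public class NoValidConstructorDemo {
    // Hypothetical non-serializable base class without a no-arg constructor.
    static class Base {
        final String name;
        Base(String name) { this.name = name; }
    }

    // Writing this class succeeds; reading fails, because deserialization must
    // run the no-arg constructor of the first non-serializable superclass (Base).
    static class CachedAuth extends Base implements Serializable {
        private static final long serialVersionUID = 1L;
        CachedAuth(String name) { super(name); }
    }

    // Same shape, but the non-serializable base has an accessible no-arg constructor.
    static class FixedBase {
        String name;
        protected FixedBase() { }
        FixedBase(String name) { this.name = name; }
    }
    static class FixedAuth extends FixedBase implements Serializable {
        private static final long serialVersionUID = 1L;
        String user; // only fields of the serializable class travel in the stream
        FixedAuth(String name, String user) { super(name); this.user = user; }
    }

    // Serialize to a byte array and read back, as a replicating session store would.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new CachedAuth("form"));
        } catch (InvalidClassException e) {
            System.out.println("read failed: " + e.getMessage());
        }
        FixedAuth copy = (FixedAuth) roundTrip(new FixedAuth("form", "test"));
        System.out.println(copy.user + " / " + copy.name); // name is reset by FixedBase()
    }
}
```

Because the failure only appears on the reading side, a single-node setup that never deserializes the object will not show it.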

