geronimo-dev mailing list archives

From "Shawn Jiang (JIRA)" <j...@apache.org>
Subject [jira] Updated: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.
Date Fri, 04 Sep 2009 06:50:57 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shawn Jiang updated GERONIMO-4846:
----------------------------------

    Description: 
This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has
been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining
problems.

----------------------------------------
However, it does not work when combined with form based security for the web application. The
first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication
and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable,
so they cannot be sent across the network. I made these classes serializable, and then login
works as long as there is only one member in the cluster (well, not really a cluster...).
When there are multiple members in the cluster, login fails because there is no valid constructor
for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication.
I tried to add a default constructor, but it's an inner class, and it seems to me like the Authenticator
and UserIdentity properties are required for it to work, so I did not try to extract the class.

As I said, login works as long as there's only one member in the cluster, but logout does not.
Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current
session cannot be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch)
and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing.
The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering.
The /customer page is protected, and to access it one must login with any username and password,
as long as they are the same. Use test/test for instance. To test session invalidation, manually
enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination
with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6
again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!
------------------------------------------------------

  was: the same text as the Description above, with the quoted part wrapped in {noformat} ... {noformat} tags instead of the separator lines.


> form based security for the web application does not work with Jetty WADI clustering.
> -------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4846
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4846
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Clustering
>    Affects Versions: 2.2
>            Reporter: Shawn Jiang
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
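The serialization failure described in the report, as an added illustration that is not Geronimo, Jetty or WADI code. A plain Java serialization round trip stands in for WADI handing a session attribute to a peer (an assumption about the transport), and the class names LoginService, BaseAuthenticator, StockAuthenticator, PatchedAuthenticator and ReplicableSessionAuth are hypothetical stand-ins for the Jetty types named above. It reproduces the three states in the report: the stock, non-Serializable inner class cannot be written at all; adding implements Serializable lets the sending node write it, but a non-static inner class drags its enclosing authenticator along, and because that authenticator's base class is not Serializable and has no no-arg constructor the receiving node fails with "no valid constructor". That is why login works with one member (nothing is ever deserialized) and breaks with two. The third shape carries only the authenticated identity across the wire and re-binds a node-local authenticator on arrival.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;

/** Added example: plain Java serialization stands in for WADI replication (assumption). */
public class SessionAuthReplicationDemo {

    /** Hypothetical stand-in for Jetty's LoginService: live, node-local, not Serializable. */
    static final class LoginService {
        /** The JGS sample accepts any username whose password equals it (e.g. test/test). */
        boolean check(String user, String password) { return user != null && user.equals(password); }
    }

    /** Stand-in for the authenticator base class: not Serializable and no no-arg constructor. */
    static abstract class BaseAuthenticator {
        final LoginService loginService;
        BaseAuthenticator(LoginService loginService) { this.loginService = loginService; }
    }

    /** State 1 (stock): nothing is Serializable, so the session attribute cannot leave the node. */
    static final class StockAuthenticator extends BaseAuthenticator {
        StockAuthenticator(LoginService ls) { super(ls); }
        final class SessionAuthentication {            // non-static inner class: implicit ref to outer
            final String user;
            SessionAuthentication(String user) { this.user = user; }
        }
    }

    /** State 2 (the patch in the report): Serializable added, but the inner class still drags the
     *  authenticator along, and the authenticator's base class has no no-arg constructor. */
    static final class PatchedAuthenticator extends BaseAuthenticator implements Serializable {
        PatchedAuthenticator(LoginService ls) { super(ls); }
        final class SessionAuthentication implements Serializable {
            final String user;
            SessionAuthentication(String user) { this.user = user; }
        }
    }

    /** State 3 (replication-safe shape): a static nested class that carries only the identity.
     *  The authenticator is transient and re-bound on the node that receives the session. */
    static final class ReplicableSessionAuth implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final List<String> roles;
        transient BaseAuthenticator authenticator;     // node-local; null right after deserialization
        ReplicableSessionAuth(String user, List<String> roles, BaseAuthenticator a) {
            this.user = user; this.roles = roles; this.authenticator = a;
        }
        /** The receiving node re-attaches its own live authenticator before using this object. */
        ReplicableSessionAuth rebind(BaseAuthenticator local) { this.authenticator = local; return this; }
        boolean isBound() { return authenticator != null; }
    }

    /** Stand-in for replication: write on one node, read on another. */
    @SuppressWarnings("unchecked")
    static <T> T replicate(T attribute) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(attribute); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        LoginService node1 = new LoginService(), node2 = new LoginService();

        try {                                            // State 1: fails on the sending node
            replicate(new StockAuthenticator(node1).new SessionAuthentication("test"));
        } catch (NotSerializableException e) {
            System.out.println("stock: cannot replicate -> " + e.getMessage());
        }

        try {                                            // State 2: written fine, peer cannot rebuild it
            replicate(new PatchedAuthenticator(node1).new SessionAuthentication("test"));
        } catch (InvalidClassException e) {
            System.out.println("patched: peer cannot deserialize -> " + e.getMessage());
        }

        // State 3: only the identity crosses the wire; the peer re-binds its own authenticator.
        ReplicableSessionAuth sent = new ReplicableSessionAuth("test", Arrays.asList("customer"),
                new StockAuthenticator(node1));
        ReplicableSessionAuth received = replicate(sent);
        System.out.println("replicable: bound on arrival? " + received.isBound());
        received.rebind(new StockAuthenticator(node2));
        System.out.println("replicable: user=" + received.user + " roles=" + received.roles
                + " re-check on peer=" + received.authenticator.loginService.check("test", "test"));
    }
}
```

Compile and run with javac SessionAuthReplicationDemo.java && java SessionAuthReplicationDemo. The design point for clustered form login is that what crosses the replication channel should be the authenticated identity (user, roles) and nothing else: the receiving node binds that identity to its own live authenticator and LoginService instead of trusting serialized authenticator state from a peer, and because the channel carries Java-serialized objects, it has to be trusted to the same degree as the session store itself.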

