geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn Jiang (JIRA)" <>
Subject [jira] Created: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.
Date Fri, 04 Sep 2009 06:46:57 GMT
form based security for the web application does not work with Jetty WADI clustering.

                 Key: GERONIMO-4846
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Clustering
    Affects Versions: 2.2
            Reporter: Shawn Jiang

This is a part of,  the major issue has
been resolved with the patch from  	 Trygve Hardersen.  Opening this JIRA to track the remaining


However it does not work when combined with form based security for the web application. The
first problem is that$SessionAuthentication
and are not serializable,
so they can not be sent across the network. I made these classes serializable, and then login
works as long as there is only one member in the cluster (well, not really a cluster...).
When there are multiple members in the cluster, login fails because there is no valid constructor
I tried to add a default constructor, but it's an inner class, and it seems to me like theAuthenticator
and UserIdentity properties are required for it to work so I did not try to extract the class.

As I said login works as long as there's only one member in the cluster, but logout does not.
Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the curent
session can not be found:

java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb]
is undefined
org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2]
does not exist

I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch)
and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing.
The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering.
The /customer page is protected, and to access it one must login with any username and password,
as long as they are the same. Use test/test for instance. To test session invalidation, manually
enter the URL /logout.

It would be very helpful if someone can comment on the usability of WADI clustering in combination
with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6
again is the best option for us, unless the issues described above can be easily solved.

Thanks for your help!

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message