From: "Trygve Hardersen (JIRA)"
To: dev@geronimo.apache.org
Date: Mon, 2 Nov 2009 15:24:59 +0000 (UTC)
Message-ID: <192229175.1257175499472.JavaMail.jira@brutus>
Subject: [jira] Commented: (GERONIMO-4846) form based security for the web application does not work with Jetty WADI clustering.
In-Reply-To: <224295384.1252046817556.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/GERONIMO-4846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12772536#action_12772536 ]

Trygve Hardersen commented on GERONIMO-4846:
--------------------------------------------

I'll try to get this tested sometime later this week. Thanks!

> form based security for the web application does not work with Jetty WADI clustering.
> -------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4846
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4846
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: Clustering
>    Affects Versions: 2.2
>            Reporter: Shawn Jiang
>
> This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777; the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.
> ----------------------------------------
> However it does not work when combined with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable, so they cannot be sent across the network. I made these classes serializable, and then login works as long as there is only one member in the cluster (well, not really a cluster...). When there are multiple members in the cluster, login fails because there is no valid constructor for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. I tried to add a default constructor, but it's an inner class, and it seems to me like the Authenticator and UserIdentity properties are required for it to work, so I did not try to extract the class.
> As I said, login works as long as there's only one member in the cluster, but logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current session cannot be found:
> java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
> org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist
> I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing. The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering. The /customer page is protected, and to access it one must login with any username and password, as long as they are the same. Use test/test for instance. To test session invalidation, manually enter the URL /logout.
> It would be very helpful if someone can comment on the usability of WADI clustering in combination with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6 again is the best option for us, unless the issues described above can be easily solved.
> Thanks for your help!
> ------------------------------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
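The serialization failure the report describes, as an added example that is not Jetty, WADI or Geronimo code: the interfaces UserIdentity and LoginService and both nested classes are hypothetical stand-ins, and the credential string stands for whatever a real implementation would choose to replicate. It contrasts the non-static inner-class shape (which drags the enclosing authenticator and the live identity into the serialized session) with a static nested class that replicates only the data needed to rebuild the identity on the receiving cluster member.

```java
import java.io.*;

// Added illustration (not Jetty/Geronimo code); all type names below are hypothetical stand-ins.
public class SessionAuthReplicationDemo {
    interface UserIdentity { String getName(); }
    interface LoginService { UserIdentity login(String user, Object credentials); }
    // Shape 1 (the reported situation): serialization must write the implicit reference to the
    // enclosing authenticator and the live identity; neither is Serializable, so replication fails.
    static class CachingAuthenticator {
        class SessionAuthentication implements Serializable {
            final UserIdentity identity;
            SessionAuthentication(UserIdentity identity) { this.identity = identity; }
        }
    }
    // Shape 2: static nested class that replicates only what is needed to rebuild the identity on
    // the receiving node; the live object is transient and re-resolved through the LoginService.
    static class ReplicableSessionAuthentication implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final String credentials; // what crosses the wire should be a hash or token, never cleartext
        private transient UserIdentity identity;
        ReplicableSessionAuthentication(String name, String credentials, UserIdentity identity) {
            this.name = name; this.credentials = credentials; this.identity = identity;
        }
        UserIdentity getIdentity(LoginService loginService) {
            if (identity == null) identity = loginService.login(name, credentials); // rebuilt on this node
            return identity;
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        UserIdentity live = () -> "test"; // constructed identity for the login node
        try {
            serialize(new CachingAuthenticator().new SessionAuthentication(live));
        } catch (NotSerializableException e) {
            System.out.println("inner class cannot be replicated: " + e.getMessage());
        }
        byte[] bytes = serialize(new ReplicableSessionAuthentication("test", "test", live));
        Object restored = new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
        LoginService otherNode = (user, creds) -> () -> user; // constructed stub for the receiving node
        System.out.println(((ReplicableSessionAuthentication) restored).getIdentity(otherNode).getName());
    }
}
```

The first serialize call fails with NotSerializableException; the second round-trips, and the receiving node rebuilds the identity from the replicated name and credentials rather than receiving a live object.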