karaf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Achim Nierbeck <achim.nierb...@ptv.de>
Subject Re: Karaf Webconsole and JAAS how does it work?
Date Thu, 15 Jul 2010 12:51:26 GMT

I finally found what the problem is, and it is also a problem when using the
"vanilla" Karaf. 
If I switch to use equinox as the karaf.framework the webconsole and
especially the jaas part do not work. Now I would consider this to be a
problem, or am I wrong here. 
Should I create an Issue for this?

cheers, Achim 


Achim Nierbeck wrote:
> 
> I now did some more in detail inspection, the exception is thrown while
> loginContext.login() is executed and somehow it seems to be somewhere 
> 
> 		invokePriv(LOGIN_METHOD);  <<< Here in class LoginContext
> 		invokePriv(COMMIT_METHOD);
> 
> 
>     private void invokePriv(final String methodName) throws LoginException
> {
> 	try {
> 	    java.security.AccessController.doPrivileged
> 		(new java.security.PrivilegedExceptionAction() {
> 		public Object run() throws LoginException {
> 		    invoke(methodName); <<<---- Here 
> 		    return null;
> 		}
> 	    });
> 
> 
>      // instantiate the LoginModule
> 		    Class c = Class.forName        <<< This class is not found :(
> 				(moduleStack[i].entry.getLoginModuleName(),
> 				true,
> 				contextClassLoader);
> 
> 
> This is the contextClassLoader: 
> 
> BundleClassLoader{bundle=org.apache.felix.webconsole_3.1.0
> [95],parent=null}
> 
> parent=null doesn't seem to be right, or am I wrong?
> 
> At least this is the place where the CNF Exception is comming from. 
> When I hit a packages:exports 0 
> 
> I can see the package in question though. 
> 
> ...
> OSGi System Bundle (0): org.apache.karaf.jaas.boot;
> version="1.99.0.SNAPSHOT"
> OSGi System Bundle (0): org.apache.karaf.version;
> version="1.99.0.SNAPSHOT"
> ...
> 
> 
> any ideas so far?
> 
> 
> Achim Nierbeck wrote:
>> 
>> Unfortunately, it still doesn't work. I now use the original
>> config.properties and use the custom.properties to configure to use
>> equinox as osgi framework
>> 
>> 
>> Achim Nierbeck wrote:
>>> 
>>> Ok, somehow i merged the jaas.boot stuff to system.packages.extra and
>>> not to system.packages :(
>>> 
>>> One more thing about the exception, I think a WARN with the Information
>>> that there has been an Exception could be logged. 
>>> 
>>> Now I will try with the "right" configuration. Another PEBKAC :(
>>> 
>>> 
>>> Guillaume Nodet wrote:
>>>> 
>>>> On Tue, Jul 13, 2010 at 4:26 PM, Achim Nierbeck <achim.nierbeck@ptv.de>
>>>> wrote:
>>>>>
>>>>> OK, got it.
>>>>>
>>>>> Got an LoginException which says it can't find the class
>>>>> org.apache.karaf.jaas.boot.ProxyLoginModule
>>>>>
>>>>> but just to mention, I don't think  it is a good style to catch an
>>>>> exception
>>>>> and not to do anything with it.
>>>>> At leas you should log a warning, just for the records :)
>>>> 
>>>> Yes, but the problem is that this is a security related exception, so
>>>> you certainly don't want to expose passwords in the log ...
>>>> We've had users complaining about such exposure of sensitive data.
>>>> 
>>>>>
>>>>> Now, what can I do about the "missing" Class :-)
>>>>>
>>>> 
>>>> I bet you changed the default config.properties.  The
>>>> org.apache.karaf.jaas.boot should be boot delegated.
>>>> 
>>>>>
>>>>> Guillaume Nodet wrote:
>>>>>>
>>>>>> Yeah, debugging is a good solution in that case.
>>>>>> You should try to put a breakpoint in
>>>>>> org.apache.karaf.webconsole.JaasSecurityProvider#authenticate method
>>>>>> and see what happens.
>>>>>> If you don't hit that breakpoint, it means the webconsole does not
>>>>>> see
>>>>>> karaf authenticator, else you should see an exception in that method.
>>>>>>
>>>>>> On Tue, Jul 13, 2010 at 2:30 PM, Achim Nierbeck
>>>>>> <achim.nierbeck@ptv.de>
>>>>>> wrote:
>>>>>>>
>>>>>>> That's what is driving me nuts, I do not have any exceptions.
>>>>>>> It asks me for the credentials over and over again :(
>>>>>>>
>>>>>>> I just started the whole server with DEBUG log level and the
sift
>>>>>>> logger
>>>>>>> enabled.
>>>>>>> It looks like I'm not authorized, I'll attach the
>>>>>>> org.ops4j.pax.web.pax-web-jetty.log file
>>>>>>>
>>>>>>> http://karaf.922171.n3.nabble.com/file/n963228/org.ops4j.pax.web.pax-web-jetty.log
>>>>>>> org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>
>>>>>>>
>>>>>>> Guillaume Nodet wrote:
>>>>>>>>
>>>>>>>> Any exception in the log ? Also, I'm not sure to understand
what
>>>>>>>> you
>>>>>>>> see, is the http request denied ?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 13, 2010 at 2:03 PM, Achim Nierbeck
>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I already did that, and I also configured
>>>>>>>>> the pax-web Container with the following file:
>>>>>>>>>
>>>>>>>>> org.ops4j.pax.web.cfg
>>>>>>>>>
>>>>>>>>> and the following properties:
>>>>>>>>>
>>>>>>>>> org.apache.karaf.features.configKey=org.ops4j.pax.web
>>>>>>>>> org.osgi.service.http.port=8080
>>>>>>>>> org.ops4j.pax.web.session.timeout=30
>>>>>>>>>
>>>>>>>>> so if I call
>>>>>>>>>
>>>>>>>>> http://localhost:8080/system/console
>>>>>>>>>
>>>>>>>>> i do get the request for username and passwort, but I'm
still not
>>>>>>>>> able
>>>>>>>>> to
>>>>>>>>> get to the webconsole,
>>>>>>>>> which is quite strange since I did this also with the
Karaf 1.6.0
>>>>>>>>> release
>>>>>>>>> where it did work.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>>
>>>>>>>>>> I think that' s because the webconsole feature has
some
>>>>>>>>>> additional
>>>>>>>>>> config:
>>>>>>>>>>
>>>>>>>>>>         <config name="org.apache.karaf.webconsole">
>>>>>>>>>>           realm=karaf
>>>>>>>>>>         </config>
>>>>>>>>>>
>>>>>>>>>> If you put a file named org.apache.karaf.webconsole.cfg
in the
>>>>>>>>>> etc dir
>>>>>>>>>> with the above properties, it should work.
>>>>>>>>>>
>>>>>>>>>> On Tue, Jul 13, 2010 at 10:35 AM, Achim Nierbeck
>>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Right now I'm repackaging the Karaf 1.99 with
some additional
>>>>>>>>>>> bundles.
>>>>>>>>>>> Basically it is the same as if I would use the
features
>>>>>>>>>>> spring
>>>>>>>>>>> spring-dm
>>>>>>>>>>> http
>>>>>>>>>>> war
>>>>>>>>>>> webconsole
>>>>>>>>>>>
>>>>>>>>>>> and some additional bundles for all kinds of
apache commons
>>>>>>>>>>> stuff.
>>>>>>>>>>>
>>>>>>>>>>> when i call the webconsole I do get the prompt
for the
>>>>>>>>>>> credentials,
>>>>>>>>>>> but
>>>>>>>>>>> they
>>>>>>>>>>> are not accepted.
>>>>>>>>>>>
>>>>>>>>>>> If i use the "Vanilla" Karaf 1.99 and install
those features
>>>>>>>>>>> later it
>>>>>>>>>>> works,
>>>>>>>>>>> so I don't know right now where the
>>>>>>>>>>> problem is.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance :)
>>>>>>>>>>>
>>>>>>>>>>> Achim
>>>>>>>>>>> --
>>>>>>>>>>> View this message in context:
>>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p962815.html
>>>>>>>>>>> Sent from the Karaf - Dev mailing list archive
at Nabble.com.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Cheers,
>>>>>>>>>> Guillaume Nodet
>>>>>>>>>> ------------------------
>>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>>> ------------------------
>>>>>>>>>> Open Source SOA
>>>>>>>>>> http://fusesource.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> View this message in context:
>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963158.html
>>>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Cheers,
>>>>>>>> Guillaume Nodet
>>>>>>>> ------------------------
>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>> ------------------------
>>>>>>>> Open Source SOA
>>>>>>>> http://fusesource.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> View this message in context:
>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963228.html
>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Cheers,
>>>>>> Guillaume Nodet
>>>>>> ------------------------
>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>> ------------------------
>>>>>> Open Source SOA
>>>>>> http://fusesource.com
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963549.html
>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Cheers,
>>>> Guillaume Nodet
>>>> ------------------------
>>>> Blog: http://gnodet.blogspot.com/
>>>> ------------------------
>>>> Open Source SOA
>>>> http://fusesource.com
>>>> 
>>>> 
>>> 
>>> Guillaume Nodet wrote:
>>>> 
>>>> On Tue, Jul 13, 2010 at 4:26 PM, Achim Nierbeck <achim.nierbeck@ptv.de>
>>>> wrote:
>>>>>
>>>>> OK, got it.
>>>>>
>>>>> Got an LoginException which says it can't find the class
>>>>> org.apache.karaf.jaas.boot.ProxyLoginModule
>>>>>
>>>>> but just to mention, I don't think  it is a good style to catch an
>>>>> exception
>>>>> and not to do anything with it.
>>>>> At leas you should log a warning, just for the records :)
>>>> 
>>>> Yes, but the problem is that this is a security related exception, so
>>>> you certainly don't want to expose passwords in the log ...
>>>> We've had users complaining about such exposure of sensitive data.
>>>> 
>>>>>
>>>>> Now, what can I do about the "missing" Class :-)
>>>>>
>>>> 
>>>> I bet you changed the default config.properties.  The
>>>> org.apache.karaf.jaas.boot should be boot delegated.
>>>> 
>>>>>
>>>>> Guillaume Nodet wrote:
>>>>>>
>>>>>> Yeah, debugging is a good solution in that case.
>>>>>> You should try to put a breakpoint in
>>>>>> org.apache.karaf.webconsole.JaasSecurityProvider#authenticate method
>>>>>> and see what happens.
>>>>>> If you don't hit that breakpoint, it means the webconsole does not
>>>>>> see
>>>>>> karaf authenticator, else you should see an exception in that method.
>>>>>>
>>>>>> On Tue, Jul 13, 2010 at 2:30 PM, Achim Nierbeck
>>>>>> <achim.nierbeck@ptv.de>
>>>>>> wrote:
>>>>>>>
>>>>>>> That's what is driving me nuts, I do not have any exceptions.
>>>>>>> It asks me for the credentials over and over again :(
>>>>>>>
>>>>>>> I just started the whole server with DEBUG log level and the
sift
>>>>>>> logger
>>>>>>> enabled.
>>>>>>> It looks like I'm not authorized, I'll attach the
>>>>>>> org.ops4j.pax.web.pax-web-jetty.log file
>>>>>>>
>>>>>>> http://karaf.922171.n3.nabble.com/file/n963228/org.ops4j.pax.web.pax-web-jetty.log
>>>>>>> org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>
>>>>>>>
>>>>>>> Guillaume Nodet wrote:
>>>>>>>>
>>>>>>>> Any exception in the log ? Also, I'm not sure to understand
what
>>>>>>>> you
>>>>>>>> see, is the http request denied ?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 13, 2010 at 2:03 PM, Achim Nierbeck
>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I already did that, and I also configured
>>>>>>>>> the pax-web Container with the following file:
>>>>>>>>>
>>>>>>>>> org.ops4j.pax.web.cfg
>>>>>>>>>
>>>>>>>>> and the following properties:
>>>>>>>>>
>>>>>>>>> org.apache.karaf.features.configKey=org.ops4j.pax.web
>>>>>>>>> org.osgi.service.http.port=8080
>>>>>>>>> org.ops4j.pax.web.session.timeout=30
>>>>>>>>>
>>>>>>>>> so if I call
>>>>>>>>>
>>>>>>>>> http://localhost:8080/system/console
>>>>>>>>>
>>>>>>>>> i do get the request for username and passwort, but I'm
still not
>>>>>>>>> able
>>>>>>>>> to
>>>>>>>>> get to the webconsole,
>>>>>>>>> which is quite strange since I did this also with the
Karaf 1.6.0
>>>>>>>>> release
>>>>>>>>> where it did work.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>>
>>>>>>>>>> I think that' s because the webconsole feature has
some
>>>>>>>>>> additional
>>>>>>>>>> config:
>>>>>>>>>>
>>>>>>>>>>         <config name="org.apache.karaf.webconsole">
>>>>>>>>>>           realm=karaf
>>>>>>>>>>         </config>
>>>>>>>>>>
>>>>>>>>>> If you put a file named org.apache.karaf.webconsole.cfg
in the
>>>>>>>>>> etc dir
>>>>>>>>>> with the above properties, it should work.
>>>>>>>>>>
>>>>>>>>>> On Tue, Jul 13, 2010 at 10:35 AM, Achim Nierbeck
>>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Right now I'm repackaging the Karaf 1.99 with
some additional
>>>>>>>>>>> bundles.
>>>>>>>>>>> Basically it is the same as if I would use the
features
>>>>>>>>>>> spring
>>>>>>>>>>> spring-dm
>>>>>>>>>>> http
>>>>>>>>>>> war
>>>>>>>>>>> webconsole
>>>>>>>>>>>
>>>>>>>>>>> and some additional bundles for all kinds of
apache commons
>>>>>>>>>>> stuff.
>>>>>>>>>>>
>>>>>>>>>>> when i call the webconsole I do get the prompt
for the
>>>>>>>>>>> credentials,
>>>>>>>>>>> but
>>>>>>>>>>> they
>>>>>>>>>>> are not accepted.
>>>>>>>>>>>
>>>>>>>>>>> If i use the "Vanilla" Karaf 1.99 and install
those features
>>>>>>>>>>> later it
>>>>>>>>>>> works,
>>>>>>>>>>> so I don't know right now where the
>>>>>>>>>>> problem is.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance :)
>>>>>>>>>>>
>>>>>>>>>>> Achim
>>>>>>>>>>> --
>>>>>>>>>>> View this message in context:
>>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p962815.html
>>>>>>>>>>> Sent from the Karaf - Dev mailing list archive
at Nabble.com.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Cheers,
>>>>>>>>>> Guillaume Nodet
>>>>>>>>>> ------------------------
>>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>>> ------------------------
>>>>>>>>>> Open Source SOA
>>>>>>>>>> http://fusesource.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> View this message in context:
>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963158.html
>>>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Cheers,
>>>>>>>> Guillaume Nodet
>>>>>>>> ------------------------
>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>> ------------------------
>>>>>>>> Open Source SOA
>>>>>>>> http://fusesource.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> View this message in context:
>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963228.html
>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Cheers,
>>>>>> Guillaume Nodet
>>>>>> ------------------------
>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>> ------------------------
>>>>>> Open Source SOA
>>>>>> http://fusesource.com
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963549.html
>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Cheers,
>>>> Guillaume Nodet
>>>> ------------------------
>>>> Blog: http://gnodet.blogspot.com/
>>>> ------------------------
>>>> Open Source SOA
>>>> http://fusesource.com
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p969456.html
Sent from the Karaf - Dev mailing list archive at Nabble.com.

Mime
View raw message