karaf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Achim Nierbeck <achim.nierb...@ptv.de>
Subject Re: Karaf Webconsole and JAAS how does it work?
Date Thu, 15 Jul 2010 15:31:37 GMT

Ok, I filed the following bug entry to jira: 

https://issues.apache.org/jira/browse/KARAF-122




Achim Nierbeck wrote:
> 
> I finally found what the problem is, and it is also a problem when using
> the "vanilla" Karaf. 
> If I switch to use equinox as the karaf.framework the webconsole and
> especially the jaas part do not work. Now I would consider this to be a
> problem, or am I wrong here. 
> Should I create an Issue for this?
> 
> cheers, Achim 
> 
> 
> Achim Nierbeck wrote:
>> 
>> I now did some more in detail inspection, the exception is thrown while
>> loginContext.login() is executed and somehow it seems to be somewhere 
>> 
>> 		invokePriv(LOGIN_METHOD);  <<< Here in class LoginContext
>> 		invokePriv(COMMIT_METHOD);
>> 
>> 
>>     private void invokePriv(final String methodName) throws
>> LoginException {
>> 	try {
>> 	    java.security.AccessController.doPrivileged
>> 		(new java.security.PrivilegedExceptionAction() {
>> 		public Object run() throws LoginException {
>> 		    invoke(methodName); <<<---- Here 
>> 		    return null;
>> 		}
>> 	    });
>> 
>> 
>>      // instantiate the LoginModule
>> 		    Class c = Class.forName        <<< This class is not found :(
>> 				(moduleStack[i].entry.getLoginModuleName(),
>> 				true,
>> 				contextClassLoader);
>> 
>> 
>> This is the contextClassLoader: 
>> 
>> BundleClassLoader{bundle=org.apache.felix.webconsole_3.1.0
>> [95],parent=null}
>> 
>> parent=null doesn't seem to be right, or am I wrong?
>> 
>> At least this is the place where the CNF Exception is comming from. 
>> When I hit a packages:exports 0 
>> 
>> I can see the package in question though. 
>> 
>> ...
>> OSGi System Bundle (0): org.apache.karaf.jaas.boot;
>> version="1.99.0.SNAPSHOT"
>> OSGi System Bundle (0): org.apache.karaf.version;
>> version="1.99.0.SNAPSHOT"
>> ...
>> 
>> 
>> any ideas so far?
>> 
>> 
>> Achim Nierbeck wrote:
>>> 
>>> Unfortunately, it still doesn't work. I now use the original
>>> config.properties and use the custom.properties to configure to use
>>> equinox as osgi framework
>>> 
>>> 
>>> Achim Nierbeck wrote:
>>>> 
>>>> Ok, somehow i merged the jaas.boot stuff to system.packages.extra and
>>>> not to system.packages :(
>>>> 
>>>> One more thing about the exception, I think a WARN with the Information
>>>> that there has been an Exception could be logged. 
>>>> 
>>>> Now I will try with the "right" configuration. Another PEBKAC :(
>>>> 
>>>> 
>>>> Guillaume Nodet wrote:
>>>>> 
>>>>> On Tue, Jul 13, 2010 at 4:26 PM, Achim Nierbeck
>>>>> <achim.nierbeck@ptv.de> wrote:
>>>>>>
>>>>>> OK, got it.
>>>>>>
>>>>>> Got an LoginException which says it can't find the class
>>>>>> org.apache.karaf.jaas.boot.ProxyLoginModule
>>>>>>
>>>>>> but just to mention, I don't think  it is a good style to catch
an
>>>>>> exception
>>>>>> and not to do anything with it.
>>>>>> At leas you should log a warning, just for the records :)
>>>>> 
>>>>> Yes, but the problem is that this is a security related exception, so
>>>>> you certainly don't want to expose passwords in the log ...
>>>>> We've had users complaining about such exposure of sensitive data.
>>>>> 
>>>>>>
>>>>>> Now, what can I do about the "missing" Class :-)
>>>>>>
>>>>> 
>>>>> I bet you changed the default config.properties.  The
>>>>> org.apache.karaf.jaas.boot should be boot delegated.
>>>>> 
>>>>>>
>>>>>> Guillaume Nodet wrote:
>>>>>>>
>>>>>>> Yeah, debugging is a good solution in that case.
>>>>>>> You should try to put a breakpoint in
>>>>>>> org.apache.karaf.webconsole.JaasSecurityProvider#authenticate
method
>>>>>>> and see what happens.
>>>>>>> If you don't hit that breakpoint, it means the webconsole does
not
>>>>>>> see
>>>>>>> karaf authenticator, else you should see an exception in that
>>>>>>> method.
>>>>>>>
>>>>>>> On Tue, Jul 13, 2010 at 2:30 PM, Achim Nierbeck
>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> That's what is driving me nuts, I do not have any exceptions.
>>>>>>>> It asks me for the credentials over and over again :(
>>>>>>>>
>>>>>>>> I just started the whole server with DEBUG log level and
the sift
>>>>>>>> logger
>>>>>>>> enabled.
>>>>>>>> It looks like I'm not authorized, I'll attach the
>>>>>>>> org.ops4j.pax.web.pax-web-jetty.log file
>>>>>>>>
>>>>>>>> http://karaf.922171.n3.nabble.com/file/n963228/org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>> org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>>
>>>>>>>>
>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>
>>>>>>>>> Any exception in the log ? Also, I'm not sure to understand
what
>>>>>>>>> you
>>>>>>>>> see, is the http request denied ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jul 13, 2010 at 2:03 PM, Achim Nierbeck
>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I already did that, and I also configured
>>>>>>>>>> the pax-web Container with the following file:
>>>>>>>>>>
>>>>>>>>>> org.ops4j.pax.web.cfg
>>>>>>>>>>
>>>>>>>>>> and the following properties:
>>>>>>>>>>
>>>>>>>>>> org.apache.karaf.features.configKey=org.ops4j.pax.web
>>>>>>>>>> org.osgi.service.http.port=8080
>>>>>>>>>> org.ops4j.pax.web.session.timeout=30
>>>>>>>>>>
>>>>>>>>>> so if I call
>>>>>>>>>>
>>>>>>>>>> http://localhost:8080/system/console
>>>>>>>>>>
>>>>>>>>>> i do get the request for username and passwort, but
I'm still not
>>>>>>>>>> able
>>>>>>>>>> to
>>>>>>>>>> get to the webconsole,
>>>>>>>>>> which is quite strange since I did this also with
the Karaf 1.6.0
>>>>>>>>>> release
>>>>>>>>>> where it did work.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>>>
>>>>>>>>>>> I think that' s because the webconsole feature
has some
>>>>>>>>>>> additional
>>>>>>>>>>> config:
>>>>>>>>>>>
>>>>>>>>>>>         <config name="org.apache.karaf.webconsole">
>>>>>>>>>>>           realm=karaf
>>>>>>>>>>>         </config>
>>>>>>>>>>>
>>>>>>>>>>> If you put a file named org.apache.karaf.webconsole.cfg
in the
>>>>>>>>>>> etc dir
>>>>>>>>>>> with the above properties, it should work.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jul 13, 2010 at 10:35 AM, Achim Nierbeck
>>>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Right now I'm repackaging the Karaf 1.99
with some additional
>>>>>>>>>>>> bundles.
>>>>>>>>>>>> Basically it is the same as if I would use
the features
>>>>>>>>>>>> spring
>>>>>>>>>>>> spring-dm
>>>>>>>>>>>> http
>>>>>>>>>>>> war
>>>>>>>>>>>> webconsole
>>>>>>>>>>>>
>>>>>>>>>>>> and some additional bundles for all kinds
of apache commons
>>>>>>>>>>>> stuff.
>>>>>>>>>>>>
>>>>>>>>>>>> when i call the webconsole I do get the prompt
for the
>>>>>>>>>>>> credentials,
>>>>>>>>>>>> but
>>>>>>>>>>>> they
>>>>>>>>>>>> are not accepted.
>>>>>>>>>>>>
>>>>>>>>>>>> If i use the "Vanilla" Karaf 1.99 and install
those features
>>>>>>>>>>>> later it
>>>>>>>>>>>> works,
>>>>>>>>>>>> so I don't know right now where the
>>>>>>>>>>>> problem is.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance :)
>>>>>>>>>>>>
>>>>>>>>>>>> Achim
>>>>>>>>>>>> --
>>>>>>>>>>>> View this message in context:
>>>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p962815.html
>>>>>>>>>>>> Sent from the Karaf - Dev mailing list archive
at Nabble.com.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Guillaume Nodet
>>>>>>>>>>> ------------------------
>>>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>>>> ------------------------
>>>>>>>>>>> Open Source SOA
>>>>>>>>>>> http://fusesource.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> View this message in context:
>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963158.html
>>>>>>>>>> Sent from the Karaf - Dev mailing list archive at
Nabble.com.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Cheers,
>>>>>>>>> Guillaume Nodet
>>>>>>>>> ------------------------
>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>> ------------------------
>>>>>>>>> Open Source SOA
>>>>>>>>> http://fusesource.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> View this message in context:
>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963228.html
>>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Cheers,
>>>>>>> Guillaume Nodet
>>>>>>> ------------------------
>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>> ------------------------
>>>>>>> Open Source SOA
>>>>>>> http://fusesource.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963549.html
>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Cheers,
>>>>> Guillaume Nodet
>>>>> ------------------------
>>>>> Blog: http://gnodet.blogspot.com/
>>>>> ------------------------
>>>>> Open Source SOA
>>>>> http://fusesource.com
>>>>> 
>>>>> 
>>>> 
>>>> Guillaume Nodet wrote:
>>>>> 
>>>>> On Tue, Jul 13, 2010 at 4:26 PM, Achim Nierbeck
>>>>> <achim.nierbeck@ptv.de> wrote:
>>>>>>
>>>>>> OK, got it.
>>>>>>
>>>>>> Got an LoginException which says it can't find the class
>>>>>> org.apache.karaf.jaas.boot.ProxyLoginModule
>>>>>>
>>>>>> but just to mention, I don't think  it is a good style to catch
an
>>>>>> exception
>>>>>> and not to do anything with it.
>>>>>> At leas you should log a warning, just for the records :)
>>>>> 
>>>>> Yes, but the problem is that this is a security related exception, so
>>>>> you certainly don't want to expose passwords in the log ...
>>>>> We've had users complaining about such exposure of sensitive data.
>>>>> 
>>>>>>
>>>>>> Now, what can I do about the "missing" Class :-)
>>>>>>
>>>>> 
>>>>> I bet you changed the default config.properties.  The
>>>>> org.apache.karaf.jaas.boot should be boot delegated.
>>>>> 
>>>>>>
>>>>>> Guillaume Nodet wrote:
>>>>>>>
>>>>>>> Yeah, debugging is a good solution in that case.
>>>>>>> You should try to put a breakpoint in
>>>>>>> org.apache.karaf.webconsole.JaasSecurityProvider#authenticate
method
>>>>>>> and see what happens.
>>>>>>> If you don't hit that breakpoint, it means the webconsole does
not
>>>>>>> see
>>>>>>> karaf authenticator, else you should see an exception in that
>>>>>>> method.
>>>>>>>
>>>>>>> On Tue, Jul 13, 2010 at 2:30 PM, Achim Nierbeck
>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> That's what is driving me nuts, I do not have any exceptions.
>>>>>>>> It asks me for the credentials over and over again :(
>>>>>>>>
>>>>>>>> I just started the whole server with DEBUG log level and
the sift
>>>>>>>> logger
>>>>>>>> enabled.
>>>>>>>> It looks like I'm not authorized, I'll attach the
>>>>>>>> org.ops4j.pax.web.pax-web-jetty.log file
>>>>>>>>
>>>>>>>> http://karaf.922171.n3.nabble.com/file/n963228/org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>> org.ops4j.pax.web.pax-web-jetty.log
>>>>>>>>
>>>>>>>>
>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>
>>>>>>>>> Any exception in the log ? Also, I'm not sure to understand
what
>>>>>>>>> you
>>>>>>>>> see, is the http request denied ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jul 13, 2010 at 2:03 PM, Achim Nierbeck
>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I already did that, and I also configured
>>>>>>>>>> the pax-web Container with the following file:
>>>>>>>>>>
>>>>>>>>>> org.ops4j.pax.web.cfg
>>>>>>>>>>
>>>>>>>>>> and the following properties:
>>>>>>>>>>
>>>>>>>>>> org.apache.karaf.features.configKey=org.ops4j.pax.web
>>>>>>>>>> org.osgi.service.http.port=8080
>>>>>>>>>> org.ops4j.pax.web.session.timeout=30
>>>>>>>>>>
>>>>>>>>>> so if I call
>>>>>>>>>>
>>>>>>>>>> http://localhost:8080/system/console
>>>>>>>>>>
>>>>>>>>>> i do get the request for username and passwort, but
I'm still not
>>>>>>>>>> able
>>>>>>>>>> to
>>>>>>>>>> get to the webconsole,
>>>>>>>>>> which is quite strange since I did this also with
the Karaf 1.6.0
>>>>>>>>>> release
>>>>>>>>>> where it did work.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Guillaume Nodet wrote:
>>>>>>>>>>>
>>>>>>>>>>> I think that' s because the webconsole feature
has some
>>>>>>>>>>> additional
>>>>>>>>>>> config:
>>>>>>>>>>>
>>>>>>>>>>>         <config name="org.apache.karaf.webconsole">
>>>>>>>>>>>           realm=karaf
>>>>>>>>>>>         </config>
>>>>>>>>>>>
>>>>>>>>>>> If you put a file named org.apache.karaf.webconsole.cfg
in the
>>>>>>>>>>> etc dir
>>>>>>>>>>> with the above properties, it should work.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jul 13, 2010 at 10:35 AM, Achim Nierbeck
>>>>>>>>>>> <achim.nierbeck@ptv.de>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Right now I'm repackaging the Karaf 1.99
with some additional
>>>>>>>>>>>> bundles.
>>>>>>>>>>>> Basically it is the same as if I would use
the features
>>>>>>>>>>>> spring
>>>>>>>>>>>> spring-dm
>>>>>>>>>>>> http
>>>>>>>>>>>> war
>>>>>>>>>>>> webconsole
>>>>>>>>>>>>
>>>>>>>>>>>> and some additional bundles for all kinds
of apache commons
>>>>>>>>>>>> stuff.
>>>>>>>>>>>>
>>>>>>>>>>>> when i call the webconsole I do get the prompt
for the
>>>>>>>>>>>> credentials,
>>>>>>>>>>>> but
>>>>>>>>>>>> they
>>>>>>>>>>>> are not accepted.
>>>>>>>>>>>>
>>>>>>>>>>>> If i use the "Vanilla" Karaf 1.99 and install
those features
>>>>>>>>>>>> later it
>>>>>>>>>>>> works,
>>>>>>>>>>>> so I don't know right now where the
>>>>>>>>>>>> problem is.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance :)
>>>>>>>>>>>>
>>>>>>>>>>>> Achim
>>>>>>>>>>>> --
>>>>>>>>>>>> View this message in context:
>>>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p962815.html
>>>>>>>>>>>> Sent from the Karaf - Dev mailing list archive
at Nabble.com.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Guillaume Nodet
>>>>>>>>>>> ------------------------
>>>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>>>> ------------------------
>>>>>>>>>>> Open Source SOA
>>>>>>>>>>> http://fusesource.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> View this message in context:
>>>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963158.html
>>>>>>>>>> Sent from the Karaf - Dev mailing list archive at
Nabble.com.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Cheers,
>>>>>>>>> Guillaume Nodet
>>>>>>>>> ------------------------
>>>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>>>> ------------------------
>>>>>>>>> Open Source SOA
>>>>>>>>> http://fusesource.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> View this message in context:
>>>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963228.html
>>>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Cheers,
>>>>>>> Guillaume Nodet
>>>>>>> ------------------------
>>>>>>> Blog: http://gnodet.blogspot.com/
>>>>>>> ------------------------
>>>>>>> Open Source SOA
>>>>>>> http://fusesource.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p963549.html
>>>>>> Sent from the Karaf - Dev mailing list archive at Nabble.com.
>>>>>>
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Cheers,
>>>>> Guillaume Nodet
>>>>> ------------------------
>>>>> Blog: http://gnodet.blogspot.com/
>>>>> ------------------------
>>>>> Open Source SOA
>>>>> http://fusesource.com
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://karaf.922171.n3.nabble.com/Karaf-Webconsole-and-JAAS-how-does-it-work-tp962815p969882.html
Sent from the Karaf - Dev mailing list archive at Nabble.com.

Mime
View raw message