From: "(David) Ming Xia"
Date: Thu, 18 Jun 2009 08:14:47 -0700 (PDT)
Reply-To: david.ming.xia@ibol.biz
Subject: Problem in switching to HTTPS channel
To: user@roller.apache.org

Hi, Everyone,

As you can see from the message stack, I am testing Acegi security https channel switching. I got a problem with SchemeEnforcementFilter. The request.getServletPath returned an empty string for '/roller-ui/login-redirect.rol'. This is actually a bug in IBM WebSphere since V6.1. I fixed this bug by setting 'com.ibm.ws.webcontainer.removetrailingservletpathslash' to 'true' in the web container custom properties.

However, it still doesn't work. No error message; something was running hard in the background and then it got stalled there.

I then did the following test to see how it works just on Acegi itself. I made the following changes:

1. Take out SchemeEnforcementFilter from the Roller application
2. Set 'forceHttps' to 'true' in security.xml so we got

3.
Set SSL switching in security.xml

    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /roller_j_security_check=REQUIRES_SECURE_CHANNEL
    /roller-ui/login-redirect.jsp=REQUIRES_SECURE_CHANNEL
    /roller-ui/login-redirect.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/login.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/register.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/register!save.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/profile.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/profile!save.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/admin/userAdmin.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/admin/createUser.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/admin/createUser!save.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/authoring/userdata=REQUIRES_SECURE_CHANNEL
    /roller-ui/authoring/membersInvite.rol=REQUIRES_SECURE_CHANNEL
    /roller-ui/authoring/membersInvite!save.rol=REQUIRES_SECURE_CHANNEL
    /**=REQUIRES_INSECURE_CHANNEL

Now I got an error message directly in the browser when I was starting the application:

    Status Code 500
    Message javax.servlet.ServletException: Filter [securityFilter]: could not be initialized
    Type
    Exception Roller????????

I took out the line 'CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON' and started the application, but I got the following error message in the browser when I clicked on the 'Login' link:

    Status Code 404
    Message javax.servlet.ServletException: SRVE0190E: File not found: /WEB-INF/jsps/tiles/tiles-simplepage.jsp
    Type
    Exception ??????????

And the URL address in the browser is: http://localhost/blog/WEB-INF/jsps/tiles/tiles-simplepage.jsp

So what's wrong? I would appreciate it if someone could shed some light on this.

The following are my further questions:

1. I did not see anywhere in Acegi security for us to specify the path of the certificate store.
This is kind of strange. In a serious production environment, I would use a Verisign certificate, and I need to specify the path of the certificate for Acegi security. Can someone explain this?

2. I found that WebSphere form-based security constraints don't guard Struts 2 actions, but they do guard Struts 1.x actions. The reason, I believe, is that Struts 2 is a filter instead of a servlet. I believe that WebSphere form-based login invokes the login form through a servlet filter at the bottom of the filter stack. So with the Struts 2 filter above it, the http request got forwarded to the action without even touching the web container's security filter. So it seems J2EE declarative security is not able to guard Struts 2 actions. What's your opinion?

Thank you very much.

David

--- On Sat, 6/13/09, (David) Ming Xia wrote:

> From: (David) Ming Xia
> Subject: Re: Problem in switching to HTTPS channel
> To: user@roller.apache.org
> Date: Saturday, June 13, 2009, 12:06 AM
>
> Hi, Greg.
>
> Thank you so much for your help. With the clue you provided I moved forward a little bit. The following is what I got so far.
>
> In Roller 4.0.1, the switching between http and https channels was implemented with org.apache.roller.weblogger.ui.core.filters.SchemeEnforcementFilter. SchemeEnforcementFilter takes four parameters, and the following are what I have in my roller-custom.properties.
>
> -----------------------------------------------
> # Added this line to provide https channel
> securelogin.http.port=9080   <-- I added this
> securelogin.https.port=9443  <-- I added this
> # Enables HTTPS for login page only
> securelogin.enabled=true     <-- I changed this to 'true'
> # Enable scheme enforcement?
> # Scheme enforcement ensures that specific URLs are viewed only via HTTPS
> schemeenforcement.enabled=true  <-- I changed this to 'true'
> -----------------------------------------------
>
> Also, I had to add some URLs for https:
> --------------------------------------------------------
> schemeenforcement.https.urls=/roller_j_security_check,\
> /roller-ui/login-redirect.jsp,\
> /roller-ui/login-redirect.rol,\   <-- I added this
> --------------------------------------------------------
>
> However, it still doesn't work. The reason is that in
>
> req.getServletPath() returns an empty string for 'http://9080/blog/roller-ui/login-redirect.rol', so the process could not find a match for switching channel.
>
> So why does req.getServletPath() return an empty string for '/roller-ui/login-redirect.rol'? I am using WebSphere 7.0.3. Will it return '/roller-ui/login-redirect.rol' in Tomcat? I don't know.
>
> But overall, I feel this is not good. Switching between http and https channels should be implemented in the service layer and should be handled by the web container. By the Java EE declarative security standard, we only need to specify user data constraints in web.xml. Now SchemeEnforcementFilter has moved service layer code to the application layer. Moreover, SchemeEnforcementFilter doesn't implement Spring's interface, so it doesn't work with the Spring container. That means that it doesn't work with any standard. This makes it too hard to maintain. Actually in my case, with the clue from you I would really get lost.
>
> I learned Roller will be moved to CMA in 4.1. I believe that is the right move.
>
> Any ideas or advice? Appreciated.
>
> Thank you very much.
>
> David
>
> --- On Fri, 6/12/09, Greg.Huber@ricoh.co.uk wrote:
>
> > From: Greg.Huber@ricoh.co.uk
> > Subject: Re: Problem in switching to HTTPS channel
> > To: dev@roller.apache.org
> > Cc: "Mailing List Apache Roller Developer", "Mailing List Apache Roller User"
> > Date: Friday, June 12, 2009, 7:44 AM
> >
> > Hello,
> >
> > What you could try and do is add "securelogin.https.port=9443" (as it looks like you are using a non-standard port) to either the roller.properties or your custom roller-custom.properties file.
> >
> > Make sure also that the https is switched on via the roller.properties schemeenforcement.enabled=true and securelogin.enabled=true properties.
> >
> > Cheers Greg
> >
> > "(David) Ming Xia"
> > 11/06/2009 16:06
> > Please respond to dev@roller.apache.org
> > To: Mailing List Apache Roller User, Mailing List Apache Roller Developer
> > cc:
> > Subject: Problem in switching to HTTPS channel
> >
> > Hi, Everyone.
> >
> > I could not set up switching to the HTTPS channel for login. I added a couple of lines into security.xml as illustrated in the following sample code. I started the application and tried to log in at https://localhost:9443/blog/roller-ui/login.rol. The login page was not loaded up.
> >
> > I would appreciate it if someone could give some advice. Do I need to do something in addition to changing security.xml?
> >
> > Thank you for your help.
> >
> > David
> >
> > <bean class="org.acegisecurity.securechannel.ChannelProcessingFilter">
> >     <property name="channelDecisionManager" ref="channelDecisionManager"/>
> >     <property name="filterInvocationDefinitionSource">
> >         <value>
> >             CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> >             PATTERN_TYPE_APACHE_ANT
> >             /roller_j_security_check=REQUIRES_SECURE_CHANNEL
> >             /roller-ui/login.rol=REQUIRES_SECURE_CHANNEL
> >             /roller-ui/login-redirect.rol=REQUIRES_SECURE_CHANNEL
> >             /**=REQUIRES_INSECURE_CHANNEL
> >         </value>
> >     </property>
> > </bean>
> >
> > <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
> >     <property name="channelProcessors">
> >         <list>
> >             <bean class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
> >             <bean class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
> >         </list>
> >     </property>
> > </bean>
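An added example, not Roller's or Acegi's own code, of the scheme-enforcement decision this thread is debugging: it derives the application-relative path from the request URI and context path instead of getServletPath(), which the thread reports comes back empty on WebSphere, and it requires HTTPS whenever the path cannot be derived instead of silently skipping the switch. The ports, the HTTPS URL list and the /blog context path are taken from the thread; the host name, the menu.rol request and the query string are constructed.

```java
import java.util.Arrays;
import java.util.List;
public class SchemeEnforcementDecision {
    // Ports as in the thread's roller-custom.properties
    static final int HTTP_PORT = 9080;
    static final int HTTPS_PORT = 9443;
    // Paths the thread lists under schemeenforcement.https.urls (exact match)
    static final List<String> HTTPS_URLS = Arrays.asList(
            "/roller_j_security_check",
            "/roller-ui/login-redirect.jsp",
            "/roller-ui/login-redirect.rol");

    /** Application-relative path from the request URI, independent of how the
     *  container splits servletPath and pathInfo. Returns null if it cannot be derived. */
    static String appPath(String contextPath, String requestURI) {
        if (requestURI == null || !requestURI.startsWith("/")) return null;
        String path = requestURI;
        if (contextPath != null && !contextPath.isEmpty() && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }
        int semi = path.indexOf(';');          // strip ;jsessionid=... before matching
        if (semi >= 0) path = path.substring(0, semi);
        return path.isEmpty() ? "/" : path;
    }

    /** Absolute URL to redirect to, or null if the request already uses the right scheme.
     *  Listed paths require HTTPS; everything else follows the thread's "/**" rule (HTTP).
     *  An underivable path fails closed: HTTPS is required rather than silently skipped. */
    static String redirectFor(String scheme, String host, String contextPath,
                              String requestURI, String query) {
        String path = appPath(contextPath, requestURI);
        boolean needsHttps = path == null || HTTPS_URLS.contains(path);
        boolean isHttps = "https".equalsIgnoreCase(scheme);
        if (needsHttps == isHttps) return null;
        String base = needsHttps ? "https://" + host + ":" + HTTPS_PORT
                                 : "http://" + host + ":" + HTTP_PORT;
        String ctx = contextPath == null ? "" : contextPath;
        String qs = query == null || query.isEmpty() ? "" : "?" + query;
        return base + ctx + (path == null ? "/" : path) + qs;
    }

    public static void main(String[] args) {
        // Constructed requests modelled on the thread: a plain-HTTP hit on the login
        // redirect URL, and an HTTPS hit on a page the "/**" rule sends back to HTTP.
        System.out.println(redirectFor("http", "localhost", "/blog",
                "/blog/roller-ui/login-redirect.rol", null));
        System.out.println(redirectFor("https", "localhost", "/blog",
                "/blog/roller-ui/menu.rol", "weblog=test"));
    }
}
```

The second call reproduces the thread's `/**=REQUIRES_INSECURE_CHANNEL` rule, which actively sends every unlisted page back to plain HTTP; the fail-closed branch only covers the case where the path itself cannot be determined.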