Date: Thu, 4 Aug 2011 21:57:29 +0000 (UTC)
From: "Achim Nierbeck (JIRA)"
To: issues@karaf.apache.org
Subject: [jira] [Issue Comment Edited] (KARAF-785) Interaction Problem Between Karaf Jetty Security and Spring Security - Jetty Exception

[
https://issues.apache.org/jira/browse/KARAF-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079628#comment-13079628 ]

Achim Nierbeck edited comment on KARAF-785 at 8/4/11 9:55 PM:
--------------------------------------------------------------

Just tested the latest war and it works without any problem.

- Used the latest 2.2.x-SNAPSHOT version of Karaf
- installed features spring-dm-web (which subsequently does install the other spring related features)
- installed the war feature, no war works without that
- installed the transaction bundle
-- install -s mvn:org.springframework/org.springframework.transaction/3.0.5.RELEASE
- installed the needed spring-security bundles:
-- install -s mvn:org.springframework.security/spring-security-core/3.0.5.RELEASE
-- install -s mvn:org.springframework.security/spring-security-config/3.0.5.RELEASE
-- install -s mvn:org.springframework.security/spring-security-acl/3.0.5.RELEASE
-- install -s mvn:org.springframework.security/spring-security-web/3.0.5.RELEASE
-- install -s mvn:org.springframework.security/spring-security-taglibs/3.0.5.RELEASE

dropped the provided test war in the deploy folder
called http://localhost:8181/sste with my browser:
used wrong credential: dummy dummy
failed to log in
retry with the credentials provided: rod koala
The login works out all right.

Now if I call http://localhost:8181/sste/sst I do get the information about the credentials. But I also see the log statement, which is quite reasonable I'd think. In the web.xml there is nothing configured telling Jetty how the credentials are given to the server, so it falls back to the configured Karaf JAAS mechanism. Btw. a login with working std. karaf credentials doesn't work.

Now if I do interpret the stack-trace in a correct way jetty doesn't know how to handle the given credentials since they do not exist in the Karaf JAAS configuration. Which lets you know by throwing this exception in WARN level.

So I guess this is alright since the initial request of using the credentials of Spring-Security works for me and the credentials of the underlying Karaf aren't touched at all. The only not so nice thing about it is the point that Jetty complains about not being able to find the credentials.

Besides that it seems to me the spring-security bundles could be packed into a specialized features descriptor :-)

So if this is OK with you I'd suggest closing this issue.

regards, Achim

> Interaction Problem Between Karaf Jetty Security and Spring Security - Jetty Exception
> --------------------------------------------------------------------------------------
>
> Key: KARAF-785
> URL: https://issues.apache.org/jira/browse/KARAF-785
> Project: Karaf
> Issue Type: Bug
> Components: karaf-webcontainer
> Affects Versions: 2.2.2
> Environment: Mac Snow Leopard 10.6.8, java version 1.6.0.6. Features installed in Karaf: spring/spring-web(3.0.5.RELEASE), spring-dm/spring-dm-web(1.2.1), config/http/war/webconsole-base/webconsole/ssh/management (2.2.2), hazelcast/hazelcast-monitor (1.9.3), cellar/celar-webconsole (2.2.1), activemq/activemq-spring/activemq-web-console (5.5.0), jetty (7.4.2.v20110526), default karaf jetty configuration.
> Reporter: Gareth Collins
> Priority: Minor
> Attachments: SpringSecurityExtTest.tar.gz, SpringSecurityExtTest.war, SpringSecurityTest.jar.gz, SpringSecurityTest.war
>
>
> Hello,
> This issue has been initiated from a thread in the karaf user forum:
> http://karaf.922171.n3.nabble.com/Mixing-Jetty-Security-and-Spring-Security-In-Karaf-tc3202093.html
> I created a simple web application (which I hope I can attach) with two locations secured with spring security configured for basic authentication:
> http://localhost:8181/sst/index.html - static web page
> http://localhost:8181/sst/sst - executes a test servlet
> To reproduce the jetty exception, I:
> (1) First connect to http://localhost:8181/sst/index.html - a 401 response is returned and I enter username "rod", password "koala" ("rod" is a valid user in my sample app). The index.html page "Hello OSGi World" is displayed.
> (2) Now I repoint my browser at the servlet http://localhost:8181/sst/sst. I get through to my servlet page which displays "Hello OSGi World Servlet. User Principle = ". Whilst the page is displayed correctly I also see the following exception from Jetty:
> 14:58:52,909 | WARN | 56-57 - /sst/sst | log | .eclipse.jetty.util.log.Slf4jLog 50 | 46 - org.eclipse.jetty.util - 7.4.2.v20110526 | EXCEPTION
> javax.security.auth.login.FailedLoginException: User rod does not exist
>     at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:98)
>     at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[karaf-jaas-boot.jar:]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.6.0_26]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)[:1.6.0_26]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)[:1.6.0_26]
>     at java.lang.reflect.Method.invoke(Method.java:597)[:1.6.0_26]
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)[:1.6.0_26]
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)[:1.6.0_26]
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>     at java.security.AccessController.doPrivileged(Native Method)[:1.6.0_26]
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.6.0_26]
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)[:1.6.0_26]
>     at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)[59:org.eclipse.jetty.plus:7.4.2.v20110526]
>     at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:77)[53:org.eclipse.jetty.security:7.4.2.v20110526]
>     at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:100)[53:org.eclipse.jetty.security:7.4.2.v20110526]
>     at org.eclipse.jetty.server.Request.getAuthType(Request.java:353)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at javax.servlet.http.HttpServletRequestWrapper.getAuthType(HttpServletRequestWrapper.java:59)[43:org.apache.geronimo.specs.geronimo-servlet_2.5_spec:1.1.2]
>     at javax.servlet.http.HttpServletRequestWrapper.getAuthType(HttpServletRequestWrapper.java:59)[43:org.apache.geronimo.specs.geronimo-servlet_2.5_spec:1.1.2]
>     at com.mytestcompany.sst.SSTServlet.service(SSTServlet.java:36)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)[43:org.apache.geronimo.specs.geronimo-servlet_2.5_spec:1.1.2]
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:538)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1352)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)[752:com.mytestcompany.spring-security-test:1.0.0]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1323)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.ops4j.pax.web.service.internal.WelcomeFilesFilter.doFilter(WelcomeFilesFilter.java:169)[62:org.ops4j.pax.web.pax-web-runtime:1.0.4]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1323)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:476)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:70)[63:org.ops4j.pax.web.pax-web-jetty:1.0.4]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:480)[53:org.eclipse.jetty.security:7.4.2.v20110526]
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:116)[63:org.ops4j.pax.web.pax-web-jetty:1.0.4]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)[54:org.eclipse.jetty.servlet:7.4.2.v20110526]
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:72)[63:org.ops4j.pax.web.pax-web-jetty:1.0.4]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.Server.handle(Server.java:342)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1048)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:601)[48:org.eclipse.jetty.http:7.4.2.v20110526]
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:214)[48:org.eclipse.jetty.http:7.4.2.v20110526]
>     at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411)[52:org.eclipse.jetty.server:7.4.2.v20110526]
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535)[47:org.eclipse.jetty.io:7.4.2.v20110526]
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)[47:org.eclipse.jetty.io:7.4.2.v20110526]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529)[46:org.eclipse.jetty.util:7.4.2.v20110526]
>     at java.lang.Thread.run(Thread.java:680)[:1.6.0_26]
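
Added example, not part of the original message or of the Karaf project: a small Python triage script that reads a stack trace like the one quoted above and reports whether a container-level JAAS login ran inside Spring Security's filter chain, and which servlet API call and application frame triggered it. The sample trace is abridged from the frames in this issue; the package-prefix lists and the function names are assumptions of this example.

```python
import re

# Constructed sample: frames abridged from the trace in this issue, innermost first.
SAMPLE_TRACE = """\
javax.security.auth.login.FailedLoginException: User rod does not exist
    at org.apache.karaf.jaas.modules.properties.PropertiesLoginModule.login(PropertiesLoginModule.java:98)
    at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:203)[59:org.eclipse.jetty.plus:7.4.2.v20110526]
    at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:77)
    at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:100)
    at org.eclipse.jetty.server.Request.getAuthType(Request.java:353)
    at javax.servlet.http.HttpServletRequestWrapper.getAuthType(HttpServletRequestWrapper.java:59)
    at com.mytestcompany.sst.SSTServlet.service(SSTServlet.java:36)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:480)
"""

FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.([\w$<>]+)\(([^)]*)\)")
# Assumed prefixes: frames that perform the container (Jetty/Karaf JAAS) login.
CONTAINER_LOGIN = ("org.eclipse.jetty.plus.jaas.",
                   "org.eclipse.jetty.security.authentication.",
                   "org.apache.karaf.jaas.")
# Assumed prefix: the application-level Spring Security filter chain.
APP_AUTH = "org.springframework.security.web."
PLATFORM = ("java.", "javax.", "sun.", "org.eclipse.jetty.")

def parse(trace):
    """Return (exception line, [(class, method, location), ...]), innermost first."""
    lines = trace.strip().splitlines()
    frames = [m.groups() for m in map(FRAME.match, lines[1:]) if m]
    return lines[0].strip(), frames

def analyze(trace):
    """Flag a container login that ran inside the application's own auth filters."""
    exception, frames = parse(trace)
    login = [i for i, f in enumerate(frames) if f[0].startswith(CONTAINER_LOGIN)]
    app = [i for i, f in enumerate(frames) if f[0].startswith(APP_AUTH)]
    # Innermost-first order: the login is nested when every login frame sits
    # deeper in the call stack than the first Spring Security filter frame.
    nested = bool(login and app) and max(login) < min(app)
    result = {"exception": exception, "nested": nested,
              "api_call": None, "caller": None}
    if nested:
        outer = frames[max(login) + 1:]
        result["api_call"] = "%s.%s" % outer[0][:2]   # call that woke the container
        for cls, meth, loc in outer:
            if not cls.startswith(PLATFORM):          # first application frame
                result["caller"] = "%s.%s(%s)" % (cls, meth, loc)
                break
    return result

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(key, "=", value)
```
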