Enabling authentication realm in jetty 8 - authentication

I tried to follow the official tutorial to enable MD5 authentication for my only web-app running on Jetty. Nginx manages SSL and redirects to Jetty.
I placed
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">My Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
in jetty.xml, and the content of realm.properties is:
test: MD5:098f6bcd4621d373cade4e832627b4f6,user
In the tutorial they do not say where to assign the realm to a context, so I don't know where to place this:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="realmName">My Realm</Set>
</Get>
</Configure>
I tried to put it in jetty-context.xml and in web.xml, but it is still not working. I receive a 502 (Bad Gateway) when I place this in jetty.xml; in the other cases I get a normal JSON result from the web service. (Shouldn't I get a 503 - not authorized?)

A "Context XML File" (as outlined in Configuring Security Realms) refers to webapp deployment using the ContextProvider (enabled by default in jetty-distribution).
This deploys webapps by using an XML file, usually found in ${jetty.home}/contexts/, with a description of where that webapp is located on disk and some details on how you want that webapp deployed.
You can also use WEB-INF/jetty-web.xml to embed this Context configuration within your WAR file.
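The context file the answer refers to, assembled as a complete file for the realm from the question, together with the web.xml constraint that actually makes the container challenge a request. This is an added example, not code from the original posts; the file name, context path, WAR location and resource name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- ${jetty.home}/contexts/myapp.xml (file name, context path and WAR path are assumptions) -->
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/myapp</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/myapp.war</Set>
  <!-- bind this context's security handler to the HashLoginService named "My Realm" in jetty.xml -->
  <Get name="securityHandler">
    <Set name="realmName">My Realm</Set>
  </Get>
</Configure>

<!-- WEB-INF/web.xml fragment: without a security-constraint nothing is protected and the
     service answers normally; with it, an unauthenticated request gets a 401 challenge -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole service</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "user" is the role given to the "test" account in realm.properties -->
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Realm</realm-name>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
```

The realm-name in login-config must match the name given to the HashLoginService, and the role listed in auth-constraint must match a role assigned in realm.properties, or every login is rejected.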


Jetty - ipaccess per connector?

Let's say I am enabling the ipaccess module on jetty:
jetty-ipaccess.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- =============================================================== -->
<!-- The IP Access Handler -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="insertHandler">
<Arg>
<New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
<Set name="white">
<Array type="String">
<Item>127.0.0.1</Item>
<Item>192.168.1.168</Item>
</Array>
</Set>
<Set name="whiteListByPath">false</Set>
</New>
</Arg>
</Call>
</Configure>
Then I enable it with jetty/home/start.jar --add-to-start=ipaccess
But I want this filter to only apply to the http connector. I do not want it to apply to my https connector.
How do I configure it so that it only affects the http module, not the https module?
NOTE: In Jetty 10 this ipaccess module is replaced with another module:
https://github.com/eclipse/jetty.project/commit/3a4da94e1a69ee4c9cd3c936f50d58ee3440188e
The answer is that this is not yet possible, because assigning an IPAccessHandler or InetAccessHandler is only possible when you use the programmatic version of Jetty, not when you are starting it with start.jar.
So I created issue: https://github.com/eclipse/jetty.project/issues/3562
I created a PR to fix this: https://github.com/eclipse/jetty.project/pull/3572
And gregw on GitHub took it and extended it here: https://github.com/eclipse/jetty.project/pull/3576
Once this is in a 9.4.x release I'll be all set.

How to configure jetty to request client certificate for specified resources?

sslConfig:
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath">../conf/jetty/etc/keystore</Set>
<Set name="KeyStorePassword">secretpass</Set>
<Set name="KeyManagerPassword">test</Set>
<Set name="TrustStorePath">../conf/jetty/etc/truststore</Set>
<Set name="TrustStorePassword">secretpass</Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="NeedClientAuth">true</Set>
<Set name="WantClientAuth">true</Set>
</New>
Setting NeedClientAuth to true requires the client to provide a certificate for all resources. But in my case I want to request a certificate only for specified resources.
For example, I need to request a certificate for /resource1/*
and use just HTTPS for /resource2/*.
How can I achieve this?
Not possible, as the SSL/TLS negotiation step occurs way before the request is actually made.
No web server can apply different SSL/TLS rules based on the resource being requested, as the information present in the http request hasn't even been sent yet at the time of the SSL/TLS negotiation.
If this is important, set up 2 different ServerConnectors, on different ports.
ServerConnector with Client Auth - the /resource1/* content is served from here
ServerConnector without Client Auth - all other web resources that don't need the client auth requirement (and which doesn't even have the /resource1/* content)
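The two-connector layout the answer recommends, written as a Jetty 9.x XML fragment. This is an added example, not the answerer's code: the keystore paths and passwords come from the question, while the ports, ids and the Jetty version are assumptions.

```xml
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- Port 8443 handshake: the client must present a certificate chained to the trust store -->
  <New id="mtlsContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">../conf/jetty/etc/keystore</Set>
    <Set name="KeyStorePassword">secretpass</Set>
    <Set name="TrustStorePath">../conf/jetty/etc/truststore</Set>
    <Set name="TrustStorePassword">secretpass</Set>
    <Set name="NeedClientAuth">true</Set>
  </New>
  <!-- Port 8444 handshake: server authentication only, no client certificate asked for -->
  <New id="tlsContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">../conf/jetty/etc/keystore</Set>
    <Set name="KeyStorePassword">secretpass</Set>
    <Set name="NeedClientAuth">false</Set>
  </New>
  <!-- Connector for /resource1/*: TLS first, then HTTP/1.1 over it (port is an assumption) -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item><New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="mtlsContextFactory"/></Arg>
            </New></Item>
            <Item><New class="org.eclipse.jetty.server.HttpConnectionFactory"/></Item>
          </Array>
        </Arg>
        <Set name="port">8443</Set>
      </New>
    </Arg>
  </Call>
  <!-- Connector for everything else, e.g. /resource2/* (port is an assumption) -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item><New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="tlsContextFactory"/></Arg>
            </New></Item>
            <Item><New class="org.eclipse.jetty.server.HttpConnectionFactory"/></Item>
          </Array>
        </Arg>
        <Set name="port">8444</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

Deploy only the webapp that serves /resource1/* behind the 8443 connector; in Jetty 9 a context can be pinned to a connector by giving the connector a name (`<Set name="name">mtls</Set>`) and listing `@mtls` in that context's virtualHosts.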

Custom resources equivalent to jetty JNDI resource

I have a web application which until now has been deployed to a Jetty server, but now, in order to use other Java EE services, I'm shifting to the Payara (GlassFish) container. However, I can't find how to provide additional JNDI resources as configuration to Payara.
Currently I have some resources like this defined in my jetty's context.xml file:
<New id="some_resource" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg>
<Ref refid='wac'/>
</Arg>
<Arg>resource/path</Arg>
<Arg>
<New class="com.example.some.Class">
<!-- constructor parameters -->
<Arg type="java.lang.String">some string</Arg>
<Arg type="java.lang.Integer">0</Arg>
</New>
</Arg>
</New>
This simply calls the custom class constructor with the given parameters and puts the result at the given resource/path address.
Is it possible to do this in Payara Micro?
It's possible to create a custom resource that is exposed via JNDI, though GlassFish/Payara support only primitive types by default. For other types you would need to add a custom factory in the server classpath.
Custom resources in Payara/GlassFish are defined in domain.xml, in the element custom-resource. The best way to define a custom resource is either using the Admin Console (Resources -> JNDI -> Custom resources) or the asadmin command.
For a string value "some string" under the JNDI name resource/path, the asadmin command would look like this:
asadmin> create-custom-resource --restype java.lang.String --factoryclass org.glassfish.resources.custom.factory.PrimitivesAndStringFactory --property value="some string" "resource/path"
In Payara Micro, you can either pass domain.xml using --domainConfig argument, or you can execute the same asadmin command from within your application, using PayaraMicroRuntime.run() (documented here)

Apache Solr - Unable to access admin page

On Mac Snow Leopard, I have installed Apache Solr 4.2.0 using brew and triggered the server using the command below:
Usage: $ solr path/to/config/dir
When I try to access the admin page in the browser using the link below, the page shows a SolrCore Initialization failure as below:
http://localhost:8983/solr/admin
collection1: org.apache.solr.common.SolrException:org.apache.solr.common.SolrException: Could not load config for solrconfig.xml
The page also has this message:
There are no SolrCores running.
Using the Solr Admin UI currently requires at least one SolrCore.
Any help regarding this is greatly appreciated.
In the root of the Solr config directory, there is a file called solr.xml. This file configures Solr cores. The file might contain:
<cores adminPath="/admin/cores" host="${host:}" hostPort="${jetty.port:}" hostContext="${hostContext:}" zkClientTimeout="${zkClientTimeout:15000}">
<core default="true" name="auction" instanceDir="auctionConfigDir" />
</cores>
The important point is to match instanceDir="auctionConfigDir" with the actual path/to/config/dir. If Solr can't find the location of your configuration files, it won't be able to start a core.
sudo vim /opt/solr-4.8.1/example/etc/jetty.xml
change
<!-- This connector is currently being used for Solr because it
showed better performance than nio.SelectChannelConnector
for typical Solr requests. -->
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.bio.SocketConnector">
<Set name="host">127.0.0.1</Set>
<Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
<Set name="maxIdleTime">50000</Set>
<Set name="lowResourceMaxIdleTime">1500</Set>
<Set name="statsOn">false</Set>
</New>
</Arg>
</Call>
to
<!-- This connector is currently being used for Solr because it
showed better performance than nio.SelectChannelConnector
for typical Solr requests. -->
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.bio.SocketConnector">
<Set name="host">0.0.0.0</Set>
<Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
<Set name="maxIdleTime">50000</Set>
<Set name="lowResourceMaxIdleTime">1500</Set>
<Set name="statsOn">false</Set>
</New>
</Arg>
</Call>
then
sudo service solrd restart

Configuring DataSources with IDEA IntelliJ Jetty Plugin (jetty-env.xml)

I'm trying to get started with the IDEA IntelliJ Jetty Plugin. In our application we use a JNDI DataSource to access the actual database.
For development, therefore, we generate a jetty-env.xml and include it in the WEB-INF directory during development deploys:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
<!-- Add a JNDI resource -->
<New class="org.mortbay.jetty.plus.naming.Resource">
<Arg>datasource_pbv</Arg>
<Arg>
<New class="org.apache.commons.dbcp.BasicDataSource">
<Set name="DriverClassName">oracle.jdbc.driver.OracleDriver</Set>
<Set name="Url">jdbc:oracle:thin:@dbserver:1521:DATABASE</Set>
<Set name="Username">user</Set>
<Set name="Password">pass</Set>
</New>
</Arg>
</New>
</Configure>
I reconfigured the Jetty WebAppDeployer in jetty.xml so that it uses org.mortbay.jetty.plus.webapp.EnvConfiguration, which reads and processes the jetty-env.xml:
<Configure id="Server" class="org.mortbay.jetty.Server">
...
<Array id="plusConfig" type="java.lang.String">
<Item>org.mortbay.jetty.webapp.WebInfConfiguration</Item>
<Item>org.mortbay.jetty.plus.webapp.EnvConfiguration</Item>
<Item>org.mortbay.jetty.plus.webapp.Configuration</Item>
<Item>org.mortbay.jetty.webapp.JettyWebXmlConfiguration</Item>
<Item>org.mortbay.jetty.webapp.TagLibConfiguration</Item>
</Array>
...
<Call name="addLifeCycle">
<Arg>
<New class="org.mortbay.jetty.deployer.WebAppDeployer">
...
<Set name="configurationClasses"><Ref id="plusConfig"/></Set>
</New>
</Arg>
</Call>
...
</Configure>
Unfortunately this doesn't work with the IDEA Jetty plugin. The IDEA Jetty Plugin generates a context-config.xml and a subsequent war-exploded.xml, which does not add the EnvConfiguration. Therefore the jetty-env.xml is ignored when deploying with the Jetty IDEA Plugin.
How can I make this work, or are there other ways to provide custom JNDI entries when deploying using the IDEA Jetty Plugin?
I haven't checked myself, but since IDEA Jetty integration relies on ContextDeployer, the following should work (if added to jetty.xml):
<Call name="addLifeCycle">
<Arg>
<New class="org.mortbay.jetty.deployer.ContextDeployer">
...
<Set name="configurationClasses"><Ref id="plusConfig"/></Set>
</New>
</Arg>
</Call>