@neykov neykov commented Feb 28, 2016

Replace BrooklynPropertiesSecurityFilter with JAX-RS functionality.

Depends on #31, merge together with apache/brooklyn-ui#10


@Path("/")
@Produces(MediaType.APPLICATION_JSON)
public class HaMasterCheckResource {
Contributor

maybe call this TestingHaMasterCheckResource (or even DummyTestingResource and change the paths so they don't mimic real ones?)

Member Author

Renamed with a Testing prefix at neykov@25ff234. Can't use the more generic name because there are a few of them.

/server/shutdown needs to be fixed, because it's testing HaHotCheckResourceFilter.isMasterRequiredForRequest behaviour. The other paths are made up.

ahgittin commented Mar 7, 2016

Looks reasonable. Should we deprecate the old mechanism for handling logout, or at least comment pointing to the new one?

neykov commented Mar 7, 2016

Previous logout mechanism lives at BrooklynPropertiesSecurityFilter which is now deprecated and not used.

@neykov neykov force-pushed the jetty-jaas branch 2 times, most recently from 1d488ad to a8b2c01 on March 7, 2016 11:55
neykov commented Mar 7, 2016

Added two additional commits addressing problems that came up during testing.

neykov commented Mar 9, 2016

Fixed newly introduced conflicts here and #31

@neykov neykov changed the title from "Support JAAS auth in Jetty" to "[OSGi] Support JAAS auth in Jetty" Mar 10, 2016
neykov commented Mar 10, 2016

Triggering a rebuild

@neykov neykov closed this Mar 10, 2016
@neykov neykov reopened this Mar 10, 2016
neykov commented Mar 11, 2016

Jenkins didn't even start a build for this one, weird. #55 includes the changes from here and is successful.

@m4rkmckenna

Tested this along with #31 & #55 ... noticed the following

Works as expected with the following in your brooklyn.properties

brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.AnyoneSecurityProvider

OR

brooklyn.webconsole.security.users=superAdmin
brooklyn.webconsole.security.user.superAdmin.password=5up3r4dm1n

but leaving the above out, org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider is never invoked, so you end up with the below error when login is attempted

2016-03-16 15:13:17,521 | INFO  | qtp26227812-675  | DelegatingSecurityProvider       | 55 - org.apache.brooklyn.rest-resources - 0.9.0.SNAPSHOT | REST using security provider org.apache.brooklyn.rest.security.provider.ExplicitUsersSecurityProvider
2016-03-16 15:13:17,521 | WARN  | qtp26227812-675  | ExplicitUsersSecurityProvider    | 55 - org.apache.brooklyn.rest-resources - 0.9.0.SNAPSHOT | REST has no users configured; no one will be able to log in!

neykov added 9 commits March 17, 2016 15:24
An implementation of a JAAS LoginModule, delegating to the SecurityProvider configured in brooklyn.properties. Used as the authentication mechanism for the REST API when running in Karaf.
Currently configured as a separate realm, used only for web.
* Implement an OSGi fragment so PAX-WEB code can load Jetty classes dynamically
* Default jetty.xml for karaf, registering the BrooklynLoginModule JAAS implementation
* Register JaasLoginService programmatically in classical launcher
* Add support for roles in BrooklynLoginModule
* Register a default jaas.conf for classical launcher if one is not already registered externally
* Configure Karaf Jetty to listen on port 8081
…ourceFilter (JAX-RS)

Move over missing functionality and deprecate HaMasterCheckFilter.
Support adding the provider in web.xml files. If no management context passed in the constructor look for it in the servlet context.
…into various JAX-RS parts

* LogoutApi & LogoutResource
* RequestTaggingRsFilter - still need a servlet version of it because of the LoggingFilter, so get the tag from the request if one is present, generate otherwise
* EntitlementContextFilter - initialise thread request entitlements
* Support identical functionality in Jersey
* Deprecate BrooklynPropertiesSecurityFilter
Instead add a new property skipSecurity corresponding to the "--noConsoleSecurity" cli option.
Explicitly disable web server authentication for tests that don't need it.
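
The first commit message above describes a JAAS LoginModule that delegates authentication to a configured provider and attaches roles. The pattern is shown here as an added example, not code from this pull request or from Brooklyn: CredentialChecker, DelegatingLoginModule, the two principal records and the "role" option are hypothetical names, and Java 16 or later is assumed for records.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical delegate; NOT Brooklyn's real SecurityProvider signature. */
interface CredentialChecker { boolean authenticate(String user, char[] password); }
/** Separate principal types let the container tell a user from a role. */
record UserPrincipal(String getName) implements Principal {}
record RolePrincipal(String getName) implements Principal {}

/** JAAS module that delegates the credential check (all names here are assumptions). */
public class DelegatingLoginModule implements LoginModule {
    static CredentialChecker checker = (u, p) -> false; // rejects everyone until one is set
    private Subject subject;
    private CallbackHandler handler;
    private String role, user;                          // user is set only by a successful login()

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
        role = Objects.toString(opts.get("role"), "user"); // "role" is a hypothetical option name
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {name, pass}); }
        catch (Exception e) { throw new LoginException("cannot obtain credentials: " + e.getMessage()); }
        char[] pw = pass.getPassword();                 // a copy; null when none was supplied
        pass.clearPassword();
        boolean ok = name.getName() != null && pw != null && checker.authenticate(name.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');          // wipe our copy of the secret
        if (!ok) throw new FailedLoginException("authentication failed");
        user = name.getName();
        return true;
    }
    @Override public boolean commit() {
        if (user == null) return false;                 // login() did not succeed: add nothing
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {                 // drop only the principal types added here
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        user = null;
        return true;
    }
}
```
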
neykov commented Mar 17, 2016

Thanks for testing this @m4rkmckenna. Addressed comment in #69 (not directly related to this PR).

neykov commented Mar 17, 2016

Also rebased all related PRs to resolve merge conflicts.

ahgittin added a commit to ahgittin/brooklyn-server that referenced this pull request Mar 28, 2016
@asfgit asfgit merged commit 084c147 into apache:master Mar 30, 2016
@neykov neykov deleted the jetty-jaas branch March 30, 2016 14:56
grkvlt pushed a commit to grkvlt/brooklyn-server that referenced this pull request Jun 12, 2017
Add a Riak backed web cluster upon swarm, and unit tests.