Bump jolokia-war from 1.3.3 to 1.7.1 (#6907)

* Bump jolokia-war from 1.3.3 to 1.7.1

Bumps jolokia-war from 1.3.3 to 1.7.1.

---
updated-dependencies:
- dependency-name: org.jolokia:jolokia-war
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

* Adding HashLoginService to jolokia.xml
* Fixing typo in FQCN for Jetty Password utility
* Using logger to print warning, not ServletContext.log() as it causes an NPE.

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

demos/demo-jetty-webapp/src/test/resources/test-realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

demos/demo-spec/demo-spec-webapp/src/etc/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

demos/embedded/src/main/resources/demo/demo-realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

jetty-deploy/src/test/resources/etc/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

jetty-home/src/main/resources/modules/demo.d/demo-realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

jetty-home/src/main/resources/modules/jolokia.mod

@@ -17,6 +17,7 @@ etc/jolokia.xml
 [files]
 maven://org.jolokia/jolokia-war/${jolokia.version}/war|lib/jolokia/jolokia.war
 basehome:modules/jolokia/jolokia.xml|etc/jolokia.xml
+basehome:modules/jolokia/jolokia-realm.properties|etc/jolokia-realm.properties
 
 [ini]
 jolokia.version?=@jolokia.version@

jetty-home/src/main/resources/modules/jolokia/jolokia-realm.properties

@@ -0,0 +1,31 @@
+#
+# ========================================================================
+# Copyright (c) 1995-2022 Mort Bay Consulting Pty Ltd and others.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+# ========================================================================
+#
+
+#
+# This file defines users passwords and roles for a HashUserRealm
+#
+# The format is
+#  <username>: <password>[,<rolename> ...]
+#
+# Passwords may be clear text, obfuscated or checksummed.  The class
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
+# passwords or password checksums
+#
+# If DIGEST Authentication is used, the password must be in a recoverable
+# format, either plain text or OBF:.
+
+# - Example using MD5 for digest auth (The credential is a MD5 hash of username:realmname:password)
+# jolokia:MD5:164c88b302622e17050af52c89945d44,jolokia
+
+# - Example using plaintext
+# jolokia:jetty,jolokia

jetty-home/src/main/resources/modules/jolokia/jolokia.xml

@@ -10,6 +10,24 @@
         <Set name="extractWAR">true</Set>
         <Set name="copyWebDir">false</Set>
         <Set name="defaultsDescriptor"><Property name="jetty.home" default="."/>/etc/webdefault.xml</Set>
+
+        <!-- comment out this section when you have security configured -->
+        <Call class="org.slf4j.LoggerFactory" name="getLogger">
+          <Arg>org.eclipse.jetty</Arg>
+          <Call name="warn">
+            <Arg>The jolokia webapp is deployed, but does not have users and security configured. (see ${jetty.base}/etc/jolokia.xml)</Arg>
+          </Call>
+        </Call>
+
+        <Get name="securityHandler">
+          <Set name="loginService">
+            <New class="org.eclipse.jetty.security.HashLoginService">
+              <Set name="name">Jolokia Realm</Set>
+              <!-- Edit the contents ot the etc/jolokia-realm.properties -->
+              <Set name="config"><Property name="jetty.base" default="."/>/etc/jolokia-realm.properties</Set>
+            </New>
+          </Set>
+        </Get>
       </New>
     </Arg>
   </Call>

jetty-osgi/test-jetty-osgi/src/test/config/etc/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

jetty-security/src/test/resources/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java

@@ -29,7 +29,7 @@
  * </pre>
  *
  * Passwords that begin with OBF: are de obfuscated. Passwords can be obfuscated
- * by run org.eclipse.util.Password as a main class. Obfuscated password are
+ * by run {@link org.eclipse.jetty.util.security.Password} as a main class. Obfuscated password are
  * required if a system needs to recover the full password (eg. so that it may
  * be passed to another system). They are not secure, but prevent casual
  * observation.

pom.xml

@@ -95,7 +95,7 @@
     <jnr-ffi.version>2.2.11</jnr-ffi.version>
     <jnr-posix.version>3.1.15</jnr-posix.version>
     <jnr-unixsocket.version>0.38.17</jnr-unixsocket.version>
-    <jolokia.version>1.3.3</jolokia.version>
+    <jolokia.version>1.7.1</jolokia.version>
     <json-simple.version>1.1.1</json-simple.version>
     <json-smart.version>2.4.8</json-smart.version>
     <jsp.impl.version>9.0.52</jsp.impl.version>

tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/ThirdPartyModulesTests.java

@@ -138,8 +138,8 @@ public void testjolokia() throws Exception
 
                 startHttpClient();
                 ContentResponse response = client.GET("http://localhost:" + httpPort + "/jolokia");
-                assertEquals(HttpStatus.OK_200, response.getStatus(), new ResponseDetails(response));
-                assertThat(response.getContentAsString(), containsString("\"agentType\":\"servlet\""));
+                // default is no users specified, so this will return a 401.
+                assertEquals(HttpStatus.UNAUTHORIZED_401, response.getStatus(), new ResponseDetails(response));
             }
         }
     }

tests/test-distribution/src/test/resources/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

tests/test-integration/src/test/resources/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

tests/test-quickstart/src/test/resources/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable

tests/test-sessions/test-mongodb-sessions/src/test/resources/realm.properties

@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable