Servlet security genericheader auth #463

Closed
wants to merge 2 commits into from

4 participants

@jsight

Do not merge yet

  • Please review... this is a quickstart from (glamperi@redhat.com). I have simply modified the README and pom to more closely match the other quickstarts, and added a unit test.
@sgilda sgilda commented on an outdated diff Mar 28, 2013
servlet-security-genericheader-auth/README.md
@@ -0,0 +1,107 @@
+servlet-security-genericheader-auth: Authenticate via external SSO system using HTTP request headers
+====================
+Author: Sherif F. Makary
+
@sgilda
sgilda added a note Mar 28, 2013

This is missing some metadata tags:
Level:
Technologies:
Summary: (this will be displayed in a generated table)
Target Product: EAP
Source: https://github.com/jboss-jdf/jboss-as-quickstart/

@sgilda sgilda and 1 other commented on an outdated diff Mar 28, 2013
servlet-security-genericheader-auth/README.md
@@ -0,0 +1,107 @@
+servlet-security-genericheader-auth: Authenticate via external SSO system using HTTP request headers
+====================
+Author: Sherif F. Makary
+
+
+What is it?
+-----------
+
+This example demonstrates the use of a custom request Valve that provides HTTP authentication based upon a provided HTTP header and cookie.
+
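
Review bot: the "What is it?" paragraph should state the trust boundary this design depends on. The username header is only meaningful when the request arrived from the SSO proxy, so the README needs to say that the application must not be reachable directly and that the trustedHosts option configured later (127.0.0.1) is what enforces that; without that sentence a reader will deploy it with a forged-header hole. It would also help to say what a Valve is (a JBoss Web/Tomcat request-pipeline component), since the term is not self-explanatory.
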
@sgilda
sgilda added a note Mar 28, 2013

I have never heard of a 'custom request Valve'. I understand pulling information from cookies and the request header, but have never heard the term valve. ;-)

Can you expand a little on this?

@jsight
jsight added a note Apr 16, 2013

I have updated the README to further clarify. However, there will be more updates shortly, as I am updating the quickstart based upon feedback from Gary.

@sgilda

I ran this through the QS Tool checker and it reports quite a few errors with formatting, mainly tabs and incorrect indentation. Can you run this through the QS Tool checker and fix any errors? You can find more information on how to run the tool here: https://github.com/jboss-jdf/jboss-as-quickstart/blob/master/CONTRIBUTING.md

@sgilda sgilda commented on an outdated diff May 8, 2013
servlet-security-genericheader-auth/README.md
+
+System requirements
+-------------------
+
+All you need to build this project is Java 6.0 (Java SDK 1.6) or better and Maven 3.0 or better.
+
+The application this project produces is designed to be run on JBoss Enterprise Application Platform 6 or JBoss AS 7.
+
+
+Configure Maven
+---------------
+
+If you have not yet done so, you must [Configure Maven](../README.md#mavenconfiguration) before testing the quickstarts.
+
+
+Add the GenericHeaderAuth Security Domain
@sgilda
sgilda added a note May 8, 2013

For consistency with the other quickstarts that configure the server using the jboss-cli command, would you mind changing this to:

Configure the JBoss Enterprise Application Platform 6.1 server or JBoss AS 7.2 server

@sgilda sgilda commented on an outdated diff May 8, 2013
servlet-security-genericheader-auth/README.md
+
+
+Configure Maven
+---------------
+
+If you have not yet done so, you must [Configure Maven](../README.md#mavenconfiguration) before testing the quickstarts.
+
+
+Add the GenericHeaderAuth Security Domain
+---------------
+
+This quickstart requires a custom security domain be enabled in order to trust the remote proxy server's username header.
+
+To setup the GenericHeaderAuth security domain, take the following steps:
+
+1. Open a command line and navigate to the root of the JBoss server directory.
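
Review bot: two wording fixes in this hunk. "requires a custom security domain be enabled" needs "that" ("requires that a custom security domain be enabled"), and "To setup" should be "To set up" (the verb). Step 1 should also say what the reader will do from the server directory, since it currently ends without an action.
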
@sgilda
sgilda added a note May 8, 2013

You must start the server before you can issue the CLI commands.

Configure the JBoss Enterprise Application Platform 6.1 server or JBoss AS 7.2 server

  1. Start the JBoss Enterprise Application Platform 6 or JBoss AS 7 Server by typing the following:

    For Linux:  JBOSS_HOME_SERVER_1/bin/standalone.sh
    For Windows:  JBOSS_HOME_SERVER_1\bin\standalone.bat
    
  2. To start the JBoss CLI tool, open a new command line, navigate to the JBOSS_HOME directory, and type the following:

    For Linux: bin/jboss-cli.sh --connect
    For Windows: bin\jboss-cli.bat --connect
    
  3. At the prompt, enter the following commands

    • Create the security domain.

      /subsystem=security/security-domain=GenericHeaderAuth:add

      You should see:

      {"outcome" => "success"}

    • Configure the security domain:

      /subsystem=security/security-domain=GenericHeaderAuth/authentication=classic:add(login-modules=[{"code" => "org.jboss.security.auth.spi.RemoteHostTrustLoginModule", "flag" => "required", "module-options" => [ ("trustedHosts" => "127.0.0.1"),("roles" => "guest") ] } ])

      You should see:

      {
      "outcome" => "success",
      "response-headers" => {
      "operation-requires-reload" => true,
      "process-state" => "reload-required"
      }
      }

You might want to consider creating a CLI script to save user typing :-)
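A model of what the configuration above grants, added here as an illustration and not code from the quickstart or from JBoss: the login module trusts the proxy-supplied username only when the connection comes from a trustedHosts address and then assigns the configured roles. The header name and the assumption that the check is made on the TCP peer address (not on any forwarded header) are mine.

```python
"""Model of the trust decision behind the GenericHeaderAuth domain.

Constructed illustration, not code from the quickstart or from JBoss: the
login module configured above trusts a username supplied by an upstream
proxy only when the connection comes from a trustedHosts address, and then
assigns the configured roles. The header name and the assumption that the
check is made on the TCP peer address (not on an X-Forwarded-For value)
are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Optional

USERNAME_HEADER = "x-remote-user"      # assumed name of the proxy-set header
TRUSTED_HOSTS = {"127.0.0.1"}          # module-option trustedHosts
ROLES_FOR_TRUSTED = {"guest"}          # module-option roles
SERVLET_ROLES_ALLOWED = {"guest"}      # rolesAllowed on the secured servlet


@dataclass
class Request:
    remote_addr: str                   # peer address of the TCP connection
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup, as HTTP header names are."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value.strip()
        return ""


@dataclass
class Principal:
    name: str
    roles: set


def authenticate(req: Request) -> Optional[Principal]:
    """Accept the username header only from a trusted host.

    A client that reaches the server directly can send any header it likes,
    so from an untrusted peer the header is ignored, not merely validated.
    """
    if req.remote_addr not in TRUSTED_HOSTS:
        return None
    user = req.header(USERNAME_HEADER)
    if not user:
        return None
    return Principal(name=user, roles=set(ROLES_FOR_TRUSTED))


def secured_servlet_status(req: Request, roles_allowed=SERVLET_ROLES_ALLOWED) -> int:
    """HTTP status this model yields for the secured servlet: 200, 401 or 403."""
    principal = authenticate(req)
    if principal is None:
        return 401                     # no trusted identity at all
    if principal.roles.isdisjoint(roles_allowed):
        return 403                     # identified, but not in an allowed role
    return 200


if __name__ == "__main__":
    via_proxy = Request("127.0.0.1", {"X-Remote-User": "alice"})
    direct = Request("10.0.0.5", {"X-Remote-User": "alice"})
    print(secured_servlet_status(via_proxy), secured_servlet_status(direct))
```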

@sgilda sgilda commented on an outdated diff May 8, 2013
servlet-security-genericheader-auth/README.md
+3. Create the security domain:
+/subsystem=security/security-domain=GenericHeaderAuth:add
+
+4. Add the authentication module:
+
+/subsystem=security/security-domain=GenericHeaderAuth/authentication=classic:add(login-modules= \
+[ \
+ { \
+ "code" => "org.jboss.security.auth.spi.RemoteHostTrustLoginModule", \
+ "flag" => "required", \
+ "module-options" => [ \
+ ("trustedHosts" => "127.0.0.1"), \
+ ("roles" => "guest"), \
+ ] \
+ } \
+])
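
Review bot: the backslash line continuations in step 4 do not survive being pasted into the interactive jboss-cli prompt (the echoed input further down in this thread is mangled and ends in "Operation 'add' does not expect any property"). Keep the whole authentication=classic:add operation on one line, as in the single-line form that worked, or ship it as a script run with --file and keep the operation on one line there as well.
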
@sgilda
sgilda added a note May 8, 2013

When I paste this into the jboss-cli prompt, I get this error:
$ bin/jboss-cli.sh --connect
[standalone@localhost:9999 /] /subsystem=security/security-domain=GenericHeaderAuth/authentication=classic:add(login-modules= \
\
{ \
rg.jboss.security.auth.spi.RemoteHostTrustLoginModule", \
\ "flag" => "required",

"module-options" => [ \
\ => "127.0.0.1"),

("roles" => "guest"), \
\
} \
])

Operation 'add' does not expect any property.
[standalone@localhost:9999 /]

I was able to get it to work using the string in my comment above though.

@sgilda sgilda commented on an outdated diff May 8, 2013
servlet-security-genericheader-auth/README.md
+Run tests from JBDS
+-----------------------
+
+To be able to run the tests from JBDS, first set the active Maven profile in project properties to be either 'arq-jbossas-managed' for running on
+managed server or 'arq-jbossas-remote' for running on remote server.
+
+To run the tests, right click on the project or individual classes and select Run As --> JUnit Test in the context menu.
+
+
+Investigate the Console Output
+----------------------------
+
+
+### Maven
+
+Maven prints summary of performed tests into the console:
@sgilda
sgilda added a note May 8, 2013

Maven prints a summary of the performed tests in the console:

@sgilda

When I run mvn clean test -Parq-jbossas-remote, I get this error:

SEVERE: Failed: org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator.testAuthentication
java.lang.NoClassDefFoundError: org/jboss/as/osgi/OSGiConstants
at org.jboss.as.arquillian.service.ArquillianConfig.loadClass(ArquillianConfig.java:112)
....
Caused by: java.lang.ClassNotFoundException: org.jboss.as.osgi.OSGiConstants from [Module "deployment.arquillian-service:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)

I will try to investigate.

@sgilda

@jsight : Does the test run successfully for you against JBoss AS 7.1.1.Final "Brontes"?

@jsight

@sgilda - I have committed updates to the readme to use CLI scripts, as well as an undeploy script. I have not tried it with 7.1.1, but it should work. I expect that the cli commands themselves may fail, though, due to the formatting.

@sgilda

@jsight : I got errors trying to run your JBoss CLI configuration script. I modified the script as follows to get it to run successfully:

    # Batch jboss-cli script to configure the GenericHeaderAuth security domain

    # Start the batch process
    batch

    # Create and configure the security domain
    /subsystem=security/security-domain=GenericHeaderAuth:add
    /subsystem=security/security-domain=GenericHeaderAuth/authentication=classic:add(login-modules=[{"code" => "org.jboss.security.auth.spi.RemoteHostTrustLoginModule", "flag" => "required", "module-options" => [("trustedHosts" => "127.0.0.1"), ("roles" => "guest"),]}])

    # Execute the batch commands
    run-batch

    :reload
@sgilda

I am not able to run the tests. I also can't run the QS Tools utility against your quickstart. Both hang on this statement:

Downloading: http://repo.maven.apache.org/maven2/org/jboss/as/jboss-as-parent/7.1.3.Final/jboss-as-parent-7.1.3.Final.pom

The <version.jboss.as> should be 7.2.0.Final in the pom.xml file.

@sgilda sgilda commented on an outdated diff Jun 10, 2013
servlet-security-genericheader-auth/README.md
+This quickstart requires a custom security domain be enabled in order to trust the remote proxy server's username header.
+
+To setup the GenericHeaderAuth security domain, take the following steps:
+
+1. Start the JBoss Enterprise Application Platform 6 or JBoss AS 7 Server by typing the following:
+
+ For Linux: JBOSS_HOME_SERVER_1/bin/standalone.sh
+ For Windows: JBOSS_HOME_SERVER_1\bin\standalone.bat
+
+2. Open a command line and navigate to the root of the JBoss server directory.
+3. Open a command line, navigate to the root directory of this quickstart, and run the following command to run the script:
+
+ For Linux: JBOSS_HOME/bin/jboss-cli.sh --connect --file=install-security-domain.cli
+ For Windows: JBOSS_HOME\bin\jboss-cli.bat --connect --file=install-security-domain.cli
+
+ You should see "outcome" => "success" for all of the commands.
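
Review bot: step 2 ("Open a command line and navigate to the root of the JBoss server directory") is a leftover from the interactive-CLI version and contradicts step 3, which opens a command line in the quickstart directory and invokes the CLI by its JBOSS_HOME path; drop step 2 and renumber. The hunk also uses JBOSS_HOME_SERVER_1 in step 1 and JBOSS_HOME in step 3 for the same installation, so pick one name.
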
@sgilda
sgilda added a note Jun 10, 2013

The other quickstarts demonstrate 3 ways to configure the server:

    Configure the Security Domain by Running the JBoss CLI Script
    Configure the Security Domain Using the JBoss CLI Interactively
    Configure the Security Domain by Manually Editing the Server Configuration File

Take a look at the ejb-security-interceptors for an example. I'm not sure how important it is to have all methods. The scripts are probably the most important, but it would be a good idea to show the resulting XML that's created in the standalone.xml file:

            <security-domain name="GenericHeaderAuth">
                <authentication>
                    <login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule" flag="required">
                        <module-option name="trustedHosts" value="127.0.0.1"/>
                        <module-option name="roles" value="guest"/>
                    </login-module>
                </authentication>
            </security-domain>
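A check for the resulting configuration, added here as an example and not part of the quickstart: it parses the security subsystem of standalone.xml and reports whether the GenericHeaderAuth domain, its login module and the module-options shown above are present, which catches a CLI run that created the domain but never applied the authentication=classic:add. The XML samples are constructed and the subsystem namespace versions are assumptions.

```python
"""Verify that the GenericHeaderAuth domain really landed in standalone.xml.

Added example, not part of the quickstart: it checks the security subsystem
for the domain, the login module and its module-options, so a CLI run that
created the domain but never applied the authentication=classic:add is
caught before the tests run. The XML samples below are constructed; the
subsystem namespace versions are assumptions.
"""
import xml.etree.ElementTree as ET

EXPECTED = {
    "domain": "GenericHeaderAuth",
    "code": "org.jboss.security.auth.spi.RemoteHostTrustLoginModule",
    "flag": "required",
    "options": {"trustedHosts": "127.0.0.1", "roles": "guest"},
}


def _local(tag: str) -> str:
    """Strip the namespace so the subsystem schema version does not matter."""
    return tag.rsplit("}", 1)[-1]


def check_security_domain(xml_text: str, expected: dict = EXPECTED) -> list:
    """Return findings as strings; an empty list means the domain matches."""
    root = ET.fromstring(xml_text)
    domains = [e for e in root.iter()
               if _local(e.tag) == "security-domain" and e.get("name") == expected["domain"]]
    if not domains:
        return [f"security-domain {expected['domain']} not found"]
    modules = [e for e in domains[0].iter() if _local(e.tag) == "login-module"]
    if not modules:
        # The domain exists but is empty: every caller would be rejected.
        return ["no login-module configured (authentication missing)"]
    module = modules[0]
    findings = []
    if module.get("code") != expected["code"]:
        findings.append(f"login-module code is {module.get('code')!r}")
    if module.get("flag") != expected["flag"]:
        findings.append(f"login-module flag is {module.get('flag')!r}")
    options = {e.get("name"): e.get("value")
               for e in module.iter() if _local(e.tag) == "module-option"}
    for name, value in expected["options"].items():
        if options.get(name) != value:
            findings.append(f"module-option {name} is {options.get(name)!r}, expected {value!r}")
    return findings


def sample_config(domain_body: str) -> str:
    """Wrap a security-domain body in a minimal, constructed standalone.xml."""
    return f"""<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="other" cache-type="default"/>
        <security-domain name="GenericHeaderAuth">{domain_body}</security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>"""


LOGIN_MODULE_BODY = """
  <authentication>
    <login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule" flag="required">
      <module-option name="trustedHosts" value="127.0.0.1"/>
      <module-option name="roles" value="guest"/>
    </login-module>
  </authentication>"""

CONFIGURED = sample_config(LOGIN_MODULE_BODY)   # what the CLI script should produce
DOMAIN_ONLY = sample_config("")                 # only the first :add command applied

if __name__ == "__main__":
    print("configured:", check_security_domain(CONFIGURED) or "ok")
    print("domain only:", check_security_domain(DOMAIN_ONLY))
```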
@sgilda

After I fixed the version-jboss-as in the pom.xml file, the tests still don't work. I see the following errors (repeated as it retries). Do you know what I might be doing wrong?

Jun 10, 2013 10:18:17 AM org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector tryExecute
INFO: I/O exception (org.apache.maven.wagon.providers.http.httpclient.NoHttpResponseException) caught when processing request: The target server failed to respond
Jun 10, 2013 10:18:17 AM org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector tryExecute
INFO: Retrying request

@sgilda

@jsight:
Have you tried this quickstart lately? I thought I would try this again today. I ran the CLI scripts, updated the POM <version.jboss.as> from 7.1.3.Final to 7.2.0.Final, but now I run into a different error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project jboss-as-servlet-security-genericheader-auth: Compilation failure: Compilation failure:
[ERROR] /home/sgilda/GitRepos/quickstart-jdf/servlet-security-genericheader-auth/src/main/java/org/jboss/as/quickstarts/servlet_security_genericheader_auth/SecuredServlet.java:[31,16] error: package org.slf4j does not exist
[ERROR]

@sgilda

@jsight : Sorry. I wasn't clear. The scripts run fine. It's the Maven test command that fails to compile. It failed with version 7.1.3.Final of the JBoss AS BOM. so I tried upgrading it to version 7.2.0.Final. It just fails with a different error.

Can you run the Maven test? I will try it again today.

@jsight

@sgilda - Hmm, I thought I pasted a mvn test in there as well, but I don't see it. Oops. Trying again:

mvn clean test -Parq-jbossas-remote
[INFO] Scanning for projects...
[INFO]

[INFO] ------------------------------------------------------------------------
[INFO] Building JBoss AS Quickstarts: Generic Header Authenticator 7.1.2-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.4.1:clean (default-clean) @ jboss-as-servlet-security-genericheader-auth ---
[INFO] Deleting /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/target
[INFO]
[INFO] --- maven-resources-plugin:2.5:resources (default-resources) @ jboss-as-servlet-security-genericheader-auth ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:2.3.1:compile (default-compile) @ jboss-as-servlet-security-genericheader-auth ---
[INFO] Compiling 2 source files to /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/target/classes
[INFO]
[INFO] --- maven-resources-plugin:2.5:testResources (default-testResources) @ jboss-as-servlet-security-genericheader-auth ---
[debug] execute contextualize
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ jboss-as-servlet-security-genericheader-auth ---
[INFO] Compiling 1 source file to /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/target/test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ jboss-as-servlet-security-genericheader-auth ---
[INFO] Surefire report directory: /home/jsightler/project/jbossoss/jdf/jboss-as-quickstart/servlet-security-genericheader-auth/target/surefire-reports


T E S T S

Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.616 sec

Results :

Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13.200s
[INFO] Finished at: Mon Jun 17 13:04:08 EDT 2013
[INFO] Final Memory: 38M/330M
[INFO] ------------------------------------------------------------------------

@jsight

@sgilda - Also, I will try it with 7.2.0 shortly.

@sgilda

@jsight : What version of the server are you running?

When I run the Maven tests using the code in this pull, I see this error :
Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator
Jun 17, 2013 2:19:50 PM org.jboss.arquillian.protocol.jmx.JMXMethodExecutor invoke
SEVERE: Failed: org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator.testAuthentication
java.lang.NoClassDefFoundError: org/jboss/as/osgi/OSGiConstants
at org.jboss.as.arquillian.service.ArquillianConfig.loadClass(ArquillianConfig.java:112)
at org.jboss.as.arquillian.service.ArquillianService$ExtendedTestClassLoader.loadTestClass(ArquillianService.java:247)
at org.jboss.arquillian.protocol.jmx.JMXTestRunner.runTestMethodInternal(JMXTestRunner.java:125)
at org.jboss.arquillian.protocol.jmx.JMXTestRunner.runTestMethod(JMXTestRunner.java:108)
at org.jboss.as.arquillian.service.ArquillianService$ExtendedJMXTestRunner.runTestMethod(ArquillianService.java:214)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:111)
at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:45)
at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:235)
at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138)
at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:250)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:791)
at org.jboss.as.jmx.PluggableMBeanServerImpl$TcclMBeanServer.invoke(PluggableMBeanServerImpl.java:498)
at org.jboss.as.jmx.PluggableMBeanServerImpl.invoke(PluggableMBeanServerImpl.java:246)
at org.jboss.remotingjmx.protocol.v1.ServerProxy$InvokeHandler.handle(ServerProxy.java:1034)
at org.jboss.remotingjmx.protocol.v1.ServerProxy$MessageReciever$1.run(ServerProxy.java:215)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.ClassNotFoundException: org.jboss.as.osgi.OSGiConstants from [Module "deployment.arquillian-service:main" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
... 23 more

Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 5.218 sec <<< FAILURE!

Results :

Tests in error:
testAuthentication(org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator): org/jboss/as/osgi/OSGiConstants

@sgilda

@jsight : Could I ask a favor. If you have time, would you mind modifying the CLI scripts as follows?

  1. Rename the install-security-domain.cli script to configure-security-domain.cli to be consistent with the other quickstarts.

  2. Modify the contents of that file to include the batch, run-batch, and comments as follows (the second command in your script fails for me):

    # Batch jboss-cli script to configure the GenericHeaderAuth security domain
    
    # Start the batch process
    batch
    
    # Create and configure the security domain
    /subsystem=security/security-domain=GenericHeaderAuth:add
    /subsystem=security/security-domain=GenericHeaderAuth/authentication=classic:add(login-modules=[{"code" => "org.jboss.security.auth.spi.RemoteHostTrustLoginModule", "flag" => "required", "module-options" => [("trustedHosts" => "127.0.0.1"), ("roles" => "guest"),]}])
    
    # Execute the batch commands
    run-batch
    
    :reload
    
  3. Modify the remove-security-domain.cli script to include the batch, run-batch, and comments as follows:

    # Batch jboss-cli script to remove the GenericHeaderAuth security domain
    
    # Start the batch process
    batch
    
    # Remove the security domain
    /subsystem=security/security-domain=GenericHeaderAuth:remove
    
    # Execute the batch commands
    run-batch
    
  4. Also, would you mind squashing the commits?

@jsight

@sgilda - Please try it again... I have pushed an update with 7.2.0.Final that appears to be working.

@sgilda

Aren't the versions different for EAP 6? We usually create the quickstarts for the community with instructions on how to modify them for product. I'll try this against EAP 6.

@jsight

@sgilda - I have checked in the script name and content changes.

@sgilda

@jsight : I tried testing this again with your changes. The scripts now run fine!

When I run the mvn test against jboss-as-7.1.1.Final, it hangs at this point and never completes and I have to kill the JBoss server:

    -------------------------------------------------------
     T E S T S
    -------------------------------------------------------
    Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator

Since you said you tested it against EAP 6.1, I tried running the test against jboss-eap-6.1, but there I get an exception:

    -------------------------------------------------------
     T E S T S
    -------------------------------------------------------
    Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator
    Jun 18, 2013 9:51:45 AM org.jboss.arquillian.protocol.jmx.JMXMethodExecutor invoke
    SEVERE: Failed: org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator.testAuthentication

java.lang.AssertionError: Authentication test connection failed!
at org.junit.Assert.fail(Assert.java:93)
at org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator.testAuthentication(TestGenericHeaderAuthenticator.java:120)

You say this works for you? Do you have any idea what I might be doing wrong?

@sgilda sgilda commented on an outdated diff Jun 18, 2013
servlet-security-genericheader-auth/README.md
+---------------
+
+This quickstart requires a custom security domain be enabled in order to trust the remote proxy server's username header.
+
+To setup the GenericHeaderAuth security domain, take the following steps:
+
+1. Start the JBoss Enterprise Application Platform 6 or JBoss AS 7 Server by typing the following:
+
+ For Linux: JBOSS_HOME_SERVER_1/bin/standalone.sh
+ For Windows: JBOSS_HOME_SERVER_1\bin\standalone.bat
+
+2. Open a command line and navigate to the root of the JBoss server directory.
+3. Open a command line, navigate to the root directory of this quickstart, and run the following command to run the script:
+
+ For Linux: JBOSS_HOME/bin/jboss-cli.sh --connect --file=install-security-domain.cli
+ For Windows: JBOSS_HOME\bin\jboss-cli.bat --connect --file=install-security-domain.cli
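
Review bot: step 1 refers to the installation as JBOSS_HOME_SERVER_1 while step 3 refers to the same installation as JBOSS_HOME; use a single name throughout so the reader does not think two servers are involved.
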
@sgilda
sgilda added a note Jun 18, 2013

The name of the script has changed to configure-security-domain.cli :-)

@jsight

Is your server bound to localhost? Or to a different IP?

@jsight

Unfortunately, without a better way to bring in the dependencies, I don't see a way to fix this for AS 7.1.1. It should work with EAP 6.1, though.

I have added a src/test/resources/test.properties file for configuring the serverUrl, if you are using a non-localhost bind address.

@jsight

(if that isn't the issue, then can you send the sure-fire report output? Perhaps it will have a more detailed stacktrace)

@sgilda

@jsight : Yes, my server is bound to localhost. All the other quickstart tests work fine. With your latest code, it now fails on EAP 6.1 with an authentication error.

Failed tests: testAuthentication(org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator): Authentication test connection failed!

The server log shows this:
07:39:49,671 INFO org.jboss.as.server.deployment JBAS015876: Starting deployment of "jboss-as-servlet-security-genericheader-auth.war" (runtime-name: "jboss-as-servlet-security-genericheader-auth.war")
07:39:49,842 WARN org.jboss.weld.deployer JBAS016012: Deployment deployment "jboss-as-servlet-security-genericheader-auth.war" contains CDI annotations but beans.xml was not found.
07:39:49,853 INFO org.jboss.web JBAS018210: Register web context: /jboss-as-servlet-security-genericheader-auth
07:39:49,979 INFO org.jboss.as.server JBAS018559: Deployed "jboss-as-servlet-security-genericheader-auth.war" (runtime-name : "jboss-as-servlet-security-genericheader-auth.war")
07:39:50,489 INFO org.jboss.arquillian.testenricher.cdi.container.BeanManagerProducer BeanManager not found.
07:39:50,504 INFO stdout --------------------------------------
07:39:50,504 INFO stdout ________________________ DEPLOYMENT URL: http://localhost:8080/
07:39:50,504 INFO stdout --------------------------------------
07:39:50,572 INFO org.jboss.web JBAS018224: Unregister web context: /jboss-as-servlet-security-genericheader-auth
07:39:50,590 INFO org.jboss.as.server.deployment JBAS015877: Stopped deployment jboss-as-servlet-security-genericheader-auth.war (runtime-name: jboss-as-servlet-security-genericheader-auth.war) in 19ms
07:39:50,682 INFO org.jboss.as.repository JBAS014901: Content removed from location /home/sgilda/tools/jboss-eap-6.1/standalone/data/content/b1/bdbdf24cb4103fd192c1731c2e270a4538b553/content
07:39:50,683 INFO org.jboss.as.server JBAS018558: Undeployed "jboss-as-servlet-security-genericheader-auth.war" (runtime-name: "jboss-as-servlet-security-genericheader-auth.war")

I do have a number of users defined on this server that were created for other quickstarts. Am I supposed to define a user for this quickstart? Could there be a conflict?

I can email the reports and logs if you are interested.

I am still not clear why this won't work against 7.1.1.Final.

@sgilda

@jsight : I just tried with a clean EAP 6.1 server and it worked! Could the tests fail if there are users defined by other quickstarts for the server?

Do you know why this doesn't work for AS 7.1.1.Final?

@sgilda

@jsight: I am sorry to be such a pain, but I just want to make sure we're clear how to run it so it works easily for other developers. I think it's a great quickstart. I just need to figure out what I'm doing wrong.

I just tried your latest quickstart updates against a clean AS 7.1.1.Final server, and it still hangs on this call and never comes back:

    -------------------------------------------------------
     T E S T S
    -------------------------------------------------------
    Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator

In the server log, I see this:

    09:11:40,147 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "jboss-as-servlet-security-genericheader-auth.war"
    09:11:40,644 INFO  [org.jboss.web] (MSC service thread 1-4) JBAS018210: Registering web context: /jboss-as-servlet-security-genericheader-auth
    09:11:40,745 INFO  [org.jboss.as.server] (management-handler-thread - 1) JBAS018559: Deployed "jboss-as-servlet-security-genericheader-auth.war"

When you say it works on every server you try, does it work on AS 7.1.1.Final for you? If so, I'll get someone else to try it and if it works for them, it should be good to go.

@jsight

Oh, you're not being a pain at all. I appreciate the feedback, and I totally understand where you are coming from in testing this. We obviously don't want quickstarts that are broken. :) I just (unfortunately) have a very limited number of hours to look into issues with this. :(

I have tried a number of different scenarios, and I haven't been able to make it fail with EAP 6.1. I am not sure what the issue is there. If you can come up with a way to debug that, I'd love to hear it. Honestly, if you could pass me your whole EAP 6.1 instance, I'd be glad to run it here. I'm not sure how hard that would be to send, though.

The AS 7.1.1 hang is related to the dependency on org.jboss.as:jboss-as-web. It brings in a bunch of transitive dependencies that break Arquillian, causing it to hang in a management call when used with 7.1.1. The way I see it, this could be resolved in one of two ways:

  1. Use a big list of dependency exclusions to fix the conflict (somewhat difficult to setup, and very brittle)
  2. Rework the test not to use Arquillian. This should be fairly easy with this test case
  3. Don't use a unit test at all (I don't like this approach, for fairly obvious reasons)

Let me know your thoughts, please.

Thanks,
Jess

@sgilda

@jsight : Hi Jess,

Thanks for putting all this work into the quickstart. I am concerned that it doesn't run against AS 7.1.1.Final as it is currently configured. I will defer to Pete on how he wants to proceed.

@pmuir: What are your thoughts on the 3 options Jess lists in the previous comment?

In the meantime, I will see if I can recreate the "Authentication test connection failed!" with EAP 6.1 so we have a better idea what caused the problem.

Thanks again,
Sande

@sgilda

@jsight :

Problem solved. The version of EAP 6.1 was CR2, not final, and the CLI command was not configuring the login-modules for the GenericAuthHeader domain. Sorry for the confusion.

Now we just need to find out what to do about AS 7.1.1.Final.

Thanks,
Sande

@pmuir
JBoss Developer member

We can just not support it, and point at EAP 6.1?

@sgilda

I'm fine with that as long as we make it clear in the README that it only works on EAP 6.1 and greater.

@jsight : Does that work for you? If you can squash your commits, I don't mind modifying the README for you.

@pmuir: Do you need to do a code review?

@jsight

@sgilda - Commits Squashed! :)

@sgilda

@pmuir: Do you need to review this one?

@pmuir pmuir commented on an outdated diff Jun 21, 2013
servlet-security-genericheader-auth/pom.xml
+ You can actually use this stack with any version of JBoss AS that implements
+ Java EE 6, not just JBoss AS 7! -->
+ <dependency>
+ <groupId>org.jboss.spec</groupId>
+ <artifactId>jboss-javaee-6.0</artifactId>
+ <version>${version.jboss.spec.javaee.6.0}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.bom</groupId>
+ <artifactId>jboss-javaee-6.0-with-logging</artifactId>
+ <version>${version.jboss.bom}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
@pmuir
JBoss Developer member
pmuir added a note Jun 21, 2013

This BOM includes the one above it - no need to specify both. We can also remove the version property for the one above.

@pmuir
JBoss Developer member

@darranl could you review this please?

@jsight jsight Added servlet-security-genericheader-auth QuickStart, based upon code…
… from Gary Lamperillo. Many thanks to him and sgilda for their work on validating and improving this QuickStart.
517d14a
@jsight

I have consolidated it down to the only BOM that it needs (-with-tools).

@jsight

I have removed the unnecessary BOMs.

@sgilda

@darranl will try to get to this next week. He is currently heads down trying to get access control into WildFly alpha.

@jamezp jamezp commented on an outdated diff Aug 6, 2013
servlet-security-genericheader-auth/pom.xml
+ <dependencies>
+ <!-- Import the Servlet API, we use provided scope as the API is included in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.servlet</groupId>
+ <artifactId>jboss-servlet-api_3.0_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-web</artifactId>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.xnio</groupId>
+ <artifactId>xnio-api</artifactId>
+ <version>3.0.7.GA</version>
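Review bot: the `xnio-api` dependency declares a hard-coded `3.0.7.GA` and no `<scope>`, so it defaults to compile scope and is packaged into the WAR, shadowing the XNIO module the server already ships; if the test really needs it, give it `<scope>test</scope>` (or `provided`, like `jboss-as-web` two entries above) and move the version into a property so it can be overridden with the others.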
@jamezp
jamezp added a note Aug 6, 2013

Why do we need XNIO for testing? Also any versions should use properties so they can be overridden.

@jamezp jamezp commented on the diff Aug 6, 2013
...rvlet_security_genericheader_auth/SecuredServlet.java
+@ServletSecurity(@HttpConstraint(rolesAllowed = { "guest" }))
+public class SecuredServlet extends HttpServlet {
+
+ private static Logger log = Logger.getLogger(SecuredServlet.class.getSimpleName());
+
+ private static final String PARAM_UNIT_TEST = "unitTest";
+
+ private static String PAGE_HEADER = "<html><head /><body>";
+
+ private static String PAGE_FOOTER = "</body></html>";
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ PrintWriter writer = resp.getWriter();
+
+ if ("true".equalsIgnoreCase(req.getParameter(PARAM_UNIT_TEST))) {
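Review bot: the `unitTest` request parameter switches a secured servlet into a test-only rendering path, and that path ships inside the deployable WAR; beyond a comment, keep the test-specific output out of the servlet and let the test parse the normal page instead. Two smaller points: `PAGE_HEADER` and `PAGE_FOOTER` are `static` but not `final`, and `Logger.getLogger(SecuredServlet.class.getSimpleName())` drops the package from the logger category, so it collides with any other class of the same simple name and is harder to target in a logging configuration; use `SecuredServlet.class.getName()`.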
@jamezp
jamezp added a note Aug 6, 2013

There should be a comment that states this test is for the example only and should not be used in production.

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+/**
+ * JBAS-2283: Provide custom header based authentication support
+ *
+ * Header Authenticator that deals with userid from the request header Requires
+ * two attributes configured on the Tomcat Service - one for the http header
+ * denoting the authenticated identity and the other is the SESSION cookie
+ *
+ * @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ * @version $Revision$
+ * @since Sep 11, 2006
+ */
+public class GenericHeaderAuthenticator extends ExtendedFormAuthenticator {
+ protected static Logger log = Logger.getLogger(GenericHeaderAuthenticator.class);
+
+ protected boolean trace = log.isTraceEnabled();
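Review bot: the class Javadoc should state the deployment prerequisite that makes this valve safe to use: the identity header is trusted as-is, so the only component allowed to set it is the external SSO front end, and any copy of that header arriving from a client must be stripped before the request reaches this authenticator; without that sentence a reader configuring the quickstart cannot tell that the header is effectively a bearer credential. The `$Revision$` keyword, the `@since Sep 11, 2006` tag and the JBAS-2283 reference are leftovers from the original source and read as stale in a quickstart. Caching `log.isTraceEnabled()` in the `trace` field on the last line freezes the level at construction time, so later changes to the logging configuration are ignored.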
@jamezp
jamezp added a note Aug 6, 2013

This is bad, don't ever ever do this :) It breaks any kind of runtime changes to a logging configuration.

@jamezp jamezp commented on the diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ * JBoss, Home of Professional Open Source
+ * Copyright 2012, Red Hat, Inc. and/or its affiliates, and individual
+ * contributors by the @authors tag. See the copyright.txt in the
+ * distribution for a full listing of individual contributors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jboss.web.tomcat.security;
@jamezp
jamezp added a note Aug 6, 2013

Seems odd to me to use tomcat in the package name. I know JBoss Web is based on Tomcat, but I don't think we should use it in the package name.

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ */
+ public GenericHeaderAuthenticator() {
+ super();
+ }
+
+ public boolean authenticate(Request request, HttpServletResponse response,
+ LoginConfig config) throws IOException {
+ // set remote host value
+ HostThreadLocal.set(request.getRemoteAddr());
+
+ log.trace("Authenticating user");
+
+ Principal principal = request.getUserPrincipal();
+ if (principal != null) {
+ if (trace)
+ log.trace("Already authenticated '" + principal.getName() + "'");
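Review bot: `HostThreadLocal.set(request.getRemoteAddr())` at the top of `authenticate` has no matching clear anywhere in the visible lines; the container reuses its worker threads, so unless the value is removed in a `finally` block the remote address of one request stays attached to the thread for whatever request that thread serves next. Wrap the body in `try { ... } finally { HostThreadLocal.remove(); }` (adding a clearing method to `HostThreadLocal` if it has none). The unguarded `log.trace("Authenticating user")` two lines above the guarded trace also shows the `if (trace)` check is applied inconsistently as well as unnecessarily.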
@jamezp
jamezp added a note Aug 6, 2013

No need to check if trace is enabled. Also this should probably use the vararg version.

log.tracef("Already authenticated '%s'", principal.getName());
@jamezp jamezp commented on the diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ */
+ protected String getUserId(Request request) {
+ String ssoid = null;
+ // We can have a comma-separated ids
+ String ids = "";
+ try {
+ ids = this.getIdentityHeaderId();
+ } catch (JMException e) {
+ if (trace)
+ log.trace("getUserId exception", e);
+ }
+ if (ids == null || ids.length() == 0)
+ throw new IllegalStateException(
+ "Http headers configuration in tomcat service missing");
+
+ StringTokenizer st = new StringTokenizer(ids, ",");
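Review bot: the `catch (JMException e)` logs the failure only at trace level and leaves `ids` as `""`, so the very next check throws `IllegalStateException("Http headers configuration in tomcat service missing")` and a JMX lookup error surfaces as a misleading "configuration missing" message with its cause hidden; either log the exception at warn or error, or rethrow an `IllegalStateException` with `e` as its cause. The message text also still refers to a "tomcat service".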
@jamezp
jamezp added a note Aug 6, 2013

We should be using String.split() here.

final String[] tokens = ids.split(",");
for (String id : tokens) {
    ssoid = request.getHeader(id);
    if (ssoid != null) break;
}
@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ } catch (JMException e) {
+ if (trace)
+ log.trace("getUserId exception", e);
+ }
+ if (ids == null || ids.length() == 0)
+ throw new IllegalStateException(
+ "Http headers configuration in tomcat service missing");
+
+ StringTokenizer st = new StringTokenizer(ids, ",");
+ while (st.hasMoreTokens()) {
+ ssoid = request.getHeader(st.nextToken());
+ if (ssoid != null)
+ break;
+ }
+ if (trace)
+ log.trace("SSOID-" + ssoid);
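Review bot: the loop accepts the first configured header whose value is non-null, so a request that carries the header with an empty value (`request.getHeader` returns `""`) is taken as the SSO id and the remaining header names are never consulted; check `ssoid != null && !ssoid.isEmpty()` (trimming first if appropriate) before breaking. The `log.trace("SSOID-" + ssoid)` line is fine at trace level but should be `log.tracef("SSOID-%s", ssoid)` so the concatenation is not paid for on every request.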
@jamezp
jamezp added a note Aug 6, 2013

Again remove the trace check and use the Logger.tracef() vararg format.

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ }
+
+ /**
+ * Get the username from the request header
+ *
+ * @param request
+ * @return
+ */
+ protected String getUserId(Request request) {
+ String ssoid = null;
+ // We can have a comma-separated ids
+ String ids = "";
+ try {
+ ids = this.getIdentityHeaderId();
+ } catch (JMException e) {
+ if (trace)
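Review bot: the Javadoc leaves `@param request` and `@return` empty; document that the method returns the value of the first configured header, in list order, that is present on the request, or `null` when none is, since callers use that contract to decide whether the request counts as authenticated. The comment "We can have a comma-separated ids" should read "The configured value can be a comma-separated list of header names".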
@jamezp
jamezp added a note Aug 6, 2013

Again, just remove this.

@jamezp jamezp commented on the diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ int numCookies = cookies != null ? cookies.length : 0;
+
+ // We can have comma-separated ids
+ String ids = "";
+ try {
+ ids = this.getSessionCookieId();
+ log.trace("Session Cookie Ids=" + ids);
+ } catch (JMException e) {
+ if (trace)
+ log.trace("checkSessionCookie exception", e);
+ }
+ if (ids == null || ids.length() == 0)
+ throw new IllegalStateException(
+ "Session cookies configuration in tomcat service missing");
+
+ StringTokenizer st = new StringTokenizer(ids, ",");
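Review bot: `getSessionCookieId()` (like `getIdentityHeaderId()` in `getUserId`) declares `JMException` and is called on every request, which implies a JMX attribute lookup per request; resolve both configured values once when the valve starts and fail there if either is empty, so a misconfiguration shows up at deployment rather than as an `IllegalStateException` on the first request. The `log.trace("Session Cookie Ids=" + ids)` inside the `try` is unguarded while the `catch` guards its trace call, one more reason to drop the `trace` field altogether.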
@jamezp
jamezp added a note Aug 6, 2013

Same note here, use String.split().

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ } catch (JMException e) {
+ if (trace)
+ log.trace("checkSessionCookie exception", e);
+ }
+ if (ids == null || ids.length() == 0)
+ throw new IllegalStateException(
+ "Session cookies configuration in tomcat service missing");
+
+ StringTokenizer st = new StringTokenizer(ids, ",");
+ while (st.hasMoreTokens()) {
+ String cookieToken = st.nextToken();
+ String val = getCookieValue(cookies, numCookies, cookieToken);
+ if (val != null)
+ return val;
+ }
+ if (trace)
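Review bot: as in the header loop, `if (val != null) return val` treats an empty cookie value as a valid session identifier, because `getCookieValue` returns whatever the matching cookie holds; skip empty values and keep looking through the remaining configured names, returning `null` only when none carries a value.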
@jamezp
jamezp added a note Aug 6, 2013

Remove check

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ *
+ * @param request
+ * @return
+ */
+ protected String getSessionCookie(Request request) {
+ Cookie[] cookies = request.getCookies();
+ log.trace("Cookies:" + cookies);
+ int numCookies = cookies != null ? cookies.length : 0;
+
+ // We can have comma-separated ids
+ String ids = "";
+ try {
+ ids = this.getSessionCookieId();
+ log.trace("Session Cookie Ids=" + ids);
+ } catch (JMException e) {
+ if (trace)
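Review bot: `log.trace("Cookies:" + cookies)` prints the array's identity (`[Ljavax.servlet.http.Cookie;@...`), not its contents, so the line is noise; if the names help debugging, collect `cookie.getName()` for each entry and pass that list to `log.tracef`, and never include the values, which are session tokens.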
@jamezp
jamezp added a note Aug 6, 2013

remove check

@jamezp jamezp commented on the diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ * Get the value of a cookie if the name matches the token
+ *
+ * @param cookies
+ * array of cookies
+ * @param numCookies
+ * number of cookies in the array
+ * @param token
+ * Key
+ * @return value of cookie
+ */
+ protected String getCookieValue(Cookie[] cookies, int numCookies,
+ String token) {
+ for (int i = 0; i < numCookies; i++) {
+ Cookie cookie = cookies[i];
+ log.trace("Matching cookieToken:" + token + " with cookie name="
+ + cookie.getName());
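Review bot: `numCookies` duplicates `cookies.length` and lets a caller pass a count that disagrees with the array; take the array alone, return `null` early when it is `null`, and iterate with a for-each. The string concatenation in the loop body is evaluated for every cookie on every request regardless of log level; `log.tracef("Matching cookieToken: %s with cookie name=%s", token, cookie.getName())` defers the formatting until trace is actually enabled.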
@jamezp
jamezp added a note Aug 6, 2013

Use the Logger.tracef() format.

@jamezp jamezp commented on an outdated diff Aug 6, 2013
...s/web/tomcat/security/GenericHeaderAuthenticator.java
+ * array of cookies
+ * @param numCookies
+ * number of cookies in the array
+ * @param token
+ * Key
+ * @return value of cookie
+ */
+ protected String getCookieValue(Cookie[] cookies, int numCookies,
+ String token) {
+ for (int i = 0; i < numCookies; i++) {
+ Cookie cookie = cookies[i];
+ log.trace("Matching cookieToken:" + token + " with cookie name="
+ + cookie.getName());
+ if (token.equals(cookie.getName())) {
+ if (trace)
+ log.trace("Cookie-" + token + " value=" + cookie.getValue());
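Review bot: `log.trace("Cookie-" + token + " value=" + cookie.getValue())` writes the session cookie's value into the server log; that value is the credential this valve authenticates with, so it should not appear in log output even at trace level, where logs are routinely shared for debugging. Log the cookie name and at most the value's length, and drop the `if (trace)` guard in favour of `log.tracef`.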
@jamezp
jamezp added a note Aug 6, 2013

Remove the check and use the Logger.tracef() format.

@jamezp jamezp commented on the diff Aug 6, 2013
...enericheader_auth/TestGenericHeaderAuthenticator.java
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.web.tomcat.security.GenericHeaderAuthenticator;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Simple set of tests to demonstrate the GenericHeaderAuthenticator functionality.
+ */
+@RunWith(Arquillian.class)
+public class TestGenericHeaderAuthenticator {
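Review bot: the test imports `GenericHeaderAuthenticator` directly, which puts the `jboss-as-web` provided dependency on the test classpath and couples the test to the valve's package name, while both `org.junit.Before` and `org.junit.BeforeClass` are imported and only one setup style should be needed; injecting the deployment URL with `@ArquillianResource` would also remove the need for hard-coded server paths in the setup.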
@jamezp
jamezp added a note Aug 6, 2013

This entire test seems rather fragile. The hard-coded paths are not a good idea. The URL deploymentUrl can be replaced with an @ArquillianResource.

Actually the test method itself looks okay, but the setup needs to be cleaned up.

@jamezp jamezp commented on the diff Aug 6, 2013
servlet-security-genericheader-auth/pom.xml
+ </dependency>
+
+ <!-- Testing dependencies and arquillian -->
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.arquillian.junit</groupId>
+ <artifactId>arquillian-junit-container</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.arquillian.protocol</groupId>
+ <artifactId>arquillian-protocol-servlet</artifactId>
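Review bot: `arquillian-protocol-servlet` is the one test dependency in this block without `<scope>test</scope>`, so it would be bundled into the WAR; add the scope to match `junit` and `arquillian-junit-container` above it.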
@jamezp
jamezp added a note Aug 6, 2013

Missing <scope>test</scope>

@jamezp

There is no reference to this in the parent POM. I think we should probably add a profile like

        <profile>
            <id>jboss-eap61</id>
            <activation>
                <activeByDefault>false</activeByDefault>
            </activation>
            <modules>
                <module>servlet-security-genericheader-auth</module>
            </modules>
        </profile>

Also the Arquillian test didn't work for me at all. It might be worth just not having as it doesn't look right to me anyway.

I also may have missed some tests when checking if trace logging is enabled. There is no reason to do this and since JBoss Logging is being used it's better to use the vararg (Logger.infof(), tracef(), etc.) methods rather than string concatenation.

@sgilda

The tests don't work for me either. It hangs on:
Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator

I see this in the server log:
15:23:14,775 INFO org.jboss.as.server.deployment JBAS015876: Starting deployment of "jboss-as-servlet-security-genericheader-auth.war"
15:23:15,522 INFO org.jboss.web JBAS018210: Registering web context: /jboss-as-servlet-security-genericheader-auth
15:23:15,682 INFO org.jboss.as.server JBAS018559: Deployed "jboss-as-servlet-security-genericheader-auth.war"

I will try again with a fresh copy of the server.

@sgilda

Same result with a clean server. Tests hang on that last output.

@jsight

Tests pass:

T E S T S

Running org.jboss.as.quickstarts.servlet_security_genericheader_auth.TestGenericHeaderAuthenticator
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.183 sec

Results :

Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

Most of this code is directly from the Apache header authentication valve.

@jsight jsight closed this Aug 21, 2013
@sgilda

Reopening so I can try this again.

@sgilda sgilda reopened this Aug 23, 2013
@sgilda

@jsight : What version of the server are you using?

@jsight
@sgilda

@jsight : Thanks. I will try EAP 6.1 first thing in the morning.

@sgilda

@jsight : Looks good!

I fixed the following issues reported by the QS tools utility:

pom.xml file:
BomVersionChecker BOM MavenDependency [groupId=org.jboss.bom, artifactId=jboss-javaee-6.0-with-tools, declaredVersion=${version.jboss.bom}, interpoledVersion=1.0.6.Final, type=pom, scope=import] isn't using the expected version 1.0.7.CR8 (line 89)
UnusedPropertiesChecker Property [version.jboss.spec.javaee.6.0] was declared but was never used (line 57)

src/test/resources/arquillian.xml:
FileHeaderChecker Line does not match expected header line of '^\WJBoss, Home of Professional Open Source.$'.

src/test/resources/test.properties:
FileHeaderChecker Missing a header - not enough lines in file.

Also added the quickstart to the root POM file.

Merged.

@sgilda sgilda closed this Aug 26, 2013