Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
Thanks Alex,

the API now is working after removing the "httpRegistry" part.

Now I've the next issue. My org.ops4j.pax.web.context-admin.cfg looks like

bundle.symbolicName=api.xml
login.config.authMethod=BASIC
login.config.realmName=karaf
context.id=default

security.constraint.1.url = /camel/api/*
security.constraint.1.method = *
security.constraint.1.roles = admin

Saving this creates the log file entries as below.

The return code with this file is now always an HTTP 403 (forbidden). What might be wrong now?

And .. where can I define the roles, users and passwords for each of the routes with a servlet consumer?

Best
- Gerald

2020-05-14T21:15:18,817 | INFO  | fileinstall-/opt/apache-karaf-4.2.7/etc | fileinstall                      | 10 - org.apache.felix.fileinstall - 3.6.4 | Updating configuration from org.ops4j.pax.web.context-admin.cfg
2020-05-14T21:15:18,819 | INFO  | CM Configuration Updater (Update: pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f) | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Updated configuration for pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f
2020-05-14T21:15:18,821 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Found bundle "api.xml", scheduling customization of its WebContainer
2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | HTTP Context Processor {bundle=api.xml [326]}: Restoring WebContainer for bundle api.xml/0.0.0
2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
2020-05-14T21:15:18,823 | INFO  | paxweb-context-4-thread-22 | HttpServiceContext               | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
2020-05-14T21:15:18,902 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
2020-05-14T21:15:18,905 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
2020-05-14T21:15:18,905 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Customizing WebContainer for bundle api.xml/0.0.0
2020-05-14T21:15:18,906 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering login configuration in WebContainer for bundle "api.xml": method=BASIC, realm=karaf
2020-05-14T21:15:18,908 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
2020-05-14T21:15:18,908 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
2020-05-14T21:15:18,909 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering security mappings in WebContainer for bundle "api.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/api/*', roles=[admin]}
2020-05-14T21:15:18,909 | INFO  | paxweb-context-4-thread-22 | HttpServiceContext               | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
2020-05-14T21:15:19,003 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
2020-05-14T21:15:19,003 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}

> Alex Soto <[hidden email]> wrote on 14 May 2020 at 18:42:
>
> Looks good to me: '/camel/api/say/hello' should be correct.
>
> The only difference I see is that in my case I am not using the 'httpRegistry'; try removing that part.
>
>
> Best regards,
> Alex soto
>
>
>
>
>
> > On May 14, 2020, at 12:21 PM, Gerald Kallas <[hidden email]> wrote:
> > Thanks Alex.
> >
> > I'm still struggling upfront. I was copying your example and have combined the parts in one Blueprint DSL.
> >
> > See my complete Blueprint DSL file below. I'm always getting a HTTP 404 (not found).
> >
> > I'm assuming that the URL
> >
> > https://localhost:8443/camel/api/say/hello
> >
> > should be the one to call. Do I still miss something? Many thanks in advance.
> >
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >  xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
> >  https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> >
> > <reference id="httpService" interface="org.osgi.service.http.HttpService" />
> >
> > <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> >
> > <bean class="org.apache.camel.component.servlet.osgi.OsgiServletRegisterer"
> >  init-method="register"
> >  destroy-method="unregister">
> > <property name="servletName" value="MyServlet" />
> > <property name="alias" value="/camel/api" />
> > <property name="httpService" ref="httpService" />
> > <property name="servlet" ref="camelServlet" />
> > </bean>
> >
> > <bean id="httpRegistry" class="org.apache.camel.component.servlet.DefaultHttpRegistry" />
> >
> > <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent">
> > <property name="httpRegistry" ref="httpRegistry" />
> > </bean>
> >
> > <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> > <restConfiguration
> > component="servlet"
> > bindingMode="json"
> > enableCORS="false"
> > skipBindingOnErrorCode="false"
> > clientRequestValidation="true">
> >
> > <componentProperty key="matchOnUriPrefix" value="true" />
> >
> > <endpointProperty key="servletName" value="MyServlet" />
> > <endpointProperty key="disableStreamCache" value="true" />
> >
> > <dataFormatProperty key="contentTypeHeader" value="false" />
> > <dataFormatProperty key="baseUri" value ="/came/api" />
> > </restConfiguration >
> >
> > <rest path="/say">
> > <get uri="/hello">
> > <to uri="direct:hello"/>
> > </get>
> > </rest>
> >
> > <route>
> > <from uri="direct:hello"/>
> > <transform>
> > <constant>Hello World</constant>
> > </transform>
> > </route>
> >
> > </camelContext>
> >
> > </blueprint>
> >
> > Best
> > - Gerald
> >
> >
> > > Alex Soto <[hidden email]> wrote on 14 May 2020 at 14:55:
> > >
> > > Hi Gerald,
> > >
> > > I would put the Servlet in the same bundle; I don’t see the need to separate it for reuse.
> > > Looks like you are missing security constraint in the 'etc/org.ops4j.pax.web.context-admin.cfg' file
> > >
> > > security.constraint.1.url = /camel/services/*
> > > security.constraint.1.method = *
> > > security.constraint.1.roles = admin
> > >
> > >
> > > Best regards,
> > > Alex soto
> > >
> > >
> > >
> > >
> > >
> > >
> > > > On May 13, 2020, at 7:02 PM, Gerald Kallas <[hidden email]> wrote:
> > > > <property name="alias" value="/camel/services" />
> > >
>

Re: Basic authentication of WAB using Jaas in Karaf

Alex Soto
Are you passing the BASIC Authentication header with user name and password?

The user names and roles are defined in the 'etc/users.properties' file; check the Karaf documentation: https://karaf.apache.org/manual/latest/#_security_2


The 'security.constraint.1.*' entries in your file 'org.ops4j.pax.web.context-admin.cfg' define the permissions for each route; you just need to add new ones, replacing 1 with 2 and so on, the url matching the Camel route.




Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
Hi Alex,

yes, I'm passing the HTTP "Authorization" header for basic authentication.

My users.properties looks like

karaf = xxx,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

username1 = password1,admin

I'm testing with the username1 password1 combination, the request looks like

curl --insecure --location --request GET 'https://localhost:8443/camel/api/say/hello' \
--header 'Authorization: Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ=='

With or without the Authorization header I'm always getting an HTTP 403 response.

While trying to access I'm getting a log entry

2020-05-15T15:20:34,031 | WARN  | qtp1611313605-186 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}

Again my org.ops4j.pax.web.context-admin.cfg, it looks like

bundle.symbolicName=api.xml
login.config.authMethod=Basic
login.config.realmName=karaf
context.id=default

security.constraint.1.url = /camel/api/*
security.constraint.1.method = *
security.constraint.1.roles = admin

And my route (Blueprint DSL "api.xml") again as well

<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
           https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">

        <reference id="httpService" interface="org.osgi.service.http.HttpService" />

        <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>

        <bean class="org.apache.camel.component.servlet.osgi.OsgiServletRegisterer"
              init-method="register"
              destroy-method="unregister">
                <property name="servletName" value="MyServlet" />
                <property name="alias" value="/camel/api" />
                <property name="httpService" ref="httpService" />
                <property name="servlet" ref="camelServlet" />
        </bean>

        <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent" />

        <camelContext xmlns="http://camel.apache.org/schema/blueprint">
                <restConfiguration
                        component="servlet"
                        bindingMode="json"
                        enableCORS="false"
                        skipBindingOnErrorCode="false"
                        clientRequestValidation="true">

                        <componentProperty key="matchOnUriPrefix" value="true" />

                        <endpointProperty key="servletName" value="MyServlet" />
                        <endpointProperty key="disableStreamCache" value="true" />

                        <dataFormatProperty key="contentTypeHeader" value="false" />
                        <dataFormatProperty key="baseUri" value ="/came/api" />
                </restConfiguration >

                <rest path="/say">
                        <get uri="/hello">
                                <to uri="direct:hello"/>
                        </get>
                </rest>

                <route>
                        <from uri="direct:hello"/>
                        <transform>
                                <constant>Hello World</constant>
                        </transform>
                </route>

        </camelContext>

</blueprint>

Best
- Gerald
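
An offline check of the chain discussed in this thread, added here as an example (not code from the posters or from Karaf/Pax Web): it reads the users.properties and context-admin.cfg contents from the post above, decodes the Basic header, and reports separately whether the credentials, the role and the URL constraint line up. The function names are hypothetical, the .properties parsing is simplified, and plaintext passwords are assumed as in the post.

```python
import base64
import binascii
import re

# Copied from the post above (the passwords are the poster's test values).
USERS_PROPERTIES = r"""
karaf = xxx,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
username1 = password1,admin
"""

CONTEXT_CFG = """
bundle.symbolicName=api.xml
login.config.authMethod=Basic
login.config.realmName=karaf
context.id=default
security.constraint.1.url = /camel/api/*
security.constraint.1.method = *
security.constraint.1.roles = admin
"""


def parse_properties(text):
    """Simplified .properties reader: 'key = value' lines, escaped colon in keys unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip().replace("\\:", ":")] = value.strip()
    return props


def load_users(text):
    """Return users {name: (password, tokens)} and groups {name: roles}."""
    users, groups = {}, {}
    for key, value in parse_properties(text).items():
        fields = [f.strip() for f in value.split(",") if f.strip()]
        if key.startswith("_g_:"):
            groups[key[4:]] = fields[1:]  # field 0 is the 'group' placeholder
        elif fields:
            users[key] = (fields[0], fields[1:])
    return users, groups


def roles_of(user, users, groups):
    """Expand direct roles and '_g_:<group>' references into a set of role names."""
    roles = set()
    for token in users[user][1]:
        if token.startswith("_g_:"):
            roles.update(groups.get(token[4:], []))
        else:
            roles.add(token)
    return roles


def decode_basic(header):
    """Return (user, password) from an RFC 7617 header value, or None if malformed."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def load_constraints(cfg):
    """Group security.constraint.<n>.{url,method,roles} keys by their index n."""
    found = {}
    for key, value in cfg.items():
        m = re.fullmatch(r"security\.constraint\.(\d+)\.(url|method|roles)", key)
        if m:
            found.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [found[n] for n in sorted(found)]


def url_matches(pattern, path):
    """Servlet-style matching: exact path, or '/prefix/*' covering the prefix and below."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def diagnose(users_text, cfg_text, path, header):
    """Check each link of the chain separately so a 403 can be narrowed down."""
    users, groups = load_users(users_text)
    cfg = parse_properties(cfg_text)
    method = cfg.get("login.config.authMethod", "")
    constraint = next(
        (c for c in load_constraints(cfg) if url_matches(c.get("url", ""), path)), None)
    creds = decode_basic(header) if header else None
    known = creds is not None and creds[0] in users and users[creds[0]][0] == creds[1]
    roles = roles_of(creds[0], users, groups) if known else set()
    required = {r.strip() for r in constraint.get("roles", "").split(",")} if constraint else set()
    return {
        "auth_method": method,
        # Flags any spelling other than the BASIC used in the first version of this
        # file; whether the value is case-sensitive is not established here.
        "auth_method_is_uppercase_basic": method == "BASIC",
        "path_is_constrained": constraint is not None,
        "credentials_match_users_file": known,
        "user_has_required_role": bool(roles & required),
    }
```

For the posted values every data check passes and only the authMethod spelling is flagged, which points away from users.properties and the constraint and toward the container's login configuration, where the log reports "No authenticator".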


Re: Basic authentication of WAB using Jaas in Karaf

Alex Soto
I’m not sure what is happening, but I noticed you have ‘basic’ as lowercase; maybe it is case sensitive. Try uppercase:


login.config.authMethod = BASIC


Also, what is in your 'etc/jetty.xml' and 'etc/org.ops4j.pax.web.cfg' files?

Best regards,
Alex soto




> On May 15, 2020, at 11:22 AM, Gerald Kallas <[hidden email]> wrote:
>
> Hi Alex,
>
> yes, I'm passing the HTTP "Authorization" header for basic authentication.
>
> My users.properties looks like
>
> karaf = xxx,_g_:admingroup
> _g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
>
> username1 = password1,admin
>
> I'm testing with the username1 password1 combination, the request looks like
>
> curl --insecure --location --request GET 'https://localhost:8443/camel/api/say/hello' \
> --header 'Authorization: Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ=='
>
> With or without the Authorization header I'm always getting a HTTP 403 response.
>
> While trying to access I'm getting a log entry
>
> 2020-05-15T15:20:34,031 | WARN  | qtp1611313605-186 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
>
> Again my org.ops4j.pax.web.context-admin.cfg, it looks like
>
> bundle.symbolicName=api.xml
> login.config.authMethod=Basic
> login.config.realmName=karaf
> context.id=default
>
> security.constraint.1.url = /camel/api/*
> security.constraint.1.method = *
> security.constraint.1.roles = admin
>
> And my route (Blueprint DSL "api.xml") again as well
>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>           xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>           https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>
> <reference id="httpService" interface="org.osgi.service.http.HttpService" />
>
> <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
>
> <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
>      init-method="register"
>      destroy-method="unregister">
> <property name="servletName" value="MyServlet" />
> <property name="alias" value="/camel/api" />
> <property name="httpService" ref="httpService" />
> <property name="servlet" ref="camelServlet" />
> </bean>
>
> <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent" />
>
> <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> <restConfiguration
> component="servlet"
> bindingMode="json"
> enableCORS="false"
> skipBindingOnErrorCode="false"
> clientRequestValidation="true">
>
> <componentProperty key="matchOnUriPrefix" value="true" />
>
> <endpointProperty key="servletName" value="MyServlet" />
> <endpointProperty key="disableStreamCache" value="true" />
>
> <dataFormatProperty key="contentTypeHeader" value="false" />
> <dataFormatProperty key="baseUri" value ="/came/api" />
> </restConfiguration >
>
> <rest path="/say">
> <get uri="/hello">
> <to uri="direct:hello"/>
> </get>
> </rest>
>
> <route>
> <from uri="direct:hello"/>
> <transform>
> <constant>Hello World</constant>
> </transform>
> </route>
>
> </camelContext>
>
> </blueprint>
>
> Best
> - Gerald
>
>> On 15 May 2020 at 14:35, Alex Soto <[hidden email]> wrote:
>>
>>
>> Are you passing the BASIC Authentication header with user name and password?
>>
>> The user names and roles are defined in the 'etc/users.properties' file, check Karaf documentation https://karaf.apache.org/manual/latest/#_security_2
>>
>>
>> The 'security.constraint.1.* entries' in your file 'org.ops4j.pax.web.context-admin.cfg’  define the permissions for each route, just need to add new ones replacing 1 with 2, and so on,   the url matching the Camel route.
>>
>>
>>
>>> On May 14, 2020, at 5:17 PM, Gerald Kallas <[hidden email]> wrote:
>>>
>>> Thanks Alex,
>>>
>>> the API now is working after removing the "httpRegistry" part.
>>>
>>> Now I've the next issue. My org.ops4j.pax.web.context-admin.cfg looks like
>>>
>>> bundle.symbolicName=api.xml
>>> login.config.authMethod=BASIC
>>> login.config.realmName=karaf
>>> context.id=default
>>>
>>> security.constraint.1.url = /camel/api/*
>>> security.constraint.1.method = *
>>> security.constraint.1.roles = admin
>>>
>>> Saving this creates the log file entries as below.
>>>
>>> The return code with this file is now always a HTTP 403 (forbidden). What might be wrong now?
>>>
>>> And .. where can I define the roles, users and passwords for each of the routes with a servlet consumer?
>>>
>>> Best
>>> - Gerald
>>>
>>> 2020-05-14T21:15:18,817 | INFO  | fileinstall-/opt/apache-karaf-4.2.7/etc | fileinstall                      | 10 - org.apache.felix.fileinstall - 3.6.4 | Updating configuration from org.ops4j.pax.web.context-admin.cfg
>>> 2020-05-14T21:15:18,819 | INFO  | CM Configuration Updater (Update: pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f) | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Updated configuration for pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f
>>> 2020-05-14T21:15:18,821 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Found bundle "api.xml", scheduling customization of its WebContainer
>>> 2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | HTTP Context Processor {bundle=api.xml [326]}: Restoring WebContainer for bundle api.xml/0.0.0
>>> 2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
>>> 2020-05-14T21:15:18,822 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
>>> 2020-05-14T21:15:18,823 | INFO  | paxweb-context-4-thread-22 | HttpServiceContext               | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
>>> 2020-05-14T21:15:18,902 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
>>> 2020-05-14T21:15:18,905 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
>>> 2020-05-14T21:15:18,905 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Customizing WebContainer for bundle api.xml/0.0.0
>>> 2020-05-14T21:15:18,906 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering login configuration in WebContainer for bundle "api.xml": method=BASIC, realm=karaf
>>> 2020-05-14T21:15:18,908 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
>>> 2020-05-14T21:15:18,908 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
>>> 2020-05-14T21:15:18,909 | INFO  | paxweb-context-4-thread-22 | HttpContextProcessing            | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering security mappings in WebContainer for bundle "api.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/api/*', roles=[admin]}
>>> 2020-05-14T21:15:18,909 | INFO  | paxweb-context-4-thread-22 | HttpServiceContext               | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
>>> 2020-05-14T21:15:19,003 | INFO  | paxweb-context-4-thread-22 | CamelHttpTransportServlet        | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
>>> 2020-05-14T21:15:19,003 | INFO  | paxweb-context-4-thread-22 | ContextHandler                   | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
>>>
>>>> On 14 May 2020 at 18:42, Alex Soto <[hidden email]> wrote:
>>>>
>>>>
>>>> Looks good to me: '/camel/api/say/hello' should be correct.
>>>>
>>>> The only difference I see is that in my case I am not using the ‘httpRegistry'; try removing that part.
>>>>
>>>>
>>>> Best regards,
>>>> Alex soto
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On May 14, 2020, at 12:21 PM, Gerald Kallas <[hidden email]> wrote:
>>>>> Thanks Alex.
>>>>>
>>>>> I'm still struggling upfront. I was copying your example and have combined the parts in one Blueprint DSL.
>>>>>
>>>>> See my complete Blueprint DSL file below. I'm always getting a HTTP 404 (not found).
>>>>>
>>>>> I'm assuming that the URL
>>>>>
>>>>> https://localhost:8443/camel/api/say/hello
>>>>>
>>>>> should be the one to call. Do I still miss something? Many thanks in advance.
>>>>>
>>>>> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>>>>> https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
>>>>>
>>>>> <reference id="httpService" interface="org.osgi.service.http.HttpService" />
>>>>>
>>>>> <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
>>>>>
>>>>> <bean class="org.apache.camel.component.servlet.osgi.OsgiServletRegisterer"
>>>>> init-method="register"
>>>>> destroy-method="unregister">
>>>>> <property name="servletName" value="MyServlet" />
>>>>> <property name="alias" value="/camel/api" />
>>>>> <property name="httpService" ref="httpService" />
>>>>> <property name="servlet" ref="camelServlet" />
>>>>> </bean>
>>>>>
>>>>> <bean id="httpRegistry" class="org.apache.camel.component.servlet.DefaultHttpRegistry" />
>>>>>
>>>>> <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent">
>>>>> <property name="httpRegistry" ref="httpRegistry" />
>>>>> </bean>
>>>>>
>>>>> <camelContext xmlns="http://camel.apache.org/schema/blueprint">
>>>>> <restConfiguration
>>>>> component="servlet"
>>>>> bindingMode="json"
>>>>> enableCORS="false"
>>>>> skipBindingOnErrorCode="false"
>>>>> clientRequestValidation="true">
>>>>>
>>>>> <componentProperty key="matchOnUriPrefix" value="true" />
>>>>>
>>>>> <endpointProperty key="servletName" value="MyServlet" />
>>>>> <endpointProperty key="disableStreamCache" value="true" />
>>>>>
>>>>> <dataFormatProperty key="contentTypeHeader" value="false" />
>>>>> <dataFormatProperty key="baseUri" value ="/came/api" />
>>>>> </restConfiguration >
>>>>>
>>>>> <rest path="/say">
>>>>> <get uri="/hello">
>>>>> <to uri="direct:hello"/>
>>>>> </get>
>>>>> </rest>
>>>>>
>>>>> <route>
>>>>> <from uri="direct:hello"/>
>>>>> <transform>
>>>>> <constant>Hello World</constant>
>>>>> </transform>
>>>>> </route>
>>>>>
>>>>> </camelContext>
>>>>>
>>>>> </blueprint>
>>>>>
>>>>> Best
>>>>> - Gerald
>>>>>
>>>>>
>>>>>> On 14 May 2020 at 14:55, Alex Soto <[hidden email]> wrote:
>>>>>>
>>>>>>
>>>>>> Hi Gerald,
>>>>>>
>>>>>> I would put the Servlet in the same bundle; I don’t see the need to separate it for reuse.
>>>>>> Looks like you are missing security constraint in the 'etc/org.ops4j.pax.web.context-admin.cfg' file
>>>>>>
>>>>>> security.constraint.1.url = /camel/services/*
>>>>>> security.constraint.1.method = *
>>>>>> security.constraint.1.roles = admin
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> Alex soto
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On May 13, 2020, at 7:02 PM, Gerald Kallas <[hidden email]> wrote:
>>>>>>> <property name="alias" value="/camel/services" />
>>>>>>
>>>>


Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
With "BASIC" the same.

2020-05-15T18:20:39,881 | INFO  | CM Configuration Updater (Update: pid=org.ops4j.pax.web.context.f4d0bd8c-6751-447f-8067-2da2e2b7c45a) | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | Updated configuration for pid=org.ops4j.pax.web.context.f4d0bd8c-6751-447f-8067-2da2e2b7c45a
2020-05-15T18:20:39,883 | INFO  | paxweb-context-4-thread-5 | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | Found bundle "api.xml", scheduling customization of its WebContainer
2020-05-15T18:20:39,884 | INFO  | paxweb-context-4-thread-5 | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | HTTP Context Processor {bundle=api.xml [290]}: Restoring WebContainer for bundle api.xml/0.0.0
2020-05-15T18:20:39,885 | INFO  | paxweb-context-4-thread-5 | CamelHttpTransportServlet        | 132 - org.apache.camel.camel-servlet - 3.2.0 | Destroyed CamelHttpTransportServlet[MyServlet]
2020-05-15T18:20:39,885 | INFO  | paxweb-context-4-thread-5 | ContextHandler                   | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [290], contextID=default]}
2020-05-15T18:20:39,886 | INFO  | paxweb-context-4-thread-5 | HttpServiceContext               | 262 - org.ops4j.pax.web.pax-web-jetty - 7.2.14 | registering JasperInitializer
2020-05-15T18:20:40,117 | INFO  | paxweb-context-4-thread-5 | CamelHttpTransportServlet        | 132 - org.apache.camel.camel-servlet - 3.2.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
2020-05-15T18:20:40,117 | INFO  | paxweb-context-4-thread-5 | ContextHandler                   | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [290], contextID=default]}
2020-05-15T18:20:40,118 | INFO  | paxweb-context-4-thread-5 | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | Customizing WebContainer for bundle api.xml/0.0.0
2020-05-15T18:20:40,130 | INFO  | paxweb-context-4-thread-5 | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | Registering login configuration in WebContainer for bundle "api.xml": method=BASIC, realm=karaf
2020-05-15T18:20:40,130 | INFO  | paxweb-context-4-thread-5 | CamelHttpTransportServlet        | 132 - org.apache.camel.camel-servlet - 3.2.0 | Destroyed CamelHttpTransportServlet[MyServlet]
2020-05-15T18:20:40,131 | INFO  | paxweb-context-4-thread-5 | ContextHandler                   | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [290], contextID=default]}
2020-05-15T18:20:40,131 | INFO  | paxweb-context-4-thread-5 | HttpContextProcessing            | 264 - org.ops4j.pax.web.pax-web-runtime - 7.2.14 | Registering security mappings in WebContainer for bundle "api.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/api/*', roles=[admin]}
2020-05-15T18:20:40,132 | INFO  | paxweb-context-4-thread-5 | HttpServiceContext               | 262 - org.ops4j.pax.web.pax-web-jetty - 7.2.14 | registering JasperInitializer
2020-05-15T18:20:40,290 | INFO  | paxweb-context-4-thread-5 | CamelHttpTransportServlet        | 132 - org.apache.camel.camel-servlet - 3.2.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
2020-05-15T18:20:40,290 | INFO  | paxweb-context-4-thread-5 | ContextHandler                   | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [290], contextID=default]}
2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}

etc/jetty.xml looks like

<?xml version="1.0"?>

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Set connectors -->
    <!-- =========================================================== -->
    <!-- One of each type! -->
    <!-- =========================================================== -->

    <!-- Use this connector for many frequently idle connections and for
        threadless continuations. -->
        <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                <Set name="secureScheme">https</Set>
                <Set name="securePort">
                        <Property name="jetty.secure.port" default="8443" />
                </Set>
                <Set name="outputBufferSize">32768</Set>
                <Set name="requestHeaderSize">8192</Set>
                <Set name="responseHeaderSize">8192</Set>
                <Set name="sendServerVersion">true</Set>
                <Set name="sendDateHeader">false</Set>
                <Set name="headerCacheSize">512</Set>
        </New>

    <Call name="addBean">
        <Arg>
            <New class="org.eclipse.jetty.jaas.JAASLoginService">
                <Set name="name">karaf</Set>
                <Set name="loginModuleName">karaf</Set>
                <Set name="roleClassNames">
                    <Array type="java.lang.String">
                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
                        </Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>
    <Call name="addBean">
        <Arg>
            <New class="org.eclipse.jetty.jaas.JAASLoginService">
                <Set name="name">default</Set>
                <Set name="loginModuleName">karaf</Set>
                <Set name="roleClassNames">
                    <Array type="java.lang.String">
                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
                        </Item>
                    </Array>
                </Set>
            </New>
        </Arg>
    </Call>

</Configure>

etc/org.ops4j.pax.web.cfg looks like


org.osgi.service.http.enabled=true
org.osgi.service.http.port=8181
 
org.ops4j.pax.web.session.cookie.httpOnly=true
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443
org.ops4j.pax.web.ssl.keystore=${karaf.etc}/keystore.p12
org.ops4j.pax.web.ssl.password=xxxxx
org.ops4j.pax.web.ssl.keypassword=xxxxx

javax.servlet.context.tempdir=${karaf.data}/pax-web-jsp
org.ops4j.pax.web.config.file=${karaf.etc}/jetty.xml
org.apache.karaf.features.configKey = org.ops4j.pax.web

Best
- Gerald

> On 15 May 2020 at 18:38, Alex Soto <[hidden email]> wrote:
>
>
> I’m not sure what is happening, but I noticed, you have ‘basic’ as lowercase, maybe it is case sensitive. Try uppercase:
>
>
> login.config.authMethod = BASIC
>
>
> Also, what is in your 'etc/jetty.xml’ and ‘etc/org.ops4j.pax.web.cfg’ files ?
>
>
> Best regards,
> Alex soto
>
>
>
>
>
> > On May 15, 2020, at 11:22 AM, Gerald Kallas <[hidden email]> wrote:
> > Hi Alex,
> >
> > yes, I'm passing the HTTP "Authorization" header for basic authentication.
> >
> > My users.properties looks like
> >
> > karaf = xxx,_g_:admingroup
> > _g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
> >
> > username1 = password1,admin
> >
> > I'm testing with the username1 password1 combination, the request looks like
> >
> > curl --insecure --location --request GET 'https://localhost:8443/camel/api/say/hello' \
> > --header 'Authorization: Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ=='
> >
> > With or without the Authorization header I'm always getting a HTTP 403 response.
> >
> > While trying to access I'm getting a log entry
> >
> > 2020-05-15T15:20:34,031 | WARN | qtp1611313605-186 | SecurityHandler | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
> >
> > Again my org.ops4j.pax.web.context-admin.cfg, it looks like
> >
> > bundle.symbolicName=api.xml
> > login.config.authMethod=Basic
> > login.config.realmName=karaf
> > context.id=default
> >
> > security.constraint.1.url = /camel/api/*
> > security.constraint.1.method = *
> > security.constraint.1.roles = admin
> >
> > And my route (Blueprint DSL "api.xml") again as well
> >
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >  xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
> >  https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> >
> > <reference id="httpService" interface="org.osgi.service.http.HttpService" />
> >
> > <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> >
> > <bean class="org.apache.camel.component.osgi.OsgiServletRegisterer"
> >  init-method="register"
> >  destroy-method="unregister">
> > <property name="servletName" value="MyServlet" />
> > <property name="alias" value="/camel/api" />
> > <property name="httpService" ref="httpService" />
> > <property name="servlet" ref="camelServlet" />
> > </bean>
> >
> > <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent" />
> >
> > <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> > <restConfiguration
> > component="servlet"
> > bindingMode="json"
> > enableCORS="false"
> > skipBindingOnErrorCode="false"
> > clientRequestValidation="true">
> >
> > <componentProperty key="matchOnUriPrefix" value="true" />
> >
> > <endpointProperty key="servletName" value="MyServlet" />
> > <endpointProperty key="disableStreamCache" value="true" />
> >
> > <dataFormatProperty key="contentTypeHeader" value="false" />
> > <dataFormatProperty key="baseUri" value ="/came/api" />
> > </restConfiguration >
> >
> > <rest path="/say">
> > <get uri="/hello">
> > <to uri="direct:hello"/>
> > </get>
> > </rest>
> >
> > <route>
> > <from uri="direct:hello"/>
> > <transform>
> > <constant>Hello World</constant>
> > </transform>
> > </route>
> >
> > </camelContext>
> >
> > </blueprint>
> >
> > Best
> > - Gerald
> >
> >
> > > On 15 May 2020 at 14:35, Alex Soto <[hidden email]> wrote:
> > >
> > >
> > > Are you passing the BASIC Authentication header with user name and password?
> > >
> > > The user names and roles are defined in the 'etc/users.properties' file, check Karaf documentation https://karaf.apache.org/manual/latest/#_security_2
> > >
> > >
> > > The 'security.constraint.1.* entries' in your file 'org.ops4j.pax.web.context-admin.cfg’ define the permissions for each route, just need to add new ones replacing 1 with 2, and so on, the url matching the Camel route.
> > >
> > >
> > >
> > >
> > > > On May 14, 2020, at 5:17 PM, Gerald Kallas <[hidden email]> wrote:
> > > >
> > > > Thanks Alex,
> > > >
> > > > the API now is working after removing the "httpRegistry" part.
> > > >
> > > > Now I've the next issue. My org.ops4j.pax.web.context-admin.cfg looks like
> > > >
> > > > bundle.symbolicName=api.xml
> > > > login.config.authMethod=BASIC
> > > > login.config.realmName=karaf
> > > > context.id=default
> > > >
> > > > security.constraint.1.url = /camel/api/*
> > > > security.constraint.1.method = *
> > > > security.constraint.1.roles = admin
> > > >
> > > > Saving this creates the log file entries as below.
> > > >
> > > > The return code with this file is now always a HTTP 403 (forbidden). What might be wrong now?
> > > >
> > > > And .. where can I define the roles, users and passwords for each of the routes with a servlet consumer?
> > > >
> > > > Best
> > > > - Gerald
> > > >
> > > > 2020-05-14T21:15:18,817 | INFO | fileinstall-/opt/apache-karaf-4.2.7/etc | fileinstall | 10 - org.apache.felix.fileinstall - 3.6.4 | Updating configuration from org.ops4j.pax.web.context-admin.cfg
> > > > 2020-05-14T21:15:18,819 | INFO | CM Configuration Updater (Update: pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f) | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Updated configuration for pid=org.ops4j.pax.web.context.1448dbe9-6e82-4f5f-8176-f306ab16640f
> > > > 2020-05-14T21:15:18,821 | INFO | paxweb-context-4-thread-22 | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Found bundle "api.xml", scheduling customization of its WebContainer
> > > > 2020-05-14T21:15:18,822 | INFO | paxweb-context-4-thread-22 | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | HTTP Context Processor {bundle=api.xml [326]}: Restoring WebContainer for bundle api.xml/0.0.0
> > > > 2020-05-14T21:15:18,822 | INFO | paxweb-context-4-thread-22 | CamelHttpTransportServlet | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
> > > > 2020-05-14T21:15:18,822 | INFO | paxweb-context-4-thread-22 | ContextHandler | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
> > > > 2020-05-14T21:15:18,823 | INFO | paxweb-context-4-thread-22 | HttpServiceContext | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
> > > > 2020-05-14T21:15:18,902 | INFO | paxweb-context-4-thread-22 | CamelHttpTransportServlet | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
> > > > 2020-05-14T21:15:18,905 | INFO | paxweb-context-4-thread-22 | ContextHandler | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
> > > > 2020-05-14T21:15:18,905 | INFO | paxweb-context-4-thread-22 | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Customizing WebContainer for bundle api.xml/0.0.0
> > > > 2020-05-14T21:15:18,906 | INFO | paxweb-context-4-thread-22 | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering login configuration in WebContainer for bundle "api.xml": method=BASIC, realm=karaf
> > > > 2020-05-14T21:15:18,908 | INFO | paxweb-context-4-thread-22 | CamelHttpTransportServlet | 288 - org.apache.camel.camel-servlet - 3.0.0 | Destroyed CamelHttpTransportServlet[MyServlet]
> > > > 2020-05-14T21:15:18,908 | INFO | paxweb-context-4-thread-22 | ContextHandler | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Stopped HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
> > > > 2020-05-14T21:15:18,909 | INFO | paxweb-context-4-thread-22 | HttpContextProcessing | 258 - org.ops4j.pax.web.pax-web-runtime - 7.2.11 | Registering security mappings in WebContainer for bundle "api.xml": SecurityConstraintsMapping{name='constraint.1', url='/camel/api/*', roles=[admin]}
> > > > 2020-05-14T21:15:18,909 | INFO | paxweb-context-4-thread-22 | HttpServiceContext | 256 - org.ops4j.pax.web.pax-web-jetty - 7.2.11 | registering JasperInitializer
> > > > 2020-05-14T21:15:19,003 | INFO | paxweb-context-4-thread-22 | CamelHttpTransportServlet | 288 - org.apache.camel.camel-servlet - 3.0.0 | Initialized CamelHttpTransportServlet[name=MyServlet, contextPath=]
> > > > 2020-05-14T21:15:19,003 | INFO | paxweb-context-4-thread-22 | ContextHandler | 223 - org.eclipse.jetty.util - 9.4.20.v20190813 | Started HttpServiceContext{httpContext=DefaultHttpContext [bundle=api.xml [326], contextID=default]}
> > > >
> > > >
> > > > > On 14 May 2020 at 18:42, Alex Soto <[hidden email]> wrote:
> > > > >
> > > > >
> > > > > Looks good to me: '/camel/api/say/hello' should be correct.
> > > > >
> > > > > The only difference I see is that in my case I am not using the ‘httpRegistry'; try removing that part.
> > > > >
> > > > >
> > > > > Best regards,
> > > > > Alex soto
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > > On May 14, 2020, at 12:21 PM, Gerald Kallas <[hidden email]> wrote:
> > > > > > Thanks Alex.
> > > > > >
> > > > > > I'm still struggling upfront. I was copying your example and have combined the parts in one Blueprint DSL.
> > > > > >
> > > > > > See my complete Blueprint DSL file below. I'm always getting a HTTP 404 (not found).
> > > > > >
> > > > > > I'm assuming that the URL
> > > > > >
> > > > > > https://localhost:8443/camel/api/say/hello
> > > > > >
> > > > > > should be the one to call. Do I still miss something? Many thanks in advance.
> > > > > >
> > > > > > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> > > > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > > xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
> > > > > > https://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd">
> > > > > >
> > > > > > <reference id="httpService" interface="org.osgi.service.http.HttpService" />
> > > > > >
> > > > > > <bean id="camelServlet" class="org.apache.camel.component.servlet.CamelHttpTransportServlet"/>
> > > > > >
> > > > > > <bean class="org.apache.camel.component.servlet.osgi.OsgiServletRegisterer"
> > > > > > init-method="register"
> > > > > > destroy-method="unregister">
> > > > > > <property name="servletName" value="MyServlet" />
> > > > > > <property name="alias" value="/camel/api" />
> > > > > > <property name="httpService" ref="httpService" />
> > > > > > <property name="servlet" ref="camelServlet" />
> > > > > > </bean>
> > > > > >
> > > > > > <bean id="httpRegistry" class="org.apache.camel.component.servlet.DefaultHttpRegistry" />
> > > > > >
> > > > > > <bean id="servlet" class="org.apache.camel.component.servlet.ServletComponent">
> > > > > > <property name="httpRegistry" ref="httpRegistry" />
> > > > > > </bean>
> > > > > >
> > > > > > <camelContext xmlns="http://camel.apache.org/schema/blueprint">
> > > > > > <restConfiguration
> > > > > > component="servlet"
> > > > > > bindingMode="json"
> > > > > > enableCORS="false"
> > > > > > skipBindingOnErrorCode="false"
> > > > > > clientRequestValidation="true">
> > > > > >
> > > > > > <componentProperty key="matchOnUriPrefix" value="true" />
> > > > > >
> > > > > > <endpointProperty key="servletName" value="MyServlet" />
> > > > > > <endpointProperty key="disableStreamCache" value="true" />
> > > > > >
> > > > > > <dataFormatProperty key="contentTypeHeader" value="false" />
> > > > > > <dataFormatProperty key="baseUri" value ="/came/api" />
> > > > > > </restConfiguration >
> > > > > >
> > > > > > <rest path="/say">
> > > > > > <get uri="/hello">
> > > > > > <to uri="direct:hello"/>
> > > > > > </get>
> > > > > > </rest>
> > > > > >
> > > > > > <route>
> > > > > > <from uri="direct:hello"/>
> > > > > > <transform>
> > > > > > <constant>Hello World</constant>
> > > > > > </transform>
> > > > > > </route>
> > > > > >
> > > > > > </camelContext>
> > > > > >
> > > > > > </blueprint>
> > > > > >
> > > > > > Best
> > > > > > - Gerald
> > > > > >
> > > > > >
> > > > > >
> > > > > > > On 14 May 2020 at 14:55, Alex Soto <[hidden email]> wrote:
> > > > > > >
> > > > > > >
> > > > > > > Hi Gerald,
> > > > > > >
> > > > > > > I would put the Servlet in the same bundle; I don’t see the need to separate it for reuse.
> > > > > > > Looks like you are missing security constraint in the 'etc/org.ops4j.pax.web.context-admin.cfg' file
> > > > > > >
> > > > > > > security.constraint.1.url = /camel/services/*
> > > > > > > security.constraint.1.method = *
> > > > > > > security.constraint.1.roles = admin
> > > > > > >
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Alex soto
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > On May 13, 2020, at 7:02 PM, Gerald Kallas <[hidden email]> wrote:
> > > > > > > > <property name="alias" value="/camel/services" />
> > > > > > >
> > > > >
>
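
Added example, not part of the original post and not Karaf or Pax Web code: a Python cross-check of the three files quoted in the message above, re-typed as constructed inline samples (jetty.xml trimmed to its two addBean calls). It assumes plaintext passwords in users.properties, and all function names are hypothetical; the login-service list is reported because a later reply in this thread gets the setup working by ensuring there is only one JAASLoginService.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed samples, re-typed from the files quoted in the message above.
USERS_PROPERTIES = r"""
karaf = xxx,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
username1 = password1,admin
"""
CONTEXT_CFG = """
login.config.authMethod=BASIC
login.config.realmName=karaf
security.constraint.1.url = /camel/api/*
security.constraint.1.method = *
security.constraint.1.roles = admin
"""
# jetty.xml trimmed to the two addBean calls (roleClassNames omitted).
JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">karaf</Set>
      <Set name="loginModuleName">karaf</Set>
    </New></Arg></Call>
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">default</Set>
      <Set name="loginModuleName">karaf</Set>
    </New></Arg></Call>
</Configure>"""
AUTH_HEADER = "Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ=="


def parse_properties(text):
    """Minimal key = value reader; the '\\:' escape in keys becomes ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip().replace("\\:", ":")] = value.strip()
    return props


def load_users(props):
    """Return {user: (password, roles)}, expanding '_g_:' group references."""
    groups = {k: {r.strip() for r in v.split(",")[1:]}  # first item is the 'group' marker
              for k, v in props.items() if k.startswith("_g_:")}
    users = {}
    for name, value in props.items():
        if name.startswith("_g_:"):
            continue
        password, *entries = [e.strip() for e in value.split(",")]
        roles = set()
        for entry in entries:
            roles |= groups.get(entry, {entry})
        users[name] = (password, roles)
    return users


def decode_basic(header):
    """Split an Authorization: Basic value into (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def constraints(cfg):
    """Collect security.constraint.N.* entries as (url, roles) pairs."""
    found = {}
    for key, value in cfg.items():
        parts = key.split(".")
        if parts[:2] == ["security", "constraint"] and len(parts) == 4:
            found.setdefault(parts[2], {})[parts[3]] = value
    return [(c["url"], {r.strip() for r in c.get("roles", "").split(",") if r.strip()})
            for _, c in sorted(found.items()) if "url" in c]


def url_matches(pattern, path):
    """Servlet-style prefix match for patterns ending in '/*', else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def login_services(jetty_xml):
    """List (name, loginModuleName) for every JAASLoginService bean declared."""
    out = []
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class", "").endswith("JAASLoginService"):
            sets = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
            out.append((sets.get("name"), sets.get("loginModuleName")))
    return out


def cross_check(path):
    """Check the posted credentials, constraint and login services against each other."""
    users = load_users(parse_properties(USERS_PROPERTIES))
    cfg = parse_properties(CONTEXT_CFG)
    user, password = decode_basic(AUTH_HEADER)
    stored = users.get(user)
    roles = stored[1] if stored and hmac.compare_digest(stored[0], password) else set()
    required = [r for url, r in constraints(cfg) if url_matches(url, path)]
    services = login_services(JETTY_XML)
    return {"user": user, "roles": roles,
            "satisfies_constraints": all(roles & r for r in required),
            "login_services": services,
            "realm_has_service": cfg.get("login.config.realmName") in [n for n, _ in services]}


if __name__ == "__main__":
    print(cross_check("/camel/api/say/hello"))
```

For the posted files the credentials and role mapping check out, so the 403 is not explained by users.properties or the constraint itself.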

Re: Basic authentication of WAB using Jaas in Karaf

Alex Soto
I’m sorry, I don’t know why it's not working; it looks correct to me.  Maybe somebody from the Pax-Web team can help you.
The only suspicious thing is the warning:

2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}


Which suggests something is misconfigured.

Best regards,
Alex soto




> On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
>
> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}


Re: Basic authentication of WAB using Jaas in Karaf

Achim Nierbeck-2
Hi,

I already also answered Gerald in another mail.
I'm not quite sure but what might be an issue, is that the default
http-context used in his application isn't bound to the underlying security
realm.
Therefore it's quite a possibility that there needs to be a configuration
done in his own application, using his own http-Context.

Can be found here:
https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
and here:
https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java

regards, Achim


On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:

> I’m sorry, I don’t know why it's not working; it looks correct to me.
> Maybe somebody from the Pax-Web team can help you.
> The only suspicious thing is the warning:
>
> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
>
>
> Which suggests something is misconfigured.
>
> Best regards,
> Alex soto
>
>
>
>
> > On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
> >
> > 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
>               | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> authenticator for: {RoleInfo,C[admin],None}
>
>

--

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>

Re: Basic authentication of WAB using Jaas in Karaf

Grzegorz Grzybek
Hello

I have some answer. First, the "http context processing" feature was mainly
tested to "inject" Keycloak authenticator and I mostly tested it with
pax-web-undertow.

But I checked how it works with pax-web-jetty in the debugger.

The key problem is that when Jetty's SecurityHandler is starting, it tries
to find/discover org.eclipse.jetty.security.LoginService instance.
With default etc/jetty.xml, there are TWO beans with
org.eclipse.jetty.jaas.JAASLoginService class and
org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
this:

else if (list.size() == 1)
    service = list.iterator().next();

So I simply made it work by ensuring there's only one
org.eclipse.jetty.jaas.JAASLoginService:

list = {java.util.ArrayList@9544}  size = 1
 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
  LOG: org.eclipse.jetty.util.log.Logger  = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
  DEFAULT_ROLE_CLASS_NAME: java.lang.String  = "org.eclipse.jetty.jaas.JAASRole"
  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  = {java.lang.String[1]@9551}
  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
  _callbackHandlerClass: java.lang.String  = null
  _realmName: java.lang.String  = "karaf"
  _loginModuleName: java.lang.String  = "karaf"
Now, with your Camel route, I got:

$ curl -v http://localhost:8181/camel/api/say/hello
*   Trying ::1:8181...
* Connected to localhost (::1) port 8181 (#0)
> GET /camel/api/say/hello HTTP/1.1
> Host: localhost:8181
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 456
< Server: Jetty(9.4.22.v20191022)
<

$ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
*   Trying ::1:8181...
* Connected to localhost (::1) port 8181 (#0)
* Server auth using Basic with user 'karaf'
> GET /camel/api/say/hello HTTP/1.1
> Host: localhost:8181
> Authorization: Basic a2FyYWY6a2FyYWY=
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Accept: */*
< Authorization: Basic a2FyYWY6a2FyYWY=
< breadcrumbId: ID-everfree-forest-1589807499756-0-1
< User-Agent: curl/7.69.1
< Transfer-Encoding: chunked
< Server: Jetty(9.4.22.v20191022)
<
* Connection #0 to host localhost left intact
"Hello World"

In theory it should be possible to grab (in etc/jetty.xml, using
<Configure> element) an instance of SecurityHandler and simply set there the
"realmName" property to "Karaf", so even with two different beans with
org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
right one. But in Pax Web the security handler is part of every
org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and
only in Pax Web 8 would I be able to fix this in a cleaner way.

So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
etc/jetty.xml

regards
Grzegorz Grzybek

On Mon, May 18, 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:

> Hi,
>
> I already also answered Gerald in another mail.
> I'm not quite sure but what might be an issue, is that the default
> http-context used in his application isn't bound to the underlying security
> realm.
> Therefore it's quite a possibility that there needs to be a configuration
> done in his own application, using his own http-Context.
>
> Can be found here:
>
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
>
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> and here:
>
> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
>
> regards, Achim
>
>
>
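
The lookup Grzegorz describes in the message above, as a small audit script for etc/jetty.xml (an added example, not code from this thread, Jetty or Pax Web). The sample XML is constructed, the second bean name "default" is an assumption, and the realm-name branch follows the "in theory" remark in the message.

```python
"""Audit a Jetty XML config for ambiguous JAASLoginService beans."""
import xml.etree.ElementTree as ET

JAAS_CLASS = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed sample input (not the shipped Karaf file). Bean names are
# assumptions for illustration; loginModuleName "karaf" is from the thread.
HEADER = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
"""
BEAN_TEMPLATE = """  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">{name}</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
"""


def sample_jetty_xml(bean_names):
    """Build a constructed jetty.xml with one login service per name."""
    beans = "".join(BEAN_TEMPLATE.format(name=n) for n in bean_names)
    return HEADER + beans + "</Configure>\n"


AMBIGUOUS_XML = sample_jetty_xml(["karaf", "default"])  # two beans
FIXED_XML = sample_jetty_xml(["karaf"])                 # one bean


def login_services(jetty_xml):
    """Return the JAASLoginService beans registered through addBean calls."""
    root = ET.fromstring(jetty_xml)
    services = []
    for call in root.iter("Call"):
        if call.get("name") != "addBean":
            continue
        for new in call.findall("./Arg/New"):
            if new.get("class") != JAAS_CLASS:
                continue
            props = {s.get("name"): (s.text or "").strip()
                     for s in new.findall("Set")}
            services.append({
                "name": props.get("name"),
                "loginModuleName": props.get("loginModuleName"),
            })
    return services


def resolve_login_service(services, realm_name=None):
    """Simplified model of the lookup described in the thread.

    Without a realm name on the security handler, a service is chosen only
    when exactly one is registered (the quoted `list.size() == 1` branch).
    With a realm name, the service with the matching name is chosen.
    """
    if realm_name is not None:
        for service in services:
            if service["name"] == realm_name:
                return service
        return None
    if len(services) == 1:
        return services[0]
    return None


def audit(jetty_xml, realm_name=None):
    """Summarise which login service, if any, the handler would end up with."""
    services = login_services(jetty_xml)
    chosen = resolve_login_service(services, realm_name)
    return {
        "count": len(services),
        "names": [s["name"] for s in services],
        "resolved": chosen["name"] if chosen else None,
        "ok": chosen is not None,
    }


if __name__ == "__main__":
    for label, xml_text in (("two beans", AMBIGUOUS_XML),
                            ("one bean", FIXED_XML)):
        print(label, audit(xml_text))
```

To check a real installation, pass the contents of etc/jetty.xml to audit(); a result with "ok" set to False is the state in which no login service is selected for the protected context.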

Re: Basic authentication of WAB using Jaas in Karaf

Alex Soto
Thank you, Grzegorz, this is excellent news!
I'm looking forward to this being improved in version 8, as it is very useful, and not only for Keycloak.
In particular, for securing Camel Rest services, and perhaps there are many other use cases as well.

Best regards,
Alex soto




> On May 18, 2020, at 9:24 AM, Grzegorz Grzybek <[hidden email]> wrote:
>
> Hello
>
> I have some answer. First, the "http context processing" feature was mainly
> tested to "inject" Keycloak authenticator and I mostly tested it with
> pax-web-undertow.
>
> But I checked how it works with pax-web-jetty in the debugger.
>
> The key problem is that when Jetty's SecurityHandler is starting, it tries
> to find/discover org.eclipse.jetty.security.LoginService instance.
> With default etc/jetty.xml, there are TWO beans with
> org.eclipse.jetty.jaas.JAASLoginService class and
> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> this:
>
> else if (list.size() == 1)
>    service = list.iterator().next();
>
> So I simply made it work by ensuring there's only one
> org.eclipse.jetty.jaas.JAASLoginService:
>
> list = {java.util.ArrayList@9544}  size = 1
> 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
> "JAASLoginService@7ba67d0b{STARTED}"
>  LOG: org.eclipse.jetty.util.log.Logger  =
> {org.eclipse.jetty.util.log.Slf4jLog@9549}
> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>  DEFAULT_ROLE_CLASS_NAME: java.lang.String  =
> "org.eclipse.jetty.jaas.JAASRole"
>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  =
> {java.lang.String[1]@9551}
>  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
>  _callbackHandlerClass: java.lang.String  = null
>  _realmName: java.lang.String  = "karaf"
>  _loginModuleName: java.lang.String  = "karaf"
>
> Now, with your Camel route, I got:
>
> $ curl -v http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
>> GET /camel/api/say/hello HTTP/1.1
>> Host: localhost:8181
>> User-Agent: curl/7.69.1
>> Accept: */*
>>
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> <
>
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
>> GET /camel/api/say/hello HTTP/1.1
>> Host: localhost:8181
>> Authorization: Basic a2FyYWY6a2FyYWY=
>> User-Agent: curl/7.69.1
>> Accept: */*
>>
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> <
> * Connection #0 to host localhost left intact
> "Hello World"
>
> In theory it should be possible to grab (in etc/jetty.xml, using
> <Configure> element) an instance of SecurityHandler and simply set there the
> "realmName" property to "Karaf", so even with two different beans with
> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> right one. But in Pax Web the security handler is part of every
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and
> only in Pax Web 8 would I be able to fix this in a cleaner way.
>
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
> etc/jetty.xml
>
> regards
> Grzegorz Grzybek
>

Re: Basic authentication of WAB using Jaas in Karaf

Grzegorz Grzybek
Hello

I'm glad you like it.

Unfortunately it's an OSGi-specific solution. But the fact that OSGi allows
that may still mean that flat-classpath approach is not the only one left
out there ;)

regards
Grzegorz Grzybek

On Mon, May 18, 2020 at 17:01, Alex Soto <[hidden email]> wrote:

> Thank you, Grzegorz, this is excellent news!
> I'm looking forward to this being improved in version 8, as it is very
> useful, and not only for Keycloak.
> In particular, for securing Camel Rest services, and perhaps there are
> many other use cases as well.
>
> Best regards,
> Alex soto
>
>
>
>

Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
In reply to this post by Grzegorz Grzybek
Hi Grzegorz,

perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it works!

Thanks a lot for digging into the details! I really appreciate this.

Is there a reason that 2 org.eclipse.jetty.jaas.JAASLoginService definitions exist in the default jetty.xml?

One further question .. would it be possible to extend Jetty to use another port additionally and bind the servlets to this additional port only (it's for security reasons because I don't want to expose the web console externally, only the functional servlets)?

I tried some other approach too, described here https://www.catshout.de/?p=161. This one is tricky as a Jetty security handler can be bound only once to a port.

You mentioned Undertow. It's also contained in Camel. So I wonder what might be finally the best and straightforward approach for the following requirements

1. Define multiple URIs on one single port
2. Secure the communication with TLS
3. Define independently an authentication for each URI on this single port

Jetty?
Servlet inside Jetty?
Undertow?

I'll test now multiple servlets inside Jetty for independent co-existence.

Best
- Gerald

> On May 18, 2020 at 15:24, Grzegorz Grzybek <[hidden email]> wrote:
>
>
> Hello
>
> I have some answer. First, the "http context processing" feature was mainly tested to "inject" Keycloak authenticator and I mostly tested it with pax-web-undertow.
>
> But I checked how it works with pax-web-jetty in the debugger.
>
> The key problem is that when Jetty's SecurityHandler is starting, it tries to find/discover org.eclipse.jetty.security.LoginService instance.
>
> With default etc/jetty.xml, there are TWO beans with org.eclipse.jetty.jaas.JAASLoginService class and org.eclipse.jetty.security.SecurityHandler#findLoginService() method does this:
>
> else if (list.size() == 1)
>  service = list.iterator().next();
>
> So I simply made it work by ensuring there's only one org.eclipse.jetty.jaas.JAASLoginService:
>
> list = {java.util.ArrayList@9544} size = 1
>  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
>  LOG: org.eclipse.jetty.util.log.Logger = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>  DEFAULT_ROLE_CLASS_NAME: java.lang.String = "org.eclipse.jetty.jaas.JAASRole"
>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] = {java.lang.String[1]@9551}
>  _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552}
>  _callbackHandlerClass: java.lang.String = null
>  _realmName: java.lang.String = "karaf"
>  _loginModuleName: java.lang.String = "karaf"
>
> Now, with your Camel route, I got:
>
> $ curl -v http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> <
>
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > Authorization: Basic a2FyYWY6a2FyYWY=
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> <
> * Connection #0 to host localhost left intact
> "Hello World"
>
> In theory it should be possible to grab (in etc/jetty.xml, using <Configure> element) an instance of SecurityHandler and simply set there the "realmName" property to "Karaf", so even with two different beans with org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the right one. But in Pax Web the security handler is part of every org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and only in Pax Web 8 would I be able to fix this in a cleaner way.
>
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your etc/jetty.xml
>
> regards
> Grzegorz Grzybek
>
>

Fwd: Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
And .. is there a way in the servlet approach with Jetty to have multiple properties files for users and roles (eg 1 per servlet)?

---------- Original Message ----------
From: Gerald Kallas <[hidden email]>
To: Grzegorz Grzybek <[hidden email]>, [hidden email]
Date: May 18, 2020 23:39
Subject: Re: Basic authentication of WAB using Jaas in Karaf

 
Hi Grzegorz,

perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it works!

Thanks a lot for digging into the details! I really appreciate this.

Is there a reason that 2 org.eclipse.jetty.jaas.JAASLoginService definitions exist in the default jetty.xml?

One further question .. would it be possible to extend Jetty to use another port additionally and bind the servlets to this additional port only (it's for security reasons because I don't want to expose the web console externally, only the functional servlets)?

I tried some other approach too, described here https://www.catshout.de/?p=161. This one is tricky as a Jetty security handler can be bound only once to a port.

You mentioned Undertow. It's also contained in Camel. So I wonder what might be finally the best and straightforward approach for the following requirements

1. Define multiple URIs on one single port
2. Secure the communication with TLS
3. Define independently an authentication for each URI on this single port

Jetty?
Servlet inside Jetty?
Undertow?

I'll test now multiple servlets inside Jetty for independent co-existence.

Best
- Gerald

> Grzegorz Grzybek <[hidden email]> hat am 18. Mai 2020 15:24 geschrieben:
>
>
> Hello
>
> I have some answer. First, the "http context processing" feature was mainly tested to "inject" Keycloak authenticator and I mostly tested it with pax-web-undertow.
>
> But I checked how it works with pax-web-jetty in the debugger.
>
> The key problem is that when Jetty's SecurityHandler is starting, it tries to find/discover org.eclipse.jetty.security.LoginService instance.
>
> With default etc/jetty.xml, there are TWO beans with org.eclipse.jetty.jaas.JAASLoginService class and org.eclipse.jetty.security.SecurityHandler#findLoginService() method does this:
>
> else if (list.size() == 1)
>  service = list.iterator().next();
>
> So I simply made it working by ensuring there's only one org.eclipse.jetty.jaas.JAASLoginService:
>
> list = {java.util.ArrayList@9544} size = 1
>  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
>  LOG: org.eclipse.jetty.util.log.Logger = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>  DEFAULT_ROLE_CLASS_NAME: java.lang.String = "org.eclipse.jetty.jaas.JAASRole"
>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] = {java.lang.String[1]@9551}
>  _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552}
>  _callbackHandlerClass: java.lang.String = null
>  _realmName: java.lang.String = "karaf"
>  _loginModuleName: java.lang.String = "karaf"
>
> Now, with your Camel route, I got:
>
> $ curl -v http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> <
>
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> * Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > Authorization: Basic a2FyYWY6a2FyYWY=
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> <
> * Connection #0 to host localhost left intact
> "Hello World"
>
> In theory it should be possible to grab (in etc/jetty.xml, using <Configure> element) instance of SecurityHandler and simply set there the "realmName" property to "Karaf", so even with two different beans with org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the right one. But in Pax Web security handler is part of every org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and only in Pax Web 8 I'd be able to fix this in more clean way.
>
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your etc/jetty.xml
>
> regards
> Grzegorz Grzybek
>
>
> pon., 18 maj 2020 o 10:25 Achim Nierbeck <[hidden email]> napisał(a):
> > Hi,
> >
> > I already also answered Gerald in another mail.
> > I'm not quite sure but what might be an issue, is that the default
> > http-context used in his application isn't bound to the underlying security
> > realm.
> > Therefore it's quite a possibility that there needs to be a configuration
> > done in his own application, using his own http-Context.
> >
> > Can be found here:
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> > and here:
> > https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> >
> > regards, Achim
> >
> >
> > Am Fr., 15. Mai 2020 um 21:06 Uhr schrieb Alex Soto <[hidden email]>:
> >
> > > I’m sorry, I don’t know why it's not working; it looks correct to me.
> > > Maybe somebody from the Pax-Web team can help you.
> > > The only suspicious thing is the warning:
> > >
> > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> > > Which suggest something is misconfigured.
> > >
> > > Best regards,
> > > Alex soto
> > >
> > >
> > >
> > >
> > > > On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
> > > >
> > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> >
> > --
> >
> > Apache Member
> > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> > Project Lead
> > blog <http://notizblog.nierbeck.de/>
> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>

Re: Basic authentication of WAB using Jaas in Karaf

jbonofre
In reply to this post by Gerald Kallas - mailbox.org
Hi,

Sorry I was busy with Karaf 4.2.9 preparation and ActiveMQ releases.

About several ports, yes, it’s possible:

http://blog.nanthrax.net/?p=352

Then you have to assign servlet to port using VirtualHosts (no other way for now). I already created a couple of Jira issues to deal with that easily:

https://issues.apache.org/jira/browse/KARAF-6632

I will focus on web improvements for 4.2.10 and 4.3.0.RC2.

Regards
JB

> On 18 May 2020 at 23:39, Gerald Kallas <[hidden email]> wrote:
>
> Hi Grzegorz,
>
> perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it works!
>
> Thanks a lot for digging into the details! I really appreciate this.
>
> Is there a reason that in the default jetty.xml exist 2 org.eclipse.jetty.jaas.JAASLoginService definitions?
>
> One further question .. would it be possible to extend Jetty to use another port additionally and bind the servlets to this additional port only (it's for security reasons because I don't want to expose the web console externally, only the functional servlets).
>
> I tried some other approach too, described here https://www.catshout.de/?p=161. This one is tricky as a Jetty security handler can be bound only once to a port.
>
> You mentioned Undertow. It's also contained in Camel. So I wonder what might be finally the best and straightforward approach for the following requirements
>
> 1. Define multiple URIs on one single port
> 2. Secure the communication with TLS
> 3. Define independently an authentication for each URI on this single port
>
> Jetty?
> Servlet inside Jetty?
> Undertow?
>
> I'll test now multiple servlets inside Jetty for independent co-existence.
>
> Best
> - Gerald
>
>> On 18 May 2020 at 15:24, Grzegorz Grzybek <[hidden email]> wrote:
>>
>>
>> Hello
>>
>> I have some answer. First, the "http context processing" feature was mainly tested to "inject" Keycloak authenticator and I mostly tested it with pax-web-undertow.
>>
>> But I checked how it works with pax-web-jetty in the debugger.
>>
>> The key problem is that when Jetty's SecurityHandler is starting, it tries to find/discover org.eclipse.jetty.security.LoginService instance.
>>
>> With default etc/jetty.xml, there are TWO beans with org.eclipse.jetty.jaas.JAASLoginService class and org.eclipse.jetty.security.SecurityHandler#findLoginService() method does this:
>>
>> else if (list.size() == 1)
>> service = list.iterator().next();
>>
>> So I simply made it working by ensuring there's only one org.eclipse.jetty.jaas.JAASLoginService:
>>
>> list = {java.util.ArrayList@9544} size = 1
>>  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
>> LOG: org.eclipse.jetty.util.log.Logger = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>> DEFAULT_ROLE_CLASS_NAME: java.lang.String = "org.eclipse.jetty.jaas.JAASRole"
>> DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] = {java.lang.String[1]@9551}
>> _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552}
>> _callbackHandlerClass: java.lang.String = null
>> _realmName: java.lang.String = "karaf"
>> _loginModuleName: java.lang.String = "karaf"
>>
>> Now, with your Camel route, I got:
>>
>> $ curl -v http://localhost:8181/camel/api/say/hello
>> * Trying ::1:8181...
>> * Connected to localhost (::1) port 8181 (#0)
>>> GET /camel/api/say/hello HTTP/1.1
>>> Host: localhost:8181
>>> User-Agent: curl/7.69.1
>>> Accept: */*
>>>
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 404 Not Found
>> < Cache-Control: must-revalidate,no-cache,no-store
>> < Content-Type: text/html;charset=iso-8859-1
>> < Content-Length: 456
>> < Server: Jetty(9.4.22.v20191022)
>> <
>>
>> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
>> * Trying ::1:8181...
>> * Connected to localhost (::1) port 8181 (#0)
>> * Server auth using Basic with user 'karaf'
>>> GET /camel/api/say/hello HTTP/1.1
>>> Host: localhost:8181
>>> Authorization: Basic a2FyYWY6a2FyYWY=
>>> User-Agent: curl/7.69.1
>>> Accept: */*
>>>
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 200 OK
>> < Content-Type: application/json
>> < Accept: */*
>> < Authorization: Basic a2FyYWY6a2FyYWY=
>> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
>> < User-Agent: curl/7.69.1
>> < Transfer-Encoding: chunked
>> < Server: Jetty(9.4.22.v20191022)
>> <
>> * Connection #0 to host localhost left intact
>> "Hello World"
>>
>> In theory it should be possible to grab (in etc/jetty.xml, using <Configure> element) instance of SecurityHandler and simply set there the "realmName" property to "Karaf", so even with two different beans with org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the right one. But in Pax Web security handler is part of every org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and only in Pax Web 8 I'd be able to fix this in more clean way.
>>
>> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your etc/jetty.xml
>>
>> regards
>> Grzegorz Grzybek
>>
>>
>> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:
>>> Hi,
>>>
>>> I already also answered Gerald in another mail.
>>> I'm not quite sure but what might be an issue, is that the default
>>> http-context used in his application isn't bound to the underlying security
>>> realm.
>>> Therefore it's quite a possibility that there needs to be a configuration
>>> done in his own application, using his own http-Context.
>>>
>>> Can be found here:
>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
>>> and here:
>>> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
>>>
>>> regards, Achim
>>>
>>>
>>> On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
>>>
>>>> I’m sorry, I don’t know why it's not working; it looks correct to me.
>>>> Maybe somebody from the Pax-Web team can help you.
>>>> The only suspicious thing is the warning:
>>>>
>>>> 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
>>>> | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
>>>> authenticator for: {RoleInfo,C[admin],None}
>>>>
>>>>
>>>> Which suggests something is misconfigured.
>>>>
>>>> Best regards,
>>>> Alex soto
>>>>
>>>>
>>>>
>>>>
>>>>> On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
>>>>>
>>>>> 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
>>>> | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
>>>> authenticator for: {RoleInfo,C[admin],None}
>>>>
>>>>
>>>
>>> --
>>>
>>> Apache Member
>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
>>> Project Lead
>>> blog <http://notizblog.nierbeck.de/>
>>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
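
The LoginService lookup Grzegorz describes in the message quoted above can be checked against a jetty.xml before restarting Karaf. This is an added example, not code from the thread, Jetty or Pax Web: the sample XML is constructed, the second bean name `default` and all function names are assumptions, and the realm-name branch models the "in theory" remark about setting `realmName`.

```python
"""Added example: audit a jetty.xml for ambiguous JAASLoginService beans."""
import xml.etree.ElementTree as ET

JAAS_LOGIN_SERVICE = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed sample, shaped like an etc/jetty.xml that registers two
# JAASLoginService beans. The second bean's name ("default") is an assumption.
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">karaf</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">default</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""


def login_services(jetty_xml):
    """Return one dict per JAASLoginService bean declared in the XML."""
    root = ET.fromstring(jetty_xml)
    found = []
    for new in root.iter("New"):
        if new.get("class") != JAAS_LOGIN_SERVICE:
            continue
        # Direct <Set name="..."> children carry the bean properties.
        props = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
        found.append({"name": props.get("name"),
                      "loginModuleName": props.get("loginModuleName")})
    return found


def find_login_service(services, realm_name=None):
    """Model of the lookup quoted in the thread.

    Without a realm name on the handler, a service is chosen only when
    exactly one is registered. With a realm name, the service whose name
    matches exactly (case-sensitive) is chosen; this branch is assumed
    from the realmName remark in the thread.
    """
    if realm_name is not None:
        for svc in services:
            if svc["name"] == realm_name:
                return svc
        return None
    if len(services) == 1:
        return services[0]
    return None


def audit(jetty_xml, realm_name=None):
    """Return (chosen_service_or_None, list_of_findings)."""
    services = login_services(jetty_xml)
    chosen = find_login_service(services, realm_name)
    findings = []
    if not services:
        findings.append("no JAASLoginService bean declared")
    elif chosen is None and realm_name is None:
        names = ", ".join(str(s["name"]) for s in services)
        findings.append(
            f"{len(services)} JAASLoginService beans ({names}) and no realm "
            "name on the handler: none is selected"
        )
    elif chosen is None:
        findings.append(f"no JAASLoginService named {realm_name!r}")
    return chosen, findings


if __name__ == "__main__":
    for realm in (None, "karaf"):
        chosen, findings = audit(SAMPLE_JETTY_XML, realm)
        print(f"handler realm={realm!r}: chosen={chosen}, findings={findings}")
```

An unselected login service is the state in which the secured context has no working authenticator, so a non-empty findings list is worth treating as a failed deployment check.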


Re: Basic authentication of WAB using Jaas in Karaf

Gerald Kallas - mailbox.org
Thanks, that helps also a lot.

So, what's with the other question, is it possible to define roles, users and passwords in multiple files and assign to a HTTP context?

Best
- Gerald

> On 19 May 2020 at 07:02, Jean-Baptiste Onofre <[hidden email]> wrote:
>
>
> Hi,
>
> Sorry I was busy with Karaf 4.2.9 preparation and ActiveMQ releases.
>
> About several ports, yes, it’s possible:
>
> http://blog.nanthrax.net/?p=352
>
> Then you have to assign servlet to port using VirtualHosts (no other way for now). I already created a couple of Jira issues to deal with that easily:
>
> https://issues.apache.org/jira/browse/KARAF-6632
>
> I will focus on web improvements for 4.2.10 and 4.3.0.RC2.
>
> Regards
> JB
>
>
>
> > On 18 May 2020 at 23:39, Gerald Kallas <[hidden email]> wrote:
> > Hi Grzegorz,
> >
> > perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it works!
> >
> > Thanks a lot for digging into the details! I really appreciate this.
> >
> > Is there a reason that in the default jetty.xml exist 2 org.eclipse.jetty.jaas.JAASLoginService definitions?
> >
> > One further question .. would it be possible to extend Jetty to use another port additionally and bind the servlets to this additional port only (it's for security reasons because I don't want to expose the web console externally, only the functional servlets).
> >
> > I tried some other approach too, described here https://www.catshout.de/?p=161. This one is tricky as a Jetty security handler can be bound only once to a port.
> >
> > You mentioned Undertow. It's also contained in Camel. So I wonder what might be finally the best and straightforward approach for the following requirements
> >
> > 1. Define multiple URIs on one single port
> > 2. Secure the communication with TLS
> > 3. Define independently an authentication for each URI on this single port
> >
> > Jetty?
> > Servlet inside Jetty?
> > Undertow?
> >
> > I'll test now multiple servlets inside Jetty for independent co-existence.
> >
> > Best
> > - Gerald
> >
> >
> > > On 18 May 2020 at 15:24, Grzegorz Grzybek <[hidden email]> wrote:
> > >
> > >
> > > Hello
> > >
> > > I have some answer. First, the "http context processing" feature was mainly tested to "inject" Keycloak authenticator and I mostly tested it with pax-web-undertow.
> > >
> > > But I checked how it works with pax-web-jetty in the debugger.
> > >
> > > The key problem is that when Jetty's SecurityHandler is starting, it tries to find/discover org.eclipse.jetty.security.LoginService instance.
> > >
> > > With default etc/jetty.xml, there are TWO beans with org.eclipse.jetty.jaas.JAASLoginService class and org.eclipse.jetty.security.SecurityHandler#findLoginService() method does this:
> > >
> > > else if (list.size() == 1)
> > > service = list.iterator().next();
> > >
> > > So I simply made it working by ensuring there's only one org.eclipse.jetty.jaas.JAASLoginService:
> > >
> > > list = {java.util.ArrayList@9544} size = 1
> > >  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
> > > LOG: org.eclipse.jetty.util.log.Logger = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
> > > DEFAULT_ROLE_CLASS_NAME: java.lang.String = "org.eclipse.jetty.jaas.JAASRole"
> > > DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] = {java.lang.String[1]@9551}
> > > _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552}
> > > _callbackHandlerClass: java.lang.String = null
> > > _realmName: java.lang.String = "karaf"
> > > _loginModuleName: java.lang.String = "karaf"
> > >
> > > Now, with your Camel route, I got:
> > >
> > > $ curl -v http://localhost:8181/camel/api/say/hello
> > > * Trying ::1:8181...
> > > * Connected to localhost (::1) port 8181 (#0)
> > >
> > > > GET /camel/api/say/hello HTTP/1.1
> > > > Host: localhost:8181
> > > > User-Agent: curl/7.69.1
> > > > Accept: */*
> > > >
> > > * Mark bundle as not supporting multiuse
> > > < HTTP/1.1 404 Not Found
> > > < Cache-Control: must-revalidate,no-cache,no-store
> > > < Content-Type: text/html;charset=iso-8859-1
> > > < Content-Length: 456
> > > < Server: Jetty(9.4.22.v20191022)
> > > <
> > >
> > > $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> > > * Trying ::1:8181...
> > > * Connected to localhost (::1) port 8181 (#0)
> > > * Server auth using Basic with user 'karaf'
> > >
> > > > GET /camel/api/say/hello HTTP/1.1
> > > > Host: localhost:8181
> > > > Authorization: Basic a2FyYWY6a2FyYWY=
> > > > User-Agent: curl/7.69.1
> > > > Accept: */*
> > > >
> > > * Mark bundle as not supporting multiuse
> > > < HTTP/1.1 200 OK
> > > < Content-Type: application/json
> > > < Accept: */*
> > > < Authorization: Basic a2FyYWY6a2FyYWY=
> > > < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> > > < User-Agent: curl/7.69.1
> > > < Transfer-Encoding: chunked
> > > < Server: Jetty(9.4.22.v20191022)
> > > <
> > > * Connection #0 to host localhost left intact
> > > "Hello World"
> > >
> > > In theory it should be possible to grab (in etc/jetty.xml, using <Configure> element) instance of SecurityHandler and simply set there the "realmName" property to "Karaf", so even with two different beans with org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the right one. But in Pax Web security handler is part of every org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and only in Pax Web 8 I'd be able to fix this in more clean way.
> > >
> > > So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your etc/jetty.xml
> > >
> > > regards
> > > Grzegorz Grzybek
> > >
> > >
> > > On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:
> > >
> > > > Hi,
> > > >
> > > > I already also answered Gerald in another mail.
> > > > I'm not quite sure but what might be an issue, is that the default
> > > > http-context used in his application isn't bound to the underlying security
> > > > realm.
> > > > Therefore it's quite a possibility that there needs to be a configuration
> > > > done in his own application, using his own http-Context.
> > > >
> > > > Can be found here:
> > > > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> > > > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> > > > and here:
> > > > https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> > > >
> > > > regards, Achim
> > > >
> > > >
> > > > On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
> > > >
> > > >
> > > > > I’m sorry, I don’t know why it's not working; it looks correct to me.
> > > > > Maybe somebody from the Pax-Web team can help you.
> > > > > The only suspicious thing is the warning:
> > > > >
> > > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > > > authenticator for: {RoleInfo,C[admin],None}
> > > > >
> > > > >
> > > > > Which suggests something is misconfigured.
> > > > >
> > > > > Best regards,
> > > > > Alex soto
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > > On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
> > > > > >
> > > > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 | SecurityHandler
> > > > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > > > authenticator for: {RoleInfo,C[admin],None}
> > > > >
> > > > >
> > > >
> > > > --
> > > >
> > > > Apache Member
> > > > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > > > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> > > > Project Lead
> > > > blog <http://notizblog.nierbeck.de/>
> > > > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>

Re: Basic authentication of WAB using Jaas in Karaf

Grzegorz Grzybek
Hello

On Tue, 19 May 2020 at 16:25, Gerald Kallas <[hidden email]> wrote:

> Thanks, that helps also a lot.
>
> So, what's with the other question, is it possible to define roles, users
> and passwords in multiple files and assign to a HTTP context?
>

I think it's not the role of this "http context processing" to act as
credential repository. The "connection" is via JAAS realm and you can also
point the context to e.g., LDAP realm and have roles/users defined there.

regards
Grzegorz Grzybek


>
> Best
> - Gerald
>
> > On 19 May 2020 at 07:02, Jean-Baptiste Onofre <[hidden email]> wrote:
> >
> >
> > Hi,
> >
> > Sorry I was busy with Karaf 4.2.9 preparation and ActiveMQ releases.
> >
> > About several ports, yes, it’s possible:
> >
> > http://blog.nanthrax.net/?p=352
> >
> > Then you have to assign servlet to port using VirtualHosts (no other way
> for now). I already created a couple of Jira issues to deal with that easily:
> >
> > https://issues.apache.org/jira/browse/KARAF-6632
> >
> > I will focus on web improvements for 4.2.10 and 4.3.0.RC2.
> >
> > Regards
> > JB
> >
> >
> >
> > > On 18 May 2020 at 23:39, Gerald Kallas <[hidden email]> wrote:
> > > Hi Grzegorz,
> > >
> > > perfect, removing one org.eclipse.jetty.jaas.JAASLoginService and it
> works!
> > >
> > > Thanks a lot for digging into the details! I really appreciate this.
> > >
> > > Is there a reason that in the default jetty.xml exist 2
> org.eclipse.jetty.jaas.JAASLoginService definitions?
> > >
> > > One further question .. would it be possible to extend Jetty to use
> another port additionally and bind the servlets to this additional port only
> (it's for security reasons because I don't want to expose the web console
> externally, only the functional servlets).
> > >
> > > I tried some other approach too, described here
> https://www.catshout.de/?p=161. This one is tricky as a Jetty security
> handler can be bound only once to a port.
> > >
> > > You mentioned Undertow. It's also contained in Camel. So I wonder what
> might be finally the best and straightforward approach for the following
> requirements
> > >
> > > 1. Define multiple URIs on one single port
> > > 2. Secure the communication with TLS
> > > 3. Define independently an authentication for each URI on this single
> port
> > >
> > > Jetty?
> > > Servlet inside Jetty?
> > > Undertow?
> > >
> > > I'll test now multiple servlets inside Jetty for independent
> co-existence.
> > >
> > > Best
> > > - Gerald
> > >
> > >
> > > > On 18 May 2020 at 15:24, Grzegorz Grzybek <[hidden email]> wrote:
> > > >
> > > >
> > > > Hello
> > > >
> > > > I have some answer. First, the "http context processing" feature was
> mainly tested to "inject" Keycloak authenticator and I mostly tested it
> with pax-web-undertow.
> > > >
> > > > But I checked how it works with pax-web-jetty in the debugger.
> > > >
> > > > The key problem is that when Jetty's SecurityHandler is starting, it
> tries to find/discover org.eclipse.jetty.security.LoginService instance.
> > > >
> > > > With default etc/jetty.xml, there are TWO beans with
> org.eclipse.jetty.jaas.JAASLoginService class and
> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> this:
> > > >
> > > > else if (list.size() == 1)
> > > > service = list.iterator().next();
> > > >
> > > > So I simply made it working by ensuring there's only one
> org.eclipse.jetty.jaas.JAASLoginService:
> > > >
> > > > list = {java.util.ArrayList@9544} size = 1
> > > >  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
> "JAASLoginService@7ba67d0b{STARTED}"
> > > > LOG: org.eclipse.jetty.util.log.Logger =
> {org.eclipse.jetty.util.log.Slf4jLog@9549}
> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
> > > > DEFAULT_ROLE_CLASS_NAME: java.lang.String =
> "org.eclipse.jetty.jaas.JAASRole"
> > > > DEFAULT_ROLE_CLASS_NAMES: java.lang.String[] =
> {java.lang.String[1]@9551}
> > > > _roleClassNames: java.lang.String[] = {java.lang.String[2]@9552}
> > > > _callbackHandlerClass: java.lang.String = null
> > > > _realmName: java.lang.String = "karaf"
> > > > _loginModuleName: java.lang.String = "karaf"
> > > >
> > > > Now, with your Camel route, I got:
> > > >
> > > > $ curl -v http://localhost:8181/camel/api/say/hello
> > > > * Trying ::1:8181...
> > > > * Connected to localhost (::1) port 8181 (#0)
> > > >
> > > > > GET /camel/api/say/hello HTTP/1.1
> > > > > Host: localhost:8181
> > > > > User-Agent: curl/7.69.1
> > > > > Accept: */*
> > > > >
> > > > * Mark bundle as not supporting multiuse
> > > > < HTTP/1.1 404 Not Found
> > > > < Cache-Control: must-revalidate,no-cache,no-store
> > > > < Content-Type: text/html;charset=iso-8859-1
> > > > < Content-Length: 456
> > > > < Server: Jetty(9.4.22.v20191022)
> > > > <
> > > >
> > > > $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> > > > * Trying ::1:8181...
> > > > * Connected to localhost (::1) port 8181 (#0)
> > > > * Server auth using Basic with user 'karaf'
> > > >
> > > > > GET /camel/api/say/hello HTTP/1.1
> > > > > Host: localhost:8181
> > > > > Authorization: Basic a2FyYWY6a2FyYWY=
> > > > > User-Agent: curl/7.69.1
> > > > > Accept: */*
> > > > >
> > > > * Mark bundle as not supporting multiuse
> > > > < HTTP/1.1 200 OK
> > > > < Content-Type: application/json
> > > > < Accept: */*
> > > > < Authorization: Basic a2FyYWY6a2FyYWY=
> > > > < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> > > > < User-Agent: curl/7.69.1
> > > > < Transfer-Encoding: chunked
> > > > < Server: Jetty(9.4.22.v20191022)
> > > > <
> > > > * Connection #0 to host localhost left intact
> > > > "Hello World"
> > > >
> > > > In theory it should be possible to grab (in etc/jetty.xml, using
> <Configure> element) instance of SecurityHandler and simply set there the
> "realmName" property to "Karaf", so even with two different beans with
> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> right one. But in Pax Web security handler is part of every
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and
> only in Pax Web 8 I'd be able to fix this in more clean way.
> > > >
> > > > So, please use only one org.eclipse.jetty.jaas.JAASLoginService in
> your etc/jetty.xml
> > > >
> > > > regards
> > > > Grzegorz Grzybek
> > > >
> > > >
> > > > On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I already also answered Gerald in another mail.
> > > > > I'm not quite sure but what might be an issue, is that the default
> > > > > http-context used in his application isn't bound to the underlying
> security
> > > > > realm.
> > > > > Therefore it's quite a possibility that there needs to be a
> configuration
> > > > > done in his own application, using his own http-Context.
> > > > >
> > > > > Can be found here:
> > > > >
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> > > > >
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> > > > > and here:
> > > > >
> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> > > > >
> > > > > regards, Achim
> > > > >
> > > > >
> > > > > On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
> > > > >
> > > > >
> > > > > > I’m sorry, I don’t know why it's not working; it looks correct
> to me.
> > > > > > Maybe somebody from the Pax-Web team can help you.
> > > > > > The only suspicious thing is the warning:
> > > > > >
> > > > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 |
> SecurityHandler
> > > > > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > > > > authenticator for: {RoleInfo,C[admin],None}
> > > > > >
> > > > > >
> > > > > > Which suggests something is misconfigured.
> > > > > >
> > > > > > Best regards,
> > > > > > Alex soto
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > > On May 15, 2020, at 2:23 PM, Gerald Kallas <
> [hidden email]> wrote:
> > > > > > >
> > > > > > > 2020-05-15T18:20:50,256 | WARN | qtp1611313605-201 |
> SecurityHandler
> > > > > > | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> > > > > > authenticator for: {RoleInfo,C[admin],None}
> > > > > >
> > > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Apache Member
> > > > > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > > > > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/>
> Committer &
> > > > > Project Lead
> > > > > blog <http://notizblog.nierbeck.de/>
> > > > > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
> >
>

Re: Basic authentication of WAB using Jaas in Karaf - the trick doesn't work any longer w/ Karaf 4.2.9 and Camel 3.4.0

Gerald Kallas - mailbox.org
In reply to this post by Grzegorz Grzybek
Hi all,

I was updating the runtime to Karaf 4.2.9 and Camel 3.4.0.

After removing one of the org.eclipse.jetty.jaas.JAASLoginService entries in my etc/jetty.xml I'm getting an error as attached below.

Neither hawtio nor my servlet are working any longer. Seems that now both entries of org.eclipse.jetty.jaas.JAASLoginService are mandatory.

With both entries, as you found Grzegorz, the authentication doesn't work.

Should I create a JIRA ticket and if yes, within Karaf? Or maybe you have another workaround for that behaviour?

Best
- Gerald


2020-06-28T16:06:47,673 | ERROR | FelixStartLevel  | HttpServiceStarted               | 266 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Could not start the servlet context for context path []
java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:77) ~[?:?]
        at org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory.getAuthenticator(JaspiAuthenticatorFactory.java:90) ~[?:?]
        at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:394) ~[?:?]
        at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
        at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
        at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:898) ~[?:?]
        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:356) ~[?:?]
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:838) ~[?:?]
        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) ~[?:?]
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
        at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:255) [!/:?]
        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:226) [!/:?]
        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:210) [!/:?]
        at org.ops4j.pax.web.service.internal.HttpServiceProxy.registerServlet(HttpServiceProxy.java:69) [!/:?]
        at Proxy92a1a95e_1f66_41cb_8fcd_ed63d983d611.registerServlet(Unknown Source) [?:?]
        at org.apache.camel.component.osgi.OsgiServletRegisterer.register(OsgiServletRegisterer.java:98) [!/:3.4.0]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:337) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BeanRecipe.invoke(BeanRecipe.java:835) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BeanRecipe.runBeanProcInit(BeanRecipe.java:591) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:703) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:666) [!/:1.10.2]
        at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:81) [!/:1.10.2]
        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
        at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:90) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:360) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:190) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:737) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:433) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:298) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:311) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:280) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:276) [!/:1.10.2]
        at org.apache.aries.blueprint.container.BlueprintExtender.modifiedBundle(BlueprintExtender.java:266) [!/:1.10.2]
        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:500) [!/:1.10.2]
        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:433) [!/:1.10.2]
        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$AbstractTracked.track(BundleHookBundleTracker.java:725) [!/:1.10.2]
        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.bundleChanged(BundleHookBundleTracker.java:463) [!/:1.10.2]
        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$BundleEventHook.event(BundleHookBundleTracker.java:422) [!/:1.10.2]
        at org.apache.felix.framework.util.SecureAction.invokeBundleEventHook(SecureAction.java:1179) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.EventDispatcher.createWhitelistFromHooks(EventDispatcher.java:730) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:485) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4579) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.Felix.startBundle(Felix.java:2174) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373) [org.apache.felix.framework-5.6.12.jar:?]
        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [org.apache.felix.framework-5.6.12.jar:?]
        at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639) ~[?:?]
        at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) ~[?:?]
        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053) ~[?:?]
        at java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[?:?]
        at java.lang.Class.forName0(Native Method) ~[?:?]
        at java.lang.Class.forName(Class.java:398) ~[?:?]
        at org.apache.geronimo.osgi.locator.ProviderLocator.loadClass(ProviderLocator.java:195) ~[?:?]
        at javax.security.auth.message.config.AuthConfigFactory$3.run(AuthConfigFactory.java:68) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:64) ~[?:?]
        ... 62 more

> Grzegorz Grzybek <[hidden email]> wrote on 18.05.2020 15:24:
>
>  
> Hello
>
> I have some answer. First, the "http context processing" feature was mainly
> tested to "inject" Keycloak authenticator and I mostly tested it with
> pax-web-undertow.
>
> But I checked how it works with pax-web-jetty in the debugger.
>
> The key problem is that when Jetty's SecurityHandler is starting, it tries
> to find/discover org.eclipse.jetty.security.LoginService instance.
> With default etc/jetty.xml, there are TWO beans with
> org.eclipse.jetty.jaas.JAASLoginService class and
> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> this:
>
> else if (list.size() == 1)
>     service = list.iterator().next();
>
> So I simply made it work by ensuring there's only one
> org.eclipse.jetty.jaas.JAASLoginService:
>
> list = {java.util.ArrayList@9544}  size = 1
>  0 = {org.eclipse.jetty.jaas.JAASLoginService@9547} "JAASLoginService@7ba67d0b{STARTED}"
>   LOG: org.eclipse.jetty.util.log.Logger  = {org.eclipse.jetty.util.log.Slf4jLog@9549} "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>   DEFAULT_ROLE_CLASS_NAME: java.lang.String  = "org.eclipse.jetty.jaas.JAASRole"
>   DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  = {java.lang.String[1]@9551}
>   _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
>   _callbackHandlerClass: java.lang.String  = null
>   _realmName: java.lang.String  = "karaf"
>   _loginModuleName: java.lang.String  = "karaf"
>
> Now, with your Camel route, I got:
>
> $ curl -v http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 404 Not Found
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=iso-8859-1
> < Content-Length: 456
> < Server: Jetty(9.4.22.v20191022)
> <
>
> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> *   Trying ::1:8181...
> * Connected to localhost (::1) port 8181 (#0)
> * Server auth using Basic with user 'karaf'
> > GET /camel/api/say/hello HTTP/1.1
> > Host: localhost:8181
> > Authorization: Basic a2FyYWY6a2FyYWY=
> > User-Agent: curl/7.69.1
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 200 OK
> < Content-Type: application/json
> < Accept: */*
> < Authorization: Basic a2FyYWY6a2FyYWY=
> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> < User-Agent: curl/7.69.1
> < Transfer-Encoding: chunked
> < Server: Jetty(9.4.22.v20191022)
> <
> * Connection #0 to host localhost left intact
> "Hello World"
>
> In theory it should be possible to grab (in etc/jetty.xml, using
> <Configure> element) instance of SecurityHandler and simply set there the
> "realmName" property to "Karaf", so even with two different beans with
> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> right one. But in Pax Web the security handler is part of every
> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and
> only in Pax Web 8 I'd be able to fix this in a cleaner way.
>
> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
> etc/jetty.xml
>
> regards
> Grzegorz Grzybek
>
> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:
>
> > Hi,
> >
> > I already also answered Gerald in another mail.
> > I'm not quite sure, but what might be an issue is that the default
> > http-context used in his application isn't bound to the underlying security
> > realm.
> > Therefore it's quite a possibility that there needs to be a configuration
> > done in his own application, using his own http-Context.
> >
> > Can be found here:
> >
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> >
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> > and here:
> >
> > https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> >
> > regards, Achim
> >
> >
> > On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
> >
> > > I’m sorry, I don’t know why it's not working; it looks correct to me.
> > > Maybe somebody from the Pax-Web team can help you.
> > > The only suspicious thing is the warning:
> > >
> > > 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> > > Which suggests something is misconfigured.
> > >
> > > Best regards,
> > > Alex Soto
> > >
> > >
> > >
> > >
> > > > On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
> > > >
> > > > 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler                  | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No authenticator for: {RoleInfo,C[admin],None}
> > >
> > >
> >
> > --
> >
> > Apache Member
> > Apache Karaf <http://karaf.apache.org/> Committer & PMC
> > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> > Project Lead
> > blog <http://notizblog.nierbeck.de/>
> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
> >
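
The selection rule Grzegorz describes above, as an added example that is not part of the original thread: a Python check that counts the JAASLoginService declarations in an etc/jetty.xml and reports whether Jetty would select one. The sample XML, its bean names and all function names are constructed for illustration; the realm-name branch follows his description of setting realmName, and the check assumes every JAASLoginService declared in the file ends up as a server bean.

```python
"""Audit a Karaf etc/jetty.xml for ambiguous JAASLoginService beans.

Models the rule quoted in the thread from Jetty's
SecurityHandler#findLoginService(): with no realm name set on the handler,
a LoginService is chosen only when exactly one such bean is registered.
"""
import xml.etree.ElementTree as ET

JAAS_CLASS = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed sample shaped like a jetty.xml that declares two JAAS login
# services. The bean names are assumptions, not values taken from the thread.
SAMPLE_TWO_BEANS = """
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
  "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">karaf</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">default</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""


def login_services(xml_text):
    """Return one dict per JAASLoginService declared in the Jetty XML."""
    root = ET.fromstring(xml_text.strip())
    found = []
    for bean in root.iter("New"):
        if bean.get("class") != JAAS_CLASS:
            continue
        # Direct <Set name="..."> children carry the bean's properties.
        props = {s.get("name"): (s.text or "").strip() for s in bean.findall("Set")}
        found.append({
            "name": props.get("name"),
            "loginModuleName": props.get("loginModuleName"),
        })
    return found


def resolve_login_service(services, realm_name=None):
    """Pick a login service the way the thread describes, or None."""
    if realm_name is not None:
        # Handler has a realm name: select the bean with the same name.
        for svc in services:
            if svc["name"] == realm_name:
                return svc
        return None
    # No realm name: only an unambiguous single bean is selected.
    if len(services) == 1:
        return services[0]
    return None


def audit(xml_text, realm_name=None):
    """Return a one-line finding for the given jetty.xml content."""
    services = login_services(xml_text)
    names = [s["name"] for s in services]
    chosen = resolve_login_service(services, realm_name)
    if chosen is not None:
        return "OK: login service %r (login module %r) would be selected" % (
            chosen["name"], chosen["loginModuleName"])
    if not services:
        return "FAIL: no JAASLoginService declared"
    if realm_name is None:
        return ("FAIL: %d JAASLoginService beans %r and no realm name on the "
                "handler, so none is selected" % (len(services), names))
    return "FAIL: no JAASLoginService named %r among %r" % (realm_name, names)


if __name__ == "__main__":
    print(audit(SAMPLE_TWO_BEANS))
    print(audit(SAMPLE_TWO_BEANS, realm_name="karaf"))
```

Gerald's follow-up in this thread reports a startup error on Karaf 4.2.9 after removing one entry, so a flagged file is something to test on the target version rather than a guaranteed fix.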

Re: Basic authentication of WAB using Jaas in Karaf - the trick doesn't work any longer w/ Karaf 4.2.9 and Camel 3.4.0

Gerald Kallas - mailbox.org
I tested the combination Karaf 4.2.8 and Camel 3.3.0, with this the workaround works as expected. Seems that Jetty has been updated in Karaf 4.2.9?

(The combination Karaf 4.2.8 and Camel 3.4.0 doesn't work due to other issues.)

> Gerald Kallas <[hidden email]> wrote on 28.06.2020 18:12:
>
>  
> Hi all,
>
> I was updating the runtime to Karaf 4.2.9 and Camel 3.4.0.
>
> After removing one of the org.eclipse.jetty.jaas.JAASLoginService entries in my etc/jetty.xml I'm getting an error as attached below.
>
> Neither hawtio nor my servlet are working any longer. Seems that now both entries of org.eclipse.jetty.jaas.JAASLoginService are mandatory.
>
> With both entries, as you found Grzegorz, the authentication doesn't work.
>
> Should I create a JIRA ticket and if yes, within Karaf? Or maybe you have another workaround for that behaviour?
>
> Best
> - Gerald
>
>
> 2020-06-28T16:06:47,673 | ERROR | FelixStartLevel  | HttpServiceStarted               | 266 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Could not start the servlet context for context path []
> java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
>         at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:77) ~[?:?]
>         at org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory.getAuthenticator(JaspiAuthenticatorFactory.java:90) ~[?:?]
>         at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:394) ~[?:?]
>         at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>         at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
>         at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>         at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>         at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
>         at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>         at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:898) ~[?:?]
>         at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:356) ~[?:?]
>         at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
>         at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:838) ~[?:?]
>         at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) ~[?:?]
>         at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>         at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
>         at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:255) [!/:?]
>         at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:226) [!/:?]
>         at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:210) [!/:?]
>         at org.ops4j.pax.web.service.internal.HttpServiceProxy.registerServlet(HttpServiceProxy.java:69) [!/:?]
>         at Proxy92a1a95e_1f66_41cb_8fcd_ed63d983d611.registerServlet(Unknown Source) [?:?]
>         at org.apache.camel.component.osgi.OsgiServletRegisterer.register(OsgiServletRegisterer.java:98) [!/:3.4.0]
>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>         at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>         at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>         at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>         at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:337) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BeanRecipe.invoke(BeanRecipe.java:835) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BeanRecipe.runBeanProcInit(BeanRecipe.java:591) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:703) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:666) [!/:1.10.2]
>         at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:81) [!/:1.10.2]
>         at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
>         at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:90) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:360) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:190) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:737) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:433) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:298) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:311) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:280) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:276) [!/:1.10.2]
>         at org.apache.aries.blueprint.container.BlueprintExtender.modifiedBundle(BlueprintExtender.java:266) [!/:1.10.2]
>         at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:500) [!/:1.10.2]
>         at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:433) [!/:1.10.2]
>         at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$AbstractTracked.track(BundleHookBundleTracker.java:725) [!/:1.10.2]
>         at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.bundleChanged(BundleHookBundleTracker.java:463) [!/:1.10.2]
>         at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$BundleEventHook.event(BundleHookBundleTracker.java:422) [!/:1.10.2]
>         at org.apache.felix.framework.util.SecureAction.invokeBundleEventHook(SecureAction.java:1179) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.EventDispatcher.createWhitelistFromHooks(EventDispatcher.java:730) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:485) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4579) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.Felix.startBundle(Felix.java:2174) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373) [org.apache.felix.framework-5.6.12.jar:?]
>         at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [org.apache.felix.framework-5.6.12.jar:?]
>         at java.lang.Thread.run(Thread.java:834) [?:?]
> Caused by: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
>         at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639) ~[?:?]
>         at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) ~[?:?]
>         at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053) ~[?:?]
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[?:?]
>         at java.lang.Class.forName0(Native Method) ~[?:?]
>         at java.lang.Class.forName(Class.java:398) ~[?:?]
>         at org.apache.geronimo.osgi.locator.ProviderLocator.loadClass(ProviderLocator.java:195) ~[?:?]
>         at javax.security.auth.message.config.AuthConfigFactory$3.run(AuthConfigFactory.java:68) ~[?:?]
>         at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>         at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:64) ~[?:?]
>         ... 62 more
>

Re: Basic authentication of WAB using Jaas in Karaf - the trick doesn't work any longer w/ Karaf 4.2.9 and Camel 3.4.0

jbonofre
Hi,

Yes, Karaf 4.2.9 upgraded to Pax Web 7.2.15 and Jetty 9.4.28.v20200408.

Can you please send a private message about issues you have with Karaf 4.2.9 and Camel 3.4.0 (as I’m working on camel karaf for 3.5.0)?

Thanks,
Regards
JB

> On 28 June 2020 at 22:02, Gerald Kallas <[hidden email]> wrote:
>
> I tested the combination Karaf 4.2.8 and Camel 3.3.0, with this the workaround works as expected. Seems that Jetty has been updated in Karaf 4.2.9?
>
> (The combination Karaf 4.2.8 and Camel 3.4.0 doesn't work due to other issues.)
>
>> Gerald Kallas <[hidden email]> wrote on 28.06.2020 18:12:
>>
>>
>> Hi all,
>>
>> I was updating the runtime to Karaf 4.2.9 and Camel 3.4.0.
>>
>> After removing one of the org.eclipse.jetty.jaas.JAASLoginService entries in my etc/jetty.xml I'm getting an error as attached below.
>>
>> Neither hawtio nor my servlet are working any longer. Seems that now both entries of org.eclipse.jetty.jaas.JAASLoginService are mandatory.
>>
>> With both entries, as you found Grzegorz, the authentication doesn't work.
>>
>> Should I create a JIRA ticket and if yes, within Karaf? Or maybe you have another workaround for that behaviour?
>>
>> Best
>> - Gerald
>>
>>
>> 2020-06-28T16:06:47,673 | ERROR | FelixStartLevel  | HttpServiceStarted               | 266 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Could not start the servlet context for context path []
>> java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
>>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:77) ~[?:?]
>>        at org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory.getAuthenticator(JaspiAuthenticatorFactory.java:90) ~[?:?]
>>        at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:394) ~[?:?]
>>        at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
>>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
>>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>>        at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
>>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
>>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
>>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
>>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
>>        at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:898) ~[?:?]
>>        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:356) ~[?:?]
>>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
>>        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:838) ~[?:?]
>>        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) ~[?:?]
>>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
>>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
>>        at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
>>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:255) [!/:?]
>>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:226) [!/:?]
>>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:210) [!/:?]
>>        at org.ops4j.pax.web.service.internal.HttpServiceProxy.registerServlet(HttpServiceProxy.java:69) [!/:?]
>>        at Proxy92a1a95e_1f66_41cb_8fcd_ed63d983d611.registerServlet(Unknown Source) [?:?]
>>        at org.apache.camel.component.osgi.OsgiServletRegisterer.register(OsgiServletRegisterer.java:98) [!/:3.4.0]
>>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>>        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>>        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>>        at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:337) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BeanRecipe.invoke(BeanRecipe.java:835) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BeanRecipe.runBeanProcInit(BeanRecipe.java:591) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:703) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:666) [!/:1.10.2]
>>        at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:81) [!/:1.10.2]
>>        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
>>        at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:90) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:360) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:190) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:737) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:433) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:298) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:311) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:280) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:276) [!/:1.10.2]
>>        at org.apache.aries.blueprint.container.BlueprintExtender.modifiedBundle(BlueprintExtender.java:266) [!/:1.10.2]
>>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:500) [!/:1.10.2]
>>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:433) [!/:1.10.2]
>>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$AbstractTracked.track(BundleHookBundleTracker.java:725) [!/:1.10.2]
>>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.bundleChanged(BundleHookBundleTracker.java:463) [!/:1.10.2]
>>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$BundleEventHook.event(BundleHookBundleTracker.java:422) [!/:1.10.2]
>>        at org.apache.felix.framework.util.SecureAction.invokeBundleEventHook(SecureAction.java:1179) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.EventDispatcher.createWhitelistFromHooks(EventDispatcher.java:730) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:485) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4579) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.Felix.startBundle(Felix.java:2174) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373) [org.apache.felix.framework-5.6.12.jar:?]
>>        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [org.apache.felix.framework-5.6.12.jar:?]
>>        at java.lang.Thread.run(Thread.java:834) [?:?]
>> Caused by: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
>>        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639) ~[?:?]
>>        at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) ~[?:?]
>>        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053) ~[?:?]
>>        at java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[?:?]
>>        at java.lang.Class.forName0(Native Method) ~[?:?]
>>        at java.lang.Class.forName(Class.java:398) ~[?:?]
>>        at org.apache.geronimo.osgi.locator.ProviderLocator.loadClass(ProviderLocator.java:195) ~[?:?]
>>        at javax.security.auth.message.config.AuthConfigFactory$3.run(AuthConfigFactory.java:68) ~[?:?]
>>        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:64) ~[?:?]
>>        ... 62 more
>>
>>> Grzegorz Grzybek <[hidden email]> wrote on 18.05.2020 15:24:
>>>
>>>
>>> Hello
>>>
>>> I have some answer. First, the "http context processing" feature was mainly
>>> tested to "inject" Keycloak authenticator and I mostly tested it with
>>> pax-web-undertow.
>>>
>>> But I checked how it works with pax-web-jetty in the debugger.
>>>
>>> The key problem is that when Jetty's SecurityHandler is starting, it tries
>>> to find/discover org.eclipse.jetty.security.LoginService instance.
>>> With default etc/jetty.xml, there are TWO beans with
>>> org.eclipse.jetty.jaas.JAASLoginService class and
>>> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
>>> this:
>>>
>>> else if (list.size() == 1)
>>>    service = list.iterator().next();
>>>
>>> So I simply made it work by ensuring there's only one
>>> org.eclipse.jetty.jaas.JAASLoginService:
>>>
>>> list = {java.util.ArrayList@9544}  size = 1
>>> 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
>>> "JAASLoginService@7ba67d0b{STARTED}"
>>>  LOG: org.eclipse.jetty.util.log.Logger  =
>>> {org.eclipse.jetty.util.log.Slf4jLog@9549}
>>> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
>>>  DEFAULT_ROLE_CLASS_NAME: java.lang.String  =
>>> "org.eclipse.jetty.jaas.JAASRole"
>>>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  =
>>> {java.lang.String[1]@9551}
>>>  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
>>>  _callbackHandlerClass: java.lang.String  = null
>>>  _realmName: java.lang.String  = "karaf"
>>>  _loginModuleName: java.lang.String  = "karaf"
>>>
>>> Now, with your Camel route, I got:
>>>
>>> $ curl -v http://localhost:8181/camel/api/say/hello
>>> *   Trying ::1:8181...
>>> * Connected to localhost (::1) port 8181 (#0)
>>>> GET /camel/api/say/hello HTTP/1.1
>>>> Host: localhost:8181
>>>> User-Agent: curl/7.69.1
>>>> Accept: */*
>>>>
>>> * Mark bundle as not supporting multiuse
>>> < HTTP/1.1 404 Not Found
>>> < Cache-Control: must-revalidate,no-cache,no-store
>>> < Content-Type: text/html;charset=iso-8859-1
>>> < Content-Length: 456
>>> < Server: Jetty(9.4.22.v20191022)
>>> <
>>>
>>> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
>>> *   Trying ::1:8181...
>>> * Connected to localhost (::1) port 8181 (#0)
>>> * Server auth using Basic with user 'karaf'
>>>> GET /camel/api/say/hello HTTP/1.1
>>>> Host: localhost:8181
>>>> Authorization: Basic a2FyYWY6a2FyYWY=
>>>> User-Agent: curl/7.69.1
>>>> Accept: */*
>>>>
>>> * Mark bundle as not supporting multiuse
>>> < HTTP/1.1 200 OK
>>> < Content-Type: application/json
>>> < Accept: */*
>>> < Authorization: Basic a2FyYWY6a2FyYWY=
>>> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
>>> < User-Agent: curl/7.69.1
>>> < Transfer-Encoding: chunked
>>> < Server: Jetty(9.4.22.v20191022)
>>> <
>>> * Connection #0 to host localhost left intact
>>> "Hello World"
>>>
>>> In theory it should be possible to grab (in etc/jetty.xml, using
>>> <Configure> element) instance of SecurityHandler and simply set there the
>>> "realmName" property to "Karaf", so even with two different beans with
>>> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
>>> right one. But in Pax Web security handler is part of every
>>> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and
>>> only in Pax Web 8 I'd be able to fix this in a cleaner way.
>>>
>>> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
>>> etc/jetty.xml
>>>
>>> regards
>>> Grzegorz Grzybek
>>>
>>> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I already also answered Gerald in another mail.
>>>> I'm not quite sure but what might be an issue, is that the default
>>>> http-context used in his application isn't bound to the underlying security
>>>> realm.
>>>> Therefore it's quite a possibility that there needs to be a configuration
>>>> done in his own application, using his own http-Context.
>>>>
>>>> Can be found here:
>>>>
>>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
>>>>
>>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
>>>> and here:
>>>>
>>>> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
>>>>
>>>> regards, Achim
>>>>
>>>>
>>>> On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
>>>>
>>>>> I’m sorry, I don’t know why it's not working; it looks correct to me.
>>>>> Maybe somebody from the Pax-Web team can help you.
>>>>> The only suspicious thing is the warning:
>>>>>
>>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
>>>>>            | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
>>>>> authenticator for: {RoleInfo,C[admin],None}
>>>>>
>>>>>
>>>>> Which suggests something is misconfigured.
>>>>>
>>>>> Best regards,
>>>>> Alex Soto
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]>
>>>> wrote:
>>>>>>
>>>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
>>>>>              | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
>>>>> authenticator for: {RoleInfo,C[admin],None}
>>>>>
>>>>>
>>>>
>>>> --
>>>>
>>>> Apache Member
>>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
>>>> Project Lead
>>>> blog <http://notizblog.nierbeck.de/>
>>>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>>>>


Re: Basic authentication of WAB using Jaas in Karaf - the trick doesn't work any longer w/ Karaf 4.2.9 and Camel 3.4.0

Andrea Cosentino-3
I think it's good to have the details shared in public.

On Mon, 29 Jun 2020, 07:30 Jean-Baptiste Onofre <[hidden email]> wrote:

> Hi,
>
> Yes Karaf 4.2.9 upgraded to Pax Web 7.2.15 and Jetty 9.4.28.v20200408.
>
> Can you please send a private message about issues you have with Karaf
> 4.2.9 and Camel 3.4.0 (as I’m working on camel karaf for 3.5.0) ?
>
> Thanks,
> Regards
> JB
>
> > On 28 June 2020 at 22:02, Gerald Kallas <[hidden email]> wrote:
> >
> > I tested the combination Karaf 4.2.8 and Camel 3.3.0, with this the workaround works as expected. Seems that Jetty has been updated in Karaf 4.2.9?
> >
> > (The combination Karaf 4.2.8 and Camel 3.4.0 doesn't work due to other issues.)
> >
> >> Gerald Kallas <[hidden email]> wrote on 28.06.2020 18:12:
> >>
> >>
> >> Hi all,
> >>
> >> I was updating the runtime to Karaf 4.2.9 and Camel 3.4.0.
> >>
> >> after removing one of the org.eclipse.jetty.jaas.JAASLoginService entries in my etc/jetty.xml I'm getting an error as attached below.
> >>
> >> Neither hawtio nor my servlet are working any longer. Seems that now both entries of org.eclipse.jetty.jaas.JAASLoginService are mandatory.
> >>
> >> With both entries, as you found Grzegorz, the authentication doesn't work.
> >>
> >> Should I create a JIRA ticket and if yes, within Karaf? Or maybe you have another workaround for that behaviour?
> >>
> >> Best
> >> - Gerald
> >>
> >>
> >> 2020-06-28T16:06:47,673 | ERROR | FelixStartLevel  | HttpServiceStarted               | 266 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Could not start the servlet context for context path []
> >> java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
> >>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:77) ~[?:?]
> >>        at org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory.getAuthenticator(JaspiAuthenticatorFactory.java:90) ~[?:?]
> >>        at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:394) ~[?:?]
> >>        at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
> >>        at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:898) ~[?:?]
> >>        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:356) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:838) ~[?:?]
> >>        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:255) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:226) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:210) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceProxy.registerServlet(HttpServiceProxy.java:69) [!/:?]
> >>        at Proxy92a1a95e_1f66_41cb_8fcd_ed63d983d611.registerServlet(Unknown Source) [?:?]
> >>        at org.apache.camel.component.osgi.OsgiServletRegisterer.register(OsgiServletRegisterer.java:98) [!/:3.4.0]
> >>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
> >>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
> >>        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
> >>        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> >>        at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:337) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.invoke(BeanRecipe.java:835) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.runBeanProcInit(BeanRecipe.java:591) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:703) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:666) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:81) [!/:1.10.2]
> >>        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
> >>        at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:90) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:360) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:190) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:737) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:433) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:298) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:311) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:280) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:276) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.modifiedBundle(BlueprintExtender.java:266) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:500) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:433) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$AbstractTracked.track(BundleHookBundleTracker.java:725) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.bundleChanged(BundleHookBundleTracker.java:463) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$BundleEventHook.event(BundleHookBundleTracker.java:422) [!/:1.10.2]
> >>        at org.apache.felix.framework.util.SecureAction.invokeBundleEventHook(SecureAction.java:1179) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.EventDispatcher.createWhitelistFromHooks(EventDispatcher.java:730) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:485) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4579) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.startBundle(Felix.java:2174) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at java.lang.Thread.run(Thread.java:834) [?:?]
> >> Caused by: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
> >>        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639) ~[?:?]
> >>        at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) ~[?:?]
> >>        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053) ~[?:?]
> >>        at java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[?:?]
> >>        at java.lang.Class.forName0(Native Method) ~[?:?]
> >>        at java.lang.Class.forName(Class.java:398) ~[?:?]
> >>        at org.apache.geronimo.osgi.locator.ProviderLocator.loadClass(ProviderLocator.java:195) ~[?:?]
> >>        at javax.security.auth.message.config.AuthConfigFactory$3.run(AuthConfigFactory.java:68) ~[?:?]
> >>        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
> >>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:64) ~[?:?]
> >>        ... 62 more
> >>
> >>> Grzegorz Grzybek <[hidden email]> wrote on 18.05.2020 15:24:
> >>>
> >>>
> >>> Hello
> >>>
> >>> I have some answer. First, the "http context processing" feature was mainly
> >>> tested to "inject" Keycloak authenticator and I mostly tested it with
> >>> pax-web-undertow.
> >>>
> >>> But I checked how it works with pax-web-jetty in the debugger.
> >>>
> >>> The key problem is that when Jetty's SecurityHandler is starting, it tries
> >>> to find/discover org.eclipse.jetty.security.LoginService instance.
> >>> With default etc/jetty.xml, there are TWO beans with
> >>> org.eclipse.jetty.jaas.JAASLoginService class and
> >>> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> >>> this:
> >>>
> >>> else if (list.size() == 1)
> >>>    service = list.iterator().next();
> >>>
> >>> So I simply made it work by ensuring there's only one
> >>> org.eclipse.jetty.jaas.JAASLoginService:
> >>>
> >>> list = {java.util.ArrayList@9544}  size = 1
> >>> 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
> >>> "JAASLoginService@7ba67d0b{STARTED}"
> >>>  LOG: org.eclipse.jetty.util.log.Logger  =
> >>> {org.eclipse.jetty.util.log.Slf4jLog@9549}
> >>> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
> >>>  DEFAULT_ROLE_CLASS_NAME: java.lang.String  =
> >>> "org.eclipse.jetty.jaas.JAASRole"
> >>>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  =
> >>> {java.lang.String[1]@9551}
> >>>  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
> >>>  _callbackHandlerClass: java.lang.String  = null
> >>>  _realmName: java.lang.String  = "karaf"
> >>>  _loginModuleName: java.lang.String  = "karaf"
> >>>
> >>> Now, with your Camel route, I got:
> >>>
> >>> $ curl -v http://localhost:8181/camel/api/say/hello
> >>> *   Trying ::1:8181...
> >>> * Connected to localhost (::1) port 8181 (#0)
> >>>> GET /camel/api/say/hello HTTP/1.1
> >>>> Host: localhost:8181
> >>>> User-Agent: curl/7.69.1
> >>>> Accept: */*
> >>>>
> >>> * Mark bundle as not supporting multiuse
> >>> < HTTP/1.1 404 Not Found
> >>> < Cache-Control: must-revalidate,no-cache,no-store
> >>> < Content-Type: text/html;charset=iso-8859-1
> >>> < Content-Length: 456
> >>> < Server: Jetty(9.4.22.v20191022)
> >>> <
> >>>
> >>> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> >>> *   Trying ::1:8181...
> >>> * Connected to localhost (::1) port 8181 (#0)
> >>> * Server auth using Basic with user 'karaf'
> >>>> GET /camel/api/say/hello HTTP/1.1
> >>>> Host: localhost:8181
> >>>> Authorization: Basic a2FyYWY6a2FyYWY=
> >>>> User-Agent: curl/7.69.1
> >>>> Accept: */*
> >>>>
> >>> * Mark bundle as not supporting multiuse
> >>> < HTTP/1.1 200 OK
> >>> < Content-Type: application/json
> >>> < Accept: */*
> >>> < Authorization: Basic a2FyYWY6a2FyYWY=
> >>> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> >>> < User-Agent: curl/7.69.1
> >>> < Transfer-Encoding: chunked
> >>> < Server: Jetty(9.4.22.v20191022)
> >>> <
> >>> * Connection #0 to host localhost left intact
> >>> "Hello World"
> >>>
> >>> In theory it should be possible to grab (in etc/jetty.xml, using
> >>> <Configure> element) instance of SecurityHandler and simply set there the
> >>> "realmName" property to "Karaf", so even with two different beans with
> >>> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> >>> right one. But in Pax Web security handler is part of every
> >>> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created and
> >>> only in Pax Web 8 I'd be able to fix this in a cleaner way.
> >>>
> >>> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
> >>> etc/jetty.xml
> >>>
> >>> regards
> >>> Grzegorz Grzybek
> >>>
> >>> On Mon, 18 May 2020 at 10:25, Achim Nierbeck <[hidden email].invalid> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I already also answered Gerald in another mail.
> >>>> I'm not quite sure but what might be an issue, is that the default
> >>>> http-context used in his application isn't bound to the underlying security
> >>>> realm.
> >>>> Therefore it's quite a possibility that there needs to be a configuration
> >>>> done in his own application, using his own http-Context.
> >>>>
> >>>> Can be found here:
> >>>>
> >>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> >>>>
> >>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> >>>> and here:
> >>>>
> >>>> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> >>>>
> >>>> regards, Achim
> >>>>
> >>>>
> >>>> On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
> >>>>
> >>>>> I’m sorry, I don’t know why it's not working; it looks correct to me.
> >>>>> Maybe somebody from the Pax-Web team can help you.
> >>>>> The only suspicious thing is the warning:
> >>>>>
> >>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
> >>>>>            | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> >>>>> authenticator for: {RoleInfo,C[admin],None}
> >>>>>
> >>>>>
> >>>>> Which suggests something is misconfigured.
> >>>>>
> >>>>> Best regards,
> >>>>> Alex Soto
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]>
> >>>> wrote:
> >>>>>>
> >>>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
> >>>>>              | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> >>>>> authenticator for: {RoleInfo,C[admin],None}
> >>>>>
> >>>>>
> >>>>
> >>>> --
> >>>>
> >>>> Apache Member
> >>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> >>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> >>>> Project Lead
> >>>> blog <http://notizblog.nierbeck.de/>
> >>>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
> >>>>
>
>
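
A config check for the situation Grzegorz Grzybek describes in the message quoted above, added here as an example (it is not code from the thread, Jetty or Pax Web): it lists the JAASLoginService beans declared in a jetty.xml and models which one the quoted lookup would select. The sample XML, the function names and the exact-match-by-name branch are assumptions; only the `list.size() == 1` branch is quoted in the thread.

```python
import xml.etree.ElementTree as ET

JAAS_LOGIN_SERVICE = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed samples (not taken from the thread): jetty.xml fragments that
# register one and two JAASLoginService beans.
BEAN = """
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="name">%s</Set>
        <Set name="loginModuleName">karaf</Set>
      </New>
    </Arg>
  </Call>
"""
HEAD = '<Configure id="Server" class="org.eclipse.jetty.server.Server">'
ONE_BEAN = HEAD + BEAN % "karaf" + "</Configure>"
TWO_BEANS = HEAD + BEAN % "karaf" + BEAN % "default" + "</Configure>"


def login_services(jetty_xml):
    """Return one {'name', 'loginModuleName'} dict per JAASLoginService
    declared with <New class="..."> anywhere in the jetty.xml text."""
    root = ET.fromstring(jetty_xml)
    services = []
    for new in root.iter("New"):
        if new.get("class") != JAAS_LOGIN_SERVICE:
            continue
        props = {s.get("name"): (s.text or "").strip()
                 for s in new.findall("Set")}
        services.append({"name": props.get("name"),
                         "loginModuleName": props.get("loginModuleName")})
    return services


def select_login_service(services, realm_name=None):
    """Model of the lookup discussed in the thread.

    Without a realm name, a service is chosen only when exactly one is
    registered (the branch quoted in the thread). With a realm name, the
    service with that name is chosen; an exact, case-sensitive match is an
    assumption of this model.
    """
    if realm_name is not None:
        for svc in services:
            if svc["name"] == realm_name:
                return svc["name"]
        return None
    if len(services) == 1:
        return services[0]["name"]
    return None


def audit(jetty_xml, realm_name=None):
    """Return (selected_service_name, findings) for one jetty.xml text."""
    services = login_services(jetty_xml)
    selected = select_login_service(services, realm_name)
    names = ", ".join(str(s["name"]) for s in services)
    findings = []
    if not services:
        findings.append("no JAASLoginService declared")
    elif selected is None and realm_name is None:
        findings.append("%d JAASLoginService beans (%s) and no realm name: "
                        "none is selected" % (len(services), names))
    elif selected is None:
        findings.append("no JAASLoginService named %r (declared: %s)"
                        % (realm_name, names))
    return selected, findings


if __name__ == "__main__":
    for label, xml_text, realm in (("one bean", ONE_BEAN, None),
                                   ("two beans", TWO_BEANS, None),
                                   ("two beans", TWO_BEANS, "karaf"),
                                   ("two beans", TWO_BEANS, "Karaf")):
        print(label, "realm=%r" % realm, "->", audit(xml_text, realm))
```
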

Re: Basic authentication of WAB using Jaas in Karaf - the trick doesn't work any longer w/ Karaf 4.2.9 and Camel 3.4.0

jbonofre
I thought Gerald already explained it on the mailing list. My intention is more to create the Jira with the details.

Regards
JB

> On 29 June 2020 at 07:33, Andrea Cosentino <[hidden email]> wrote:
>
> I think it's good to have the details shared in public.
>
> On Mon, 29 Jun 2020, 07:30 Jean-Baptiste Onofre <[hidden email]> wrote:
> Hi,
>
> Yes Karaf 4.2.9 upgraded to Pax Web 7.2.15 and Jetty 9.4.28.v20200408.
>
> Can you please send a private message about issues you have with Karaf 4.2.9 and Camel 3.4.0 (as I’m working on camel karaf for 3.5.0) ?
>
> Thanks,
> Regards
> JB
>
> > On 28 June 2020 at 22:02, Gerald Kallas <[hidden email]> wrote:
> >
> > I tested the combination Karaf 4.2.8 and Camel 3.3.0, with this the workaround works as expected. Seems that Jetty has been updated in Karaf 4.2.9?
> >
> > (The combination Karaf 4.2.8 and Camel 3.4.0 doesn't work due to other issues.)
> >
> >> Gerald Kallas <[hidden email]> wrote on 28.06.2020 18:12:
> >>
> >>
> >> Hi all,
> >>
> >> I was updating the runtime to Karaf 4.2.9 and Camel 3.4.0.
> >>
> >> after removing one of the org.eclipse.jetty.jaas.JAASLoginService entries in my etc/jetty.xml I'm getting an error as attached below.
> >>
> >> Neither hawtio nor my servlet are working any longer. Seems that now both entries of org.eclipse.jetty.jaas.JAASLoginService are mandatory.
> >>
> >> With both entries, as you found Grzegorz, the authentication doesn't work.
> >>
> >> Should I create a JIRA ticket and if yes, within Karaf? Or maybe you have another workaround for that behaviour?
> >>
> >> Best
> >> - Gerald
> >>
> >>
> >> 2020-06-28T16:06:47,673 | ERROR | FelixStartLevel  | HttpServiceStarted               | 266 - org.ops4j.pax.web.pax-web-runtime - 7.2.16 | Could not start the servlet context for context path []
> >> java.lang.SecurityException: AuthConfigFactory error: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
> >>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:77) ~[?:?]
> >>        at org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory.getAuthenticator(JaspiAuthenticatorFactory.java:90) ~[?:?]
> >>        at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:394) ~[?:?]
> >>        at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:419) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
> >>        at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:504) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[?:?]
> >>        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:898) ~[?:?]
> >>        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:356) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.startContext(HttpServiceContext.java:396) ~[?:?]
> >>        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:838) ~[?:?]
> >>        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doStart(HttpServiceContext.java:272) ~[?:?]
> >>        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) ~[?:?]
> >>        at org.ops4j.pax.web.service.jetty.internal.JettyServerImpl$1.start(JettyServerImpl.java:329) ~[?:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:255) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:226) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceStarted.registerServlet(HttpServiceStarted.java:210) [!/:?]
> >>        at org.ops4j.pax.web.service.internal.HttpServiceProxy.registerServlet(HttpServiceProxy.java:69) [!/:?]
> >>        at Proxy92a1a95e_1f66_41cb_8fcd_ed63d983d611.registerServlet(Unknown Source) [?:?]
> >>        at org.apache.camel.component.osgi.OsgiServletRegisterer.register(OsgiServletRegisterer.java:98) [!/:3.4.0]
> >>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
> >>        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
> >>        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
> >>        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> >>        at org.apache.aries.blueprint.utils.ReflectionUtils.invoke(ReflectionUtils.java:337) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.invoke(BeanRecipe.java:835) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.runBeanProcInit(BeanRecipe.java:591) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate2(BeanRecipe.java:703) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BeanRecipe.internalCreate(BeanRecipe.java:666) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.di.AbstractRecipe$1.call(AbstractRecipe.java:81) [!/:1.10.2]
> >>        at java.util.concurrent.FutureTask.run(FutureTask.java:264) [?:?]
> >>        at org.apache.aries.blueprint.di.AbstractRecipe.create(AbstractRecipe.java:90) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintRepository.createInstances(BlueprintRepository.java:360) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintRepository.createAll(BlueprintRepository.java:190) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.instantiateEagerComponents(BlueprintContainerImpl.java:737) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.doRun(BlueprintContainerImpl.java:433) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintContainerImpl.run(BlueprintContainerImpl.java:298) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:311) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:280) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.createContainer(BlueprintExtender.java:276) [!/:1.10.2]
> >>        at org.apache.aries.blueprint.container.BlueprintExtender.modifiedBundle(BlueprintExtender.java:266) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:500) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.customizerModified(BundleHookBundleTracker.java:433) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$AbstractTracked.track(BundleHookBundleTracker.java:725) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$Tracked.bundleChanged(BundleHookBundleTracker.java:463) [!/:1.10.2]
> >>        at org.apache.aries.util.tracker.hook.BundleHookBundleTracker$BundleEventHook.event(BundleHookBundleTracker.java:422) [!/:1.10.2]
> >>        at org.apache.felix.framework.util.SecureAction.invokeBundleEventHook(SecureAction.java:1179) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.EventDispatcher.createWhitelistFromHooks(EventDispatcher.java:730) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:485) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4579) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.startBundle(Felix.java:2174) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) [org.apache.felix.framework-5.6.12.jar:?]
> >>        at java.lang.Thread.run(Thread.java:834) [?:?]
> >> Caused by: java.lang.ClassNotFoundException: org.apache.geronimo.components.jaspi.AuthConfigFactoryImpl not found by org.apache.geronimo.specs.geronimo-jaspic_1.0_spec [169]
> >>        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1639) ~[?:?]
> >>        at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) ~[?:?]
> >>        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2053) ~[?:?]
> >>        at java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[?:?]
> >>        at java.lang.Class.forName0(Native Method) ~[?:?]
> >>        at java.lang.Class.forName(Class.java:398) ~[?:?]
> >>        at org.apache.geronimo.osgi.locator.ProviderLocator.loadClass(ProviderLocator.java:195) ~[?:?]
> >>        at javax.security.auth.message.config.AuthConfigFactory$3.run(AuthConfigFactory.java:68) ~[?:?]
> >>        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
> >>        at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:64) ~[?:?]
> >>        ... 62 more
> >>
> >>> Grzegorz Grzybek <[hidden email]> wrote on 18.05.2020 15:24:
> >>>
> >>>
> >>> Hello
> >>>
> >>> I have some answer. First, the "http context processing" feature was mainly
> >>> tested to "inject" Keycloak authenticator and I mostly tested it with
> >>> pax-web-undertow.
> >>>
> >>> But I checked how it works with pax-web-jetty in the debugger.
> >>>
> >>> The key problem is that when Jetty's SecurityHandler is starting, it tries
> >>> to find/discover org.eclipse.jetty.security.LoginService instance.
> >>> With default etc/jetty.xml, there are TWO beans with
> >>> org.eclipse.jetty.jaas.JAASLoginService class and
> >>> org.eclipse.jetty.security.SecurityHandler#findLoginService() method does
> >>> this:
> >>>
> >>> else if (list.size() == 1)
> >>>    service = list.iterator().next();
> >>>
> >>> So I simply made it work by ensuring there's only one
> >>> org.eclipse.jetty.jaas.JAASLoginService:
> >>>
> >>> list = {java.util.ArrayList@9544}  size = 1
> >>> 0 = {org.eclipse.jetty.jaas.JAASLoginService@9547}
> >>> "JAASLoginService@7ba67d0b{STARTED}"
> >>>  LOG: org.eclipse.jetty.util.log.Logger  =
> >>> {org.eclipse.jetty.util.log.Slf4jLog@9549}
> >>> "org.ops4j.pax.logging.slf4j.Slf4jLogger@43ea82d7"
> >>>  DEFAULT_ROLE_CLASS_NAME: java.lang.String  =
> >>> "org.eclipse.jetty.jaas.JAASRole"
> >>>  DEFAULT_ROLE_CLASS_NAMES: java.lang.String[]  =
> >>> {java.lang.String[1]@9551}
> >>>  _roleClassNames: java.lang.String[]  = {java.lang.String[2]@9552}
> >>>  _callbackHandlerClass: java.lang.String  = null
> >>>  _realmName: java.lang.String  = "karaf"
> >>>  _loginModuleName: java.lang.String  = "karaf"
> >>>
> >>> Now, with your Camel route, I got:
> >>>
> >>> $ curl -v http://localhost:8181/camel/api/say/hello
> >>> *   Trying ::1:8181...
> >>> * Connected to localhost (::1) port 8181 (#0)
> >>>> GET /camel/api/say/hello HTTP/1.1
> >>>> Host: localhost:8181
> >>>> User-Agent: curl/7.69.1
> >>>> Accept: */*
> >>>>
> >>> * Mark bundle as not supporting multiuse
> >>> < HTTP/1.1 404 Not Found
> >>> < Cache-Control: must-revalidate,no-cache,no-store
> >>> < Content-Type: text/html;charset=iso-8859-1
> >>> < Content-Length: 456
> >>> < Server: Jetty(9.4.22.v20191022)
> >>> <
> >>>
> >>> $ curl -v -u karaf:karaf http://localhost:8181/camel/api/say/hello
> >>> *   Trying ::1:8181...
> >>> * Connected to localhost (::1) port 8181 (#0)
> >>> * Server auth using Basic with user 'karaf'
> >>>> GET /camel/api/say/hello HTTP/1.1
> >>>> Host: localhost:8181
> >>>> Authorization: Basic a2FyYWY6a2FyYWY=
> >>>> User-Agent: curl/7.69.1
> >>>> Accept: */*
> >>>>
> >>> * Mark bundle as not supporting multiuse
> >>> < HTTP/1.1 200 OK
> >>> < Content-Type: application/json
> >>> < Accept: */*
> >>> < Authorization: Basic a2FyYWY6a2FyYWY=
> >>> < breadcrumbId: ID-everfree-forest-1589807499756-0-1
> >>> < User-Agent: curl/7.69.1
> >>> < Transfer-Encoding: chunked
> >>> < Server: Jetty(9.4.22.v20191022)
> >>> <
> >>> * Connection #0 to host localhost left intact
> >>> "Hello World"
> >>>
> >>> In theory it should be possible to grab (in etc/jetty.xml, using
> >>> <Configure> element) instance of SecurityHandler and simply set there the
> >>> "realmName" property to "Karaf", so even with two different beans with
> >>> org.eclipse.jetty.jaas.JAASLoginService class, Jetty would pick up the
> >>> right one. But in Pax Web the security handler is part of every
> >>> org.ops4j.pax.web.service.jetty.internal.HttpServiceContext created, and
> >>> only in Pax Web 8 would I be able to fix this in a cleaner way.
> >>>
> >>> So, please use only one org.eclipse.jetty.jaas.JAASLoginService in your
> >>> etc/jetty.xml
> >>>
> >>> regards
> >>> Grzegorz Grzybek
> >>>
> >>> Mon, 18 May 2020 at 10:25 Achim Nierbeck <[hidden email].invalid> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I already also answered Gerald in another mail.
> >>>> I'm not quite sure but what might be an issue, is that the default
> >>>> http-context used in his application isn't bound to the underlying security
> >>>> realm.
> >>>> Therefore it's quite a possibility that there needs to be a configuration
> >>>> done in his own application, using his own http-Context.
> >>>>
> >>>> Can be found here:
> >>>>
> >>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/internal/Activator.java
> >>>>
> >>>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/authentication/src/main/java/org/ops4j/pax/web/samples/authentication/AuthHttpContext.java
> >>>> and here:
> >>>>
> >>>> https://github.com/jgoodyear/ApacheKarafCookbook/blob/master/chapter4/chapter4-recipe4/chapter4-recipe4-whiteboard/src/main/java/com/packt/internal/Activator.java
> >>>>
> >>>> regards, Achim
> >>>>
> >>>>
> >>>> On Fri, 15 May 2020 at 21:06, Alex Soto <[hidden email]> wrote:
> >>>>
> >>>>> I’m sorry, I don’t know why it's not working; it looks correct to me.
> >>>>> Maybe somebody from the Pax-Web team can help you.
> >>>>> The only suspicious thing is the warning:
> >>>>>
> >>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
> >>>>>            | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> >>>>> authenticator for: {RoleInfo,C[admin],None}
> >>>>>
> >>>>>
> >>>>> Which suggests something is misconfigured.
> >>>>>
> >>>>> Best regards,
> >>>>> Alex Soto
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On May 15, 2020, at 2:23 PM, Gerald Kallas <[hidden email]> wrote:
> >>>>>>
> >>>>>> 2020-05-15T18:20:50,256 | WARN  | qtp1611313605-201 | SecurityHandler
> >>>>>              | 229 - org.eclipse.jetty.util - 9.4.22.v20191022 | No
> >>>>> authenticator for: {RoleInfo,C[admin],None}
> >>>>>
> >>>>>
> >>>>
> >>>> --
> >>>>
> >>>> Apache Member
> >>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> >>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> >>>> Project Lead
> >>>> blog <http://notizblog.nierbeck.de/>
> >>>> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
> >>>>
>
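
Added example (not part of the thread, and not Pax Web or Jetty code): a check for the condition Grzegorz describes above, listing the org.eclipse.jetty.jaas.JAASLoginService beans declared in an etc/jetty.xml and modelling the selection rule he quotes. The sample XML is constructed, and the function names and the simplified selection model are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_CLASS = "org.eclipse.jetty.jaas.JAASLoginService"

# Constructed sample: a jetty.xml that registers two JAASLoginService beans,
# the situation the thread identifies as the cause of the failed login.
SAMPLE_TWO_BEANS = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">karaf</Set>
      <Set name="loginModuleName">karaf</Set>
    </New>
  </Arg></Call>
  <Call name="addBean"><Arg>
    <New class="org.eclipse.jetty.jaas.JAASLoginService">
      <Set name="name">default</Set>
      <Set name="loginModuleName">karaf</Set>
    </New>
  </Arg></Call>
</Configure>"""


def jaas_login_services(jetty_xml):
    """Return the configured 'name' of every JAASLoginService bean, in order."""
    names = []
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class") == JAAS_CLASS:
            name = new.find("./Set[@name='name']")
            names.append(name.text.strip() if name is not None and name.text else None)
    return names


def pick_login_service(names, realm_name=None):
    """Simplified model (assumption) of the selection described in the thread."""
    if realm_name is not None:
        # With a realm name set on the handler, the bean of that name is used.
        return next((n for n in names if n == realm_name), None)
    if len(names) == 1:
        # The quoted branch: exactly one candidate is picked automatically.
        return names[0]
    return None  # none or several candidates and no realm name: nothing chosen


def audit(jetty_xml, realm_name=None):
    """Report the declared services and whether one would be selected."""
    names = jaas_login_services(jetty_xml)
    chosen = pick_login_service(names, realm_name)
    return {"services": names, "chosen": chosen, "ok": chosen is not None}


if __name__ == "__main__":
    print(audit(SAMPLE_TWO_BEANS))
    print(audit(SAMPLE_TWO_BEANS, realm_name="karaf"))
```

To audit a real installation, pass the contents of its etc/jetty.xml to `audit()`; an `ok` of False with more than one entry in `services` matches the case the thread resolves by keeping a single JAASLoginService.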
