LDAP realm?


LDAP realm?

Dmitri Colebatch
Hi,

I've done a bit of a search, but haven't been able to turn much up on
this.  From what I can see there is no support for LDAP based
authentication in Jetty out of the box (or JettyPlus).  It seems hard
to believe that this wouldn't be 'supported' out of the box so I
thought I'd check...

Secondly - I wanted to confirm that Jetty's out of the box behaviour
is spec compliant.  I've used Jetty in the past (as part of JBoss) but
for the past couple of years have been working in a WL shop.  An
opportunity has presented itself to replace WLX with Tomcat or Jetty -
a colleague set Tomcat up but I was very surprised by the attitude of
Remy in relation to a non-spec compliance issue (see
http://issues.apache.org/bugzilla/show_bug.cgi?id=37424) and wanted to
check any potential issues here.

Could any replies be cc'd to me as I'm subscribed to the digest.

cheers,
dim


_______________________________________________
jetty-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-discuss

Re: LDAP realm?

jan_bartel
Dmitri,

I'll address the LDAP issue and let Greg reply to the spec compliance.

AFAIK, JettyPlus users seem to be using Sun's LDAP login module. I seem
to recall that there might have been an issue with it, but I think I
fixed it. If I didn't, then if you try it and tell me there's a problem,
I'll be sure and fix it ASAP. Also, if you look back on this list, I
think Russell Howe was writing an LDAP login module for Novell API
that he posted.

We haven't as yet included an LDAP login module with the release, but if
there's enough voices clamouring for it, I'm sure it'll get bumped up
on the TODO list ;-)

cheers
Jan







Re: LDAP realm?

Greg Wilkins-5
In reply to this post by Dmitri Colebatch

Dmitri,

I can't say that Jetty is compliant out-of-the-box for a number of reasons:

Compliance is something given to a specific binary that passes the TCK.
So formally no release of Jetty is compliant as it has not been tested
stand alone.   Jetty-5.1.9 passes the TCK as part of geronimo-1.0, but
I'm not sure if that legally allows me to say that Jetty-5.1.9 is
compliant.


Secondly, there are a number of features required for compliance that
we turn off by default in Jetty:

 + The STUPID request listeners - I see no use for them, but they can
   be enabled by removing the comments around the JSR154 stupidness filter
   in defaultweb.xml

 + The invoker servlet - again no real use for it, but can be enabled
   by editing the defaultweb.xml


So we are close to compliance out of the box and any compliance issues/problems
people have we take very seriously.  


But more importantly....

Within the Jetty project, I hope never to see the scorn you received from
the tomcat developers regarding your issue with Welcome files.

The issue you raised is indeed a difficult part of the spec.  Tomcat has
several non-compliant "features" in its welcome file handling and there
are actually efforts being made to change the specification to match tomcat!

But in the particular issue that you raised, while the 2.4 spec does
imply that your *.bar servlet should be matched, this has not been
widely implemented because it would introduce backwards compatibility
problems and stupidness like if you had welcome files of

  index.jsp
  index.html

then index.html would never match even if no index.jsp exists, because
the request will be given to the *.jsp servlet and you will get a JSP
error instead.

The 2.5 spec grappled with this issue and has not really produced
very much clarification at all and in the end punted the resolution to 3.0
and so there is no real standard interpretation of the spec.

So to avoid this disaster, I suggest you use the COMPLIANT filter below
that will happily dispatch to your *.bar servlet as you would like:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/* Forwards a directory request ("/foo/") to "/foo/<welcome>", so the welcome
 * file is resolved through normal servlet mapping (e.g. a *.bar servlet). */
public  class WelcomeFilter implements Filter
{
    private String welcome;   // filter init-param "welcome", e.g. "index.bar"

    public void init(FilterConfig filterConfig)
    {
        welcome=filterConfig.getInitParameter("welcome");
    }

    /* ------------------------------------------------------------ */
    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException
    {
        String path=((HttpServletRequest)request).getServletPath();
        if (welcome!=null && path.endsWith("/"))
            // directory request: forward to the welcome file under that directory
            request.getRequestDispatcher(path+welcome).forward(request,response);
        else
            chain.doFilter(request, response);
    }

    public void destroy() {}
}


regards











Re: LDAP realm?

Dmitri Colebatch
Thanks Greg,

That's exactly the sort of response I was hoping for.  I'll continue
following up Jan's suggestions on the LDAP realm and hopefully present
a nice alternative to both WL and Tomcat.

cheers
dim

On 20/12/05, Greg Wilkins <[hidden email]> wrote:


Re: Re: LDAP realm?

Russell Howe
In reply to this post by jan_bartel
Jan Bartel wrote:

> Dmitri,
>
> I'll address the LDAP issue and let Greg reply to the spec compliance.
>
> AFAIK, JettyPlus users seem to be using Sun's LDAP login module. I seem
> to recall that there might have been an issue with it, but I think I
> fixed it. If I didn't, then if you try it and tell me there's a problem,
> I'll be sure and fix it ASAP. Also, if you look back on this list, I
> think Russell Howe was writing an LDAP login module for Novell API
> that he posted.

Uh, yeah, I was, wasn't I? :)

Well, I've got one, and it's working a treat here. The code is pretty
much as I posted before, I think, with the same disclaimer as I included
before.

> We haven't as yet included an LDAP login module with the release, but if
> there's enough voices clamouring for it, I'm sure it'll get bumped up
> on the TODO list ;-)

Yeah, I wrote one, mainly because I didn't like the way Sun's worked:

* It always logged into the LDAP server as the same user, with
credentials specified in the configuration. This user needed to be able
to read the userPassword attribute of the user entries in the LDAP tree.
* It took the user-supplied credentials, and encoded them using the same
method used by the userPassword attribute, and then compared the encoded
version it had just created with that found in the LDAP tree. This
breaks horribly if userPassword is encoded in a way the LoginModule
doesn't know about, and also means that the LoginModule is
reimplementing the encoding function of the LDAP server, which is a
possible source of bugs. Bad, bad, bad.

Instead, I took the approach of:

1) Log into the LDAP server using the supplied credentials
  * This automatically means you gain support for whatever
authentication method your LDAP server uses (not limited to 'a password
stored in the userPassword attribute of the user entry')

2) Search for the user's entry
  * If we logged in and the entry was found, then the credentials were
valid. (currently this isn't quite what happens, and it should also do
what one of the apache modules does - check that one and only one result
is found in the search for the user)

3) Search for group memberships for the user, handling whatever layout
your LDAP schema uses for groups.

What I really want is an equivalent for Apache, but last time I looked,
I couldn't find one that allowed multiple totally different LDAP servers
to be used for the same authentication step.

I might try getting PAM to do what I want, and then get Apache to auth
against PAM... maybe that'll work (IIRC JAAS is somewhat modelled upon
PAM?). I'm currently playing with Hibernate though, and quite enjoying
it, so this LoginModule isn't at the forefront of my mind :)

The LDAP module I have was fairly easy to write, but it's missing some
rather critical things:

1) Support for SSL connections to the LDAP server
2) Caching of results to reduce load on the LDAP server (important if
we're using expensive-to-setup SSL connections, I wager)
3) Pooling of LDAP connections (hm, maybe not so important..)
4) Clearer authentication logic
5) Removal of the role mapping code (I'm not convinced it's needed, and
I think someone told me that it could be done in web.xml).

It also seems that I need to write the LoginModule to be Jetty-specific.
If I can find a way to make it totally generic, that'd be cool.

I based it very loosely on the JDBCLoginModule which ships with Jetty,
although I tidied the code to make it much clearer. I should submit a
patch for that too.

Bug me about it, repeatedly, please :)

--
Russell Howe
[hidden email]
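The bind-as-the-user flow Russell describes (steps 1 to 3, including the "one and only one result" check), as an added example that is not Russell's module or Jetty's code. It assumes a flat uid=...,ou=people layout, groupOfNames groups and placeholder URL and base DNs; the empty-password check is added because an LDAP simple bind with a DN and no password is an unauthenticated bind that many servers report as success.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class BindLdapAuthenticator {
    // Placeholder directory layout (constructed for this example); adjust to the real tree.
    static final String URL = "ldaps://ldap.example.test:636";
    static final String USER_BASE = "ou=people,dc=example,dc=test";
    static final String GROUP_BASE = "ou=groups,dc=example,dc=test";
    /** Returns the user's group names on success, or null when authentication fails. */
    public static List<String> authenticate(String uid, char[] password) {
        // An empty password turns the bind into an RFC 4513 "unauthenticated bind" that
        // many servers accept: refuse it before contacting the directory.
        if (uid == null || password == null || password.length == 0) return null;
        // Restrict the uid so it cannot carry DN or search-filter syntax.
        if (!uid.matches("[A-Za-z0-9._-]+")) return null;
        String userDn = "uid=" + uid + "," + USER_BASE;  // assumes a flat ou=people layout
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            // 1) Bind as the user: the server checks the password itself, whatever
            //    scheme userPassword uses, so no hashing is re-implemented here.
            ctx = new InitialDirContext(env);
            // 2) The user's entry must exist exactly once under USER_BASE.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            NamingEnumeration<SearchResult> hits = ctx.search(USER_BASE, "(uid={0})", new Object[] {uid}, sc);
            int found = 0;
            while (hits.hasMore()) { hits.next(); found++; }
            if (found != 1) return null;
            // 3) Group memberships, assuming groupOfNames entries with member=<userDn>.
            List<String> roles = new ArrayList<>();
            NamingEnumeration<SearchResult> groups = ctx.search(GROUP_BASE,
                "(&(objectClass=groupOfNames)(member={0}))", new Object[] {userDn}, sc);
            while (groups.hasMore()) roles.add((String) groups.next().getAttributes().get("cn").get());
            return roles;
        } catch (NamingException e) {
            return null;  // bad credentials or directory error: deny either way
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) {} }
        }
    }
}
```

The ldaps:// URL covers the SSL item from Russell's missing-features list; caching and connection pooling are still left out here.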

