[jetty-users] problem with security constraint


[jetty-users] problem with security constraint

Mario Georgiev
Hi,

I have migrated an application from Jetty6 to Jetty7 and everything
works fine for the moment except that the security constraint that is
set as:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>SecureConnection</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

does not work.

When accessing files/resources from the server it never redirects me
to HTTPS. In Jetty6 that works just fine.

Any ideas why this doesn't work?

--
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: [hidden email]
_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: [jetty-users] problem with security constraint

Thomas Becker
Hi Mario,

I just recently had to do the same thing with Jetty, and your config
looks just fine and should work. Are you sure that you've properly
prepared your new Jetty 7 installation for SSL? Does HTTPS work fine when
you try to access it directly, or is it only the redirect from HTTP to
HTTPS which does not work?

Here's the guide for SSL: http://wiki.eclipse.org/Jetty/Howto/Configure_SSL

Cheers,
Thomas

On 1/10/12 2:22 PM, Mario Georgiev wrote:

--
thomas becker
[hidden email]

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)


Re: [jetty-users] problem with security constraint

Mario Georgiev
Hi Thomas,

The SSL connector is set up as it should be and works like a charm. I have
a working SSL environment and I can open pages/access resources on HTTPS
with no problems at all.
The redirect from HTTP to HTTPS that should happen from the
configuration with this security constraint is what is not working.

I forgot to mention: the Jetty version I use is 7.5.4.v20111024

On Wed, Jan 11, 2012 at 10:40, Thomas Becker <[hidden email]> wrote:

--
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: [hidden email]

Re: [jetty-users] problem with security constraint

Simone Bordet-2
Hi,

On Wed, Jan 11, 2012 at 10:05, Mario Georgiev <[hidden email]> wrote:
> Hi Thomas,
>
> The SSL connector is setup as it should and works like a charm. I have
> working SSL environment and I can open pages/access resources on https
> with no problems at all.
> The redirect from http to https that should happen from the
> configuration with this security constraint - that is not working.
>
> I forgot to tell: Jetty version I use is 7.5.4.v20111024

Did you specify the confidentialPort in the non-SSL connector ?
Otherwise Jetty will not know where to redirect to.

Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Re: [jetty-users] problem with security constraint

Mario Georgiev
Hi,

Yes I have "confidentialPort" set in the config.
Here are the configurations for the connectors:

    <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
        <Set name="KeyStore"><Property name="jetty.home" default="." />mykey.keystore</Set>
        <Set name="KeyStorePassword">pass</Set>
        <Set name="KeyManagerPassword">pass</Set>
        <Set name="TrustStore"><Property name="jetty.home" default="." />mytruststore.keystore</Set>
        <Set name="TrustStorePassword">pass</Set>
    </New>

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Arg><Ref id="sslContextFactory" /></Arg>
                <Set name="Port">8443</Set>

                <Set name="maxIdleTime">45000</Set>
                <Set name="AcceptQueueSize">100</Set>
                <Set name="Acceptors">2</Set>
                <Set name="lowResourcesConnections">11000</Set>
                <Set name="lowResourcesMaxIdleTime">1000</Set>
            </New>
        </Arg>
    </Call>

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                <Set name="host">
                    <Property name="jetty.host" />
                </Set>
                <Set name="port">
                    <Property name="jetty.port" default="8080" />
                </Set>
                <Set name="maxIdleTime">45000</Set>
                <Set name="Acceptors">2</Set>
                <Set name="statsOn">false</Set>
                <Set name="confidentialPort">8443</Set>
                <Set name="lowResourcesConnections">10000</Set>
                <Set name="lowResourcesMaxIdleTime">5000</Set>
                <Set name="ThreadPool">
                    <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
                        <Set name="name">SSL Thread Pool</Set>
                        <Set name="minThreads">10</Set>
                        <Set name="maxThreads">400</Set>
                    </New>
                </Set>
            </New>
        </Arg>
    </Call>


Do you know where in the code to look for these settings?
I can try to debug it and see what is going on; I just need some
direction on where to look.


On Wed, Jan 11, 2012 at 11:15, Simone Bordet <[hidden email]> wrote:

--
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: [hidden email]

Re: [jetty-users] problem with security constraint

Thomas Becker
Hi Mario,

At first glance your config looks completely OK to me. If I find
some time, I will see if I can put a config together that works
and paste it to you. You can then start with a config that is known to
work, and if it still doesn't work for you, we at least know it's not the
config.

Cheers,
Thomas

On 1/11/12 12:42 PM, Mario Georgiev wrote:

--
thomas becker
[hidden email]

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)


Re: [jetty-users] problem with security constraint

Thomas Becker
Hi Mario,

I've set up the same thing again in 5 minutes by just using the standard
Jetty config files, creating a keystore and enabling jetty-ssl.xml in
start.ini. It works just fine.

Here's the web.xml excerpt I've used.

<!-- redirect everything to confidential port -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Pretty much the same thing as you have and it simply works. All calls to
this webapp get redirected to https. So I don't have a clue why this is
not working for you. I've tested with 7.6.0-SNAPSHOT, but that shouldn't
make a difference in this case.

Cheers,
Thomas
On 1/12/12 10:20 AM, Thomas Becker wrote:

--
thomas becker
[hidden email]

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)


Re: [jetty-users] problem with security constraint

Mario Georgiev
Hi,

So I've been busy with other stuff and a colleague of mine has taken
over the issue, and here is what he found so far.

If a "securityHandler" is enabled, the redirect works. So when we
add this in the context configuration it works:

<Get name="securityHandler">
    <Set name="loginService">
        <New class="org.eclipse.jetty.security.HashLoginService">
            <Set name="name">Test Realm</Set>
            <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
            <!-- To enable reload of the realm when the properties file changes,
                 uncomment the following lines, changing refreshInterval (in seconds) as desired -->
            <!--
            <Set name="refreshInterval">5</Set>
            <Call name="start"></Call>
            -->
        </New>
    </Set>
    <Set name="checkWelcomeFiles">true</Set>
</Get>

So my questions are:
1. Why do we need a "securityHandler"?
2. What is the right configuration when I only need to redirect users
but not to authenticate them?

On Fri, Jan 13, 2012 at 13:17, Thomas Becker <[hidden email]> wrote:

--
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: [hidden email]
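The configuration Mario's colleague arrived at, expressed programmatically for embedded Jetty. This is an added example, not code from the thread or from the Jetty project. It assumes the Jetty 7.5.x package layout (Constraint in org.eclipse.jetty.http.security and SslContextFactory in org.eclipse.jetty.http.ssl; both moved under org.eclipse.jetty.util in 7.6), a placeholder keystore mykey.keystore with password pass as in the jetty.xml above, and a throwaway HelloServlet so the context has something to serve. It builds the same CONFIDENTIAL constraint for /* that the web.xml carries, installs a ConstraintSecurityHandler with no LoginService and no Authenticator (redirect only, nobody is asked to log in), and sets confidentialPort on the plain connector so Jetty knows where to send the 302. A WebAppContext creates that handler for you from web.xml; a bare ServletContextHandler does not, which is why it is set explicitly here. On a build that still carries the bug referenced later in the thread, adding a LoginService as the colleague did is the workaround.

```java
import java.util.Collections;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.security.Constraint;     // 7.5.x; org.eclipse.jetty.util.security in 7.6+
import org.eclipse.jetty.http.ssl.SslContextFactory;   // 7.5.x; org.eclipse.jetty.util.ssl in 7.6+
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class ConfidentialRedirect {

    /** Hypothetical servlet: only there so the redirect has somewhere to land. */
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("secure=" + req.isSecure() + " scheme=" + req.getScheme());
        }
    }

    /**
     * Programmatic equivalent of the web.xml <security-constraint> from the thread:
     * every path, CONFIDENTIAL transport guarantee, no roles, no authentication.
     */
    public static ConstraintSecurityHandler confidentialOnly() {
        Constraint constraint = new Constraint();
        constraint.setName("SecureConnection");
        constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
        constraint.setAuthenticate(false);          // redirect only; no login challenge

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/*");
        mapping.setConstraint(constraint);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setConstraintMappings(Collections.singletonList(mapping));
        // Deliberately no setLoginService(...) and no setAuthenticator(...): the handler
        // must be present for the constraint to be evaluated, but nothing authenticates.
        return security;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Plain HTTP. confidentialPort is what the 302 Location for CONFIDENTIAL resources points at.
        SelectChannelConnector http = new SelectChannelConnector();
        http.setPort(8080);
        http.setConfidentialPort(8443);

        // HTTPS. Keystore path and passwords are placeholders, as in the thread's jetty.xml.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStore("mykey.keystore");
        ssl.setKeyStorePassword("pass");
        ssl.setKeyManagerPassword("pass");
        SslSelectChannelConnector https = new SslSelectChannelConnector(ssl);
        https.setPort(8443);

        server.addConnector(http);
        server.addConnector(https);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(confidentialOnly());
        context.addServlet(new ServletHolder(new HelloServlet()), "/*");
        server.setHandler(context);

        server.start();
        // Check from a shell (expect a 302 whose Location is https://localhost:8443/index.html):
        //   curl -si http://localhost:8080/index.html | head -n 5
        // The same request against https://localhost:8443/ should serve the servlet directly.
        server.join();
    }
}
```

Verify the redirect with a client that does not follow redirects, and check the Location header rather than the final page: a 200 from the plain port would mean the constraint was never evaluated, which is exactly the symptom the thread describes.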

Re: [jetty-users] problem with security constraint

Thomas Becker
Hi Mario,

This is a bug in Jetty which we have recently fixed:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=368773
Sorry, I didn't remember your email. Otherwise I would have reported that
to you earlier.

Cheers,
Thomas

On 1/23/12 3:41 PM, Mario Georgiev wrote:

--
thomas becker
[hidden email]

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)


Re: [jetty-users] problem with security constraint

Mario Georgiev
Hi Thomas,

OK, that sounds good that the bug is found and fixed :)
Do you know if it is going to be in Jetty 7.6?

On Mon, Jan 23, 2012 at 16:46, Thomas Becker <[hidden email]> wrote:

> Hi Mario,
>
> this is a bug in jetty which we recently have fixed:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=368773
> Sorry, didn't remember your email. Otherwise I would have reported that to
> you earlier.
>
> Cheers,
> Thomas
>



--
Regards,
Mario Georgiev
Senior Web Developer

Trading 212
www.trading212.com

E-mail: [hidden email]
_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: [jetty-users] problem with security constraint

Thomas Becker
Hi Mario,

hope you didn't spend too much time on it. Wasn't quite trivial to
identify this bug. It'll be in 7.6 RC5 and then in the final release,
yes. Until then a workaround is to define a SecurityHandler as you've
already found out.

Cheers,
Thomas

On 1/23/12 3:57 PM, Mario Georgiev wrote:

> Hi Thomas,
>
> OK, that sounds good that the bug is found and fixed :)
> Do you know if it is going to be in Jetty 7.6?
>

--
thomas becker
[hidden email]

http://webtide.com / http://intalio.com
(the folks behind jetty and cometd)

_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users
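Nothing in the thread shows how to verify the redirect once the constraint and the connector's confidentialPort are in place, so here is an added example (not code from the thread or from the Jetty project) that builds the redirect target the thread describes, confidential scheme plus host plus confidentialPort plus the original request URI, and classifies a plain-HTTP response as redirected, served in clear (the symptom reported here) or rejected. The function names, the constructed sample responses and the 403 branch for an unset confidentialPort are my assumptions.

```python
"""Offline/live check that a Jetty CONFIDENTIAL security constraint really
redirects plain-HTTP requests to the SSL connector's confidentialPort.
Added example for this thread, not code from the Jetty project; the
function names and the sample responses below are constructed."""
import http.client
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def expected_confidential_url(host, path, query, confidential_port,
                              confidential_scheme="https"):
    """Redirect target for a CONFIDENTIAL constraint: the confidential
    scheme, the request's host name, the HTTP connector's confidentialPort
    and the original request URI plus query string. Returns None when
    confidentialPort is unset (0): with no port configured the server has
    nowhere to redirect to, the point raised earlier in this thread."""
    if not confidential_port:
        return None
    url = f"{confidential_scheme}://{host}:{confidential_port}{path}"
    if query:
        url += "?" + query
    return url


def check_redirect(status, headers, expected_url):
    """Classify one plain-HTTP response. Returns (ok, finding)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if status in REDIRECT_STATUSES:
        if location is None:
            return False, "redirect status but no Location header"
        if location != expected_url:
            return False, f"redirected to {location}, expected {expected_url}"
        return True, "redirected to the confidential port as expected"
    if status == 403:
        # Assumption: the constraint applies but the connector has no
        # confidentialPort to redirect to, so the request is refused.
        return False, ("403 over HTTP: constraint enforced but no "
                       "confidentialPort configured on the HTTP connector")
    if 200 <= status < 300:
        # The symptom reported in this thread: the resource is served in
        # clear text, so the CONFIDENTIAL constraint is not enforced.
        return False, "served over plain HTTP: CONFIDENTIAL constraint ignored"
    return False, f"unexpected status {status}"


def probe(host, http_port, path, confidential_port, timeout=5):
    """Live check: one GET on the HTTP connector, judged by check_redirect."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        status, headers = resp.status, dict(resp.getheaders())
    finally:
        conn.close()
    parts = urlsplit(path)
    expected = expected_confidential_url(host, parts.path, parts.query,
                                         confidential_port)
    return check_redirect(status, headers, expected)


if __name__ == "__main__":
    # Constructed responses for the three outcomes discussed in the thread.
    expected = expected_confidential_url("app.example", "/index.html", "", 8443)
    samples = [
        (302, {"Location": "https://app.example:8443/index.html"}),  # working
        (200, {"Content-Type": "text/html"}),                        # no redirect
        (403, {}),                                                   # no port
    ]
    for status, headers in samples:
        print(status, check_redirect(status, headers, expected))
```

For a deployed server, `probe("app.example", 8080, "/index.html", 8443)` performs the same classification against the live HTTP connector.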

Re: [jetty-users] problem with security constraint

Jesse McConnell
In reply to this post by Mario Georgiev
yes, and it should be in the RC5 binaries available in maven central
and for download from eclipse.

jesse

--
jesse mcconnell
[hidden email]



On Mon, Jan 23, 2012 at 08:57, Mario Georgiev <[hidden email]> wrote:

> Hi Thomas,
>
> OK, that sounds good that the bug is found and fixed :)
> Do you know if it is going to be in Jetty 7.6?
_______________________________________________
jetty-users mailing list
[hidden email]
https://dev.eclipse.org/mailman/listinfo/jetty-users