Geronimo / GERONIMO-4846

form based security for the web application does not work with Jetty WADI clustering.


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.2
    • Fix Version/s: None
    • Component/s: Clustering
    • Security Level: public (Regular issues)
    • Labels: None

    Description

      This is a part of https://issues.apache.org/jira/browse/GERONIMO-4777, the major issue has been resolved with the patch from Trygve Hardersen. Opening this JIRA to track the remaining problems.

      ----------------------------------------
      However it does not work when combined with form based security for the web application. The first problem is that org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication and org.eclipse.jetty.security.authentication.SessionCachingAuthenticator are not serializable, so they can not be sent across the network. I made these classes serializable, and then login works as long as there is only one member in the cluster (well, not really a cluster...). When there are multiple members in the cluster, login fails because there is no valid constructor for org.eclipse.jetty.security.authentication.SessionCachingAuthenticator$SessionAuthentication. I tried to add a default constructor, but it's an inner class, and it seems to me like the Authenticator and UserIdentity properties are required for it to work so I did not try to extract the class.

      As I said login works as long as there's only one member in the cluster, but logout does not. Calling javax.servlet.http.HttpSession#invalidate() throws an exception, because the current session can not be found:

      java.lang.AssertionError: Session [org.apache.geronimo.clustering.wadi.WADISessionAdaptor@7f488ddb] is undefined
      org.codehaus.wadi.replication.manager.ReplicationKeyNotFoundException: Key [ccge2q2w9dz2] does not exist

      I am attaching the patch for the WADIJettyClusteringBuilder (WADIJettyClusteringBuilder.patch) and a sample project JGS (jgs.tar.gz) that demonstrates the security problems I'm experiencing. The web-formlogin-clustering-plugin of the JGS project uses form based security and WADI clustering. The /customer page is protected, and to access it one must log in with any username and password, as long as they are the same. Use test/test for instance. To test session invalidation, manually enter the URL /logout.

      It would be very helpful if someone can comment on the usability of WADI clustering in combination with Jetty7. To me it seems like it has not been tested much, and I think going back to Jetty6 again is the best option for us, unless the issues described above can be easily solved.

      Thanks for your help!
      ------------------------------------------------------
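The "no valid constructor" failure in the report comes from Java serialization itself: when a Serializable object is read back, its nearest non-Serializable superclass must have an accessible no-argument constructor, and a non-static inner class drags its outer instance through the same check. The following added example is not code from Geronimo, Jetty or the attached patch; its class names are constructed stand-ins shaped like the ones named above, and it is the kind of pre-flight round-trip check a deployer can run on a session attribute before enabling replication, reproducing the read-side failure the reporter hit.

```java
import java.io.*;

// Added example, not Geronimo or Jetty code: the class names are constructed stand-ins
// shaped like the classes named in the report.
public class SessionAttributeCheck {
    // Non-serializable base class without a no-arg constructor: the trigger for
    // "no valid constructor" when a Serializable subclass is deserialized.
    static class BaseAuthenticator {
        final String realm;
        BaseAuthenticator(String realm) { this.realm = realm; }
    }

    // Stand-in for SessionCachingAuthenticator after it was marked Serializable.
    static class CachingAuthenticator extends BaseAuthenticator implements Serializable {
        CachingAuthenticator(String realm) { super(realm); }
        // Stand-in for the inner SessionAuthentication: a non-static inner class holds an
        // implicit reference to its outer instance, so the outer object is serialized too.
        class SessionAuthentication implements Serializable {
            final String user;
            SessionAuthentication(String user) { this.user = user; }
        }
    }

    // Writes the attribute to a byte buffer and reads it back, as a replicated session
    // store would. Returns null when the round trip succeeds, else a one-line diagnosis.
    static String roundTripProblem(Object attribute) throws IOException, ClassNotFoundException {
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
                out.writeObject(attribute);
            }
            try (ObjectInputStream in = new ObjectInputStream(
                    new ByteArrayInputStream(buf.toByteArray()))) {
                in.readObject();
            }
            return null;
        } catch (NotSerializableException e) {
            return "write failed, not serializable: " + e.getMessage();
        } catch (InvalidClassException e) {
            return "read failed: " + e.getMessage(); // ends with "; no valid constructor" here
        }
    }

    public static void main(String[] args) throws Exception {
        CachingAuthenticator auth = new CachingAuthenticator("geronimo-realm");
        Object attr = auth.new SessionAuthentication("test");
        String problem = roundTripProblem(attr);
        System.out.println(problem == null ? "OK: safe to replicate" : "REJECT: " + problem);
    }
}
```

Giving BaseAuthenticator a no-arg constructor, or making SessionAuthentication a static nested class that carries only serializable state, makes the same check pass.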

            People

              Assignee: Unassigned
              Reporter: Lin Quan Jiang (genspring)