Error with Basic HTTP Authentication when using karaf realm

Description

I'm trying to implement HTTP basic authentication using the karaf realm in ServiceMix. When I don't use the JAAS configuration in jetty.xml and use Jetty security instead, I'm able to access the protected URL. But when JAAS authentication is enabled, I get a 403 error accessing the same page. The error is thrown from java/org/eclipse/jetty/security/SecurityHandler.java at the following location. I'm also attaching the relevant sections from jetty.xml.

=======================================================================
if (isAuthMandatory)
{
    boolean authorized = checkWebResourcePermissions(pathInContext, baseRequest, base_response, constraintInfo, userAuth.getUserIdentity());
    if (!authorized)
    {
        response.sendError(Response.SC_FORBIDDEN, "!role"); // this is the error that is shown when accessing the url
        baseRequest.setHandled(true);
        return;
    }
}
=======================================================================

The exact error is
=======================================================================
HTTP ERROR 403

Problem accessing /jaas-webapp/index.jsp. Reason:

!role
Powered by Jetty://
=======================================================================

Jetty Security Configuration
=======================================================================
<Call name="addBean">
  <Arg>
    <New class="org.eclipse.jetty.security.HashLoginService">
      <Set name="name">RubiconRealm</Set>
      <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/rubicon.properties</Set>
      <Set name="refreshInterval">0</Set>
    </New>
  </Arg>
</Call>
=======================================================================

Karaf configuration
=======================================================================
<Call name="addBean">
  <Arg>
    <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
      <Set name="name">default</Set>
      <Set name="loginModuleName">karaf</Set>
      <Set name="roleClassNames">
        <Array type="java.lang.String">
          <Item>org.apache.karaf.jaas.modules.RolePrincipal</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
=======================================================================

I'm attaching a sample project created to test this along with its source.

Steps to reproduce the error:
1. Download servicemix from http://www.apache.org/dyn/closer.cgi?path=servicemix/servicemix-4/4.4.1/apache-servicemix-full-4.4.1.tar.gz
2. Deploy jaas-webapp.war after starting servicemix
3. Open the URL, http://localhost:8181/jaas-webapp/index.jsp

Ref: http://servicemix.396122.n5.nabble.com/Error-with-Basic-HTTP-Authentication-using-Karaf-td5541934.html

Environment

I'm using Ubuntu 11.10, Apache ServiceMix Full 4.4.1, Sun Java version "1.6.0_30", Apache Maven 3.0.4 (r1232337; 2012-01-17 14:14:56+0530)

Activity
Achim Nierbeck
March 27, 2012, 8:13 PM

Unfortunately my suspicion about a classloader issue is right.

The following happens.
The following piece of code is executed with the bundle classloader of the Karaf JAAS Module [Bundle ID 13].

The class which is compared is created with the Thread.currentThread().getContextClassLoader(), which happens to be the classloader of the web application [Bundle ID 88].

That's why the following code probably doesn't work (it's extracted from Subject.class):

Achim Nierbeck
March 27, 2012, 8:41 PM

To get around this issue it is required to have a better suited JAASLoginService class, either in Karaf or here at pax-web.

Achim Nierbeck
March 27, 2012, 8:42 PM

maybe we can add this specialized JAASLoginService for 2.0

Achim Nierbeck
April 2, 2012, 9:25 PM

OK, this can only be fixed inside Karaf.
The following needs to happen.
The principal classes need to be moved from the jaas-module bundle
to the jaas-boot bundle, because those packages are boot-loaded. This way all classes are available to the bootloader and the standard Jetty
thread context classloader is able to load them.
A new issue is being raised at Karaf.

Achim Nierbeck
April 2, 2012, 9:39 PM

Set it to won't fix because it's not actually an issue of pax-web or Jetty but more an issue of Karaf and the JAAS realms and how those user credentials are used.

This issue is fixed in Karaf, see KARAF-1305
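The classloader mismatch described in the comments above can be reproduced outside OSGi. The following is an added, stand-alone example written for this page; it is not code from pax-web, Jetty or Karaf. It uses a constructed stand-in for org.apache.karaf.jaas.modules.RolePrincipal and a hypothetical IsolatingLoader that defines that class a second time, the way a web-application bundle with its own copy of the package would. The rolesSeenBy method mirrors what JAASLoginService does with roleClassNames: it resolves the role class by name through a given loader and asks Subject.getPrincipals(Class) for principals of that type. Subject.getPrincipals(Class) filters with isAssignableFrom(), which is false for two Class objects of the same name loaded by different loaders, so the role is not found and the constraint check fails with "!role".

```java
import javax.security.auth.Subject;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Set;

public class ClassLoaderRoleCheck {

    // Constructed stand-in for org.apache.karaf.jaas.modules.RolePrincipal.
    public static class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Hypothetical loader that defines RolePrincipal itself instead of delegating to
    // its parent, mimicking a second bundle that carries its own copy of the class.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(RolePrincipal.class.getName())) {
                return super.loadClass(name, resolve); // everything else: normal delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] bytes = in.readAllBytes(); // Java 9+ (assumed here)
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    // Mirrors JAASLoginService's handling of roleClassNames: resolve the role class by
    // name through the given loader, then collect principals of that type from the Subject.
    static Set<? extends Principal> rolesSeenBy(Subject subject, ClassLoader loader) throws Exception {
        Class<?> roleClass = Class.forName(RolePrincipal.class.getName(), true, loader);
        return subject.getPrincipals(roleClass.asSubclass(Principal.class));
    }

    public static void main(String[] args) throws Exception {
        // The login module (bundle A) adds a RolePrincipal created by its own loader.
        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("admin"));

        ClassLoader moduleLoader = ClassLoaderRoleCheck.class.getClassLoader();
        ClassLoader webappLoader = new IsolatingLoader(moduleLoader);

        Class<?> a = Class.forName(RolePrincipal.class.getName(), true, moduleLoader);
        Class<?> b = Class.forName(RolePrincipal.class.getName(), true, webappLoader);
        System.out.println("same name: " + a.getName().equals(b.getName()));
        System.out.println("same class: " + (a == b));
        System.out.println("assignable: " + b.isAssignableFrom(a));

        // Role class resolved through the module's loader: the role is found.
        System.out.println("roles via module loader: " + rolesSeenBy(subject, moduleLoader).size());
        // Role class resolved through the web-app's loader: a different Class object,
        // so getPrincipals() returns an empty set and SecurityHandler answers "!role".
        System.out.println("roles via webapp loader: " + rolesSeenBy(subject, webappLoader).size());
    }
}
```

Run with javac ClassLoaderRoleCheck.java && java ClassLoaderRoleCheck from the directory containing the class files, so the nested class is reachable through getResourceAsStream. The first lookup reports one role and the second reports none, even though both loaders resolve exactly the same class name; that is the situation the fix in KARAF-1305 removes by moving the principal classes to the boot-loaded jaas-boot bundle, so every bundle resolves the same Class object.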

Assignee

Achim Nierbeck

Reporter

Irshad Pananilath

Priority

Major