I am attempting to add Digest Authentication to an API being made available over HTTP, using embedding Jetty. I have no web.xml, this is not a webapp. The application starts up by creating a ClassPathXmlApplicationContext object from my file "spring-config.xml". In "spring-config.xml" I define lots of beans for services, etc, and also a bean to start a Jetty server.
The Jetty server is configured with a DispatcherServlet (actually a DispatcherServletWrapper class that implements ApplicationContextAware and sets the ClassPathXmlApplicationContext object as the parent of the GenericWebApplicationContext it creates, this way it can access the beans defined in my spring-config.xml file).
That all works, where it breaks down is trying to add authentication. I add all of the spring-security configs for setting up digest auth, but I don't know how to make Jetty aware of the filter chain.
The relevant sections of my spring-config.xml look like this:
<bean id="restApiController" class="com.company.project.api.controllers.RESTfulController">
<property name="broker" ref="broker"/>
</bean>
<mvc:annotation-driven/>
<!--++++++++++++++++++++++
JETTY BEANS
+++++++++++++++++++++++-->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service id="userService">
<security:user name="apiUser" password="apiPassword" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
<property name="realmName" value="Digest Auth Realm"/>
<property name="key" value="acegi"/>
</bean>
<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
<property name="userDetailsService" ref="userService"/>
<property name="authenticationEntryPoint" ref="digestEntryPoint"/>
</bean>
<security:http create-session="stateless" use-expressions="true" entry-point-ref="digestEntryPoint">
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:custom-filter ref="digestFilter" position="FIRST"/>
</security:http>
<bean id="JettyServer" class="org.eclipse.jetty.server.Server" init-method="start" destroy-method="stop">
<constructor-arg>
<bean id="threadPool" class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<property name="minThreads" value="2"/>
<property name="maxThreads" value="10"/>
</bean>
</constructor-arg>
<property name="connectors">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="JettyServer"/>
<property name="port" value="8090"/>
</bean>
</list>
</property>
<property name="handler">
<bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<bean id="servletContextHandler" class="org.eclipse.jetty.servlet.ServletContextHandler">
<property name="contextPath" value="/"/>
<property name="servletHandler">
<bean class="org.eclipse.jetty.servlet.ServletHandler">
<property name="filters">
<list>
<bean class="org.eclipse.jetty.servlet.FilterHolder">
<property name="name" value="springSecurityFilterChain"/>
<property name="filter">
<bean class="org.springframework.web.filter.DelegatingFilterProxy"/>
</property>
<!--<property name="filter" ref="digestFilter"/>-->
</bean>
</list>
</property>
<property name="filterMappings">
<list>
<bean class="org.eclipse.jetty.servlet.FilterMapping">
<property name="filterName" value="springSecurityFilterChain"/>
<property name="pathSpec"><value>/*</value></property>
</bean>
</list>
</property>
<property name="servlets">
<list>
<bean class="org.eclipse.jetty.servlet.ServletHolder">
<property name="name" value="DefaultServlet"/>
<property name="servlet">
<!--<bean class="org.springframework.web.servlet.DispatcherServlet"/>-->
<bean class="com.impulse.sessiontracker.api.DispatcherServletWrapper"/>
</property>
<!--
<property name="initParameters">
<map>
<entry key="contextConfigLocation" value="classpath:./spring-security.xml" />
</map>
</property>
-->
</bean>
</list>
</property>
<property name="servletMappings">
<list>
<bean class="org.eclipse.jetty.servlet.ServletMapping">
<property name="pathSpecs">
<list><value>/</value></list>
</property>
<property name="servletName" value="DefaultServlet"/>
</bean>
</list>
</property>
</bean>
</property>
</bean>
<bean class="org.eclipse.jetty.server.handler.RequestLogHandler">
<property name="requestLog">
<bean class="org.eclipse.jetty.server.NCSARequestLog">
<constructor-arg value="/opt/impulse/logs/jetty-yyyy_mm_dd.log"/>
<property name="extended" value="false" />
</bean>
</property>
</bean>
</list>
</property>
</bean>
</property>
</bean>
I've tried referencing the DigestAuthenticationFilter directly in jetty's filter list, which doesn't seem to cause anything to happen. And I've tried the method shown above, where I try to reference a DelegatingFilterProxy, which results in a "ServletContext must not be null" exception. Trying that and naming it "springSecurityFilterChain" are complete guesses, based on some spring-docs and other questions I've read.
Can anyone tell me how to get these authentication configs used by Jetty? Does what I'm trying to do make sense?
For reference, my DispatcherServletWrapper looks like this:
public class DispatcherServletWrapper extends DispatcherServlet implements ApplicationContextAware {
private static final long serialVersionUID = -2281511575328213502L;
private ApplicationContext appContext;
@Override
public void setApplicationContext(ApplicationContext arg0)
throws BeansException {
this.appContext = arg0;
}
protected WebApplicationContext createWebApplicationContext(WebApplicationContext arg0) {
GenericWebApplicationContext wac = new GenericWebApplicationContext();
wac.setParent(appContext);
wac.refresh();
return wac;
}
}
