Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 31 2019 23:02
    jebeaudet commented #3314
  • Jan 31 2019 22:50
    joakime commented #3314
  • Jan 31 2019 22:50
    joakime commented #3314
  • Jan 31 2019 22:48
    joakime commented #3314
  • Jan 31 2019 22:46
    olamy commented #2878
  • Jan 31 2019 22:45
    jebeaudet commented #3314
  • Jan 31 2019 22:41
    joakime commented #3314
  • Jan 31 2019 22:39
    joakime commented #3314
  • Jan 31 2019 22:26
    jebeaudet edited #3314
  • Jan 31 2019 22:24
    jebeaudet opened #3314
  • Jan 31 2019 17:28
    sbordet commented #3313
  • Jan 31 2019 17:20
    sbordet review_requested #3313
  • Jan 31 2019 17:20
    sbordet review_requested #3313
  • Jan 31 2019 17:20
    sbordet opened #3313
  • Jan 31 2019 17:18

    sbordet on jetty-10.0.x-1350-dynamic_client_transport

    Issue #1350 - Dynamic selection… (compare)

  • Jan 31 2019 16:37

    sbordet on jetty-10.0.x-132_client_connector

    (compare)

  • Jan 31 2019 16:37

    sbordet on jetty-10.0.x

    Issue #132 - ClientConnector ab… Issue #132 - ClientConnector ab… Issue #132 - ClientConnector ab… and 2 more (compare)

  • Jan 31 2019 16:37
    sbordet closed #3267
  • Jan 31 2019 16:15
    sbordet synchronize #3312
  • Jan 31 2019 16:15

    sbordet on jetty-9.4.x-3311-http_https_same_port

    Fixes #3311 - Ability to serve … (compare)

David (javalin.io)
@tipsy
i want to add auth to websockets. my approach is to hook into the service() of a WebSocketServlet and only do the upgrade if the request is valid:
class MyWsSevlet : WebSocketServlet() {
    override fun service(req: HttpServletRequest, res: HttpServletResponse) {
        if (valid(req)) {
            super.service(req, res)
        } else {
            res.sendError(401, "Unauthorized")
        }
    }
}
is this an okay approach? can it be bypassed somehow?
Simone Bordet
@sbordet
@tipsy it's probably better to use a servlet filter so you have authn factored out into a single component
David
@david-wg2
this is pretty much all the code @sbordet (there is also a two-line override of configure), it seems a bit excessive to split this up
the main thing i need to know is if there are any cases where service will not be called when upgrading to WS, or if it will always be called
Simone Bordet
@sbordet
@david-wg2 I can't tell you if it's going to be called, depends on what you have in front of the servlet and how's mapped. If all things normal, yes it will be called
David
@david-wg2
nothing of note in front of it, it's mapped to /*
thank you!
Joakim Erdfelt
@joakime
@tipsy it's probably better to perform the auth check in the WebSocketCreator (or the ServerEndpointConfig.Configurator if using JSR356), that way the websocket layer can respond according to the RFC6455 (and RFC8441 in future release)
trepidacious
@trepidacious
I'm trying to obfuscate an app that uses jetty (via javalin) using proguard. It seems like there are references to things like org.eclipse.jetty.jmx.ObjectMBean in jetty that are not in the jetty dependencies - I think at least that one is in jetty-jmx. Is that expected? Should I have an explicit dependency on jetty-jmx to let proguard work?
If I should have a dependency on jetty-jmx, which version?
Simone Bordet
@sbordet
same version as the rest of jetty jars
zeeklumpkins
@zeeklumpkins
Hi there. I have an embedded jetty service in a java app, set up with https and a self signed cert...is there any reason when looking at headers in curl that I cannot see anything resembling a session id?
trepidacious
@trepidacious
@sbordet Ah cool, I hadn't realised they were versioned together until I got the dependency graph printed
Joakim Erdfelt
@joakime
@trepidacious Jetty is opensource, don't bother obfuscating it, there's nothing secret / proprietary to hide.
@zeeklumpkins you don't have sessions enabled? or a sessionhandler setup perhaps?
zeeklumpkins
@zeeklumpkins
@joakime that may be the question...what would be the call to establish that? I do set up a SessionHandler (setHttpOnly(true) and setSecure(true)) though do not know if there is a special call to use the session ids
trepidacious
@trepidacious
@joakime Ideally I'd rather just obfuscate everything, not so much to hide the open source code as make it harder to see what the the other code using it is doing
@joakime It might well be easier to just exclude everything in jetty packages though
Joakim Erdfelt
@joakime
@zeeklumpkins ServletContextHandler root = new ServletContextHandler(contexts, "/", ServletContextHandler.SESSIONS);
@trepidacious you are likely already excluding javax.* and java.* and sun.*, excluding org.eclipse.jetty.* is no different.
ProGuard only slows down someone, adds about 15 extra minutes to the process of decoding/deobfuscating.
you can thank the minecraft modding community for that. they have reverse-proguard tooling that a small army of volunteers have been working on for the past 10 years that works shockingly well for all proguarded source now.
@zeeklumpkins see also https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/examples/embedded/src/main/java/org/eclipse/jetty/embedded/OneServletContextWithSession.java
zeeklumpkins
@zeeklumpkins
@joakime yeah don't see that call...are session ids required to do https? tbh if I can avoid session ids I would prefer that; I am working on a security SRG and there are an annoying number of session requirements that I think are avoidable if I am not doing IDs...
Joakim Erdfelt
@joakime
"session ids" are an ambiguous term
are you referring to HttpSession (java) for Session (http header)?
or are you referring to Session (TLS/SSL) for encryption?
TLS has "Session ids" as well. but those are handled by the TLS protocol, and are typically managed by the TLS implementation.
You have exposure to it via java, see javax.net.ssl.SSLSocket.getSession()
zeeklumpkins
@zeeklumpkins
@joakime mm whichever would be shared to the client I think...I think it is what would get served up by the SessionIDManager.. the text of an item I am checking says 'Session IDs are tokens generated by web applications to uniquely identify an application user's session'
trepidacious
@trepidacious
@joakime Yes you're right - I'll try that. I don't use proguard much, still trying to find what to do to leave everything in those classes completely unaltered...
zeeklumpkins
@zeeklumpkins
@joakime the server does have a setHandler; it is a ContextHandlerCollection (we have the option to set up http and/or https). it sets up a basic ContextHandler. If I can disable session ids and cookies it would make my life easier lol. I just want to serve up basic files over https...
zeeklumpkins
@zeeklumpkins
Maybe a more general question...if I want a jetty server to just serve up files over https (just need a very lightweight service), do I need session ids (like the JSESSIONID?) or even any cookies enabled?
Joakim Erdfelt
@joakime
@zeeklumpkins you can use a ResourceHandler like https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/examples/embedded/src/main/java/org/eclipse/jetty/embedded/FileServer.java
or a DefaultServlet (superior choice) like https://github.com/jetty-project/embedded-jetty-cookbook/blob/master/src/main/java/org/eclipse/jetty/cookbook/DefaultServletFileServer.java
as far as http vs https, that's just ServerConnector and HttpConfiguration setup.
unrelated to the handler tree
Mike Liu
@mikexliu
Hi, my company uses veracode and as part of the scan, it found that ConfigurableSpnegoLoginService.java:181 may suffer from http://cwe.mitre.org/data/definitions/384.html. Just wanted to check if this may be a concern or if it's a false positive scan?
Joakim Erdfelt
@joakime
@mikexliu file an issue here https://github.com/eclipse/jetty.project/issues
Mike Liu
@mikexliu
@joakime filed: eclipse/jetty.project#3627 thanks!
David J. M. Karlsen
@davidkarlsen
usually I see releases on central soon after the tag has been made - is it stuck at staging this time?
Joakim Erdfelt
@joakime
@davidkarlsen https://github.com/eclipse/jetty.project/issues/3546#issuecomment-482092475 - https://github.com/eclipse/jetty.project/issues/2566#issuecomment-391253740
a staged potential release (at oss.sonatype.org btw) can take a while to review, sometimes a full week. often a few days at least.
David J. M. Karlsen
@davidkarlsen
:thumbsup:
David (javalin.io)
@tipsy
can i use session to determine if a websocket upgrade request should be allowed or not? (in embedded jetty)
currently my websocket servlet is a org.eclipse.jetty.websocket.servlet.WebSocketServlet, which doesn't seem to have access to the session
Joakim Erdfelt
@joakime
Write a WebSocketCreator to handle the upgrade your way, that's at the HTTP level (which has access to the HttpSession).
@tipsy use jetty-users mailing list , stackoverflow, or the issue tracker please.
Joakim Erdfelt
@joakime
people don't check this often enough.