Joakim Erdfelt
@joakime
@tipsy it's probably better to perform the auth check in the WebSocketCreator (or the ServerEndpointConfig.Configurator if using JSR356), that way the websocket layer can respond according to the RFC6455 (and RFC8441 in future release)
trepidacious
@trepidacious
I'm trying to obfuscate an app that uses jetty (via javalin) using proguard. It seems like there are references to things like org.eclipse.jetty.jmx.ObjectMBean in jetty that are not in the jetty dependencies - I think at least that one is in jetty-jmx. Is that expected? Should I have an explicit dependency on jetty-jmx to let proguard work?
If I should have a dependency on jetty-jmx, which version?
Simone Bordet
@sbordet
same version as the rest of jetty jars
zeeklumpkins
@zeeklumpkins
Hi there. I have an embedded jetty service in a java app, set up with https and a self signed cert...is there any reason when looking at headers in curl that I cannot see anything resembling a session id?
trepidacious
@trepidacious
@sbordet Ah cool, I hadn't realised they were versioned together until I got the dependency graph printed
Joakim Erdfelt
@joakime
@trepidacious Jetty is opensource, don't bother obfuscating it, there's nothing secret / proprietary to hide.
@zeeklumpkins you don't have sessions enabled? or a sessionhandler setup perhaps?
zeeklumpkins
@zeeklumpkins
@joakime that may be the question...what would be the call to establish that? I do set up a SessionHandler (setHttpOnly(true) and setSecure(true)) though do not know if there is a special call to use the session ids
trepidacious
@trepidacious
@joakime Ideally I'd rather just obfuscate everything, not so much to hide the open source code as make it harder to see what the other code using it is doing
@joakime It might well be easier to just exclude everything in jetty packages though
Joakim Erdfelt
@joakime
@zeeklumpkins ServletContextHandler root = new ServletContextHandler(contexts, "/", ServletContextHandler.SESSIONS);
@trepidacious you are likely already excluding javax.* and java.* and sun.*, excluding org.eclipse.jetty.* is no different.
ProGuard only slows down someone, adds about 15 extra minutes to the process of decoding/deobfuscating.
you can thank the minecraft modding community for that. they have reverse-proguard tooling that a small army of volunteers have been working on for the past 10 years that works shockingly well for all proguarded source now.
zeeklumpkins
@zeeklumpkins
@joakime yeah don't see that call...are session ids required to do https? tbh if I can avoid session ids I would prefer that; I am working on a security SRG and there are an annoying number of session requirements that I think are avoidable if I am not doing IDs...
Joakim Erdfelt
@joakime
"session ids" are an ambiguous term
are you referring to HttpSession (java) for Session (http header)?
or are you referring to Session (TLS/SSL) for encryption?
TLS has "Session ids" as well. but those are handled by the TLS protocol, and are typically managed by the TLS implementation.
You have exposure to it via java, see javax.net.ssl.SSLSocket.getSession()
zeeklumpkins
@zeeklumpkins
@joakime mm whichever would be shared to the client I think...I think it is what would get served up by the SessionIDManager.. the text of an item I am checking says 'Session IDs are tokens generated by web applications to uniquely identify an application user's session'
trepidacious
@trepidacious
@joakime Yes you're right - I'll try that. I don't use proguard much, still trying to find what to do to leave everything in those classes completely unaltered...
zeeklumpkins
@zeeklumpkins
@joakime the server does have a setHandler; it is a ContextHandlerCollection (we have the option to set up http and/or https). it sets up a basic ContextHandler. If I can disable session ids and cookies it would make my life easier lol. I just want to serve up basic files over https...
zeeklumpkins
@zeeklumpkins
Maybe a more general question...if I want a jetty server to just serve up files over https (just need a very lightweight service), do I need session ids (like the JSESSIONID?) or even any cookies enabled?
as far as http vs https, that's just ServerConnector and HttpConfiguration setup.
unrelated to the handler tree
Mike Liu
@mikexliu
Hi, my company uses veracode and as part of the scan, it found that ConfigurableSpnegoLoginService.java:181 may suffer from http://cwe.mitre.org/data/definitions/384.html. Just wanted to check if this may be a concern or if it's a false positive scan?
Joakim Erdfelt
@joakime
Mike Liu
@mikexliu
@joakime filed: eclipse/jetty.project#3627 thanks!
David J. M. Karlsen
@davidkarlsen
usually I see releases on central soon after the tag has been made - is it stuck at staging this time?
a staged potential release (at oss.sonatype.org btw) can take a while to review, sometimes a full week. often a few days at least.
David J. M. Karlsen
@davidkarlsen
:thumbsup:
David (javalin.io)
@tipsy
can i use session to determine if a websocket upgrade request should be allowed or not? (in embedded jetty)
currently my websocket servlet is a org.eclipse.jetty.websocket.servlet.WebSocketServlet, which doesn't seem to have access to the session
Joakim Erdfelt
@joakime
Write a WebSocketCreator to handle the upgrade your way, that's at the HTTP level (which has access to the HttpSession).
@tipsy use jetty-users mailing list, stackoverflow, or the issue tracker please.
Joakim Erdfelt
@joakime
people don't check this often enough.
David (javalin.io)
@tipsy
oh, okay
will do in the future, thank you!
rhuitl
@rhuitl
Hi guys, do you have a rough estimate for the 9.4.28 release date?
Viacheslav Petriaiev
@Viacheslav-Petriaiev

Hi,

I've implemented the Jetty HTTP client logging approach which is described here: https://www.baeldung.com/spring-log-webclient-calls
But spring-cloud-sleuth has no instrumentation support for the Jetty HTTP client

Do you have any suggestions on how to implement Jetty HTTP client support with distributed tracing with sleuth?

Thank you

Anbarasan
@aanbarasan
Does anybody know this error?
java.lang.IllegalStateException: Destroyed container cannot be restarted
Inside karaf container I am getting this exception
Or Goshen
@Oberonc
hi
I've got a new user question