
Jetty/Tutorial/Realms

Revision as of 19:29, 23 December 2009 by Michael.webtide.com




Details

This tutorial describes how to configure security realms to provide authentication and access control for web applications running in Jetty. A realm has a unique name and is composed of a set of users. Each user has authentication information (e.g. a password) and a set of roles associated with that user.

You may configure one or many different realms depending on your needs. A single realm would indicate that you wish to share common security information across all of your web applications. Distinct realms allow you to partition your security information webapp by webapp.

Realm definitions in Jetty configuration files are placed in a section like this:

<Set name="UserRealms">
  <Array type="org.eclipse.jetty.security.UserRealm">
    <Item>
      ...
    </Item>
    <Item>
     ...
    </Item>
 
    ...
 
  </Array>
</Set>

Alternatively, you may define a realm for just a single webapp in a ContextDeployer file:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/test</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/test</Set>
    ...
  <Get name="securityHandler">
    <Set name="userRealm">
      <New class="org.eclipse.jetty.security.HashUserRealm">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      </New>
    </Set>
  </Get>
</Configure>

Jetty provides a number of different realm types from which you can choose.

HashUserRealm

This realm is a simple realm whose authentication and authorization information is stored in a properties file. Each line in the file contains a username, a password, and zero or more role assignments. The format is:

username: password[,rolename ...]

where:

  • username is the user's unique identity;
  • password is the user's password, either in plain text or protected with an OBF: (obfuscated), MD5: (hashed) or CRYPT: (Unix crypt) prefix, as in the example below;
  • rolename is the user's role.

For example:

admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
other: OBF:1xmk1w261u9r1w1c1xmq
guest: guest,read-only
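As an added example (Python, not code from the tutorial or from Jetty itself), the following parses this realm.properties format, checks a supplied password against OBF: and MD5: entries the way Jetty's Password and Credential classes do, and flags users whose password is stored in plain text. It assumes Jetty's OBF: and MD5: algorithms are as re-implemented here (the OBF: line from the example above decodes to "other"); CRYPT: entries are deliberately not handled.

```python
import hashlib
import hmac

def deobfuscate(cred: str) -> str:
    """Reverse Jetty's OBF: encoding: it hides a password from casual reading, nothing more."""
    s = cred[4:] if cred.startswith("OBF:") else cred
    raw = bytearray()
    for i in range(0, len(s), 4):            # 4 base-36 digits encode one byte
        i1, i2 = divmod(int(s[i:i + 4], 36), 256)
        raw.append((i1 + i2 - 254) // 2)     # i1 = 127+b+mirror, i2 = 127+b-mirror
    return raw.decode("utf-8")

def credential_matches(stored: str, supplied: str) -> bool:
    """Compare a realm.properties credential with a supplied password."""
    if stored.startswith("OBF:"):
        expected, got = deobfuscate(stored), supplied
    elif stored.startswith("MD5:"):          # unsalted MD5 hex digest of the password bytes
        expected, got = stored[4:].lower(), hashlib.md5(supplied.encode()).hexdigest()
    elif stored.startswith("CRYPT:"):        # classic Unix crypt(3); not re-implemented here
        raise NotImplementedError("CRYPT: entries are outside this example")
    else:                                    # no prefix: stored in plain text
        expected, got = stored, supplied
    return hmac.compare_digest(expected.encode(), got.encode())

def parse_realm(text: str) -> dict:
    """Map username -> (credential, [roles]) from 'username: password[,rolename ...]' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(":")
            cred, *roles = [p.strip() for p in rest.split(",")]
            users[name.strip()] = (cred, roles)
    return users

def authenticate(users: dict, username: str, password: str):
    """Roles of the user on success, None on unknown user or wrong password."""
    cred, roles = users.get(username, (None, None))
    return roles if cred is not None and credential_matches(cred, password) else None

def plaintext_users(users: dict) -> list:
    """Audit: users whose password carries no OBF:/MD5:/CRYPT: prefix at all."""
    return sorted(u for u, (c, _) in users.items() if not c.startswith(("OBF:", "MD5:", "CRYPT:")))

# Constructed sample realm.properties; the OBF: line is the tutorial's own example entry.
SAMPLE = ("admin: MD5:" + hashlib.md5(b"s3cret").hexdigest() + ",server-administrator,admin\n"
          "other: OBF:1xmk1w261u9r1w1c1xmq\n"
          "guest: guest,read-only\n")
USERS = parse_realm(SAMPLE)
```

OBF: is reversible by anyone who can read the file, so it protects against casual viewing only; MD5: is unsalted, so two users with the same password get identical entries.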

The HashUserRealm is configured with a name and a reference to the location of the properties file:

<Item>
  <New class="org.eclipse.jetty.security.HashUserRealm">
    <Set name="name">Test Realm</Set>
    <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
  </New>
</Item>

You can also configure it to check the properties file regularly for changes and reload when changes are detected. The reloadInterval is in seconds:

<Item>
  <New class="org.eclipse.jetty.security.HashUserRealm">
    <Set name="name">Test Realm</Set>
    <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
    <Set name="reloadInterval">5</Set>
    <Call name="start"></Call>
  </New>
</Item>

JDBCUserRealm

In this implementation, authentication and role information is stored in a database accessed via JDBC. A properties file defines the JDBC connection and database table information. Below is an example of a properties file for this realm implementation:

jdbcdriver = org.gjt.mm.mysql.Driver
url = jdbc:mysql://localhost/jetty
username = jetty
password = jetty
usertable = users
usertablekey = id
usertableuserfield = username
usertablepasswordfield = pwd
roletable = roles
roletablekey = id
roletablerolefield = role
userroletable = user_roles
userroletableuserkey = user_id
userroletablerolekey = role_id
cachetime = 300

The format of the database tables is:


Additional Resources

See the page on JAAS authentication and authorization with Jetty.
