  1. [Read Only] - Hippo Site Toolkit 2
  2. HSTTWO-3034

Add a PlainFilterChainInvokingPipeline which can be used for JAAS login

Details

    • Improvement
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • 2.28.06, 2.30.00
    • None
    • Sprint 84, Sprint 85

    Description

      Currently we already have WebApplicationInvokingPipeline, which makes it possible to delegate to other web application frameworks after the HST matching and some initial pipeline valves have been done.

      However, this WebApplicationInvokingPipeline contains, in the initializationValves and in the processingValves, valves like cmsSecurityValve, securityValve, subjectBasedSessionValve, jcrSessionStatefulConcurrencyValve etc. This makes it problematic to use, for example, in combination with the hst-security module. What we need to support is the following:

      1) remove /login/ from the hst:prefixexclusions from hst:hst/hst:hosts or web.xml
      2) add a sitemap item /login and /login/**
      3) To sitemap item /login add

      • hst:scheme = https
      • hst:namedpipeline = ....

      Now, all URLs for /login will be redirected to https and all HstLink objects will start with https (if current scheme is http and not https). For example
      <hst:link var="loginLink" path="/login/proxy"/> will create a link that starts with https if current request is not over http

      The problem: If we now set

      hst:namedpipeline = WebApplicationInvokingPipeline

      we get problems during login because the WebApplicationInvokingPipeline contains subjectBasedSessionValve: catch-22

      Instead, we need a pipeline which doesn't include subjectBasedSessionValve kind of valves, but is really basic. For that one, I want to add PlainFilterChainInvokingPipeline which is as follows:

      <!-- PlainFilterChainInvokingPipeline Web Application Invocation Pipeline that only does
           initializationValve and cleanup valves and does not have things like securityValve or
           subjectBasedSessionValve
      -->
      <entry key="PlainFilterChainInvokingPipeline">
        <bean class="org.hippoecm.hst.core.container.HstSitePipeline">
          <property name="initializationValves">
            <list>
              <ref bean="initializationValve" />
            </list>
          </property>
          <property name="processingValves">
            <list>
              <ref bean="filterChainInvokingValve" />
            </list>
          </property>
          <property name="cleanupValves">
            <list>
              <ref bean="cleanupValve" />
              <ref bean="diagnosticReportingValve" />
            </list>
          </property>
        </bean>
      </entry>

      Then having

      sitemap item /login

      • hst:scheme = https
      • hst:namedpipeline = PlainFilterChainInvokingPipeline

      makes logging in over https work like a charm.
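
Added example, not part of the original issue or the HST code base: a check that reads a pipelines map like the one above and reports which pipelines run valves the issue names as problematic for login. The WebApplicationInvokingPipeline entry in SAMPLE is constructed (its valve placement is an assumption), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Valves the issue lists as problematic on a pre-login route such as /login.
SESSION_BOUND = {"cmsSecurityValve", "securityValve",
                 "subjectBasedSessionValve", "jcrSessionStatefulConcurrencyValve"}

# Constructed sample. The second entry is the one from the issue; the first is
# an assumed, trimmed WebApplicationInvokingPipeline for comparison.
SAMPLE = """<map>
 <entry key="WebApplicationInvokingPipeline"><bean class="org.hippoecm.hst.core.container.HstSitePipeline">
  <property name="initializationValves"><list><ref bean="initializationValve"/><ref bean="cmsSecurityValve"/></list></property>
  <property name="processingValves"><list><ref bean="securityValve"/><ref bean="subjectBasedSessionValve"/><ref bean="filterChainInvokingValve"/></list></property>
  <property name="cleanupValves"><list><ref bean="cleanupValve"/></list></property>
 </bean></entry>
 <entry key="PlainFilterChainInvokingPipeline"><bean class="org.hippoecm.hst.core.container.HstSitePipeline">
  <property name="initializationValves"><list><ref bean="initializationValve"/></list></property>
  <property name="processingValves"><list><ref bean="filterChainInvokingValve"/></list></property>
  <property name="cleanupValves"><list><ref bean="cleanupValve"/><ref bean="diagnosticReportingValve"/></list></property>
 </bean></entry>
</map>"""

def _local(tag):
    # Drop an XML namespace prefix (Spring files usually declare one).
    return tag.rsplit("}", 1)[-1]

def pipeline_valves(xml_text):
    """Return {pipeline key: {property name: [valve bean names in order]}}."""
    pipelines = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "entry":
            continue
        pipelines[entry.get("key")] = {
            prop.get("name"): [r.get("bean") for r in prop.iter() if _local(r.tag) == "ref"]
            for prop in entry.iter() if _local(prop.tag) == "property"
        }
    return pipelines

def session_bound_valves(phases):
    """List (phase, valve) pairs for valves the issue names as problematic."""
    return [(phase, v) for phase, valves in phases.items() for v in valves if v in SESSION_BOUND]

def usable_for_login(phases):
    # Must hand off to the filter chain and run none of the listed valves.
    return ("filterChainInvokingValve" in phases.get("processingValves", [])
            and not session_bound_valves(phases))

if __name__ == "__main__":
    for name, phases in pipeline_valves(SAMPLE).items():
        print(name, "login-safe" if usable_for_login(phases) else session_bound_valves(phases))
```

Running the same check over every pipeline in a deployment also shows which ones omit securityValve, so the sitemap items mapped to them can be reviewed.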

            People

              Unassigned Unassigned
              aschrijvers Ard Schrijvers