chore: update jetty to address CVE #8639
Conversation
| import org.eclipse.jetty.jaas.callback.ObjectCallback; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| class BasicCallbackHandler implements CallbackHandler { | ||
| public class BasicCallbackHandler extends DefaultCallbackHandler { |
There was a problem hiding this comment.
Ok, can you say more about why this PR changes from the javax.security.auth.callback.CallbackHandler to the org.eclipse.jetty.jaas.callback.DefaultCallbackHandler?
There was a problem hiding this comment.
DefaultCallbackHandler is an implementation of javax.security.auth.callback.CallbackHandler that "knows" how to handle username/password combos when used in conjunction with JAASLoginService:
CallbackHandler callbackHandler = null;
if (_callbackHandlerClass == null)
callbackHandler = new DefaultCallbackHandler();
else
{
Class<?> clazz = Loader.loadClass(_callbackHandlerClass);
callbackHandler = (CallbackHandler)clazz.getDeclaredConstructor().newInstance();
}
if (callbackHandler instanceof DefaultCallbackHandler)
{
DefaultCallbackHandler dch = (DefaultCallbackHandler)callbackHandler;
if (request instanceof Request)
dch.setRequest((Request)request);
dch.setCredential(credentials);
dch.setUserName(username);
}Using LoginContext directly no longer directly works with the PropertyFileLoginModule (see jetty/jetty.project#5518 - requires you to use the JAASLoginService) and the JAASLoginService doesn't let you pass in instantiated callbacks, it requires passing in just the callback class. That means that I had to take advantage of the code snippet above to get the code properly wired through.
Honestly documentation here is close to impossible to find, so I had to inspect the jetty source code to figure out how to wire this through properly and I very well could be doing something wrong.
| @@ -51,7 +50,7 @@ | |||
| private final String contextName; | |||
|
|
|||
| public JaasAuthProvider(final Server server, final KsqlRestConfig config) { | |||
| this(server, config, LoginContext::new); | |||
| this(server, config, () -> new JAASLoginService()); | |||
There was a problem hiding this comment.
IntelliJ pointed out that this can be JAASLoginService::new instead if you like. 🤷
There was a problem hiding this comment.
ah yes! I had that at first, and then added params, and then removed params and the auto-refactoring got me 😉 I'll make that change
Description
Fixes PRISMA-2021-0182
As part of this we need to change the code to address jetty/jetty.project#5518
Testing done
Will let the tests run, jetty is only used in testing
Reviewer checklist