chore: update jetty to address CVE #8639
Conversation
LGTM
import org.eclipse.jetty.jaas.callback.ObjectCallback; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
class BasicCallbackHandler implements CallbackHandler { | ||
public class BasicCallbackHandler extends DefaultCallbackHandler { |
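Review bot: with the base class switched to DefaultCallbackHandler, BasicCallbackHandler must keep a public no-arg constructor, because JAASLoginService instantiates the configured handler reflectively with `clazz.getDeclaredConstructor().newInstance()` (the snippet quoted in the discussion); the change from package-private to `public class` is part of the same contract, since the class is now loaded by name rather than constructed in this module. Please also confirm the retained `import org.eclipse.jetty.jaas.callback.ObjectCallback;` is still used in the new body, or drop it.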
Ok, can you say more about why this PR changes from the javax.security.auth.callback.CallbackHandler to the org.eclipse.jetty.jaas.callback.DefaultCallbackHandler?
DefaultCallbackHandler is an implementation of javax.security.auth.callback.CallbackHandler that "knows" how to handle username/password combos when used in conjunction with JAASLoginService:
    CallbackHandler callbackHandler = null;
    if (_callbackHandlerClass == null)
        callbackHandler = new DefaultCallbackHandler();
    else
    {
        Class<?> clazz = Loader.loadClass(_callbackHandlerClass);
        callbackHandler = (CallbackHandler)clazz.getDeclaredConstructor().newInstance();
    }
    if (callbackHandler instanceof DefaultCallbackHandler)
    {
        DefaultCallbackHandler dch = (DefaultCallbackHandler)callbackHandler;
        if (request instanceof Request)
            dch.setRequest((Request)request);
        dch.setCredential(credentials);
        dch.setUserName(username);
    }
Using LoginContext directly no longer works with the PropertyFileLoginModule (see jetty/jetty.project#5518 - requires you to use the JAASLoginService) and the JAASLoginService doesn't let you pass in instantiated callbacks, it requires passing in just the callback class. That means that I had to take advantage of the code snippet above to get the code properly wired through.
Honestly, documentation here is close to impossible to find, so I had to inspect the jetty source code to figure out how to wire this through properly and I very well could be doing something wrong.
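To make the wiring described above concrete, here is an added, stand-alone example (not code from this PR or from Jetty) that repeats what JAASLoginService does with the configured handler class and then drives the handler the way a JAAS login module would. It assumes Jetty's `org.eclipse.jetty.jaas` module is on the classpath; the `JaasWiringDemo` class, its nested `BasicCallbackHandler`, the `wire` helper and the credential values are all constructed for this example.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import org.eclipse.jetty.jaas.callback.DefaultCallbackHandler;

public class JaasWiringDemo {

    /**
     * Hypothetical handler in the shape this PR uses. It must be public and keep a
     * public no-arg constructor, because JAASLoginService creates it reflectively
     * via getDeclaredConstructor().newInstance() rather than accepting an instance.
     */
    public static class BasicCallbackHandler extends DefaultCallbackHandler {
        public BasicCallbackHandler() {
            super();
        }
    }

    /**
     * Mirrors the JAASLoginService snippet quoted above: load the handler by name,
     * instantiate it, and hand it the username/credential only if it is a
     * DefaultCallbackHandler (any other CallbackHandler gets nothing).
     */
    static CallbackHandler wire(String handlerClassName, String username, Object credential)
            throws Exception {
        Class<?> clazz = Class.forName(handlerClassName);
        CallbackHandler handler = (CallbackHandler) clazz.getDeclaredConstructor().newInstance();
        if (handler instanceof DefaultCallbackHandler) {
            DefaultCallbackHandler dch = (DefaultCallbackHandler) handler;
            dch.setUserName(username);
            dch.setCredential(credential);
        }
        return handler;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials for the demo; not a real account.
        CallbackHandler handler = wire(BasicCallbackHandler.class.getName(), "alice", "s3cret");

        // What a login module such as PropertyFileLoginModule asks the handler for:
        // DefaultCallbackHandler answers these from the username/credential set above.
        NameCallback name = new NameCallback("user");
        PasswordCallback password = new PasswordCallback("password", false);
        handler.handle(new Callback[] { name, password });

        System.out.println("name=" + name.getName()
                + " password=" + new String(password.getPassword()));
    }
}
```

If `wire` is given a handler class that implements CallbackHandler but does not extend DefaultCallbackHandler, the username and credential are never set, which is exactly why the PR's change of base class matters.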
@@ -51,7 +50,7 @@ | |||
private final String contextName; | |||
|
|||
public JaasAuthProvider(final Server server, final KsqlRestConfig config) { | |||
this(server, config, LoginContext::new); | |||
this(server, config, () -> new JAASLoginService()); |
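Review bot: `() -> new JAASLoginService()` can be written as the constructor reference `JAASLoginService::new`, which keeps the same form as the `LoginContext::new` it replaces and avoids an otherwise empty lambda (the reviewer comment on this hunk suggests the same).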
IntelliJ pointed out that this can be JAASLoginService::new instead if you like. 🤷
Ah yes! I had that at first, then added params, then removed params, and the auto-refactoring got me 😉 I'll make that change.
Description
Fixes PRISMA-2021-0182
As part of this we need to change the code to address jetty/jetty.project#5518
Testing done
Will let the tests run; jetty is only used in testing.
Reviewer checklist