...
The entry ${SCHEDULER_HOME}/lib/jetty_ext/*.jar (highlighted in the original) is the one that has to be added to the class_path of the [java] section. With a colon as separator (Unix):

```ini
[java]
class_path = ${SCHEDULER_HOME}/lib/*.jar:${SCHEDULER_HOME}/lib/hibernate/*.jar:${SCHEDULER_HOME}/lib/jetty_ext/*.jar
```

With a semicolon as separator (Windows):

```ini
[java]
class_path = ${SCHEDULER_HOME}/lib/*.jar;${SCHEDULER_HOME}/lib/hibernate/*.jar;${SCHEDULER_HOME}/lib/jetty_ext/*.jar
```
...
Configure scheduler.xml
To use the Jetty plugin you have to declare it in the file scheduler.xml:

```xml
<spooler>
  <config ...>
    ...
    <security ignore_unknown_hosts="yes">
      <allowed_host host="localhost" level="all"/>
      <allowed_host host="192.11.0" level="all"/>
    </security>
    <plugins>
      ...
      <plugin java_class="com.sos.scheduler.engine.plugins.jetty.JettyPlugin">
        <plugin.config />
      </plugin>
      ...
    </plugins>
    ...
  </config>
</spooler>
```

Please note that it is required to specify an empty plugin.config element.
Simple user authentication
It is possible to configure a simple user authentication in the plugin configuration, e.g.:

```xml
<plugins>
  <plugin java_class="com.sos.scheduler.engine.plugins.jetty.JettyPlugin">
    <plugin.config>
      <loginService>
        <logins>
          <login name="testName" password="testPassword" roles="SecurityLevel.all"/>
        </logins>
      </loginService>
    </plugin.config>
  </plugin>
</plugins>
```

SecurityLevel.info and SecurityLevel.all are predefined roles for JobScheduler. SecurityLevel.info grants only the right to watch jobs but not to start them, while SecurityLevel.all additionally grants the right to start jobs.

Add a security constraint to the web.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SecurityLevel.info</role-name>
    <role-name>SecurityLevel.all</role-name>
  </auth-constraint>
</security-constraint>
```

Configure jetty.xml
To operate JobScheduler with Jetty it is also required to create two configuration files for the Jetty web server (./config/jetty.xml and ./config/web.xml). The minimum configuration defines a connector for the port used for HTTP communication with JobScheduler:

```xml
<Configure class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="port">40444</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```

It is important to know that this port (here 40444) is a substitute for the port attribute in the config element of scheduler.xml. Currently both ports are required.

SSL Communication Channel
A second connector for the Jetty web server can be used to define a communication channel via HTTPS (SSL):

```xml
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="keyStore"><SystemProperty name="jetty.home" default="." />/ssl/jetty.jks</Set>
          <Set name="keyStorePassword">jobscheduler</Set>
          <Set name="keyManagerPassword">jobscheduler</Set>
          <Set name="trustStore"><SystemProperty name="jetty.home" default="." />/ssl/jetty.jks</Set>
          <Set name="trustStorePassword">jobscheduler</Set>
        </New>
      </Arg>
      <Set name="port">48444</Set>
      <Set name="maxIdleTime">30000</Set>
    </New>
  </Arg>
</Call>
```
<span id="jetty">
The SSL connection expects the jetty keystore file jetty.jks in the subfolder $SCHEDULER_DATA/ssl. With the above configuration you can connect to JobScheduler via https at port 48444.
keystore
To generate a keystore file use keytool:

```shell
keytool -genkey -alias jetty -keyalg RSA -keysize 1024 -dname "CN=[hostname], OU=JobScheduler, O=SOS GmbH, L=Berlin, C=DE" -keystore my_jetty.jks -storepass jobscheduler -keypass jobscheduler -validity 1826
```

where hostname should be the JobScheduler host. Use your own values for OU, O and L. Note that 1024-bit RSA keys are no longer considered secure; current practice is a key size of 2048 bits or more.
Configure web.xml
To run JobScheduler with Jetty it is required to create two configuration files for the Jetty web server (jetty.xml and web.xml). The files have to be stored in the $SCHEDULER_DATA/config folder.
You have to configure the JOC servlet with the JobScheduler installation path. Note that you have to use the file protocol, for example on Windows:

```
file:///c:/Program Files (x86)/sos-berlin.com/jobscheduler/[scheduler_id]
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         version="2.4">
  <display-name>JobScheduler test configuration (web.xml)</display-name>
  <servlet>
    <servlet-name>Default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>Default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>JOC</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>resourceBase</param-name>
      <param-value>file:///c:/Program Files (x86)/sos-berlin.com/jobscheduler/scheduler</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>JOC</servlet-name>
    <url-pattern>/operations_gui/*</url-pattern>
  </servlet-mapping>
</web-app>
```
</span>
<span id="web">
Send commands via HTTP (POST|GET)
If you use Jetty and you want to send a command (e.g. <show_state/>) to the JobScheduler then you have to use the URL:

```
http://localhost:40444/jobscheduler/engine-cpp/
```

or, via HTTPS, respectively:

```
https://localhost:48444/jobscheduler/engine-cpp/
```

Example for HTTP GET:

```
http://localhost:40444/jobscheduler/engine-cpp/<show_state/>
```

Note
- The commands that can be sent via HTTP GET have been restricted from JobScheduler version 1.7 onwards.
- See the Release Information (news release: http://www.sos-berlin.com/modules/news/article.php?storyid66) for further information.
Jetty configuration examples
User authentication
The simple user authentication via the plugin configuration in scheduler.xml is described in the section Simple user authentication above.
</span>
User authentication with a properties file
Beside the simple user authentication provided by the Jetty plugin you can use a more complex authentication method configured through the Jetty configuration. The example below shows the use of the HashLoginService, a mechanism whose authentication and authorization information is stored in a properties file.
First make sure that your plugin declaration in scheduler.xml does not contain any authentication information:

```xml
<plugins>
  <plugin java_class="com.sos.scheduler.engine.plugins.jetty.JettyPlugin">
    <plugin.config />
  </plugin>
  ...
</plugins>
```
In the second step you should define the HashLoginService in your Jetty configuration (jetty.xml) as a user realm. That means that you have to configure at least the location of the properties file containing the user information (user id, password, roles) and assign the realm a name (here myRealm).

```xml
<Call name="addBean">
  <Arg>
    <New class="org.eclipse.jetty.security.HashLoginService">
      <Set name="name">myRealm</Set>
      <Set name="config"><SystemProperty name="jetty.home" default="." />/config/realm.properties</Set>
      <Set name="refreshInterval">0</Set>
    </New>
  </Arg>
</Call>
```
The properties file config/realm.properties contains one or more user definitions, e.g.

```
infouser: test, SecurityLevel.info
alluser: test, SecurityLevel.all
```

Please note: in realm.properties you can also specify the password as an MD5 hash, like

```
alluser: MD5:098f6bcd4621d373cade4e832627b4f6, SecurityLevel.all
```
Hint:
- You can use the MD5 key generated by JOE, but you have to modify it to lowercase.
- More information can be found ...
You can execute the password utility mentioned there. You will find the jetty-utilxxxx.jar in $SCHEDULER_HOME/lib/jetty_ext.
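The following helper, added here as an example and not part of JobScheduler or Jetty, parses realm.properties lines in the format shown above (`user: credential, role, ...`), verifies a password against a plaintext or `MD5:` credential, and enforces the hint that an MD5 digest must be lowercase hex. The sample file, the user names other than those on the page and the function names are constructed for the example.

```python
"""Parser and checker for a HashLoginService realm.properties file.

Hypothetical helper written for this page (not part of Jetty or JobScheduler).
Lines have the form  user: credential[, role, role...]  where the credential is
either a plaintext password or  MD5:<hex digest>.  The lint step enforces the
hint from the page that MD5 digests must be lowercase hex, and flags plaintext
passwords and users without roles.
"""
import hashlib
import hmac
import re

# Constructed sample modelled on the page's realm.properties lines; the third
# entry carries an uppercase digest, as a JOE-generated key would.
SAMPLE_REALM = """\
# users for the JobScheduler Jetty plugin
infouser: test, SecurityLevel.info
alluser: MD5:098f6bcd4621d373cade4e832627b4f6, SecurityLevel.all
jocuser: MD5:098F6BCD4621D373CADE4E832627B4F6, SecurityLevel.all
"""

MD5_PREFIX = "MD5:"
LOWER_HEX_32 = re.compile(r"[0-9a-f]{32}")


def parse_realm(text):
    """Return {user: (credential, [roles])}; comments and blank lines are skipped."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'user: credential[, roles]'")
        user, rest = line.split(":", 1)  # the credential itself may contain ':' (MD5:...)
        fields = [f.strip() for f in rest.split(",")]
        users[user.strip()] = (fields[0], [r for r in fields[1:] if r])
    return users


def lint_realm(users):
    """Findings a reviewer would raise about the parsed entries."""
    findings = []
    for user, (credential, roles) in users.items():
        if credential.startswith(MD5_PREFIX):
            if not LOWER_HEX_32.fullmatch(credential[len(MD5_PREFIX):]):
                findings.append(f"{user}: MD5 digest must be 32 lowercase hex characters")
        else:
            findings.append(f"{user}: password stored in plaintext")
        if not roles:
            findings.append(f"{user}: no roles assigned")
    return findings


def check_password(users, user, password):
    """Return the user's roles when the password matches, otherwise None."""
    entry = users.get(user)
    if entry is None:
        return None
    credential, roles = entry
    if credential.startswith(MD5_PREFIX):
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        # constant-time comparison; the stored digest is normalised to lowercase
        ok = hmac.compare_digest(digest, credential[len(MD5_PREFIX):].lower())
    else:
        ok = hmac.compare_digest(password.encode("utf-8"), credential.encode("utf-8"))
    return roles if ok else None


if __name__ == "__main__":
    users = parse_realm(SAMPLE_REALM)
    for finding in lint_realm(users):
        print("lint:", finding)
    print("alluser/test ->", check_password(users, "alluser", "test"))
```

Run against the sample, the lint step reports the plaintext password of infouser and the uppercase digest of jocuser; the digest on the page is the MD5 of the string "test", so `check_password(users, "alluser", "test")` returns the SecurityLevel.all role.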
Finally you have to configure a security constraint and assign your user realm myRealm to a login configuration. To do this, update your web.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SecurityLevel.info</role-name>
    <role-name>SecurityLevel.all</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>
```

BASIC authentication transmits the credentials only Base64-encoded, not encrypted, so combine it with the HTTPS connector described above.
SecurityLevel.info and SecurityLevel.all are predefined roles for JobScheduler. SecurityLevel.info grants only the permission to watch jobs but not to start them, while SecurityLevel.all additionally grants the permission to start jobs.
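The realm name in jetty.xml and the realm-name in web.xml have to match, the security constraint has to cover the whole application and the DefaultServlet should not list directories. The audit script below is an added example, not part of JobScheduler or Jetty, that checks these points over embedded samples modelled on the snippets of this page; the second web.xml sample is a constructed misconfiguration, and the function names are my own.

```python
"""Consistency check for the Jetty security settings described on this page.

Hypothetical audit script (not part of JobScheduler or Jetty). It collects the
HashLoginService realm names defined in jetty.xml and reports on web.xml:
  * a security-constraint must cover /* and carry an auth-constraint
    (a constraint without auth-constraint requires no authentication at all),
  * login-config must reference a realm that jetty.xml actually defines,
  * DefaultServlet instances must set dirAllowed=false (Jetty's default is true).
"""
import xml.etree.ElementTree as ET

HASH_LOGIN_SERVICE = "org.eclipse.jetty.security.HashLoginService"

# Constructed samples modelled on the page's jetty.xml and web.xml snippets.
JETTY_XML = """
<Configure class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">myRealm</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="." />/config/realm.properties</Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

WEB_XML_OK = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>Default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name><param-value>false</param-value></init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>SecurityLevel.info</role-name>
      <role-name>SecurityLevel.all</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>myRealm</realm-name></login-config>
</web-app>
"""

# Constructed misconfiguration: wrong realm name, listing enabled, constraint without roles.
WEB_XML_BAD = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>JOC</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection><url-pattern>/operations_gui/*</url-pattern></web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>otherRealm</realm-name></login-config>
</web-app>
"""


def realm_names(jetty_xml):
    """Names of all HashLoginService realms registered in jetty.xml."""
    root = ET.fromstring(jetty_xml)
    names = []
    for new in root.iter("New"):
        if new.get("class") == HASH_LOGIN_SERVICE:
            for s in new.findall("Set"):
                if s.get("name") == "name":
                    names.append((s.text or "").strip())
    return names


def audit_web_xml(web_xml, realms):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(web_xml)
    findings = []
    constraints = root.findall("{*}security-constraint")  # {*} matches any namespace
    patterns = [p.text.strip() for c in constraints
                for p in c.findall("{*}web-resource-collection/{*}url-pattern")]
    if "/*" not in patterns:
        findings.append("no security-constraint covers /*")
    for c in constraints:
        if c.find("{*}auth-constraint") is None:
            findings.append("security-constraint without auth-constraint: no authentication required")
    login = root.find("{*}login-config")
    if login is None:
        findings.append("no login-config")
    else:
        realm = (login.findtext("{*}realm-name") or "").strip()
        if realm not in realms:
            findings.append(f"login-config realm-name '{realm}' is not defined in jetty.xml")
    for servlet in root.findall("{*}servlet"):
        name = (servlet.findtext("{*}servlet-name") or "").strip()
        cls = (servlet.findtext("{*}servlet-class") or "").strip()
        params = {(p.findtext("{*}param-name") or "").strip(): (p.findtext("{*}param-value") or "").strip()
                  for p in servlet.findall("{*}init-param")}
        if cls.endswith("DefaultServlet") and params.get("dirAllowed", "true").lower() != "false":
            findings.append(f"servlet {name}: dirAllowed is not false, directory listing is enabled")
    return findings


def audit(jetty_xml, web_xml):
    return audit_web_xml(web_xml, realm_names(jetty_xml))


if __name__ == "__main__":
    for label, web_xml in (("ok", WEB_XML_OK), ("bad", WEB_XML_BAD)):
        print(label, audit(JETTY_XML, web_xml) or ["no findings"])
```

The `{*}` wildcard (Python 3.8 and later) lets the same path expressions work whether or not web.xml declares the J2EE default namespace. The sample that follows the page's configuration passes cleanly; the constructed misconfiguration yields four findings.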
IP authorization
To restrict access to specific hosts you have to define an IPAccessHandler in your jetty.xml:

```xml
<Get id="oldhandler" name="handler" />
<Set name="handler">
  <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
    <Set name="handler"><Ref id="oldhandler"/></Set>
    <Set name="white">
      <Array type="java.lang.String">
        <Item>127.0.0.1</Item>
      </Array>
    </Set>
  </New>
</Set>
```

Note
It is important to store the existing handlers in the local variable oldhandler and to set them as the handler wrapped by the IPAccessHandler (see the Jetty handler concept for more details); otherwise the original handlers are replaced instead of protected.
You can define a whitelist (as in the example above) or a blacklist. The IPAccessHandler does not allow alias names (host names) to refer to specific IPs; use the IP addresses themselves.
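To see how such a list behaves before deploying it, the script below (an added example, not Jetty's IPAccessHandler) evaluates whitelist and blacklist entries for a constructed set of client addresses. It keeps the two properties the page states, entries must be IP addresses rather than alias names and a whitelist admits only the listed clients. The precedence applied when both lists are set (whitelist first, then blacklist) and the per-octet range notation such as "10.10.1-3.0-255" are my assumptions about the handler's pattern syntax, not something this page documents.

```python
"""Evaluate an IPAccessHandler-style white/black list for client addresses.

Hypothetical helper written for this page, not Jetty's own handler. Entries
must be dotted IPv4 addresses (alias/host names are rejected, as the page
states). ASSUMPTION: the octet-range notation "10.10.1-3.0-255" and the
precedence "whitelist restricts first, blacklist then denies" are modelled on
my reading of the handler and are not documented on this page.
"""
import re

_OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")


def parse_pattern(pattern):
    """'127.0.0.1' or '10.10.1-3.0-255' -> four (low, high) octet ranges."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"{pattern!r}: use a dotted IPv4 address, not an alias/host name")
    ranges = []
    for part in parts:
        m = _OCTET.fullmatch(part)
        if not m:
            raise ValueError(f"{pattern!r}: octet {part!r} is not a number or n-m range")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"{pattern!r}: octet range {part!r} out of bounds")
        ranges.append((low, high))
    return ranges


def parse_address(address):
    """Client IPv4 address -> list of four ints; rejects ranges and host names."""
    ranges = parse_pattern(address)
    if any(low != high for low, high in ranges):
        raise ValueError(f"{address!r}: a client address cannot contain ranges")
    return [low for low, _ in ranges]


class IpAccessPolicy:
    """Whitelist/blacklist decision in the spirit of Jetty's IPAccessHandler."""

    def __init__(self, white=(), black=()):
        self.white = [parse_pattern(p) for p in white]
        self.black = [parse_pattern(p) for p in black]

    @staticmethod
    def _matches(ranges, octets):
        return all(low <= o <= high for o, (low, high) in zip(octets, ranges))

    def allows(self, address):
        octets = parse_address(address)
        if self.white and not any(self._matches(r, octets) for r in self.white):
            return False  # whitelist is set and the client is not on it
        if any(self._matches(r, octets) for r in self.black):
            return False  # client is explicitly blacklisted
        return True


def filter_requests(policy, requests):
    """[(client, path), ...] -> [(client, path, allowed), ...]."""
    return [(client, path, policy.allows(client)) for client, path in requests]


# Constructed client list standing in for an access log.
SAMPLE_REQUESTS = [
    ("127.0.0.1", "/jobscheduler/engine-cpp/"),
    ("192.168.1.20", "/operations_gui/"),
    ("10.10.2.7", "/jobscheduler/engine-cpp/"),
]

if __name__ == "__main__":
    policy = IpAccessPolicy(white=["127.0.0.1", "10.10.1-3.0-255"])
    for client, path, allowed in filter_requests(policy, SAMPLE_REQUESTS):
        print(f"{client:<14} {path:<28} {'allow' if allowed else 'deny'}")
```

With the page's whitelist of 127.0.0.1 only the local client passes; an entry such as "localhost" raises a ValueError at construction time, which is the behaviour you want from a configuration check rather than a silent fall-through.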