- Configure factory.ini (Put the necessary libraries in the classpath)
- Configure scheduler.xml
- Configure jetty.xml
- Configure web.xml
- Send commands via HTTP (POST|GET)
- Jetty configuration examples. User authentication
JobScheduler currently comes with a proprietary built-in web server. However, it is possible to configure JobScheduler to work with Jetty by using the JobScheduler plugin feature. This document describes what you have to do to run JobScheduler with an underlying Jetty web server.
- Since release 188.8.131.523 the JobScheduler installer contains a plugin for Jetty. Note that this plugin is still under development and is provided "as is".
- The installer generates some symlinks to simulate virtual directories for JOC (JobScheduler Operations Center). The symlink generation is not supported for Windows systems dated before Windows Vista.
- The installer configures the ./config/factory.ini, the ./config/jetty.xml and the ./config/web.xml files as described below.
- The installer does not configure the ./config/scheduler.xml file. If you want to use Jetty then you have to configure ./config/scheduler.xml as described below.
- The installer contains a keystore file for testing https. This keystore is not trusted and does not provide the correct hostname, but can still be used for testing.
Please created your own keystore file jetty.jks.
After the installation you can open JOC with Jetty via:
You can modify these ports in the ./config/jetty.xml.
If you operate multiple JobScheduler installations for the same host then you have to modify the ports of Jetty accordingly to prevent ports from being used twice.
Configure factory.ini (Put the necessary libraries in the classpath)
To run JobScheduler with Jetty instead the built-in web-server you have to use the Jetty plugin. It is a part of the library com.sos.scheduler.engine.plugins.jetty-xxx.jar. Beside the com.sos.scheduler.engine.plugins.jetty-xxx.jar it is necessary to add any dependent libraries for the Jetty plugin to the classpath of JobScheduler. The installer adds them to the ./lib/jetty_ext folder and to the classpath in the ./config/factory.ini file.
To use the Jetty plugin you have to configure this with the file scheduler.xml:
Please note that it is required to specify an empty plugin.config element.
To operate JobScheduler with Jetty it is also required to create two configuration files for the Jetty web server (./config/jetty.xml and ./config/web.xml). The minimum configuration defines a connector for the port for http communication with JobScheduler:
It is important to know that this port (here 40444) is a substitute for the port attribute in the config element of scheduler.xml.
Currently both ports are required.
With a second connector it is possible to define a communication channel via https (SSL):
The SSL connection expects the jetty keystore file jetty.jks in the subfolder $SCHEDULER_DATA/ssl. With the above configuration you can connect to JobScheduler via https at port 48444.
To generate a keystore file use keytool:
where hostname should be the JobScheduler host. Use own values for OU, O and L.
To run JobScheduler with Jetty it is required to create two configuration files for the Jetty web server (jetty.xml and web.xml). The files have to bestored in the $SCHEDULER_DATA/config folder.
You have to configure the JOC servlet with the JobScheduler installation path. Note that you have to use the file protocol.
Send commands via HTTP (POST|GET)
If you use Jetty and you want to send a command (e.g.
<show_state/>) to the JobScheduler then you have to use the URL:
Example for HTTP GET
- The commands that can be sent via HTTP GET have been restricted from JobScheduler version 1.7 onwards.
- See Release Information for further information.
Jetty configuration examples. User authentication
Simple user authentication
It is possible to configure simple user authentication in the plugin configuration of the scheduler.xml, e.g.
SecurityLevel.all are predefined roles for JobScheduler.
SecurityLevel.info allows exclusively permissions to watch jobs but not to start jobs, while
SecurityLevel.all provides the permission to start jobs.
Add a security constraint to the file web.xml like this:
User authentication with a properties file
Beside the Simple user authentication provided by the Jetty plugin you can use a more complex authentification method described by the Jetty configuration. The example below shows the use of the HashLoginService, a mechanism whose authentication and authorization information is stored in a properties file.
First make sure, that your plugin declaration in scheduler.xml does not contain any authentification information:
In the second step you should define the HashLoginService in your Jetty configuration (jetty.xml) as a user realm. That means that you have to configure at least the location of the properties file containing the user information (userid, password, roles) and assign them a name (here myRealm).
The properties file config/realm.properties contains one or more user definitions, e.g.
Please note: In realm.properties you can specify the password like
- You can use the MD5 Key generated by JOE but you have to modify it to lowercase.
- More information can be found at http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords wiki.eclipse.org/Jetty/Howto/Secure_Passwords
You can execute the password utility mentioned there. You will find the jetty-utilxxxx.jar in $SCHEDULER_HOME/lib/jetty_ext.
Finally you have to configure a security constraint and assign your user realm myRealm to a login configuration. To do this you have to update your web.xml:
SecurityLevel.all are predefined roles for JobScheduler.
SecurityLevel.info grants exclusively permissions to watch jobs but not to start jobs, while
SecurityLevel.all grants permissions to start jobs.
To restrict the access for specific hosts you have to define an IPAccessHandler in your jetty.xml:
It is important to store the given handlers in the local variable oldhandler to set them as the handler for the IPAccessHandler (see Jetty handler concept for more details).
You can define a whitelist (as in the example above) or a blacklist. The IPAccessHandler does not allow to use alias names to point to specific IPs.