From 6b25c271b1034abf57bf277b72e2ffdbd635275f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 29 Mar 2022 21:04:35 -0500
Subject: [PATCH] Bump jolokia-war from 1.3.3 to 1.7.1 (#6907)

* Bump jolokia-war from 1.3.3 to 1.7.1

Bumps jolokia-war from 1.3.3 to 1.7.1.

---
updated-dependencies:
- dependency-name: org.jolokia:jolokia-war
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

* Adding HashLoginService to jolokia.xml
* Fixing typo in FQCN for Jetty Password utility
* Using logger to print warning, not ServletContext.log() as it causes an NPE.

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
---
 .../src/test/resources/test-realm.properties  |  2 +-
 .../demo-spec-webapp/src/etc/realm.properties |  2 +-
 .../main/resources/demo/demo-realm.properties |  2 +-
 .../src/test/resources/etc/realm.properties   |  2 +-
 .../modules/demo.d/demo-realm.properties      |  2 +-
 .../src/main/resources/modules/jolokia.mod    |  1 +
 .../modules/jolokia/jolokia-realm.properties  | 31 +++++++++++++++++++
 .../resources/modules/jolokia/jolokia.xml     | 18 +++++++++++
 .../src/test/config/etc/realm.properties      |  2 +-
 .../src/test/resources/realm.properties       |  2 +-
 .../eclipse/jetty/util/security/Password.java |  2 +-
 pom.xml                                       |  2 +-
 .../distribution/ThirdPartyModulesTests.java  |  4 +--
 .../src/test/resources/realm.properties       |  2 +-
 .../src/test/resources/realm.properties       |  2 +-
 .../src/test/resources/realm.properties       |  2 +-
 .../src/test/resources/realm.properties       |  2 +-
 17 files changed, 65 insertions(+), 15 deletions(-)
 create mode 100644 jetty-home/src/main/resources/modules/jolokia/jolokia-realm.properties

diff --git a/demos/demo-jetty-webapp/src/test/resources/test-realm.properties b/demos/demo-jetty-webapp/src/test/resources/test-realm.properties
index 9d9bc368493..f4b3490e910 100644
--- a/demos/demo-jetty-webapp/src/test/resources/test-realm.properties
+++ b/demos/demo-jetty-webapp/src/test/resources/test-realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/demos/demo-spec/demo-spec-webapp/src/etc/realm.properties b/demos/demo-spec/demo-spec-webapp/src/etc/realm.properties
index 9d88b852b7f..556117fcdbc 100644
--- a/demos/demo-spec/demo-spec-webapp/src/etc/realm.properties
+++ b/demos/demo-spec/demo-spec-webapp/src/etc/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/demos/embedded/src/main/resources/demo/demo-realm.properties b/demos/embedded/src/main/resources/demo/demo-realm.properties
index 9d88b852b7f..556117fcdbc 100644
--- a/demos/embedded/src/main/resources/demo/demo-realm.properties
+++ b/demos/embedded/src/main/resources/demo/demo-realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/jetty-deploy/src/test/resources/etc/realm.properties b/jetty-deploy/src/test/resources/etc/realm.properties
index cbf905de9fb..492ffdb580a 100644
--- a/jetty-deploy/src/test/resources/etc/realm.properties
+++ b/jetty-deploy/src/test/resources/etc/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/jetty-home/src/main/resources/modules/demo.d/demo-realm.properties b/jetty-home/src/main/resources/modules/demo.d/demo-realm.properties
index 9d88b852b7f..556117fcdbc 100644
--- a/jetty-home/src/main/resources/modules/demo.d/demo-realm.properties
+++ b/jetty-home/src/main/resources/modules/demo.d/demo-realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/jetty-home/src/main/resources/modules/jolokia.mod b/jetty-home/src/main/resources/modules/jolokia.mod
index ee4875d5d24..fe428211d01 100644
--- a/jetty-home/src/main/resources/modules/jolokia.mod
+++ b/jetty-home/src/main/resources/modules/jolokia.mod
@@ -17,6 +17,7 @@ etc/jolokia.xml
 [files]
 maven://org.jolokia/jolokia-war/${jolokia.version}/war|lib/jolokia/jolokia.war
 basehome:modules/jolokia/jolokia.xml|etc/jolokia.xml
+basehome:modules/jolokia/jolokia-realm.properties|etc/jolokia-realm.properties
 
 [ini]
 jolokia.version?=@jolokia.version@
diff --git a/jetty-home/src/main/resources/modules/jolokia/jolokia-realm.properties b/jetty-home/src/main/resources/modules/jolokia/jolokia-realm.properties
new file mode 100644
index 00000000000..32717337b52
--- /dev/null
+++ b/jetty-home/src/main/resources/modules/jolokia/jolokia-realm.properties
@@ -0,0 +1,31 @@
+#
+# ========================================================================
+# Copyright (c) 1995-2022 Mort Bay Consulting Pty Ltd and others.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+# ========================================================================
+#
+
+#
+# This file defines users passwords and roles for a HashUserRealm
+#
+# The format is
+#  <username>: <password>[,<rolename> ...]
+#
+# Passwords may be clear text, obfuscated or checksummed.  The class
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
+# passwords or password checksums
+#
+# If DIGEST Authentication is used, the password must be in a recoverable
+# format, either plain text or OBF:.
+
+# - Example using MD5 for digest auth (The credential is a MD5 hash of username:realmname:password)
+# jolokia:MD5:164c88b302622e17050af52c89945d44,jolokia
+
+# - Example using plaintext
+# jolokia:jetty,jolokia
diff --git a/jetty-home/src/main/resources/modules/jolokia/jolokia.xml b/jetty-home/src/main/resources/modules/jolokia/jolokia.xml
index 5c46f501a55..a7f9b9a92fd 100644
--- a/jetty-home/src/main/resources/modules/jolokia/jolokia.xml
+++ b/jetty-home/src/main/resources/modules/jolokia/jolokia.xml
@@ -10,6 +10,24 @@
         <Set name="extractWAR">true</Set>
         <Set name="copyWebDir">false</Set>
         <Set name="defaultsDescriptor"><Property name="jetty.home" default="."/>/etc/webdefault.xml</Set>
+
+        <!-- comment out this section when you have security configured -->
+        <Call class="org.slf4j.LoggerFactory" name="getLogger">
+          <Arg>org.eclipse.jetty</Arg>
+          <Call name="warn">
+            <Arg>The jolokia webapp is deployed, but does not have users and security configured. (see ${jetty.base}/etc/jolokia.xml)</Arg>
+          </Call>
+        </Call>
+
+        <Get name="securityHandler">
+          <Set name="loginService">
+            <New class="org.eclipse.jetty.security.HashLoginService">
+              <Set name="name">Jolokia Realm</Set>
+              <!-- Edit the contents ot the etc/jolokia-realm.properties -->
+              <Set name="config"><Property name="jetty.base" default="."/>/etc/jolokia-realm.properties</Set>
+            </New>
+          </Set>
+        </Get>
       </New>
     </Arg>
   </Call>
diff --git a/jetty-osgi/test-jetty-osgi/src/test/config/etc/realm.properties b/jetty-osgi/test-jetty-osgi/src/test/config/etc/realm.properties
index cbf905de9fb..492ffdb580a 100644
--- a/jetty-osgi/test-jetty-osgi/src/test/config/etc/realm.properties
+++ b/jetty-osgi/test-jetty-osgi/src/test/config/etc/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/jetty-security/src/test/resources/realm.properties b/jetty-security/src/test/resources/realm.properties
index 1a441165817..9dcf59b60c3 100644
--- a/jetty-security/src/test/resources/realm.properties
+++ b/jetty-security/src/test/resources/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java
index 8c214f3e80d..4c1028d4180 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java
@@ -29,7 +29,7 @@ import java.util.Locale;
  * </pre>
  *
  * Passwords that begin with OBF: are de obfuscated. Passwords can be obfuscated
- * by run org.eclipse.util.Password as a main class. Obfuscated password are
+ * by run {@link org.eclipse.jetty.util.security.Password} as a main class. Obfuscated password are
  * required if a system needs to recover the full password (eg. so that it may
  * be passed to another system). They are not secure, but prevent casual
  * observation.
diff --git a/pom.xml b/pom.xml
index 8cfddc996b6..7f88426b211 100644
--- a/pom.xml
+++ b/pom.xml
@@ -95,7 +95,7 @@
     <jnr-ffi.version>2.2.11</jnr-ffi.version>
     <jnr-posix.version>3.1.15</jnr-posix.version>
     <jnr-unixsocket.version>0.38.17</jnr-unixsocket.version>
-    <jolokia.version>1.3.3</jolokia.version>
+    <jolokia.version>1.7.1</jolokia.version>
     <json-simple.version>1.1.1</json-simple.version>
     <json-smart.version>2.4.8</json-smart.version>
     <jsp.impl.version>9.0.52</jsp.impl.version>
diff --git a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/ThirdPartyModulesTests.java b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/ThirdPartyModulesTests.java
index 15151871aa7..c225f46e768 100644
--- a/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/ThirdPartyModulesTests.java
+++ b/tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/ThirdPartyModulesTests.java
@@ -138,8 +138,8 @@ public class ThirdPartyModulesTests extends AbstractJettyHomeTest
 
                 startHttpClient();
                 ContentResponse response = client.GET("http://localhost:" + httpPort + "/jolokia");
-                assertEquals(HttpStatus.OK_200, response.getStatus(), new ResponseDetails(response));
-                assertThat(response.getContentAsString(), containsString("\"agentType\":\"servlet\""));
+                // default is no users specified, so this will return a 401.
+                assertEquals(HttpStatus.UNAUTHORIZED_401, response.getStatus(), new ResponseDetails(response));
             }
         }
     }
diff --git a/tests/test-distribution/src/test/resources/realm.properties b/tests/test-distribution/src/test/resources/realm.properties
index 66f70541621..75fa0eab9a6 100644
--- a/tests/test-distribution/src/test/resources/realm.properties
+++ b/tests/test-distribution/src/test/resources/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/tests/test-integration/src/test/resources/realm.properties b/tests/test-integration/src/test/resources/realm.properties
index cbf905de9fb..492ffdb580a 100644
--- a/tests/test-integration/src/test/resources/realm.properties
+++ b/tests/test-integration/src/test/resources/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/tests/test-quickstart/src/test/resources/realm.properties b/tests/test-quickstart/src/test/resources/realm.properties
index 9d88b852b7f..556117fcdbc 100644
--- a/tests/test-quickstart/src/test/resources/realm.properties
+++ b/tests/test-quickstart/src/test/resources/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable
diff --git a/tests/test-sessions/test-mongodb-sessions/src/test/resources/realm.properties b/tests/test-sessions/test-mongodb-sessions/src/test/resources/realm.properties
index 6cd8ffa4012..b759b36b744 100644
--- a/tests/test-sessions/test-mongodb-sessions/src/test/resources/realm.properties
+++ b/tests/test-sessions/test-mongodb-sessions/src/test/resources/realm.properties
@@ -5,7 +5,7 @@
 #  <username>: <password>[,<rolename> ...]
 #
 # Passwords may be clear text, obfuscated or checksummed.  The class 
-# org.eclipse.util.Password should be used to generate obfuscated
+# org.eclipse.jetty.util.security.Password should be used to generate obfuscated
 # passwords or password checksums
 #
 # If DIGEST Authentication is used, the password must be in a recoverable