shibboleth idp webapp under jetty 12.0.7

[janbartel]

Reported in email to jetty-users list Subject: shibboleth idp webapp under jetty 12.0.7

12.0.7

ee-9

Description

I'm currently running the shibboleth idp webapp 4 under jetty 9, and
trying to migrate to idp 5 using jetty 12. I've run into an odd problem,
I get the following error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowRegistry' defined in class path resource [net/shibboleth/idp/conf/webflow-config.xml]: Illegal attempt to register pre-existing flow ID 'authn/DuoOIDC'via resource: URL [jar:file:/var/lib/jetty/tmp/jetty-127_0_0_1-80-idp_war-_idp-any-10824638488520165161/webapp/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-flow.xml]

This generally occurs if there are multiple copies of the jar on the
classpath, such as if the war accidentally included more than one (which
isn't the case here).

The deployment descriptor for the idp app is:

/opt/shibboleth-idp/war/idp.war /idp false false true

which is the recommended config per the idp documentation. With this
config, I see two separate copies of the jar in the jetty tmp directory,
one in webapp and one in webinf:

# find | grep duo
./webapp/WEB-INF/lib/idp-plugin-duo-nimbus-client-impl-2.0.0.jar
./webapp/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar
./webapp/WEB-INF/lib/idp-plugin-duo-api-2.0.0.jar
./webinf/WEB-INF/lib/idp-plugin-duo-nimbus-client-impl-2.0.0.jar
./webinf/WEB-INF/lib/idp-plugin-duo-impl-2.0.0.jar
./webinf/WEB-INF/lib/idp-plugin-duo-api-2.0.0.jar

If I update the config and set copyWebInf=false, there's only one copy
of the jar in the tmp directory (in webapp) and everything works fine.

Looking at my existing jetty 9 deployment, there's only the webinf
directory in the tmp dir, not the webapp one. If I update my jetty 9
config and set extractWAR=true, then I get the same multiple copies (one
in webapp, one in webinf) as I do with extractWAR=false in jetty 12,
although this doesn't cause an error under jetty 9. If I set
extractWAR=true under jetty 12, I see no change in the content of the
tmp directory as compared to extractWAR=false.

So I'm confused. Why is jetty 12 apparently extracting the war when
extractWAR=false? And when it does, how come the same jar file seems to
get processed twice, when that doesn't occur under jetty 9 with
extractWAR=true?

I'm not sure if I'm hitting a bug or have something misconfigured. It
seems to be working now with copyWebInf=false, but that also seems more
of a workaround than a resolution. This feels buggy, that jetty is
extracting the war when it shouldn't be, and also loading the same jars
from two different places when the war is extracted and copyWebInf=true.
But I'm far from a jetty expert :).

Thanks for any hints...

[janbartel]

Raised PR #11575