Jetty vs JettyPlus Authentication

Sam Zin

Hi,

I have a simple web application. Here is some of my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>user/*</web-resource-name>
    <url-pattern>/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>userRole</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>adminRole</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyRealm</realm-name>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-error</form-error-page>
  </form-login-config>
</login-config>

I log in as a user with only userRole, so I only have access to files
under /user. Then, when I click on a link to /admin/index.html, Jetty
simply forwards me to /login-error, which prompts me to enter a
username and password (log in again). When this is done, Jetty
forwards me to the /admin/index.html page.

Then I moved to JettyPlus and this behaviour changed. Now JettyPlus
simply gives me a "403 User not in required role" error. If I actually
define an error-page for error-code 403 I get to that page, but my
requestURI is not preserved. So when I re-login from that page, I don't
get forwarded to /admin/index.html as I should be. Instead I go to /
with the new login info.

I'm sure this is a configuration issue, since no one else has had this
problem. What have I missed?

Thanks in advance

Sam Zin

Sam Zin

To answer my own questions:

1- As of Jetty 4.2.10, the error page for 403 errors is not, by default,
the form-error-page.

2- Only javax.servlet.error.request_uri is set when you get a 403
error.

3- org.mortbay.jetty.com is not set, therefore if you set the
error-page to the login page, you have to manually set the session
attribute org.mortbay.jetty.com to the value of
javax.servlet.error.request_uri.

Then, when you re-login using a different username/password, Jetty
forwards you to the link you wanted.

In a way this is very dangerous, since now you're using the same
session for two different logins. I guess this is why Mortbay removed
this "feature".

We decided to simply have a static 403.html page that said:

You don't have permissions, ...
Please logout and login again as a different user...

peace.
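The workaround described in the answer above (map the 403 error page to a login flow and copy javax.servlet.error.request_uri into the session attribute the form authenticator reads) can be done without the danger the poster identifies, by discarding the first user's session before storing the return URI. The servlet below is an added example, not code from the post or from Jetty. It assumes the /login page from the posted login-config, a /403 mapping and servlet name that are hypothetical, and uses the attribute name the post gives (org.mortbay.jetty.com) as a configurable default rather than a verified Jetty identifier; set the init-param to whatever attribute your Jetty version's form authenticator actually consults.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the post or from Jetty): a servlet that acts as the
 * 403 error page, sends the user back through form login, and remembers where
 * they were going, without letting two logins share one session.
 *
 * Assumed web.xml wiring (servlet name and /403 path are assumptions; /login
 * is the form-login-page from the posted login-config):
 *
 *   <servlet>
 *     <servlet-name>forbidden</servlet-name>
 *     <servlet-class>ForbiddenServlet</servlet-class>
 *     <init-param>
 *       <param-name>returnUriAttr</param-name>
 *       <param-value>org.mortbay.jetty.com</param-value>
 *     </init-param>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>forbidden</servlet-name>
 *     <url-pattern>/403</url-pattern>
 *   </servlet-mapping>
 *   <error-page>
 *     <error-code>403</error-code>
 *     <location>/403</location>
 *   </error-page>
 */
public class ForbiddenServlet extends HttpServlet {

    /** Set by the container when it dispatches to an error page (Servlet spec). */
    static final String ERROR_REQUEST_URI = "javax.servlet.error.request_uri";

    /**
     * Session attribute the form authenticator reads after a successful login
     * to pick the redirect target. The default is the name given in the post;
     * treat it as an assumption and override it per Jetty version via the
     * "returnUriAttr" init-param.
     */
    private String returnUriAttr = "org.mortbay.jetty.com";

    public void init() throws ServletException {
        String configured = getInitParameter("returnUriAttr");
        if (configured != null && configured.length() > 0) {
            returnUriAttr = configured;
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The URI the user actually asked for, e.g. /myapp/admin/index.html.
        String target = (String) req.getAttribute(ERROR_REQUEST_URI);
        if (!isLocalPath(target)) {
            target = req.getContextPath() + "/";
        }

        // Throw away the session of the user who lacked the role. The post's
        // workaround kept it, which is what made two logins share one session;
        // a fresh session carries only the return URI into the second login.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(returnUriAttr, target);

        // Back through the form login; on success the authenticator is expected
        // to redirect to the URI stored under returnUriAttr.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
    }

    /**
     * Accept only an absolute path on this host. A null value, a full URL, or a
     * protocol-relative "//host/..." (or "/\host/...") value would otherwise let
     * a crafted request turn the post-login redirect into an open redirect.
     */
    static boolean isLocalPath(String uri) {
        return uri != null
            && uri.startsWith("/")
            && !uri.startsWith("//")
            && uri.indexOf('\\') < 0;
    }
}
```

To check that the wiring works for your Jetty version: log in as a userRole user, request /admin/index.html, log in again as an adminRole user from the page you are redirected to, and confirm you land on /admin/index.html rather than /. If you land on /, the attribute name is not the one the authenticator reads. Invalidating the session also drops whatever else the first user had stored in it; that is the price of not mixing two identities in one session, and is the reason a plain static 403 page, as the poster chose, is the simpler safe option.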