Jetty vs JettyPlus Authentication

Discussion in 'Java' started by Sam Zin, May 19, 2004.

  1. Sam Zin

    Sam Zin Guest

    Hi,

    I have a simple web application. Here is some of my web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>user/*</web-resource-name>
        <url-pattern>/user/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>userRole</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>adminRole</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MyRealm</realm-name>
      <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login-error</form-error-page>
      </form-login-config>
    </login-config>

    I log in as a user with only userRole so I only have access to files
    under /user, then when I click on a link /admin/index.html Jetty
    simply forwards me to the /login-error which prompted me to enter
    username and password (login again). When this is done, Jetty
    forwarded me to the /admin/index.html page.

    Then I moved to JettyPlus and this behaviour changed. Now JettyPlus
    simply gives me a "403 User not in require role" error. If I actually
    define an error-page for error-code 403 I get to that page but my
    requestURI is not preserved. So when I relogin from that page, I don't
    get forwarded to /admin/index.html as I should be. Instead I go to /
    with the new login info.

    I'm sure this is a configuration issue since no one had this problem.
    What have I missed?

    Thanks in advance

    Sam Zin
    Sam Zin, May 19, 2004
    #1

  2. Sam Zin

    Sam Zin Guest

    To answer my own questions,

    1- as of Jetty 4.2.10, the error page for 403 errors is not by default
    the form-error-page

    2- only javax.servlet.error.request_uri is set when you get a 403
    error.

    3- org.mortbay.jetty.com is not set, therefore if you set the
    error-page to the login page, you have to manually set the session
    attribute for org.mortbay.jetty.com to that of
    javax.servlet.error.request_uri.

    Then when you relogin using a different username/password, Jetty
    forwards you to the link you wanted.

    In a way this is very dangerous since now you're using the same
    session for two different logins. I guess this is why mortbay removed
    this "feature".

    We decided to simply have a static 403.html page that said:

    You don't have permissions, ...
    Please logout and login again as a different user...

    peace.

    Sam Zin, May 21, 2004
    #2
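
The session-reuse risk raised in post #2, as an added example that is not part of the original thread or of Jetty: a servlet mapped as the error-page for error-code 403 that discards the refused user's session before the second login, and only then remembers the originally requested URI. The class name `Forbidden403Servlet`, the helper `isLocalPath` and the init-param `savedUriAttribute` (the container-specific session attribute the form authenticator reads, which the post names) are assumptions; `/login` is the form-login-page from the posted web.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example; hypothetical class, mapped as the error-page for 403. */
public class Forbidden403Servlet extends HttpServlet {
    // Standard servlet attribute set by the container on error dispatch.
    private static final String ERROR_URI = "javax.servlet.error.request_uri";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String wanted = (String) req.getAttribute(ERROR_URI);

        // Drop the session of the user who was just refused, so the second
        // login never shares session state (or session id) with the first.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Assumption: the attribute name is supplied in web.xml as an
        // init-param, because it is specific to the container version.
        String attr = getInitParameter("savedUriAttribute");
        if (attr != null && isLocalPath(wanted, req.getContextPath())) {
            // Fresh session: carries only the return target, nothing else.
            req.getSession(true).setAttribute(attr, wanted);
        }

        // Show the login form from the posted <form-login-page>.
        req.getRequestDispatcher("/login").forward(req, resp);
    }

    /** Accept only a path inside this web application as a return target. */
    static boolean isLocalPath(String uri, String contextPath) {
        return uri != null
            && uri.startsWith(contextPath + "/")
            && !uri.startsWith("//")
            && uri.indexOf("://") < 0
            && uri.indexOf('\r') < 0
            && uri.indexOf('\n') < 0;
    }
}
```

Without the init-param the servlet still invalidates the old session and shows the login form, which matches the "log out and log in again" behaviour the thread settled on.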
