Re: [jetty-users] redirect to https BEFORE basic authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] redirect to https BEFORE basic authentication

From: Gregor Jarisch <gregor@xxxxxxxxxxx>
Date: Wed, 23 Jan 2013 16:17:46 +0100
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2

Hi Larry,

indeed this was a very helpful clue. works nice.
Only thing is that I cannot leave it declaratively unconstrained since this leads to a NPE.
Seems like Jetty is expecting a path.
I could use a path which very unlikely will ever be used (like "/msdclk230234scsm"), but I rather would like to have a clean solution.
Any ideas?

On 23.01.2013 14:38, larry mccay wrote:

Hi Gregor -

While I haven't tried this with embedded Jetty, you may try a third approach.

3. Programmatic Security

Leave it declaratively unconstrained but define the login-config for BASIC.

In a filter or directly in a servlet, direct the container to authenticate the user through HttpServletRequest.authenticate().

See: http://docs.oracle.com/javaee/6/tutorial/doc/gjiie.html

HTH.

--larry

On Wed, Jan 23, 2013 at 8:26 AM, Gregor Jarisch <gregor@xxxxxxxxxxx> wrote:

me again.
Still couldn't managed to solve my issue.

I see two possible solutions:
1) Intercept jetty before basic auth, --> redirect to https
(unfortunately, filters get invoked later)
2) Make basic auth for https connections only, therefore skip auth on http

Any ideas how I can achieve one of those two approaches?

thanks.

On 22.01.2013 12:26, Gregor Jarisch wrote:
> Hi there,
>
> I am facing the following problem. I have an embedded jetty (8.1.7) and
> I'd like to run my application on https only.
> Furthermore my users have to authenticate via basic auth. The redirect
> from http to https works fine, the problem is that jetty is asking for
> authentication on http too before the redirect, instead of redirecting
> to https first.
>
> How can I prevent the insecure basic prompt on http?
>
> Thanks.
>
> This is my code:
>
> List<Connector> connectors = new LinkedList<Connector>();
>
> SelectChannelConnector proxyConnector = new
> SelectChannelConnector() {
> @Override
> public void customize(EndPoint endpoint, Request request)
> throws IOException {
> request.setScheme("https");
> super.customize(endpoint, request);
> }
> };
>
> proxyConnector.setHost("localhost");
> proxyConnector.setPort(80);
> proxyConnector.setConfidentialPort(443);
> proxyConnector.setIntegralPort(443);
> if (options.useBehindProxy) {
> proxyConnector.setHostHeader("localhost:443");
> proxyConnector.setForwarded(true);
> }
> connectors.add(proxyConnector);
>
> ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
> csh.setAuthenticator(new BasicAuthenticator());
> csh.setRealmName("realm");
> csh.setLoginService(options.loginService);
>
> Constraint basicAuthConstraint = new Constraint();
> basicAuthConstraint.setName(Constraint.__BASIC_AUTH);
> basicAuthConstraint.setRoles(new String[]{"user"});
> basicAuthConstraint.setAuthenticate(true);
> basicAuthConstraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
>
> ConstraintMapping cm = new ConstraintMapping();
> cm.setConstraint(basicAuthConstraint);
> cm.setPathSpec("/*");
> csh.addConstraintMapping(cm);
> context.setSecurityHandler(csh);
>
> SslSocketConnector sslConnector = new SslSocketConnector();
> sslConnector.setPort(443);
> sslConnector.setPassword("...");
> sslConnector.setKeyPassword("...");
> sslConnector.setKeystore("...");
> sslConnector.setTrustPassword("...");
> connectors.add(sslConnector);
>
> server.setConnectors(connectors.toArray(new
> Connector[connectors.size()]));
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Ing. Gregor Jarisch
entrepreneurship & development

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Ing. Gregor Jarisch
entrepreneurship & development

References:
- [jetty-users] redirect to https BEFORE basic authentication
  - From: Gregor Jarisch
- Re: [jetty-users] redirect to https BEFORE basic authentication
  - From: Gregor Jarisch
- Re: [jetty-users] redirect to https BEFORE basic authentication
  - From: larry mccay

Prev by Date: Re: [jetty-users] redirect to https BEFORE basic authentication
Next by Date: Re: [jetty-users] OSGI and ServletContextListener
Previous by thread: Re: [jetty-users] redirect to https BEFORE basic authentication
Next by thread: [jetty-users] Jetty 9.0.0.M5 available
Index(es):
- Date
- Thread

Breadcrumbs