[jetty-users] FormAuthenticator redirects with a connector behind extern

[Steven Schlansker <stevenschlansker@xxxxxxxxx>]

Hi jetty-users, happy Monday :)

I am trying to configure FormAuthenticator in Jetty 9.4.40 on a server that serves HTTP terminated behind an external load balancer handling the TLS termination.

Everything works fine in testing, but when it is behind the external TLS termination, Jetty serves up 303 See Other responses to e.g. the login page with an absolute http url, which redirects the user away from the secure site.  The FormAuthenticator seems to allow me to customize the path to the form and error page, but not the scheme.

I tried attaching ForwardedRequestCustomizer to see if parsing the forwarding headers would help, but it did not seem to change anything.

I tried using FormAuthenticator dispatch mode instead of redirect, but that caused all server responses to 404 for reasons I didn't really understand, so I gave up on that pretty quick.

What's the right way to configure FormAuthenticator or its connector in embedded jetty to preserve the https nature of the site, even when Jetty doesn't do TLS termination?  I can't help but feel this should be answered on Google but I must be searching for the wrong thing...

I've attached my handler setup below in case that helps.

Thanks for any advice,

Steven

        final var securityHandler = new ConstraintSecurityHandler();
        securityHandler.setLoginService(loginService);
        securityHandler.addRole("ws");

        final var constraintMapping = new ConstraintMapping();
        final var constraint = new Constraint(Constraint.__FORM_AUTH, "ws");
        constraint.setAuthenticate(true);
        constraintMapping.setConstraint(constraint);
        constraintMapping.setPathSpec("/*");

        securityHandler.addConstraintMapping(constraintMapping);

        final var noAuth = new Constraint();
        noAuth.setName(Constraint.NONE);
        final String loginPath = "/login";
        final String loginErrPath = loginPath + "/error";
        for (final var exclude : new String[] { "/favicon.ico", "/health", "/health/*", loginPath, loginErrPath }) {
            final var noAuthMapping = new ConstraintMapping();
            noAuthMapping.setConstraint(noAuth);
            noAuthMapping.setPathSpec(exclude);
            securityHandler.addConstraintMapping(noAuthMapping);
        }
        securityHandler.setHandler(servletContextHandler);

        securityHandler.setAuthenticator(new FormAuthenticator(loginPath, loginErrPath, false));

        final var sessionHandler = new SessionHandler();
        sessionHandler.setHandler(securityHandler);
        sessionHandler.setMaxInactiveInterval((int) Duration.ofDays(7).toSeconds());

        final var sessionSchema = new SessionTableSchema();
        sessionSchema.setTableName("JettySessions_" + serviceName);

        final var dbAdapt = new DatabaseAdaptor();
        dbAdapt.setDatasource(ds);

        final var dataStoreFactory = new JDBCSessionDataStoreFactory();
        dataStoreFactory.setGracePeriodSec((int) Duration.ofDays(7).toSeconds());
        dataStoreFactory.setSessionTableSchema(sessionSchema);
        dataStoreFactory.setDatabaseAdaptor(dbAdapt);
        server.addBean(dataStoreFactory);

        final var sessionIdMgr = new DefaultSessionIdManager(server);
        sessionIdMgr.setWorkerName(GraphiteTags.pod());
        server.setSessionIdManager(sessionIdMgr);

        return sessionHandler;