Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 316320

Summary: Digest authentication works in opposite way than set in constraint
Product: [RT] Jetty Reporter: Jonas <ido.public>
Component: serverAssignee: David Jencks <david.a.jencks>
Status: CLOSED FIXED QA Contact:
Severity: minor    
Priority: P3 CC: janb, jetty-inbox
Version: 8.0.0   
Target Milestone: 7.0.2.RC0   
Hardware: All   
OS: All   
Whiteboard:

Description Jonas CLA 2010-06-09 11:12:29 EDT 
Digest authenticator validates request only if constraint authenticate property is set to false.

In org.eclipse.jetty.security.authentication.DigestAuthenticator on line 65 returns deferred authenticator while validation is mandatory.
Comment 1 Jan Bartel CLA 2010-09-27 04:24:00 EDT 
David,

Can you look into this one? The issue has been raised against 8, but it is probably the case for 7 as well.

thanks
Jan
Comment 2 David Jencks CLA 2010-09-27 14:03:02 EDT 
I'm confused by this report.  In both jetty 7 and 8 DigestAuthenticator lines 65-66 read:

        if (!mandatory)
            return _deferred;

which appears to be correct and the opposite of what the report claims.  I need more information to proceed.
Comment 3 Jonas CLA 2010-09-28 01:21:26 EDT 
I checked it once again and found out that it was a bug in version 8.0.0.M0 (the artifact I checked can be found at http://mirrors.ibiblio.org/pub/mirrors/maven2/org/eclipse/jetty/jetty-security/8.0.0.M0/jetty-security-8.0.0.M0-sources.jar), however in version 8.0.0.M1 it is now fixed.
Comment 4 Jan Bartel CLA 2010-09-28 01:58:31 EDT 
Jonas,

Thanks for letting us know. I'm closing this issue.