
Bug 343472

Summary: HttpServletRequest.login() always throws ServletException after invoking HttpServletRequest.isUserInRole()
Product: [RT] Jetty
Reporter: michael1224.fang
Component: server
Assignee: Greg Wilkins <gregw>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: jetty-inbox
Version: 8.0.0
Target Milestone: 7.2.x
Hardware: PC
OS: Windows XP
Whiteboard:

Description michael1224.fang CLA 2011-04-20 23:17:57 EDT
Build Identifier: 

HttpServletRequest.login() always throws ServletException after invoking HttpServletRequest.isUserInRole().

The issue could be reproduced by the following code snippet: 

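import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends javax.servlet.http.HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The role check runs first, on a request that is not yet authenticated
        if (!request.isUserInRole("user")) {
            try {
                request.login("user", "password");
            } catch (ServletException se) {
                // ServletException is always thrown here
            }
        }
    }
}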


Reproducible: Always
Comment 1 Greg Wilkins CLA 2011-05-10 03:08:01 EDT
The issue appears to be caused by calls like isUserInRole forcing the authentication to be changed from deferred to unauthenticated.

A simple change will be to make Deferred.authenticate(...) return this if authentication fails. But I'm concerned that unauthenticated might be set other ways and thus using it as a tunnel to the login service may not be the best idea.
Comment 2 Greg Wilkins CLA 2011-05-10 03:44:11 EDT
tentative fix in r3109
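
A simplified model of the state change described in Comment 1, added here as an illustration: it is not Jetty source and not the change made in r3109. Every class, method and field name in it is hypothetical, the user table is constructed sample data, and a plain Exception stands in for ServletException (Java 16 or later).

```java
import java.util.Map;

// Hypothetical model of the deferred -> unauthenticated transition; not Jetty code.
public class DeferredAuthModel {
    interface Auth {}
    static final Auth UNAUTHENTICATED = new Auth() {};
    record User(String name) implements Auth {}

    // Deferred: nothing has been checked yet, programmatic login is still possible.
    static class Deferred implements Auth {
        final Map<String, String> users;  // constructed sample login service
        final boolean keepOnFailure;      // true = the change proposed in Comment 1
        Deferred(Map<String, String> users, boolean keepOnFailure) {
            this.users = users;
            this.keepOnFailure = keepOnFailure;
        }
        // Lazy check forced by isUserInRole(); the request carries no credentials,
        // so it always fails here. The only question is which state is returned.
        Auth authenticate() { return keepOnFailure ? this : UNAUTHENTICATED; }
        Auth login(String user, String password) {
            return password.equals(users.get(user)) ? new User(user) : null;
        }
    }

    static class Request {
        Auth auth;
        Request(Auth initial) { auth = initial; }
        boolean isUserInRole(String role) {
            if (auth instanceof Deferred d) auth = d.authenticate();
            return auth instanceof User;  // role mapping omitted in this model
        }
        void login(String user, String password) throws Exception {
            // login() can only reach the login service through the deferred state
            if (!(auth instanceof Deferred d)) throw new Exception("no deferred state");
            Auth result = d.login(user, password);
            if (result == null) throw new Exception("bad credentials");
            auth = result;
        }
    }

    // Runs the sequence from the report: role check first, then login.
    static boolean loginAfterRoleCheck(boolean keepOnFailure) {
        Request r = new Request(new Deferred(Map.of("user", "password"), keepOnFailure));
        r.isUserInRole("user");
        try { r.login("user", "password"); return true; } catch (Exception e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("deferred replaced on failure: " + loginAfterRoleCheck(false));
        System.out.println("deferred kept on failure:     " + loginAfterRoleCheck(true));
    }
}
```

In this model the deferred state is kept rather than routing login() through the unauthenticated state, which is the alternative Comment 1 raises a concern about.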