
Bug 368773

Summary: http -> https redirect via security-constraint in web.xml only works with jetty-testrealm.xml enabled
Product: [RT] Jetty
Component: server
Reporter: Thomas Becker <tbecker>
Assignee: Shirley Boulay <boulay>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: gregw, janb, jetty-inbox
Version: unspecified
Target Milestone: 7.5.x
Hardware: All
OS: All
Whiteboard:
Attachments: possible fix (flags: none)

Description Thomas Becker CLA 2012-01-16 16:06:51 EST
Build Identifier: 

Find out if there's a good reason for that behaviour and if not fix the darn thing! 

Reproducible: Always
Comment 1 Greg Wilkins CLA 2012-01-16 17:01:20 EST
Part of the issue appears to be the method SecurityHandler#findLoginService, which, if it can't find a realm matching by name, just picks the first realm.

This would seem moderately dangerous! It should at least warn. But I'm thinking we should just not have this default and provide a new LoginService type that wraps another LoginService and gives it a new name (in case aliases are needed).

So what is happening with hightide, is that because there is a JAAS login service provided to the server, any webapp needing a realm is matching that JAAS login service as the first login service.    This allows the context to deploy.

The redirection issue then needs to be looked at, as to why it is different with the jaas login service rather than with others.
Comment 2 Greg Wilkins CLA 2012-01-17 02:38:15 EST
Created attachment 209602 [details]
possible fix

This fix allows for data constraints to be tested when there is not an authenticator.
Comment 3 Greg Wilkins CLA 2012-01-17 06:54:11 EST
patch applied
Comment 4 Jan Bartel CLA 2012-02-02 17:34:36 EST
Hi Shirley,

Could you update the wiki page on Configuring Security Realms (http://wiki.eclipse.org/Jetty/Tutorial/Realms) with the new behaviour that was introduced to fix the bug? Here's an extract from an answer to a user on the jetty mailing list that you can use as a basis:

 --- ---

The upshot of this is that you need to explicitly tell a context which
realm (aka LoginService) to use if you have more than one of them
defined in the Server. You give the SecurityHandler for a context
either the name of the realm you want to use (that you already added
to the Server), or you give it the actual LoginService.

E.g. in XML:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="securityHandler">
    <!-- Either: give the context its own LoginService instance -->
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
      </New>
    </Set>

    <!-- or, if you defined a LoginService called "Test Realm" in jetty.xml, refer to it by name: -->
    <Set name="realmName">Test Realm</Set>
  </Get>
</Configure>

  --- ---

thanks
Jan
Comment 5 Jan Bartel CLA 2012-02-02 17:35:43 EST
Shirley,

BTW this was fixed in 7.6.0 and 8.1.0.

thanks
Jan
Comment 6 Shirley Boulay CLA 2012-03-01 14:05:44 EST
Added this information to http://wiki.eclipse.org/Jetty/Tutorial/Realms on 3/1/2012. Sorry that this one slipped by me until now.
Comment 7 Shirley Boulay CLA 2012-03-01 14:06:17 EST
Resolved.