Bug 324505 - Request.login method must throw ServletException if it can't login.
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 8.0.0
Hardware: PC Mac OS X - Carbon (unsup.)
Importance: P3 normal
Target Milestone: 7.1.x
Assignee: Jan Bartel CLA
Reported: 2010-09-04 03:30 EDT by David Jencks CLA
Modified: 2011-01-10 11:22 EST
Description David Jencks CLA 2010-09-04 03:30:06 EDT
Request.login method must either successfully newly log in the user or throw a ServletException.  In particular if there is no auth configured or the user is already logged in it must throw a servlet exception.
This does not appear to apply to jetty 7, there is no login method on Request there.
Comment 1 David Jencks CLA 2010-09-04 03:37:32 EDT
Fixed rev 2250.  I included no message in the ServletException since I wonder about leaking information about security failures back to the client.
Comment 2 Michael Gorovoy CLA 2010-09-07 20:59:54 EDT
Greg, for your review.
Comment 3 Sebastian Tusk CLA 2010-11-12 19:00:22 EST
DeferredAuthentication.login isn't implemented. It would be nice having that working. In the meantime Request.login should throw ServletException every time instead of silently not working.
Comment 4 Jan Bartel CLA 2011-01-10 11:22:02 EST
Sebastian, 

We've implemented Request.login() in jetty-8. See svn rev 2645. It would be great if you could test that in your setup.

thanks
Jan
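
An added example, not code from the Jetty project or from anyone in this bug: a servlet that calls `Request.login` under the contract in the description, answers every `ServletException` with one generic failure (the information-leak concern in comment 1), and checks for a principal in case the container returns without logging in (comment 3). The class name and the `user`/`pass` form parameter names are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical caller of HttpServletRequest.login(); the class name and the
// form parameter names ("user", "pass") are assumptions for this example.
public class ProgrammaticLoginServlet extends HttpServlet {
    private static final Logger LOG =
            Logger.getLogger(ProgrammaticLoginServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Contract from this bug: returns normally only after a new,
            // successful login; throws if no auth is configured, the caller
            // is already logged in, or the credentials are rejected.
            req.login(user, pass);
        } catch (ServletException e) {
            // Keep the cause in the server log only. The client receives the
            // same generic answer for every failure mode.
            LOG.log(Level.WARNING, "login() failed for remote address "
                    + req.getRemoteAddr(), e);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Guard against a container that returns silently without
        // authenticating (the behaviour comment 3 objects to).
        if (req.getUserPrincipal() == null) {
            LOG.warning("login() returned but no principal was established");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```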