Community
Participate
Working Groups
Build Identifier: HttpServletRequest.login() always throws ServletException after invoking HttpServletRequest.isUserInRole(). The issue could be reproduced by the following code snippet: public class LoginServlet extends javax.servlet.http.HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { if (!request.isUserInRole("user")) { try { request.login("user", "password"); } catch(ServletException se) { // ServletException is always thrown here } } } } Reproducible: Always
The issue appears to be caused by calls like isUserInRole forcing the authentication to be changed from deferred to unauthenticated. A simple change will be to make Deferred.authenticate(...) return this if authentication fails. But I'm concerned than unauthenticated might be set other ways and thus using it as a tunnel to the login service may not be the best idea.
tentative fix in r3109