Bug 365947 - HttpSpiContextHandler fails to send Www-authenticate header
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: unspecified
Hardware: Macintosh Mac OS X - Carbon (unsup.)
Importance: P3 major
Target Milestone: 7.5.x
Assignee: Greg Wilkins CLA
Reported: 2011-12-07 13:55 EST by Henrik Gustafsson CLA
Modified: 2011-12-22 07:15 EST

Description Henrik Gustafsson CLA 2011-12-07 13:55:34 EST
Build Identifier: jetty-http-spi-7.5.4.v20111024.jar

When using Jetty as my HttpServerProvider and I set an authenticator for the context (ctx.setAuthenticator(new BasicAuthenticator() {...})) to enable Basic HTTP auth, Jetty does not emit the Www-authenticate:-header in the 401-response, causing the client not to attempt to authenticate.

Typical Jetty exchange looks like this:

GET /soap/3.1?wsdl HTTP/1.1
Host: localhost:7627
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.1 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: undefined=%2C%2Fcdr; stay_login=1; id=je3LtszL8vomw

HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1281
Server: Jetty(7.5.4.v20111024)

<html>
...stuff...
</html>

When switching to the stock Java HttpServerProvider the expected header is emitted:

GET /soap/3.1?wsdl HTTP/1.1
Host: localhost:7627
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.1 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: undefined=%2C%2Fcdr; stay_login=1; id=je3LtszL8vomw

HTTP/1.1 401 Unauthorized
Content-length: 0
Www-authenticate: Basic realm="SomeService"

From what I can tell, in HttpSpiContextHandler.handleAuthentication() jettytHttpExchange.responseHeaders contains the missing header, but it's never sent when it reaches resp.sendError(rc) of the (result instanceof Authenticator.Retry) branch.


Reproducible: Always

Steps to Reproduce:
1. This:

server = new JettyHttpServerProvider().createHttpServer(new InetSocketAddress(host, port), 10);
server.start();
final HttpContext httpContext = server.createContext("/fnord");
httpContext.setAuthenticator(new BasicAuthenticator("PSMService") {
  @Override
  public boolean checkCredentials(String username, String password) {
    if (Util.equals(username, "fnord") && Util.equals(password, "fnord"))
      return true;
    return false;
  }
});

final Endpoint endpoint = Endpoint.create(…);
endpoint.publish(httpContext);

2. Access the context
Comment 1 Greg Wilkins CLA 2011-12-22 01:35:41 EST
We were not copying the headers over.  Fixed now in HEAD and will be in 7.6.0

Note that the http-spi is little used and little tested, so we would appreciate any feedback you can give.  Keep the issues coming and feel free to write some test harnesses if you want.

cheers
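
A regression check for the behaviour reported in this bug, as an added example that is not part of the thread or of Jetty's code: it requests the protected context without credentials and fails unless the 401 carries a Basic challenge. It runs against whichever HttpServerProvider is active (the JDK default, unless the com.sun.net.httpserver.HttpServerProvider system property names another such as Jetty's). The class name AuthChallengeCheck, the helper same(), the 204 handler and the default port are assumptions made for this example, and the constant-time comparison stands in for the report's Util.equals.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.spi.HttpServerProvider;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class AuthChallengeCheck {
    // Hypothetical helper: comparison that does not stop at the first mismatching byte.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 7627; // assumed default port
        // provider() returns the configured SPI implementation, so the same check covers both.
        HttpServer server = HttpServerProvider.provider()
                .createHttpServer(new InetSocketAddress("127.0.0.1", port), 10);
        HttpContext ctx = server.createContext("/fnord", exchange -> {
            exchange.sendResponseHeaders(204, -1); // only reached after successful auth
            exchange.close();
        });
        ctx.setAuthenticator(new BasicAuthenticator("PSMService") {
            @Override
            public boolean checkCredentials(String username, String password) {
                return same(username, "fnord") & same(password, "fnord");
            }
        });
        server.start();
        try {
            // No Authorization header is sent, so the server must answer with a challenge.
            HttpURLConnection conn = (HttpURLConnection)
                    URI.create("http://127.0.0.1:" + port + "/fnord").toURL().openConnection();
            int status = conn.getResponseCode();
            String challenge = conn.getHeaderField("WWW-Authenticate"); // case-insensitive lookup
            System.out.println(status + " WWW-Authenticate: " + challenge);
            if (status != 401 || challenge == null
                    || !challenge.startsWith("Basic realm=\"PSMService\"")) {
                throw new AssertionError("401 without a usable Basic challenge");
            }
        } finally {
            server.stop(0);
        }
    }
}
```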
Comment 2 Henrik Gustafsson CLA 2011-12-22 03:34:52 EST
Thanks a bunch!

I'm assuming it will reach the jetty-8 branch too?
Comment 3 Jesse McConnell CLA 2011-12-22 07:15:09 EST
Also need to factor in 359784 or put into a new module, but just a heads up in case you're looking for ws spi support as well, just trying to iron out CQs atm

cheers