Bug 368773 - http -> https redirect via security-constrained in web.xml only works with jetty-testrealm.xml enabled
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: unspecified
Hardware: All   OS: All
Importance: P3 normal
Target Milestone: 7.5.x
Assignee: Shirley Boulay
Reported: 2012-01-16 16:06 EST by Thomas Becker
Modified: 2012-03-01 14:06 EST

Attachments
possible fix (13.00 KB, patch)
2012-01-17 02:38 EST, Greg Wilkins
Description Thomas Becker 2012-01-16 16:06:51 EST
Build Identifier: 

Find out if there's a good reason for that behaviour and if not fix the darn thing! 

Reproducible: Always
Comment 1 Greg Wilkins 2012-01-16 17:01:20 EST
Part of the issue appears to be the method SecurityHandler@findLoginService, which, if it can't find a realm matching by name, just picks the first realm.

This would seem moderately dangerous! It should at least warn.   But I'm thinking we should just not have this default and provide a new LoginService type that wraps another LoginService and gives it a new name (in case aliases are needed).

So what is happening with hightide, is that because there is a JAAS login service provided to the server, any webapp needing a realm is matching that JAAS login service as the first login service.    This allows the context to deploy.

The redirection issue then needs to be looked at, as to why it is different with the jaas login service rather than with others.
Comment 2 Greg Wilkins 2012-01-17 02:38:15 EST
Created attachment 209602
possible fix

This fix allows for data constraints to be tested when there is not an authenticator.
Comment 3 Greg Wilkins 2012-01-17 06:54:11 EST
patch applied
Comment 4 Jan Bartel 2012-02-02 17:34:36 EST
Hi Shirley,

Could you update the wiki page on Configuring Security Realms (http://wiki.eclipse.org/Jetty/Tutorial/Realms) with the new behaviour that was introduced to fix the bug. Here's an extract from an answer to a user on the jetty mailing list that you can use as a basis:

 --- ---

The upshot of this is that you need to explicitly tell a context which
realm (aka LoginService) to use if you have more than one of them
defined in the Server. You give the SecurityHandler for a context
either the name of the realm you want to use (that you already added
to the Server), or you give it the actual LoginService.

E.g. in XML:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
 <Get name="securityHandler">
   <!-- Either: -->
   <Set name="loginService">
     <New class="org.eclipse.jetty.security.HashLoginService">
           <Set name="name">Test Realm</Set>
     </New>
   </Set>

   <!-- or if you defined a LoginService called "Test Realm" in jetty.xml : -->
   <Set name="realmName">Test Realm</Set>

 </Get>
</Configure>

  --- ---

thanks
Jan
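A complete configuration for the situation this bug describes, added here as an illustration (it is not from the bug report or from the Jetty project): the web.xml data constraint that forces https, the realm registered on the Server in jetty.xml, and a context file that names that realm explicitly so the first-LoginService fallback from comment 1 is never relied on. The file paths, the 8080/8443 ports and the realm.properties location are assumptions.

```xml
<!-- WEB-INF/web.xml (hypothetical webapp): redirect every http request to https.
     No auth-constraint and no login-config are needed for the redirect alone;
     since the fix in this bug (7.6.0 / 8.1.0) the data constraint is checked
     even when the context has no authenticator. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- etc/jetty.xml (fragment): the http connector must know which port the
     CONFIDENTIAL redirect should point at, and the realm is a Server bean. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="port">8080</Set>
        <Set name="confidentialPort">8443</Set>   <!-- assumed https connector port -->
      </New>
    </Arg>
  </Call>
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <!-- assumed location of the user/role properties file -->
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      </New>
    </Arg>
  </Call>
</Configure>

<!-- contexts/myapp.xml (hypothetical): bind this context to "Test Realm" by name.
     Leaving realmName unset makes SecurityHandler fall back to the first
     LoginService on the Server, which may be a different user database. -->
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/myapp</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/myapp.war</Set>
  <Get name="securityHandler">
    <Set name="realmName">Test Realm</Set>
  </Get>
</Configure>
```

With more than one LoginService registered on the Server, every context that declares a login-config should set realmName (or loginService) the same way, so a request is never authenticated against a realm it was not meant for.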
Comment 5 Jan Bartel 2012-02-02 17:35:43 EST
Shirley,

BTW this was fixed in 7.6.0 and 8.1.0.

thanks
Jan
Comment 6 Shirley Boulay 2012-03-01 14:05:44 EST
Added this information to http://wiki.eclipse.org/Jetty/Tutorial/Realms on 3/1/2012. Sorry that this one slipped by me until now.
Comment 7 Shirley Boulay 2012-03-01 14:06:17 EST
Resolved.