Strange behaviour of jetty when accessing a protected resour

wdrai Oct 15, 2003 5:18 PM

I am using a webapp in JBoss 3.2.1 / Jetty with a simple security setup :
/home/* restricted to role 'user'
/admin/* restricted to role 'admin'

When a user with the simple role 'user' logs in, he has access to the /home directory as expected.
When this user then tries to access a page in the /admin directory, he is redirected to the login page instead of getting a HTTP 403 error as specified in the servlet spec.

Is it a configuration problem or a bug in jetty ?

Thanks.
William

1. Re: Strange behaviour of jetty when accessing a protected re

jimbrady Nov 19, 2003 5:31 AM (in response to wdrai)

Did you get an answer to this. I have the same problem.
Actions
2. Re: Strange behaviour of jetty when accessing a protected re

jimbrady Nov 19, 2003 8:22 AM (in response to wdrai)

I found the answer. I have a copy of the source.

The problem lies in org.mortbay.http.SecurityConstraint

if (!inRole)
{
Code.warning("AUTH FAILURE: role for "+user.getName());
if ("BASIC".equalsIgnoreCase (authenticator.getAuthMethod()))
((BasicAuthenticator)authenticator).sendChallenge(realm,response);
else
response.sendErrorHttpResponse.__403_Forbidden,
"User not in required role");
return -1; // role failed.
}

i.e. Jetty is programmed to do this for Basic Authentication. Looks like I will have to change to use ssomething else. (sigh!)
Actions
3. Re: Strange behaviour of jetty when accessing a protected re

jonlee Nov 19, 2003 4:42 PM (in response to wdrai)

You could change the code. You could also ask the Jetty developers via the Jetty forums about the authentication.
Actions

Go to original post