2 Replies Latest reply on Nov 19, 2003 8:21 AM by jimbrady

    Unexpected behaviour of jetty when accessing a restricted re

    wdrai

      I am using a webapp in JBoss 3.2.1 / Jetty with a simple security setup:
      /home/* restricted to role 'user'
      /admin/* restricted to role 'admin'

      When a user with the simple role 'user' logs in, he has access to the /home directory as expected.
      When this user then tries to access a page in the /admin directory, he is redirected to the login page instead of getting an HTTP 403 error as specified in the servlet spec.

      Is it a configuration problem or a bug in Jetty?


      Thanks.
      William

        • 1. Re: Unexpected behaviour of jetty when accessing a restricte
          jimbrady

          Did you get an answer to this? I have the same problem.

          • 2. Re: Unexpected behaviour of jetty when accessing a restricte
            jimbrady

            I found the answer. I have a copy of the source.

            The problem lies in org.mortbay.http.SecurityConstraint

            if (!inRole)
            {
                Code.warning("AUTH FAILURE: role for "+user.getName());
                // For BASIC auth the user is re-challenged (401) even though
                // they are already authenticated; every other auth method gets 403.
                if ("BASIC".equalsIgnoreCase(authenticator.getAuthMethod()))
                    ((BasicAuthenticator)authenticator).sendChallenge(realm,response);
                else
                    response.sendError(HttpResponse.__403_Forbidden,
                                       "User not in required role");
                return -1; // role failed.
            }


            i.e. Jetty is programmed to do this for Basic Authentication. Looks like I will have to change to use something else. (sigh!)
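The servlet-spec behaviour the thread is asking for, as an added example (not Jetty's, JBoss's or the posters' code): a servlet Filter that separates the two failure cases the quoted Jetty branch collapses for BASIC auth. "No principal" gets a 401 challenge; "principal present but not in role" gets a 403 and is never re-challenged. The path-to-role table, the realm name and the filter mapping are assumptions chosen to mirror the constraints in the question.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example filter (hypothetical, not part of Jetty): enforce
 * path-prefix role constraints with the 401-vs-403 distinction
 * required by the servlet specification.
 */
public class RoleCheckFilter implements Filter {

    // Assumed constraint table mirroring the question's web.xml:
    // path prefix -> required role. Order matters: first match wins.
    private static final Map<String, String> CONSTRAINTS = new LinkedHashMap<String, String>();
    static {
        CONSTRAINTS.put("/admin/", "admin");
        CONSTRAINTS.put("/home/", "user");
    }

    private static final String REALM = "example-realm"; // assumed realm name

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    /** Returns the role a request path requires, or null if it is unrestricted. */
    static String requiredRole(String path) {
        for (Map.Entry<String, String> e : CONSTRAINTS.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String role = requiredRole(request.getServletPath());
        if (role == null) {
            chain.doFilter(req, res); // unrestricted resource
            return;
        }

        if (request.getUserPrincipal() == null) {
            // Not authenticated at all: the only case where a challenge is the right answer.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (!request.isUserInRole(role)) {
            // Authenticated but lacking the role: 403, and no re-challenge.
            // Re-challenging here hides an authorization failure behind a
            // login prompt and makes the event look like a credential problem in logs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "User not in required role");
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml. One caveat: container security constraints run before filters, so this filter only sees a principal for requests the container has already authenticated; if the /admin/* constraint is left in web.xml, Jetty's own branch still answers first. Keep a constraint that requires authentication on those paths (so getUserPrincipal() is populated) and let the filter make the role decision.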