If you are using BASIC auth (or DIGEST, which is a little more secure) then it is the responsibility of your client to send auth headers with every request and the server will validate every request from scratch and populate the auth fields of the request. Browsers do this by default, but it sounds like you are not using a browser.
There are other methods such as FORM and OPENID that do an authentication conversation and leave the results in a session, so that all following requests in the same session are considered authenticated. Now by default FORM auth does use HTML pages to run a conversation, but ultimately it does not need those pages to do the auth, it just needs:

- one GET request to establish a session (could be for anything and could get a 401 response)
- a POST request to "/j_security_check" with parameters "j_username" and "j_password"
- all subsequent requests carrying the session cookie will then be authenticated.

Ultimately our authenticators and authentications are pluggable and you can do all sorts of stuff. It would not be hard to authenticate with BASIC, save that in a session and then all subsequent requests would be authenticated.

The login module is used by all of these auth methods to check the credentials - either for every request or once to put in the session. So it is orthogonal to the auth method used.

Finally, Webtide LLC is available for commercial services and we can implement a custom auth mechanism for you as part of that.... if none of the standard mechanisms works for you and you don't want to customize yourself.

cheers

On Mon, 24 Feb 2020 at 23:46, Wang Yicheng <[email protected]> wrote:

> Hi Greg,
>
> Yes, I've got the point that BASIC is bound to be stateless and work without session. And we did observe the authentication header in the first request while the second one didn't carry it.
>
> I think our question is, we do need sessions to keep users logged in, but we don't have HTML pages as FORM asks for. In this case, which authentication method should we use? And I suppose all auth-methods support JAAS customized login module right?
>
> Do apologize if any of my previous questions are vague or misleading :)
>
> On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins <[email protected]> wrote:
>
>> OK,
>>
>> so if you are using BASIC auth, then you don't need sessions, so we're barking up the wrong tree!
>>
>> Can you share the headers of your first and second requests? Does the second request have the authentication header?
>>
>> cheers
>>
>> On Mon, 24 Feb 2020 at 20:21, Wang Yicheng <[email protected]> wrote:
>>
>>> Sorry for the late reply. Yes we use BASIC as the authentication method. It works fine with WebLogic without extra configuration to create sessions. So I supposed Jetty would do the same at the beginning. The thing is our system doesn't have HTML pages as we only use the web server for remote communication.
>>>
>>> I've tried to change the <auth-method> to FORM in web.xml but it's prompting that the pages are needed. I simply put "/" for the login page and the error page but then the customized login module is not working properly. We have a servlet for domain "/" but it wouldn't return any HTML pages. I didn't get a chance to do further investigation.
>>>
>>> Any suggestions would be appreciated!
>>>
>>> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins <[email protected]> wrote:
>>>
>>>> What auth mechanism are you using?
>>>> BASIC and DIGEST send auth information with every request
>>>> FORM stores the auth in the session.
>>>>
>>>> You can have other varieties (eg OPENID) which do either, but you need to set an authenticator to do whatever auth conversation you want to have.
>>>>
>>>> So tell us a bit more detail about your actual authentication mechanism.
>>>>
>>>> cheers
>>>>
>>>> On Wed, 19 Feb 2020 at 11:23, Jan Bartel <[email protected]> wrote:
>>>>
>>>>> If you use BASIC authentication, every single request must contain the realm, username and password and is authenticated on reception - there is no concept of a session maintaining state.
>>>>>
>>>>> The form login page can be generated by a servlet, it doesn't have to be a static html resource.
>>>>>
>>>>> Jan
>>>>>
>>>>> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng <[email protected]> wrote:
>>>>>
>>>>>> Thanks Jan! The thing is, my project actually doesn't have any pages. So, is it possible to have FORM authentication without login pages? Or does it mean I should go with BASIC while creating sessions myself?
>>>>>>
>>>>>> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel <[email protected]> wrote:
>>>>>>
>>>>>>> You need to set up what the authentication method is, ie the equivalent of the <login-config><auth-method/></login-config> in web.xml. The default is basic authentication. If you want to use sessions to maintain the authentication state, then configure FORM authentication, either in web.xml or by setting an instance of https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html on the SecurityHandler.
>>>>>>>
>>>>>>> Jan
>>>>>>>
>>>>>>> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng <[email protected]> wrote:
>>>>>>>
>>>>>>>> Thanks Joakim!
>>>>>>>>
>>>>>>>> Yes I do have a customized login module following JAAS spec. So it seems the missing session is causing the problem. Then my question is: With default configuration, does Jetty generate session automatically for authenticated user? Or is my code responsible for doing that?
>>>>>>>>
>>>>>>>> I actually published another question here <http://jetty.4.x6.nabble.com/HttpServletRequest-Returns-NULL-Principal-After-Logging-In-td4968503.html> which contains more details about my issue. Any help is highly appreciated!
>>>>>>>>
>>>>>>>> Best
>>>>>>>>
>>>>>>>> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> If using Servlet authentication (or JAAS) the principal would be set.
>>>>>>>>>
>>>>>>>>> If you are using a 3rd party web library (like spring) then odds are you are not integrating with Servlet security.
>>>>>>>>>
>>>>>>>>> Joakim Erdfelt / [email protected]
>>>>>>>>>
>>>>>>>>> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi team,
>>>>>>>>>>
>>>>>>>>>> My question is as the subject states. My issue is the login request does have the principal by calling getUserPrincipal. But after logging in, the second request has a null principal. Besides, neither of the requests has sessions. So I'm wondering if Jetty uses session information to set the principal in HTTP request. Do appreciate your help!
>>>>>>>>>>
>>>>>>>>>> Best
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
>>>>>>>>>> _______________________________________________
>>>>>>>>>> jetty-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> To change your delivery options, retrieve your password, or
>>>>>>>>>> unsubscribe from this list, visit
>>>>>>>>>> https://www.eclipse.org/mailman/listinfo/jetty-users
>>>>>>>
>>>>>>> --
>>>>>>> Jan Bartel <[email protected]>
>>>>>>> www.webtide.com
>>>>>>> *Expert assistance from the creators of Jetty and CometD*
>>>>>
>>>>
>>>> --
>>>> Greg Wilkins <[email protected]> CTO http://webtide.com
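The three-step conversation Greg describes at the top of the thread (a GET that establishes a session, a POST to /j_security_check with j_username and j_password, then requests that carry only the session cookie), as an added example that is not from the thread or from Jetty: a non-browser Python client runs it against a constructed stand-in server that mimics a FORM-auth container, including the failure case where a wrong password leaves the session unauthenticated. The stand-in server, the /api path, the JSESSIONID cookie name and the alice/s3cret credential are assumptions for the demo, not a real Jetty deployment.

```python
import threading
import urllib.request
from http.cookies import Morsel, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

VALID = {"alice": "s3cret"}   # constructed credential; the server below is a stand-in, not Jetty
SESSIONS = {}                 # session id -> logged-in user (None until j_security_check succeeds)

class MockFormAuth(BaseHTTPRequestHandler):
    def _sid(self):
        return SimpleCookie(self.headers.get("Cookie", "")).get("JSESSIONID", Morsel()).value
    def _reply(self, code, body, new_sid=None):
        self.send_response(code)
        if new_sid:
            self.send_header("Set-Cookie", f"JSESSIONID={new_sid}; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(body.encode())
    def do_GET(self):
        sid = self._sid()
        if sid not in SESSIONS:                     # step 1: first contact creates a session
            sid = f"sid{len(SESSIONS)}"
            SESSIONS[sid] = None
            return self._reply(401, "login required", new_sid=sid)
        user = SESSIONS[sid]
        self._reply(200 if user else 401, f"hello {user}" if user else "login required")
    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        user, pw = form.get("j_username", [""])[0], form.get("j_password", [""])[0]
        if self.path == "/j_security_check" and (sid := self._sid()) in SESSIONS and VALID.get(user) == pw:
            SESSIONS[sid] = user                    # step 2: the session is now authenticated
            return self._reply(200, "ok")
        self._reply(403, "login failed")

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), MockFormAuth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

class NoRaise(urllib.request.HTTPErrorProcessor):
    def http_response(self, request, response):   # hand 401/403 back as ordinary replies
        return response

def form_login(base, user, pw):
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(), NoRaise())
    opener.open(base + "/api").read()               # step 1: any request; a 401 still sets JSESSIONID
    creds = urlencode({"j_username": user, "j_password": pw}).encode()
    opener.open(base + "/j_security_check", creds).read()   # step 2: POST the credentials
    with opener.open(base + "/api") as resp:        # step 3: only the cookie is sent now
        return resp.status, resp.read().decode()
```

With the right password the final GET succeeds on the cookie alone; with a wrong one the session exists but stays unauthenticated, so the final GET is refused, which is the behaviour a client must be prepared to handle.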
