Hi jetty-users, happy Monday :)
I am trying to configure FormAuthenticator in Jetty 9.4.40 on a server that
serves HTTP terminated behind an external load balancer handling the TLS
termination.
Everything works fine in testing, but when it is behind the external TLS
termination, Jetty serves up 303 See Other responses to e.g. the login page
with an absolute http url, which redirects the user away from the secure
site. The FormAuthenticator seems to allow me to customize the path to the
form and error page, but not the scheme.
I tried attaching ForwardedRequestCustomizer to see if parsing the
forwarding headers would help, but it did not seem to change anything.
I tried using FormAuthenticator dispatch mode instead of redirect, but that
caused all server responses to 404 for reasons I didn't really understand,
so I gave up on that pretty quick.
What's the right way to configure FormAuthenticator or its connector in
embedded jetty to preserve the https nature of the site, even when Jetty
doesn't do TLS termination? I can't help but feel this should be answered
on Google but I must be searching for the wrong thing...
I've attached my handler setup below in case that helps.
Thanks for any advice,
Steven
final var securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(loginService);
securityHandler.addRole("ws");
final var constraintMapping = new ConstraintMapping();
final var constraint = new Constraint(Constraint.__FORM_AUTH, "ws");
constraint.setAuthenticate(true);
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");
securityHandler.addConstraintMapping(constraintMapping);
final var noAuth = new Constraint();
noAuth.setName(Constraint.NONE);
final String loginPath = "/login";
final String loginErrPath = loginPath + "/error";
for (final var exclude : new String[] { "/favicon.ico", "/health",
"/health/*", loginPath, loginErrPath }) {
final var noAuthMapping = new ConstraintMapping();
noAuthMapping.setConstraint(noAuth);
noAuthMapping.setPathSpec(exclude);
securityHandler.addConstraintMapping(noAuthMapping);
}
securityHandler.setHandler(servletContextHandler);
securityHandler.setAuthenticator(new FormAuthenticator(loginPath,
loginErrPath, false));
final var sessionHandler = new SessionHandler();
sessionHandler.setHandler(securityHandler);
sessionHandler.setMaxInactiveInterval((int)
Duration.ofDays(7).toSeconds());
final var sessionSchema = new SessionTableSchema();
sessionSchema.setTableName("JettySessions_" + serviceName);
final var dbAdapt = new DatabaseAdaptor();
dbAdapt.setDatasource(ds);
final var dataStoreFactory = new JDBCSessionDataStoreFactory();
dataStoreFactory.setGracePeriodSec((int)
Duration.ofDays(7).toSeconds());
dataStoreFactory.setSessionTableSchema(sessionSchema);
dataStoreFactory.setDatabaseAdaptor(dbAdapt);
server.addBean(dataStoreFactory);
final var sessionIdMgr = new DefaultSessionIdManager(server);
sessionIdMgr.setWorkerName(GraphiteTags.pod());
server.setSessionIdManager(sessionIdMgr);
return sessionHandler;
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
