What is the configuration of your ServerConnectors, and the HttpConfiguration + SecureRequestCustomizer settings on those connectors?
Chances are you just haven't set that up properly for your environment.
The HttpConfiguration needs to be set up properly to point to the external TLS layer.
Optionally, the SecureRequestCustomizer needs to be present and possibly configured to use the Forwarding header that your TLS layer could be adding to the request.

Joakim Erdfelt / [email protected]

On Mon, May 3, 2021 at 12:30 PM Steven Schlansker <[email protected]> wrote:

> Hi again jetty-users,
>
> I'm still stuck on this problem. Has anyone done something similar, or
> have a resource to suggest I could dig deeper to answer my own question?
> I'm so close to having the authentication flow work, this is the last
> non-working bit...
>
> Thanks,
> Steven
>
> On Mon, Apr 26, 2021 at 2:48 PM Steven Schlansker <[email protected]> wrote:
>
>> Hi jetty-users, happy Monday :)
>> I am trying to configure FormAuthenticator in Jetty 9.4.40 on a server
>> that serves HTTP terminated behind an external load balancer handling the
>> TLS termination.
>>
>> Everything works fine in testing, but when it is behind the external TLS
>> termination, Jetty serves up 303 See Other responses to e.g. the login page
>> with an absolute http url, which redirects the user away from the secure
>> site. The FormAuthenticator seems to allow me to customize the path to the
>> form and error page, but not the scheme.
>>
>> I tried attaching ForwardedRequestCustomizer to see if parsing the
>> forwarding headers would help, but it did not seem to change anything.
>>
>> I tried using FormAuthenticator dispatch mode instead of redirect, but
>> that caused all server responses to 404 for reasons I didn't really
>> understand, so I gave up on that pretty quick.
>>
>> What's the right way to configure FormAuthenticator or its connector in
>> embedded jetty to preserve the https nature of the site, even when Jetty
>> doesn't do TLS termination? I can't help but feel this should be answered
>> on Google but I must be searching for the wrong thing...
>>
>> I've attached my handler setup below in case that helps.
>> Thanks for any advice,
>> Steven
>>
>>     final var securityHandler = new ConstraintSecurityHandler();
>>     securityHandler.setLoginService(loginService);
>>     securityHandler.addRole("ws");
>>
>>     final var constraintMapping = new ConstraintMapping();
>>     final var constraint = new Constraint(Constraint.__FORM_AUTH, "ws");
>>     constraint.setAuthenticate(true);
>>     constraintMapping.setConstraint(constraint);
>>     constraintMapping.setPathSpec("/*");
>>
>>     securityHandler.addConstraintMapping(constraintMapping);
>>
>>     final var noAuth = new Constraint();
>>     noAuth.setName(Constraint.NONE);
>>     final String loginPath = "/login";
>>     final String loginErrPath = loginPath + "/error";
>>     for (final var exclude : new String[] { "/favicon.ico",
>>             "/health", "/health/*", loginPath, loginErrPath }) {
>>         final var noAuthMapping = new ConstraintMapping();
>>         noAuthMapping.setConstraint(noAuth);
>>         noAuthMapping.setPathSpec(exclude);
>>         securityHandler.addConstraintMapping(noAuthMapping);
>>     }
>>     securityHandler.setHandler(servletContextHandler);
>>
>>     securityHandler.setAuthenticator(new FormAuthenticator(loginPath,
>>             loginErrPath, false));
>>
>>     final var sessionHandler = new SessionHandler();
>>     sessionHandler.setHandler(securityHandler);
>>     sessionHandler.setMaxInactiveInterval((int) Duration.ofDays(7).toSeconds());
>>
>>     final var sessionSchema = new SessionTableSchema();
>>     sessionSchema.setTableName("JettySessions_" + serviceName);
>>
>>     final var dbAdapt = new DatabaseAdaptor();
>>     dbAdapt.setDatasource(ds);
>>
>>     final var dataStoreFactory = new JDBCSessionDataStoreFactory();
>>     dataStoreFactory.setGracePeriodSec((int) Duration.ofDays(7).toSeconds());
>>     dataStoreFactory.setSessionTableSchema(sessionSchema);
>>     dataStoreFactory.setDatabaseAdaptor(dbAdapt);
>>     server.addBean(dataStoreFactory);
>>
>>     final var sessionIdMgr = new DefaultSessionIdManager(server);
>>     sessionIdMgr.setWorkerName(GraphiteTags.pod());
>>     server.setSessionIdManager(sessionIdMgr);
>>
>>     return sessionHandler;
>>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
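The connector wiring discussed in this thread, as an added example (not code from either poster or from the Jetty project): an embedded Jetty 9.4 server whose HttpConfiguration carries a ForwardedRequestCustomizer, with a stand-in handler that redirects to /login so the generated Location can be compared with and without X-Forwarded-Proto. The class name ForwardedSchemeDemo, the loopback listener, and the assumption that the load balancer sends X-Forwarded-Proto are illustrative; jetty-server 9.4 must be on the classpath.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ForwardedSchemeDemo { // hypothetical class name
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // The customizer only takes effect on the HttpConfiguration that is
        // actually handed to the connector's HttpConnectionFactory.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        // The customizer trusts forwarding headers from any client, so the
        // listener should be reachable only by the TLS terminator (assumption).
        connector.setHost("127.0.0.1");
        connector.setPort(0); // ephemeral port for the demo
        server.addConnector(connector);
        // Stand-in for the redirect that FormAuthenticator sends to the login page.
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws java.io.IOException {
                baseRequest.setHandled(true);
                response.sendRedirect("/login");
            }
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + connector.getLocalPort() + "/");
            for (String proto : new String[] {null, "https"}) { // constructed sample requests
                HttpURLConnection c = (HttpURLConnection) url.openConnection();
                c.setInstanceFollowRedirects(false);
                if (proto != null) c.setRequestProperty("X-Forwarded-Proto", proto);
                System.out.println("X-Forwarded-Proto=" + proto + " -> " + c.getResponseCode()
                        + " Location: " + c.getHeaderField("Location"));
                c.disconnect();
            }
        } finally {
            server.stop();
        }
    }
}
```

If the Location scheme does not change between the two requests in a real deployment, check that the connector was built from the HttpConfiguration holding the customizer and that the load balancer is actually sending the header.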
