Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-03-24 Thread Lachlan Roberts
>
> I suspect it's because I didn't set any roles in the second case, and thus
> an empty role cannot be matched to "**". I tried to add a role in
> getUserInfo but it doesn't work.


The role name "**" should match any authenticated user independent of role
so I don't think this is your problem. I suspect that when using your tool
you are not authenticated properly on subsequent requests after logging the
user in. As Greg said when using BASIC Auth it is the responsibility of
your client to send auth headers with every request, but browsers will do
this by default.

Perhaps the client on your tool is not configured to send the required
authentication headers with every request, which was the original problem.

Cheers,
Lachlan

On Tue, Mar 24, 2020 at 9:00 AM Wang Yicheng 
wrote:

> Sorry for starting this email channel again.
>
> We've successfully built our system with Jetty. Everything is great. The
> system gains noticeable performance improvement. But we've been struggling
> with role constraint.
>
> Our system has 2 usage scenarios: 1) REST APIs and 2) using our own tool.
> Thus the HTTP request for the former one is generated by the browser and
> the latter is generated programmatically.
>
> As our system doesn't need a realm and maintains role information itself,
> I just removed the role constraint of the root URL from web.xml. It does
> work for the second case. But browsers fail to open the URL, without a
> prompt to ask for user names and passwords, just showing "logout". So I set
> role-constraint as "**" to match all roles. Then browsers function
> correctly but our tool is failing. The tool can log user in but any
> following commands will log the user out.
>
> I suspect it's because I didn't set any roles in the second case, and thus
> an empty role cannot be matched to "**". I tried to add a role in
> getUserInfo but it doesn't work. Could anyone help with this urgent issue?
> Thanks!
>
> FYI, this is what I set in web.xml for the role constraint:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>all</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>**</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> jetty.xml
>   
> 
>   
> 
>   my_login_module
> 
>   
> 
>   
>
> getUserInfo in AbstractLoginModule
>   @Override
>   public UserInfo getUserInfo(String userName) throws Exception {
>     List<String> roleNames = new ArrayList<>();
>     roleNames.add("dummyrole");
>     return new MSUserInfo(userName, null, roleNames);
>   }
>
> On Tue, Feb 25, 2020 at 12:45 AM Greg Wilkins  wrote:
>
>>
>> If you are using BASIC auth (or DIGEST which is a little more secure)
>> then it is the responsibility of your client to send auth headers with
>> every request and the server will validate every request from scratch and
>> populate the auth fields of the request. Browsers do this by default, but
>> it sounds like you are not using a browser.
>>
>> There are other methods such as FORM and OPENID that do an authentication
>> conversation and leave the results in a session, so that all following
>> requests in the same session are considered authenticated. Now by
>> default FORM auth does use HTML pages to run a conversation, but ultimately
>> it does not need those pages to do the auth, it just needs:
>>
>>- one GET request to establish a session (could be for anything and
>>could get a 401 response)
>>    - a POST request to "/j_security_check" with parameters "j_username"
>>and "j_password"
>>- all subsequent requests carrying the session cookie will then be
>>authenticated.
>>
>> Ultimately our authenticators and authentications are pluggable and you
>> can do all sorts of stuff.  It would not be hard to authenticate with
>> BASIC, save that in a session and then all subsequent requests would be
>> authenticated.
>>
>> The login module is used by all of these auth methods to check the
>> credentials - either for every request or once to put in the session.  So
>> it is orthogonal to the auth method used.
>>
>> Finally, Webtide LLC is available for commercial services and we can
>> implement a custom auth mechanism for you as part of that if none of
>> the standard mechanisms works for you and you don't want to customize
>> yourself.
>>
>> cheers
>>
>>
>> On Mon, 24 Feb 2020 at 23:46, Wang Yicheng 
>> wrote:
>>
>>> Hi Greg,
>>>
>>> Yes, I've got the point that BASIC is bound to be stateless and works
>>> without a session. And we did observe the authentication header in the first
>>> request while the second one didn't carry it.
>>>
>>> I think our question is, we do need sessions to keep users logged in,
>>> but we don't have HTML pages as FORM asks for. In this case, which
>>> authentication method should we use? And I suppose all auth-methods support
>>> JAAS customized login module right?
>>>
>>> Do apologize if any of my previous questions are vague or misleading :)
>>>
>>> On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins  wrote:
>>>
 OK,

 so if you are using BASIC 

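Lachlan's diagnosis above (the tool logs in once and then stops sending the BASIC header) and Greg's remark, quoted further down, that it "would not be hard to authenticate with BASIC, save that in a session and then all subsequent requests would be authenticated", can be made concrete with a small Authenticator subclass. This is an added example written for this page, not code from the thread or from the Jetty project. It assumes Jetty 9.4.x, a context with sessions enabled, and that the ConstraintSecurityHandler is given this authenticator in place of the default BasicAuthenticator; the class name is made up. After the first request with a valid Authorization header, the UserIdentity is kept in the session under the same attribute Jetty's own FORM authenticator uses, so a tool that sends credentials only on its first call and the JSESSIONID cookie afterwards stays logged in.

```java
// Added example, not from the jetty-users thread or the Jetty code base.
// A BasicAuthenticator that caches a successful BASIC login in the HTTP session
// so that later requests carrying only the session cookie remain authenticated.
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;

public class SessionCachingBasicAuthenticator extends BasicAuthenticator {

    @Override
    public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
            throws ServerAuthException {
        HttpServletRequest request = (HttpServletRequest) req;

        // 1. A session that already holds an authentication wins: no Authorization header needed.
        //    The attribute key is the one Jetty's FormAuthenticator uses, so request.logout()
        //    and session invalidation behave the same as for FORM auth.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object cached = session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
            if (cached instanceof Authentication.User) {
                return (Authentication.User) cached;
            }
        }

        // 2. Otherwise run the normal BASIC handling: challenge with 401 if the header is
        //    missing, or validate the credentials through the configured LoginService
        //    (the thread's JAAS login module, for example). The SecurityHandler also renews
        //    the session id on a successful login, which protects against session fixation.
        Authentication auth = super.validateRequest(req, res, mandatory);

        // 3. On success, store the identity in the session and return a session-backed
        //    Authentication. Credentials are deliberately not retained (null), so this
        //    example cannot re-login a session after passivation/activation.
        if (auth instanceof Authentication.User) {
            UserIdentity identity = ((Authentication.User) auth).getUserIdentity();
            Authentication.User sessionAuth =
                    new SessionAuthentication(getAuthMethod(), identity, null);
            request.getSession(true).setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
            return sessionAuth;
        }
        return auth;
    }
}
```

Wire it with security.setAuthenticator(new SessionCachingBasicAuthenticator()) on the ConstraintSecurityHandler. Two caveats: the session cookie is now a bearer credential, so it needs the Secure and HttpOnly flags and the endpoints need CSRF protection because browsers attach the cookie automatically; and since the credentials are not kept, a session that is passivated and reactivated cannot be re-logged in the way Jetty's SessionAuthentication does when it holds them.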
Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-03-23 Thread Wang Yicheng
Sorry for starting this email channel again.

We've successfully built our system with Jetty. Everything is great. The
system gains noticeable performance improvement. But we've been struggling
with role constraint.

Our system has 2 usage scenarios: 1) REST APIs and 2) using our own tool.
Thus the HTTP request for the former one is generated by the browser and
the latter is generated programmatically.

As our system doesn't need a realm and maintains role information itself,
I just removed the role constraint of the root URL from web.xml. It does
work for the second case. But browsers fail to open the URL, without a
prompt to ask for user names and passwords, just showing "logout". So I set
role-constraint as "**" to match all roles. Then browsers function
correctly but our tool is failing. The tool can log user in but any
following commands will log the user out.

I suspect it's because I didn't set any roles in the second case, and thus
an empty role cannot be matched to "**". I tried to add a role in
getUserInfo but it doesn't work. Could anyone help with this urgent issue?
Thanks!

FYI, this is what I set in web.xml for the role constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

jetty.xml
  

  

  my_login_module

  

  

getUserInfo in AbstractLoginModule
  @Override
  public UserInfo getUserInfo(String userName) throws Exception {
    List<String> roleNames = new ArrayList<>();
    roleNames.add("dummyrole");
    return new MSUserInfo(userName, null, roleNames);
  }

On Tue, Feb 25, 2020 at 12:45 AM Greg Wilkins  wrote:

>
> If you are using BASIC auth (or DIGEST which is a little more secure) then
> it is the responsibility of your client to send auth headers with every
> request and the server will validate every request from scratch and
> populate the auth fields of the request. Browsers do this by default, but
> it sounds like you are not using a browser.
>
> There are other methods such as FORM and OPENID that do an authentication
> conversation and leave the results in a session, so that all following
> requests in the same session are considered authenticated. Now by
> default FORM auth does use HTML pages to run a conversation, but ultimately
> it does not need those pages to do the auth, it just needs:
>
>- one GET request to establish a session (could be for anything and
>could get a 401 response)
>    - a POST request to "/j_security_check" with parameters "j_username"
>and "j_password"
>- all subsequent requests carrying the session cookie will then be
>authenticated.
>
> Ultimately our authenticators and authentications are pluggable and you
> can do all sorts of stuff.  It would not be hard to authenticate with
> BASIC, save that in a session and then all subsequent requests would be
> authenticated.
>
> The login module is used by all of these auth methods to check the
> credentials - either for every request or once to put in the session.  So
> it is orthogonal to the auth method used.
>
> Finally, Webtide LLC is available for commercial services and we can
> implement a custom auth mechanism for you as part of that if none of
> the standard mechanisms works for you and you don't want to customize
> yourself.
>
> cheers
>
>
> On Mon, 24 Feb 2020 at 23:46, Wang Yicheng 
> wrote:
>
>> Hi Greg,
>>
>> Yes, I've got the point that BASIC is bound to be stateless and works
>> without a session. And we did observe the authentication header in the first
>> request while the second one didn't carry it.
>>
>> I think our question is, we do need sessions to keep users logged in, but
>> we don't have HTML pages as FORM asks for. In this case, which
>> authentication method should we use? And I suppose all auth-methods support
>> JAAS customized login module right?
>>
>> Do apologize if any of my previous questions are vague or misleading :)
>>
>> On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins  wrote:
>>
>>> OK,
>>>
>>> so if you are using BASIC auth, then you don't need sessions, so we're
>>> barking up the wrong tree!
>>>
>>> Can you share the headers of your first and second requests?  Does the
>>> second request have the authentication header?
>>>
>>> cheers
>>>
>>>
>>>
>>> On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
>>> wrote:
>>>
 Sorry for the late reply. Yes we use BASIC as the authentication
 method. It works fine with WebLogic without extra configuration to create
 sessions. So I supposed Jetty would do the same at the beginning. The thing
 is our system doesn't have HTML pages as we only use the web server for
 remote communication.

 I've tried to change the <auth-method> to FORM in web.xml but it's
 prompting that the pages are needed. I simply put "/" for the login page
 and the error page but then the customized login module is not working
 properly. We have a servlet for domain "/" but it wouldn't return any HTML
 pages. I didn't get a 

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-25 Thread Greg Wilkins
If you are using BASIC auth (or DIGEST which is a little more secure) then
it is the responsibility of your client to send auth headers with every
request and the server will validate every request from scratch and
populate the auth fields of the request. Browsers do this by default, but
it sounds like you are not using a browser.

There are other methods such as FORM and OPENID that do an authentication
conversation and leave the results in a session, so that all following
requests in the same session are considered authenticated. Now by
default FORM auth does use HTML pages to run a conversation, but ultimately
it does not need those pages to do the auth, it just needs:

   - one GET request to establish a session (could be for anything and
   could get a 401 response)
   - a POST request to "/j_security_check" with parameters "j_username"
   and "j_password"
   - all subsequent requests carrying the session cookie will then be
   authenticated.

Ultimately our authenticators and authentications are pluggable and you can
do all sorts of stuff.  It would not be hard to authenticate with BASIC,
save that in a session and then all subsequent requests would be
authenticated.

The login module is used by all of these auth methods to check the
credentials - either for every request or once to put in the session.  So
it is orthogonal to the auth method used.

Finally, Webtide LLC is available for commercial services and we can
implement a custom auth mechanism for you as part of that if none of
the standard mechanisms works for you and you don't want to customize
yourself.

cheers


On Mon, 24 Feb 2020 at 23:46, Wang Yicheng 
wrote:

> Hi Greg,
>
> Yes, I've got the point that BASIC is bound to be stateless and works
> without a session. And we did observe the authentication header in the first
> request while the second one didn't carry it.
>
> I think our question is, we do need sessions to keep users logged in, but
> we don't have HTML pages as FORM asks for. In this case, which
> authentication method should we use? And I suppose all auth-methods support
> JAAS customized login module right?
>
> Do apologize if any of my previous questions are vague or misleading :)
>
> On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins  wrote:
>
>> OK,
>>
>> so if you are using BASIC auth, then you don't need sessions, so we're
>> barking up the wrong tree!
>>
>> Can you share the headers of your first and second requests?  Does the
>> second request have the authentication header?
>>
>> cheers
>>
>>
>>
>> On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
>> wrote:
>>
>>> Sorry for the late reply. Yes we use BASIC as the authentication method.
>>> It works fine with WebLogic without extra configuration to create sessions.
>>> So I supposed Jetty would do the same at the beginning. The thing is our
>>> system doesn't have HTML pages as we only use the web server for
>>> remote communication.
>>>
>>> I've tried to change the <auth-method> to FORM in web.xml but it's
>>> prompting that the pages are needed. I simply put "/" for the login page
>>> and the error page but then the customized login module is not working
>>> properly. We have a servlet for domain "/" but it wouldn't return any HTML
>>> pages. I didn't get a chance to do further investigation.
>>>
>>> Any suggestions would be appreciated!
>>>
>>> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:
>>>

 What auth mechanism are you using?
 BASIC and DIGEST send auth information with every request
 FORM stores the auth in the session.

 You can have other varieties (eg OPENID) which do either, but you need
 to set an authenticator to do whatever auth conversation you want to have.

 So tell us a bit more detail about your actual authentication mechanism.

 cheers




 On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:

> If you use BASIC authentication, every single request must contain the
> realm, username and password and is authenticated on reception - there is
> no concept of a session maintaining state.
>
> The form login page can be generated by a servlet, it doesn't have to
> be a static html resource.
>
> Jan
>
> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
> wrote:
>
>> Thanks Jan! The thing is, my project actually doesn't have any pages.
>> So, is it possible to have FORM authentication without login pages? Or does
>> it mean I should go with BASIC while creating sessions myself?
>>
>> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>>
>>> You need to set up what the authentication method is, ie the
>>> equivalent of the <auth-method> in web.xml.
>>> The default is basic authentication. If you want to use sessions to
>>> maintain the authentication state, then configure FORM authentication,
>>> either in web.xml or by setting an instance of
>>> 

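Greg's three steps above (a GET to obtain a session, a POST to /j_security_check with j_username and j_password, then requests carrying the session cookie), together with Jan's point earlier in the thread that the form login page can be generated by a servlet, can be wired up in embedded Jetty with no HTML at all. The following is an added example written for this page, not code from the thread or from the Jetty project. It assumes Jetty 9.4.x and stands in for the poster's JAAS login module with an in-memory HashLoginService (the user "alice" with password "s3cret" is made up); the login "page" is a servlet that answers 401 with a plain-text hint, and the constraint uses Constraint.ANY_AUTH, the programmatic form of <role-name>**</role-name> on /*.

```java
// Added example, not from the jetty-users thread or the Jetty code base.
// Embedded Jetty 9.4 with FORM authentication, a "**" constraint on /*, and a
// servlet-generated, non-HTML login page for programmatic clients.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

public class FormAuthWithoutPages {

    /** Protected endpoint: reached only when the session already carries an authentication. */
    static class ApiServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello " + req.getUserPrincipal().getName());
        }
    }

    /** The "login page": no HTML, just a 401 telling a programmatic client what to POST. */
    static class LoginServlet extends HttpServlet {
        @Override
        protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain");
            resp.getWriter().println(
                "POST j_username and j_password to /j_security_check, sending the session cookie");
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Sessions must be enabled: FORM auth stores the authentication in the session.
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new LoginServlet()), "/login");
        context.addServlet(new ServletHolder(new ApiServlet()), "/api/*");

        // In-memory users (made up); in the thread's setup a JAAS login module sits here instead.
        UserStore users = new UserStore();
        users.addUser("alice", Credential.getCredential("s3cret"), new String[] {"user"});
        HashLoginService loginService = new HashLoginService("demo");
        loginService.setUserStore(users);

        // Programmatic equivalent of <security-constraint> with <role-name>**</role-name> on /*:
        // any authenticated user, regardless of role.
        Constraint anyAuthenticated = new Constraint();
        anyAuthenticated.setName("all");
        anyAuthenticated.setAuthenticate(true);
        anyAuthenticated.setRoles(new String[] {Constraint.ANY_AUTH}); // "**"
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/*");
        mapping.setConstraint(anyAuthenticated);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setLoginService(loginService);
        security.addConstraintMapping(mapping);
        // dispatch=true: forward to /login instead of redirecting, so a non-browser client
        // receives the 401 (and the Set-Cookie) directly on its first request.
        security.setAuthenticator(new FormAuthenticator("/login", "/login", true));

        context.setSecurityHandler(security);
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

The client sequence is then: GET /api/anything (401 from LoginServlet, with a JSESSIONID Set-Cookie), POST j_username=alice&j_password=s3cret to /j_security_check with that cookie (Jetty answers with a redirect to the originally requested URI), then GET /api/anything with the cookie (200). One check worth building into the client: Jetty renews the session id on successful login, its default protection against session fixation, so the cookie to keep is the one returned by the /j_security_check response, not the one from the first GET; a client that keeps the old cookie is unauthenticated on its next request.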
Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-24 Thread Wang Yicheng
Hi Greg,

Yes, I've got the point that BASIC is bound to be stateless and works
without a session. And we did observe the authentication header in the first
request while the second one didn't carry it.

I think our question is, we do need sessions to keep users logged in, but
we don't have HTML pages as FORM asks for. In this case, which
authentication method should we use? And I suppose all auth-methods support
JAAS customized login module right?

Do apologize if any of my previous questions are vague or misleading :)

On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins  wrote:

> OK,
>
> so if you are using BASIC auth, then you don't need sessions, so we're
> barking up the wrong tree!
>
> Can you share the headers of your first and second requests?  Does the
> second request have the authentication header?
>
> cheers
>
>
>
> On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
> wrote:
>
>> Sorry for the late reply. Yes we use BASIC as the authentication method.
>> It works fine with WebLogic without extra configuration to create sessions.
>> So I supposed Jetty would do the same at the beginning. The thing is our
>> system doesn't have HTML pages as we only use the web server for
>> remote communication.
>>
>> I've tried to change the <auth-method> to FORM in web.xml but it's
>> prompting that the pages are needed. I simply put "/" for the login page
>> and the error page but then the customized login module is not working
>> properly. We have a servlet for domain "/" but it wouldn't return any HTML
>> pages. I didn't get a chance to do further investigation.
>>
>> Any suggestions would be appreciated!
>>
>> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:
>>
>>>
>>> What auth mechanism are you using?
>>> BASIC and DIGEST send auth information with every request
>>> FORM stores the auth in the session.
>>>
>>> You can have other varieties (eg OPENID) which do either, but you need
>>> to set an authenticator to do whatever auth conversation you want to have.
>>>
>>> So tell us a bit more detail about your actual authentication mechanism.
>>>
>>> cheers
>>>
>>>
>>>
>>>
>>> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>>>
 If you use BASIC authentication, every single request must contain the
 realm, username and password and is authenticated on reception - there is
 no concept of a session maintaining state.

 The form login page can be generated by a servlet, it doesn't have to
 be a static html resource.

 Jan

 On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
 wrote:

> Thanks Jan! The thing is, my project actually doesn't have any pages.
> So, is it possible to have FORM authentication without login pages? Or does
> it mean I should go with BASIC while creating sessions myself?
>
> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>
>> You need to set up what the authentication method is, ie the
>> equivalent of the <auth-method> in web.xml.
>> The default is basic authentication. If you want to use sessions to
>> maintain the authentication state, then configure FORM authentication,
>> either in web.xml or by setting an instance of
>> https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
>> on the SecurityHandler.
>>
>> Jan
>>
>> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
>> wrote:
>>
>>> Thanks Joakim!
>>>
>>> Yes, I do have a customized login module following the JAAS spec. So it
>>> seems the missing session is causing the problem. Then my question is: with
>>> the default configuration, does Jetty generate a session automatically for an
>>> authenticated user? Or is my code responsible for doing that?
>>>
>>> I actually published another question here which contains more details
>>> about my issue. Any help is highly appreciated!
>>>
>>> Best
>>>
>>> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
>>> wrote:
>>>
 If using Servlet authentication (or JAAS) the principal would be
 set.

 If you are using a 3rd party web library (like spring) then odds
 are you are not integrating with Servlet security.

 Joakim Erdfelt / joa...@webtide.com


 On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <
 wangyicheng1...@gmail.com> wrote:

> Hi team,
>
> My question is as the subject states. My issue is that the login request
> does have the principal by calling getUserPrincipal. But after logging in,
> the second request has a null principal. Besides, neither of the requests
> has sessions. So I'm wondering if Jetty uses session information to set the
> principal in the HTTP request. Do appreciate your help!

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-24 Thread Greg Wilkins
OK,

so if you are using BASIC auth, then you don't need sessions, so we're
barking up the wrong tree!

Can you share the headers of your first and second requests?  Does the
second request have the authentication header?

cheers



On Mon, 24 Feb 2020 at 20:21, Wang Yicheng 
wrote:

> Sorry for the late reply. Yes we use BASIC as the authentication method.
> It works fine with WebLogic without extra configuration to create sessions.
> So I supposed Jetty would do the same at the beginning. The thing is our
> system doesn't have HTML pages as we only use the web server for
> remote communication.
>
> I've tried to change the <auth-method> to FORM in web.xml but it's
> prompting that the pages are needed. I simply put "/" for the login page
> and the error page but then the customized login module is not working
> properly. We have a servlet for domain "/" but it wouldn't return any HTML
> pages. I didn't get a chance to do further investigation.
>
> Any suggestions would be appreciated!
>
> On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:
>
>>
>> What auth mechanism are you using?
>> BASIC and DIGEST send auth information with every request
>> FORM stores the auth in the session.
>>
>> You can have other varieties (eg OPENID) which do either, but you need to
>> set an authenticator to do whatever auth conversation you want to have.
>>
>> So tell us a bit more detail about your actual authentication mechanism.
>>
>> cheers
>>
>>
>>
>>
>> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>>
>>> If you use BASIC authentication, every single request must contain the
>>> realm, username and password and is authenticated on reception - there is
>>> no concept of a session maintaining state.
>>>
>>> The form login page can be generated by a servlet, it doesn't have to be
>>> a static html resource.
>>>
>>> Jan
>>>
>>> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
>>> wrote:
>>>
 Thanks Jan! The thing is, my project actually doesn't have any pages.
 So, is it possible to have FORM authentication without login pages? Or does
 it mean I should go with BASIC while creating sessions myself?

 On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:

> You need to set up what the authentication method is, ie the
> equivalent of the <auth-method> in web.xml.
> The default is basic authentication. If you want to use sessions to
> maintain the authentication state, then configure FORM authentication,
> either in web.xml or by setting an instance of
> https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
> on the SecurityHandler.
>
> Jan
>
> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
> wrote:
>
>> Thanks Joakim!
>>
>> Yes, I do have a customized login module following the JAAS spec. So it
>> seems the missing session is causing the problem. Then my question is: with
>> the default configuration, does Jetty generate a session automatically for an
>> authenticated user? Or is my code responsible for doing that?
>>
>> I actually published another question here which contains more details
>> about my issue. Any help is highly appreciated!
>>
>> Best
>>
>> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
>> wrote:
>>
>>> If using Servlet authentication (or JAAS) the principal would be set.
>>>
>>> If you are using a 3rd party web library (like spring) then odds are
>>> you are not integrating with Servlet security.
>>>
>>> Joakim Erdfelt / joa...@webtide.com
>>>
>>>
>>> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <
>>> wangyicheng1...@gmail.com> wrote:
>>>
 Hi team,

 My question is as the subject states. My issue is that the login request
 does have the principal by calling getUserPrincipal. But after logging in,
 the second request has a null principal. Besides, neither of the requests
 has sessions. So I'm wondering if Jetty uses session information to set the
 principal in the HTTP request. Do appreciate your help!

 Best



 --
 Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
 ___
 jetty-users mailing list
 jetty-users@eclipse.org
 To change your delivery options, retrieve your password, or
 unsubscribe from this list, visit
 https://www.eclipse.org/mailman/listinfo/jetty-users


Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-24 Thread Wang Yicheng
Sorry for the late reply. Yes we use BASIC as the authentication method. It
works fine with WebLogic without extra configuration to create sessions. So
I supposed Jetty would do the same at the beginning. The thing is our
system doesn't have HTML pages as we only use the web server for
remote communication.

I've tried to change the <auth-method> to FORM in web.xml but it's
prompting that the pages are needed. I simply put "/" for the login page
and the error page but then the customized login module is not working
properly. We have a servlet for domain "/" but it wouldn't return any HTML
pages. I didn't get a chance to do further investigation.

Any suggestions would be appreciated!

On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins  wrote:

>
> What auth mechanism are you using?
> BASIC and DIGEST send auth information with every request
> FORM stores the auth in the session.
>
> You can have other varieties (eg OPENID) which do either, but you need to
> set an authenticator to do whatever auth conversation you want to have.
>
> So tell us a bit more detail about your actual authentication mechanism.
>
> cheers
>
>
>
>
> On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:
>
>> If you use BASIC authentication, every single request must contain the
>> realm, username and password and is authenticated on reception - there is
>> no concept of a session maintaining state.
>>
>> The form login page can be generated by a servlet, it doesn't have to be
>> a static html resource.
>>
>> Jan
>>
>> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
>> wrote:
>>
>>> Thanks Jan! The thing is, my project actually doesn't have any pages.
>>> So, is it possible to have FORM authentication without login pages? Or does
>>> it mean I should go with BASIC while creating sessions myself?
>>>
>>> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>>>
 You need to set up what the authentication method is, ie the equivalent
 of the <auth-method> in web.xml. The default
 is basic authentication. If you want to use sessions to maintain the
 authentication state, then configure FORM authentication, either in web.xml
 or by setting an instance of
 https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
 on the SecurityHandler.

 Jan

 On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
 wrote:

> Thanks Joakim!
>
> Yes, I do have a customized login module following the JAAS spec. So it
> seems the missing session is causing the problem. Then my question is: with
> the default configuration, does Jetty generate a session automatically for an
> authenticated user? Or is my code responsible for doing that?
>
> I actually published another question here which contains more details
> about my issue. Any help is highly appreciated!
>
> Best
>
> On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
> wrote:
>
>> If using Servlet authentication (or JAAS) the principal would be set.
>>
>> If you are using a 3rd party web library (like spring) then odds are
>> you are not integrating with Servlet security.
>>
>> Joakim Erdfelt / joa...@webtide.com
>>
>>
>> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <
>> wangyicheng1...@gmail.com> wrote:
>>
>>> Hi team,
>>>
>>> My question is as the subject states. My issue is that the login request
>>> does have the principal by calling getUserPrincipal. But after logging in,
>>> the second request has a null principal. Besides, neither of the requests
>>> has sessions. So I'm wondering if Jetty uses session information to set the
>>> principal in the HTTP request. Do appreciate your help!
>>>
>>> Best
>>>
>>>
>>>
>>>
>



 --
 Jan Bartel 
 www.webtide.com
 *Expert assistance from the creators of Jetty and CometD*

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-23 Thread Greg Wilkins
What auth mechanism are you using?
BASIC and DIGEST send auth information with every request
FORM stores the auth in the session.

You can have other varieties (eg OPENID) which do either, but you need to
set an authenticator to do whatever auth conversation you want to have.

So tell us a bit more detail about your actual authentication mechanism.

cheers




On Wed, 19 Feb 2020 at 11:23, Jan Bartel  wrote:

> If you use BASIC authentication, every single request must contain the
> realm, username and password and is authenticated on reception - there is
> no concept of a session maintaining state.
>
> The form login page can be generated by a servlet, it doesn't have to be a
> static html resource.
>
> Jan
>
> On Tue, 18 Feb 2020 at 20:34, Wang Yicheng 
> wrote:
>
>> Thanks Jan! The thing is, my project actually doesn't have any pages. So,
>> is it possible to have FORM authentication without login pages? Or does it
>> mean I should go with BASIC while creating sessions myself?
>>
>> On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel  wrote:
>>
>>> You need to set up what the authentication method is, ie the equivalent
>>> of the <auth-method> in web.xml. The default
>>> is basic authentication. If you want to use sessions to maintain the
>>> authentication state, then configure FORM authentication, either in web.xml
>>> or by setting an instance of
>>> https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
>>> on the SecurityHandler.
>>>
>>> Jan
>>>
>>> On Mon, 10 Feb 2020 at 23:12, Wang Yicheng 
>>> wrote:
>>>
 Thanks Joakim!

 Yes, I do have a customized login module following the JAAS spec. So it
 seems the missing session is causing the problem. Then my question is: with
 the default configuration, does Jetty generate a session automatically for an
 authenticated user? Or is my code responsible for doing that?

 I actually published another question here which contains more details
 about my issue. Any help is highly appreciated!

 Best

 On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt 
 wrote:

> If using Servlet authentication (or JAAS) the principal would be set.
>
> If you are using a 3rd party web library (like spring) then odds are
> you are not integrating with Servlet security.
>
> Joakim Erdfelt / joa...@webtide.com
>
>
> On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <
> wangyicheng1...@gmail.com> wrote:
>
>> Hi team,
>>
>> My question is as the subject states. My issue is that the login request
>> does have the principal by calling getUserPrincipal. But after logging in,
>> the second request has a null principal. Besides, neither of the requests
>> has sessions. So I'm wondering if Jetty uses session information to set the
>> principal in the HTTP request. Do appreciate your help!
>>
>> Best
>>
>>
>>
>>

>>>
>>>
>>>
>>>
>>> ___
>>> jetty-users mailing list
>>> jetty-users@eclipse.org
>>> To change your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/jetty-users
>>
>> ___
>> jetty-users mailing list
>> jetty-users@eclipse.org
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
>
>
> --
> Jan Bartel 
> www.webtide.com
> *Expert assistance from the creators of Jetty and CometD*
>
> ___
> jetty-users mailing list
> jetty-users@eclipse.org
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> 

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-19 Thread Jan Bartel
If you use BASIC authentication, every single request must contain the
realm, username and password and is authenticated on reception - there is
no concept of a session maintaining state.

The form login page can be generated by a servlet; it doesn't have to be a
static HTML resource.

Jan



-- 
Jan Bartel 
www.webtide.com
*Expert assistance from the creators of Jetty and CometD*
___
jetty-users mailing list
jetty-users@eclipse.org
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-18 Thread Wang Yicheng
Thanks Jan! The thing is, my project actually doesn't have any pages. So,
is it possible to have FORM authentication without login pages? Or does it
mean I should go with BASIC while creating sessions myself?


Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-17 Thread Jan Bartel
You need to set up what the authentication method is, i.e. the equivalent of
the  in web.xml. The default is
basic authentication. If you want to use sessions to maintain the
authentication state, then configure FORM authentication, either in web.xml
or by setting an instance of
https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html
on the SecurityHandler.

Jan

-- 
Jan Bartel 
www.webtide.com
*Expert assistance from the creators of Jetty and CometD*
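One way to wire up what Jan describes here and in the 2020-02-19 reply above (a FormAuthenticator set on the SecurityHandler, and a login page generated by a servlet instead of a static file), as an added embedded-Jetty 9.4 example that is not code from the thread or from the Jetty project. The FormAuthExample class, the /login and /whoami paths, and the "alice" user with its password are constructed for the example; the poster's custom JAAS login module is stood in for by a HashLoginService.

```java
import java.io.IOException;
import javax.servlet.http.*;
import org.eclipse.jetty.security.*;
import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

public class FormAuthExample {
    // Login page generated by a servlet (assumed path /login): no static HTML resource is needed.
    public static class LoginServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/html;charset=utf-8");
            // j_security_check, j_username and j_password are the Servlet spec's FORM-auth contract.
            resp.getWriter().print("<form method='POST' action='j_security_check'><input name='j_username'>"
                + "<input type='password' name='j_password'><button>Login</button></form>");
        }
    }
    // Protected resource: with FORM auth Jetty restores the principal from the session on each request.
    public static class WhoAmIServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("principal=" + req.getUserPrincipal().getName() + " session=" + req.getSession(false).getId());
        }
    }
    public static void main(String[] args) throws Exception {
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.addServlet(LoginServlet.class, "/login");
        ctx.addServlet(WhoAmIServlet.class, "/whoami");
        // Constructed test user; a JAASLoginService wrapping a custom login module would replace this.
        UserStore users = new UserStore();
        users.addUser("alice", Credential.getCredential("constructed-password"), new String[] {"user"});
        HashLoginService loginService = new HashLoginService("demo");
        loginService.setUserStore(users);
        Constraint constraint = new Constraint(Constraint.__FORM_AUTH, Constraint.ANY_AUTH); // "**": any authenticated user
        constraint.setAuthenticate(true);
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/whoami");
        mapping.setConstraint(constraint);
        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setLoginService(loginService);
        security.setAuthenticator(new FormAuthenticator("/login", "/login?error=1", false));
        security.addConstraintMapping(mapping);
        ctx.setSecurityHandler(security);
        Server server = new Server(8080);
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

After a successful POST to /j_security_check, a browser (or any client that keeps the JSESSIONID cookie) gets a non-null principal on every later request to /whoami; with BASIC auth instead, the client itself has to resend the Authorization header each time.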

Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-10 Thread Wang Yicheng
Thanks Joakim!

Yes, I do have a customized login module following the JAAS spec. So it seems
the missing session is causing the problem. Then my question is: with the
default configuration, does Jetty generate a session automatically for an
authenticated user? Or is my code responsible for doing that?

I actually published another question here, which contains more details
about my issue. Any help is highly appreciated!

Best


Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

2020-02-10 Thread Joakim Erdfelt
If using Servlet authentication (or JAAS) the principal would be set.

If you are using a 3rd party web library (like spring) then odds are you
are not integrating with Servlet security.

Joakim Erdfelt / joa...@webtide.com


On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang 
wrote:

> Hi team,
>
> My question is as the subject states. My issue is that the login request
> does have the principal by calling getUserPrincipal. But after logging in,
> the second request has a null principal. Besides, neither of the requests
> has a session. So I'm wondering if Jetty uses session information to set
> the principal in the HTTP request. Do appreciate your help!
>
> Best
>
>
>
> --
> Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html