HttpContext.handleSecurity returns SC_FORBIDDEN unless response is committed
---------------------------------------------------------------------------
Key: FELIX-2768
URL: https://issues.apache.org/jira/browse/FELIX-2768
Project: Felix
Issue Type: Bug
Components: HTTP Service
Reporter: Derek Baum
The JavaDoc for HttpContext.handleSecurity states:
    * If the request requires authentication and the Authorization header in
    * the request is missing or not acceptable, then this method should set the
    * WWW-Authenticate header in the response object, set the status in the
    * response object to Unauthorized(401) and return <code>false</code>
So the following implementation of handleSecurity() should cause an
UNAUTHORIZED response:
    response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return false;
This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in
org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
Examining the implementation:
org/apache/felix/http/base/internal/handler/ServletHandler.java:
    if (!getContext().handleSecurity(req, res)) {
        if (!res.isCommitted()) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
which means that SC_FORBIDDEN is always returned, unless the response is
committed.
In order to commit the response, response.flushBuffer() must be called in the
handleSecurity() implementation after setting the response code to
unauthorized. However, the JavaDoc for HttpContext does not indicate that it is
necessary to commit the response.
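For reference, here is an added HttpContext implementation (not code from the issue or from Felix) showing the workaround the report describes: a Basic-auth check that, on failure, sets WWW-Authenticate and 401 and then calls flushBuffer() so the response is already committed when ServletHandler inspects it. The class name, the single hard-coded credential and the null-returning getResource/getMimeType are assumptions for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;

// Hypothetical context: one configured "user:password" pair (a real deployment
// would consult a credential store); realm string taken from the report above.
public class BasicAuthHttpContext implements HttpContext {
    private static final String REALM = "Secure Moixa Energy Gateway";
    private final byte[] expected;

    public BasicAuthHttpContext(String user, String password) {
        this.expected = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            byte[] presented;
            try {
                presented = Base64.getDecoder().decode(header.substring(6).trim());
            } catch (IllegalArgumentException e) {
                presented = new byte[0]; // malformed base64 is treated as a bad credential
            }
            // Constant-time comparison so response timing does not leak how much matched.
            if (MessageDigest.isEqual(presented, expected)) {
                return true; // authenticated: let the servlet handle the request
            }
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Workaround for the behaviour reported here: committing the response makes
        // res.isCommitted() true in ServletHandler, so the 401 is not replaced by a 403.
        response.flushBuffer();
        return false;
    }

    @Override
    public URL getResource(String name) { return null; } // assumption: servlets only, no static resources

    @Override
    public String getMimeType(String name) { return null; } // assumption: let the container decide
}
```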
--
This message is automatically generated by JIRA.