[ https://issues.apache.org/jira/browse/FELIX-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12979026#action_12979026 ]

Felix Meschberger commented on FELIX-2768:
------------------------------------------

I also ran into this issue a few times ...

I think the problem that the ServletHandler tries to solve is to send back a 
sensible error instead of a successful 200 response in case the HttpContext 
did not send a response.

Maybe the doHandle method should be modified like this:

    res.setStatus(HttpServletResponse.SC_FORBIDDEN);
    if (getContext().handleSecurity(req, res)) { 
       res.setStatus(HttpServletResponse.SC_OK); // default back to OK
       servlet.service(...)
    }

This would ensure the request is terminated with 403 unless the handleSecurity 
method returning false has set a different status.

WDYT ?

> HttpContext.handleSecurity returns SC_FORBIDDEN unless response is committed
> ----------------------------------------------------------------------------
>
>                 Key: FELIX-2768
>                 URL: https://issues.apache.org/jira/browse/FELIX-2768
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.0.4
>            Reporter: Derek Baum
>
> The JavaDoc for HttpContext.handleSecurity states:
>        * If the request requires authentication and the Authorization header in
>        * the request is missing or not acceptable, then this method should set the
>        * WWW-Authenticate header in the response object, set the status in the
>        * response object to Unauthorized(401) and return <code>false</code>
> So the following implementation of handleSecurity() should cause an 
> UNAUTHORIZED response:
>                 response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
>                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>                 return false;
> This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in 
> org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
> Examining the implementation: 
> org/apache/felix/http/base/internal/handler/ServletHandler.java:
>         if (!getContext().handleSecurity(req, res)) {
>             if (!res.isCommitted()) {
>                 res.sendError(HttpServletResponse.SC_FORBIDDEN);
>             }
>         } 
> which means that SC_FORBIDDEN is always returned, unless the response is 
> committed.
> In order to commit the response, response.flushBuffer() must be called in the 
> handleSecurity() implementation after setting the response code to 
> unauthorized. Howver, the JavaDoc for HttpContext does not indicate that it 
> is necessary to commit the response.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
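
The following is an added example, not code from the Felix project or from either participant. It models the two dispatch variants discussed above (the ServletHandler logic quoted in the issue and the change proposed in the comment) against a hypothetical stand-in for HttpServletResponse, so the final status can be compared for several constructed handleSecurity() implementations without a servlet container. The class name `HandleSecurityStatusDemo`, the `Res` class and the handler labels are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

public class HandleSecurityStatusDemo {
    // Hypothetical stand-in for HttpServletResponse: only status and committed state.
    static class Res {
        int status = 200;
        boolean committed;
        void setStatus(int sc) { if (!committed) status = sc; } // ignored once committed
        void sendError(int sc) { status = sc; committed = true; }
        void flushBuffer() { committed = true; }
        boolean isCommitted() { return committed; }
    }

    // Logic quoted in the issue from ServletHandler (http-2.0.4).
    static int current(Predicate<Res> handleSecurity) {
        Res res = new Res();
        if (!handleSecurity.test(res)) {
            if (!res.isCommitted()) {
                res.sendError(403); // overwrites any status the context set
            }
        }
        return res.status;
    }

    // Logic proposed in the comment: default to 403, reset to 200 only on success.
    static int proposed(Predicate<Res> handleSecurity) {
        Res res = new Res();
        res.setStatus(403);
        if (handleSecurity.test(res)) {
            res.setStatus(200); // servlet.service(...) would run here
        }
        return res.status;
    }

    public static void main(String[] args) {
        Map<String, Predicate<Res>> contexts = new LinkedHashMap<>();
        // Constructed handleSecurity() variants; the labels are illustrative.
        contexts.put("401 as documented", r -> { r.setStatus(401); return false; });
        contexts.put("401 + flushBuffer", r -> { r.setStatus(401); r.flushBuffer(); return false; });
        contexts.put("deny, no status", r -> false);
        contexts.put("allow", r -> true);
        contexts.forEach((name, ctx) -> System.out.printf(
            "%-18s current=%d proposed=%d%n", name, current(ctx), proposed(ctx)));
    }
}
```

The row to compare is the first one: a context that follows the JavaDoc and sets 401 without committing keeps that status only under the proposed logic, which matters because a client that receives 403 instead of 401 with WWW-Authenticate is never prompted for credentials.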
