[
https://issues.apache.org/jira/browse/FELIX-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved FELIX-2768.
--------------------------------------
Resolution: Fixed
Fix Version/s: http-2.0.6
Assignee: Felix Meschberger
Fixed in Rev. 1056878
> HttpContext.handleSecurity returns SC_FORBIDDEN unless response is committed
> ----------------------------------------------------------------------------
>
> Key: FELIX-2768
> URL: https://issues.apache.org/jira/browse/FELIX-2768
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.0.4
> Reporter: Derek Baum
> Assignee: Felix Meschberger
> Fix For: http-2.0.6
>
>
> The JavaDoc for HttpContext.handleSecurity states:
> * If the request requires authentication and the Authorization header in
> * the request is missing or not acceptable, then this method should set the
> * WWW-Authenticate header in the response object, set the status in the
> * response object to Unauthorized(401) and return <code>false</code>
> So the following implementation of handleSecurity() should cause an
> UNAUTHORIZED response:
> response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
> response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> return false;
> This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in
> org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
> Examining the implementation:
> org/apache/felix/http/base/internal/handler/ServletHandler.java:
> if (!getContext().handleSecurity(req, res)) {
>     if (!res.isCommitted()) {
>         res.sendError(HttpServletResponse.SC_FORBIDDEN);
>     }
> }
> which means that SC_FORBIDDEN is always returned, unless the response is
> committed.
> In order to commit the response, response.flushBuffer() must be called in the
> handleSecurity() implementation after setting the response code to
> unauthorized. Howver, the JavaDoc for HttpContext does not indicate that it
> is necessary to commit the response.
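The workaround described in the report for http-2.0.4, written out as an added example (not part of the original message and not Felix code): an HttpContext that issues the Basic challenge and commits the response so the 401 survives the isCommitted() check. It assumes Java 8+ with the servlet and OSGi HTTP Service APIs on the classpath; the class name BasicAuthContext and its constructor parameters are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;

// Hypothetical class; illustrates the behaviour discussed in FELIX-2768.
public class BasicAuthContext implements HttpContext {
    private final String realm;
    private final byte[] expected; // "user:password" bytes supplied by the deployer

    public BasicAuthContext(String realm, String user, String password) {
        this.realm = realm;
        this.expected = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public boolean handleSecurity(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] supplied = Base64.getDecoder().decode(header.substring(6).trim());
                // Constant-time comparison of the decoded credentials.
                if (MessageDigest.isEqual(supplied, expected)) {
                    return true;
                }
            } catch (IllegalArgumentException malformedBase64) {
                // Malformed header: fall through to the challenge.
            }
        }
        // Challenge as the HttpContext JavaDoc describes ...
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // ... then commit, so the isCommitted() check quoted from the http-2.0.4
        // ServletHandler does not replace the 401 with sendError(SC_FORBIDDEN).
        res.flushBuffer();
        return false;
    }

    @Override
    public URL getResource(String name) { return null; }

    @Override
    public String getMimeType(String name) { return null; }
}
```

Without the flushBuffer() call, the quoted http-2.0.4 handler answers 403 and the client never sees the WWW-Authenticate challenge.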