Re: [jetty-users] Basic Authenticator response to OPTIONS request with 401

Sun, 12 May 2019 08:51:21 -0700 

You'll use the <security-constraint> section in your WEB-INF/web.xml,
specifically the <web-resource-collection> and one of (or a combination of)
the two options <http-method> or <http-method-omission>.

Here's an example from the Jetty webdefault.xml for disabling TRACE, but
enabling everything other http method.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Enable everything but TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method-omission>TRACE</http-method-omission>
    </web-resource-collection>
  </security-constraint>

Joakim Erdfelt / [email protected]


On Sat, May 11, 2019 at 5:23 AM Gregor Jarisch <[email protected]> wrote:

> Hi Joakim,
>
> yes, I had the same thought, it would be great to avoid running through
> the Authenticator on OPTIONS, but how?
> I haven't found an option to do that in jetty.
>
> Gregor
>
> Gregor Jarisch
> *Head of Research & Development*
> *Labs.ai Technology GmbH*
> m: +43 699 1 822 74 47
> w: www.labs.ai e: [email protected]
>
> ------ Original Message ------
> From: "Joakim Erdfelt" <[email protected]>
> To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing list" <
> [email protected]>
> Sent: 05/10/2019 5:25:19 PM
> Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS request
> with 401
>
> Perhaps its best to not have OPTIONS covered by Authentication?
>
> The problem is that standard Servlet Authentication is early, super early,
> before any filter or servlet is called early.
>
> Joakim Erdfelt / [email protected]
>
>
> On Fri, May 10, 2019 at 10:20 AM Gregor Jarisch <[email protected]>
> wrote:
>
>> Hi,
>>
>> when using the CORS Filter + Basic Authentication, jetty returns a 401
>> when a client makes an OPTIONS call.
>> Within the CORS Filter the preflight handling is done correctly, however,
>> it never gets there because jetty returns the 401 before hand.
>>
>> Is there any way to let the CORS Filter handle the request first?
>>
>> My current workaround is overriding the verify method and exclude the
>> setting of 401 if method is OPTIONS. This workaround feels not right
>> though..
>>
>> Gregor
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
>
>

_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Reply via email to