[ https://issues.apache.org/jira/browse/FELIX-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12979114#action_12979114 ]

Derek Baum commented on FELIX-2768:
-----------------------------------

I've only come across this recently (since switching to 2.0.4). Incidentally, 
it took me a while to find the correct source code, since there's an http.jetty 
directory under the felix trunk, while the code for http.jetty is just under 
the http directory.

Yes, it looks like the change you suggest would resolve this problem.
> HttpContext.handleSecurity returns SC_FORBIDDEN unless response is committed
> ---------------------------------------------------------------------------
>
>                 Key: FELIX-2768
>                 URL: https://issues.apache.org/jira/browse/FELIX-2768
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.0.4
>            Reporter: Derek Baum
>
> The JavaDoc for HttpContext.handleSecurity states:
>        * If the request requires authentication and the Authorization header in
>        * the request is missing or not acceptable, then this method should set the
>        * WWW-Authenticate header in the response object, set the status in the
>        * response object to Unauthorized(401) and return <code>false</code>
> So the following implementation of handleSecurity() should cause an
> UNAUTHORIZED response:
>                 response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
>                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>                 return false;
> This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in 
> org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
> Examining the implementation: 
> org/apache/felix/http/base/internal/handler/ServletHandler.java:
>         if (!getContext().handleSecurity(req, res)) {
>             if (!res.isCommitted()) {
>                 res.sendError(HttpServletResponse.SC_FORBIDDEN);
>             }
>         } 
> which means that SC_FORBIDDEN is always returned, unless the response is 
> committed.
> In order to commit the response, response.flushBuffer() must be called in the 
> handleSecurity() implementation after setting the response code to 
> unauthorized. However, the JavaDoc for HttpContext does not indicate that it 
> is necessary to commit the response.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
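As an added illustration (not code from the report or from the Felix project), an HttpContext implementation that applies the workaround the report describes: it challenges with 401 and calls flushBuffer() so the response is already committed when ServletHandler reaches its SC_FORBIDDEN fallback. The realm, user and password are constructed values, and the Base64 decoding with a constant-time comparison is this example's own choice of credential check.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;

// HttpContext that issues a Basic challenge and commits the 401 response, so the
// http.jetty 2.0.4 ServletHandler fallback (sendError(SC_FORBIDDEN) when the
// response is not yet committed) cannot replace the status set here.
public class BasicAuthHttpContext implements HttpContext {
    private final String realm;
    private final byte[] expectedCredentials; // "user:password", as the client sends it

    // Realm and credentials are constructed for this example, not taken from the report.
    public BasicAuthHttpContext(String realm, String user, String password) {
        this.realm = realm;
        this.expectedCredentials = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
    }

    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String header = request.getHeader("Authorization");
        if (header != null && credentialsMatch(header)) {
            // The HttpContext contract lets the context expose the auth type to the servlet.
            request.setAttribute(HttpContext.AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH);
            return true;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Workaround from the report: commit the response so isCommitted() is true
        // and ServletHandler does not overwrite the 401 with 403.
        response.flushBuffer();
        return false;
    }

    // Decodes "Basic base64(user:password)" and compares in constant time.
    private boolean credentialsMatch(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        try {
            byte[] decoded = Base64.getDecoder().decode(header.substring(6).trim());
            return MessageDigest.isEqual(decoded, expectedCredentials);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64 is treated as no credentials
        }
    }

    public URL getResource(String name) { return getClass().getResource(name); }
    public String getMimeType(String name) { return null; }
}
```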
