Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Does Jetty Uses Session to Set the Principal in HTTP Request

If you are using BASIC auth (or DIGEST which is a little more secure) then it is the responsibility of your client to send auth headers with every request and the server will validate every request from scratch and populate the auth fields of the request.  Browsers do this by default. but it sounds like you are not using a browser.

There are other methods such as FORM and OPENID that do an authentication conversation and leave the results in a session, so that all following requests in the same session are considered authenticated.    Now by default FORM auth does use HTML pages to run a conversation, but ultimately it does not need those pages to do the auth, it just needs:
  • one GET request to establish a session (could be for anything and could get a 401 response)
  • a POST request to  "/j_security_check" with parameters "j_username" and "j_password"
  • all subsequent requests carrying the session cookie will then be authenticated.
Ultimately our authenticators and authentications are pluggable and you can do all sorts of stuff.  It would not be hard to authenticate with BASIC, save that in a session and then all subsequent requests would be authenticated.

The login module is used by all of these auth methods to check the credentials - either for every request or once to put in the session.  So it is orthogonal to the auth method used.

Finally,  Webtide LLC is available for commercial services and we can implement a custom auth mechanism for you as part of that.... if none of the standard mechanisms works for you and  you don 't want to customize yourself.

cheers


On Mon, 24 Feb 2020 at 23:46, Wang Yicheng <wangyicheng1209@xxxxxxxxx> wrote:
Hi Greg,

Yes, I've got the point that BASIC is bound to be stateless and work without session. And we did observe the authentication header in the first request while the second one didn't carry it.

I think our question is, we do need sessions to keep users logged in, but we don't have HTML pages as FORM asks for. In this case, which authentication method should we use? And I suppose all auth-methods support JAAS customized login module right?

Do apologize if any of my previous questions are vague or misleading :)

On Mon, Feb 24, 2020 at 2:04 PM Greg Wilkins <gregw@xxxxxxxxxxx> wrote:
OK,

so if you are using BASIC auth, then you don't need sessions, so we're barking up the wrong tree!

Can you share the headers of  your first and second requests?  Does the second request have the authentication header?

cheers



On Mon, 24 Feb 2020 at 20:21, Wang Yicheng <wangyicheng1209@xxxxxxxxx> wrote:
Sorry for the late reply. Yes we use BASIC as the authentication method. It works fine with WebLogic without extra configuration to create sessions. So I supposed Jetty would do the same at the beginning. The thing is our system doesn't have HTML pages as we only use the web server for remote communication.

I've tried to change the <auth-method> to FORM in web.xml but it's prompting that the pages are needed. I simply put "/" for the login page and the error page but then the customized login module is not working properly. We have a servlet for domain "/" but it wouldn't return any HTML pages. I didn't get a chance to do further investigation.

Any suggestions would be appreciated!

On Sun, Feb 23, 2020 at 10:02 AM Greg Wilkins <gregw@xxxxxxxxxxx> wrote:

What auth mechanism are you using?
BASIC and DIGEST send auth information with every request
FORM stores the auth in the session.

You can have other varieties (eg OPENID) which do either, but you need to set an authenticator to do whatever auth conversation you want to have.

So tell us a bit more detail about your actual authentication mechanism.

cheers




On Wed, 19 Feb 2020 at 11:23, Jan Bartel <janb@xxxxxxxxxxx> wrote:
If you use BASIC authentication, every single request must contain the realm, username and password and is authenticated on reception - there is no concept of a session maintaining state.

The form login page can be generated by a servlet, it doesn't have to be a static html resource.

Jan

On Tue, 18 Feb 2020 at 20:34, Wang Yicheng <wangyicheng1209@xxxxxxxxx> wrote:
Thanks Jan! The thing is, my project actually doesn't have any pages. So, is it possible to have FORM authentication without login pages? Or does it mean I should go with BASIC while create sessions myself?

On Mon, Feb 17, 2020 at 2:16 AM Jan Bartel <janb@xxxxxxxxxxx> wrote:
You need to set up what the authentication method is, ie the equivalent of the <login-config><auth-method/></login-config> in web.xml. The default is basic authentication. If you want to use sessions to maintain the authentication state, then configure FORM authentication, either in web.xml or by setting an instance of https://www.eclipse.org/jetty/javadoc/9.4.26.v20200117/org/eclipse/jetty/security/authentication/FormAuthenticator.html on the SecurityHandler.

Jan

On Mon, 10 Feb 2020 at 23:12, Wang Yicheng <wangyicheng1209@xxxxxxxxx> wrote:
Thanks Joakim!

Yes I do have a customized login module following JAAS spec. So it seems the missing session is causing the problem. Then my question is: With default configuration, does Jetty generate session automatically for authenticated user? Or is my code responsible for doing that?

I actually published another question here which contains more details about my issue. Any help is highly appreciated!

Best

On Mon, Feb 10, 2020 at 1:11 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
If using Servlet authentication (or JAAS) the principal would be set.

If you are using a 3rd party web library (like spring) then odds are you are not integrating with Servlet security.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Feb 10, 2020 at 2:05 PM Yicheng Wang <wangyicheng1209@xxxxxxxxx> wrote:
Hi team,

My question is as the subject state. My issue is the login request does have
the principal by calling getUserPrincipal. But after logging in, the second
request has a null principal. Besides, neither of the requests have
sessions. So I'm wondering if Jetty uses session information to set the
principal in HTTP request. Do appreciate your help!

Best



--
Sent from: http://jetty.4.x6.nabble.com/Jetty-User-f3247280.html
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

Back to the top