Sorry for starting this email channel again.
We've successfully built our system with Jetty. Everything is great: the system gains a noticeable performance improvement. But we've been struggling with role constraints.
Our system has two usage scenarios: 1) REST APIs and 2) using our own tool. Thus the HTTP requests for the former are generated by the browser and those for the latter are generated programmatically.
As our system doesn't need a realm and maintains role information itself, I just removed the role constraint for the root URL from web.xml. It does work for the second case. But browsers fail to open the URL, without a prompt asking for user name and password, just showing "logout". So I set the role constraint to "**" to match all roles. Then browsers function correctly but our tool fails. The tool can log the user in, but any following commands log the user out.
I suspect it's because I didn't set any roles in the second case, and thus an empty role cannot be matched to "**". I tried to add a role in getUserInfo but it doesn't work. Could anyone help with this urgent issue? Thanks!
FYI, this is what I set in web.xml for the role constraint:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>**</role-name>
  </auth-constraint>
</security-constraint>
jetty.xml:
<Set name="securityHandler">
  <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.jaas.JAASLoginService">
        <Set name="loginModuleName">my_login_module</Set>
      </New>
    </Set>
  </New>
</Set>
getUserInfo in AbstractLoginModule:
@Override
public UserInfo getUserInfo(String userName) throws Exception {
    // Roles returned here become the roles of the authenticated UserIdentity.
    List<String> roleNames = new ArrayList<>();
    roleNames.add("dummyrole");
    // MSUserInfo is our own UserInfo subclass; no credential is supplied (null).
    return new MSUserInfo(userName, null, roleNames);
}
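As an added illustration (not code from the original email, and not Jetty's own documentation), the following embedded Jetty 9.4 program shows how the "**" role-name in the web.xml above is evaluated by ConstraintSecurityHandler: "**" (Constraint.ANY_AUTH) is satisfied by any authenticated user, even one whose role list is empty, whereas a named role is only satisfied by a user that actually holds it. The user names, passwords, paths and the WhoAmI servlet are constructed for the demo; it assumes jetty-server, jetty-security and jetty-servlet 9.4.x on the classpath.

```java
// Added example, not part of the original email: embedded Jetty 9.4 server
// demonstrating Servlet 3.1 "**" (Constraint.ANY_AUTH) versus a named role.
// Assumes jetty-server, jetty-security and jetty-servlet 9.4.x on the classpath.
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

public class AnyAuthDemo {

    // One security-constraint for one url-pattern: authenticate, then require the roles.
    // This is the programmatic equivalent of the <security-constraint> in web.xml.
    static ConstraintMapping mapping(String pathSpec, String... roles) {
        Constraint c = new Constraint();
        c.setName(pathSpec);
        c.setAuthenticate(true);
        c.setRoles(roles);
        ConstraintMapping m = new ConstraintMapping();
        m.setPathSpec(pathSpec);
        m.setConstraint(c);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory users (hypothetical): "tool" has no roles at all,
        // "alice" holds the "admin" role. A JAASLoginService would play the same part.
        UserStore users = new UserStore();
        users.addUser("tool", Credential.getCredential("tool-secret"), new String[0]);
        users.addUser("alice", Credential.getCredential("alice-secret"), new String[] {"admin"});
        HashLoginService login = new HashLoginService("demo");
        login.setUserStore(users);

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setLoginService(login);
        // Equivalent of <login-config><auth-method>BASIC</auth-method></login-config>:
        // without an authenticator the handler cannot challenge, so browsers never get a prompt.
        security.setAuthenticator(new BasicAuthenticator());
        security.setConstraintMappings(Arrays.asList(
            // "**": any authenticated user, regardless of roles. "tool" (no roles) passes.
            mapping("/*", Constraint.ANY_AUTH),
            // Least privilege for the sensitive part: a named role is required.
            // "tool" is authenticated but gets 403 here; "alice" passes.
            mapping("/admin/*", "admin")));

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(security);
        context.addServlet(new ServletHolder(new WhoAmI()), "/*");

        Server server = new Server(8080);
        server.setHandler(context);
        server.start();
        server.join();
    }

    // Reports who reached the servlet; whether it is reached at all is decided
    // by the security handler above, not by this code.
    static class WhoAmI extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("user=" + req.getRemoteUser()
                + " admin=" + req.isUserInRole("admin")
                + " path=" + req.getRequestURI());
        }
    }
}
```

With the server running, an unauthenticated request to any path is answered 401 with a WWW-Authenticate challenge (which is what makes a browser show its prompt), `curl -u tool:tool-secret http://localhost:8080/` returns 200 even though that user has no roles, and `curl -u tool:tool-secret http://localhost:8080/admin/x` returns 403 while the same request as alice returns 200. Because BASIC credentials travel in the Authorization header of every request, a programmatic client that does not retain the session cookie still stays authenticated as long as it sends that header each time.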