Re: [jetty-users] FormAuthenticator redirects with a connector behind ex

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Mon, 3 May 2021 13:01:53 -0500
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

What is the configuration of your ServerConnectors, and the HttpConfiguration + SecureRequestCustomizer settings on those connectors?

Chances are you just haven't set that up properly for your environment.

The HttpConfiguration needs to be setup properly to point to the external TLS layer.

Optionally, the SecureRequestCustomizer needs to be present and possibly configured to use the Forwarding header that your TLS layer could be adding to the request.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, May 3, 2021 at 12:30 PM Steven Schlansker <stevenschlansker@xxxxxxxxx> wrote:

Hi again jetty-users,

I'm still stuck on this problem. Has anyone done something similar, or have a resource to suggest I could dig deeper to answer my own question?
I'm so close to having the authentication flow work, this is the last non-working bit...

Thanks,
Steven

On Mon, Apr 26, 2021 at 2:48 PM Steven Schlansker <stevenschlansker@xxxxxxxxx> wrote:
Hi jetty-users, happy Monday :)
I am trying to configure FormAuthenticator in Jetty 9.4.40 on a server that serves HTTP terminated behind an external load balancer handling the TLS termination.

Everything works fine in testing, but when it is behind the external TLS termination, Jetty serves up 303 See Other responses to e.g. the login page with an absolute http url, which redirects the user away from the secure site. The FormAuthenticator seems to allow me to customize the path to the form and error page, but not the scheme.

I tried attaching ForwardedRequestCustomizer to see if parsing the forwarding headers would help, but it did not seem to change anything.

I tried using FormAuthenticator dispatch mode instead of redirect, but that caused all server responses to 404 for reasons I didn't really understand, so I gave up on that pretty quick.

What's the right way to configure FormAuthenticator or its connector in embedded jetty to preserve the https nature of the site, even when Jetty doesn't do TLS termination? I can't help but feel this should be answered on Google but I must be searching for the wrong thing...

I've attached my handler setup below in case that helps.
Thanks for any advice,
Steven

final var securityHandler = new ConstraintSecurityHandler();
securityHandler.setLoginService(loginService);
securityHandler.addRole("ws");

final var constraintMapping = new ConstraintMapping();
final var constraint = new Constraint(Constraint.__FORM_AUTH, "ws");
constraint.setAuthenticate(true);
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");

securityHandler.addConstraintMapping(constraintMapping);

final var noAuth = new Constraint();
noAuth.setName(Constraint.NONE);
final String loginPath = "/login";
final String loginErrPath = loginPath + "/error";
for (final var exclude : new String[] { "/favicon.ico", "/health", "/health/*", loginPath, loginErrPath }) {
final var noAuthMapping = new ConstraintMapping();
noAuthMapping.setConstraint(noAuth);
noAuthMapping.setPathSpec(exclude);
securityHandler.addConstraintMapping(noAuthMapping);
}
securityHandler.setHandler(servletContextHandler);

securityHandler.setAuthenticator(new FormAuthenticator(loginPath, loginErrPath, false));

final var sessionHandler = new SessionHandler();
sessionHandler.setHandler(securityHandler);
sessionHandler.setMaxInactiveInterval((int) Duration.ofDays(7).toSeconds());

final var sessionSchema = new SessionTableSchema();
sessionSchema.setTableName("JettySessions_" + serviceName);

final var dbAdapt = new DatabaseAdaptor();
dbAdapt.setDatasource(ds);

final var dataStoreFactory = new JDBCSessionDataStoreFactory();
dataStoreFactory.setGracePeriodSec((int) Duration.ofDays(7).toSeconds());
dataStoreFactory.setSessionTableSchema(sessionSchema);
dataStoreFactory.setDatabaseAdaptor(dbAdapt);
server.addBean(dataStoreFactory);

final var sessionIdMgr = new DefaultSessionIdManager(server);
sessionIdMgr.setWorkerName(GraphiteTags.pod());
server.setSessionIdManager(sessionIdMgr);

return sessionHandler;

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users

Follow-Ups:
- Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
  - From: Steven Schlansker

References:
- [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
  - From: Steven Schlansker
- Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
  - From: Steven Schlansker

Prev by Date: Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
Next by Date: Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
Previous by thread: Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
Next by thread: Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS
Index(es):
- Date
- Thread

Breadcrumbs