Re: [jetty-users] Unable to Authenticate Session with Cookie in Jetty 12

Hi, 

I wanted to follow up on this to see if anyone was able to provide some help.

I also missed one of your questions - "Does curl send the cookie with the request that gets the 401 response?"

Yes, we send the cookie with curl and get the 401 response. The same thing happens when we send the message in Java, using the CookieManager and CookieStore classes to handle cookies for us. 

Thanks! 
Shan Parikh

On Wed, Dec 4, 2024 at 12:11 PM Shan Parikh <ssp237@xxxxxxxxxxx> wrote:
Hi, 

I wanted to follow up on this with some more information. 

We found that Jetty is actually accepting the cookie, but is then looking for the Authorization field from the request header, which is empty. See the logs below: 

2024-11-28 01:11:40.627:DEBUG:oejs.AbstractSessionManager:qtp990398217-27: Got Session IDs [<session>.node0] from cookies 1
2024-11-28 01:11:40.627:DEBUG:oejs.ManagedSession:qtp990398217-27: Session <session> in use, stopping timer, active requests=1
2024-11-28 01:11:40.627:DEBUG:oejs.SessionInactivityTimer:qtp990398217-27: Cancelled timer for session <session>
2024-11-28 01:11:40.627:DEBUG:oejs.SessionData:qtp990398217-27: Testing expiry on session <session>: expires at 1732770699429 now 1732756300627 maxIdle 14400000
2024-11-28 01:11:40.627:DEBUG:oejs.AbstractSessionManager:qtp990398217-27: Selected session ManagedSession@3ed13a48{id=node0wnpxvxn4oz86ni6ea6e6olu31,x=<session>.node0,req=1,res=true}
2024-11-28 01:11:40.627:DEBUG:oejs.SessionData:qtp990398217-27: Testing expiry on session <session>: expires at 1732770700627 now 1732756300627 maxIdle 14400000
2024-11-28 01:11:40.627:DEBUG:oejs.SecurityHandler:qtp990398217-27: getConstraint(/cell/list) -> Constraint@16eedee2{exa_rsc,ANY,ANY_USER,[]}
2024-11-28 01:11:40.627:DEBUG:oejs.SecurityHandler:qtp990398217-27: constraintAuthorization ANY_USER
2024-11-28 01:11:40.627:DEBUG:oejs.Response:qtp990398217-27: writeError: status=401, message=null, response=org.eclipse.jetty.ee10.servlet.ServletContextResponse@b202813


Do you have any advice on how to fix this, so that we don't need to check the authorization when the cookie is accepted? 


Also, RE Jetty 12.0.15 - it looks like that was an error on our end, and I successfully upgraded to Jetty 12.0.15. Sorry for the confusion there. 


Thanks, 
Shan Parikh 


On Wed, Nov 27, 2024 at 1:57 PM Shan Parikh <ssp237@xxxxxxxxxxx> wrote:
Hi Greg, 

Thanks so much for getting back to me. 

We are currently using EE10, but we are open to using EE8/9 if that would fix the problem. 

This is going to a webapp. 

Our login module is implemented as a subclass of AbstractLoginModule, with a corresponding subclass of JAASUser. 
To enable it, we include the following in jetty-web.xml: 

  <Set name="securityHandler">
    <New class="org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler">
      <Set name="loginService">
        <New class="org.eclipse.jetty.security.jaas.JAASLoginService">
          <Set name="name"><name></Set>
          <Set name="loginModuleName"><name></Set>
        </New>
      </Set>
    </New>
  </Set>

Please let me know if I can provide any more information! 

Additionally, after upgrading from Jetty 12.0.14 to 12.0.15 I have found that we are getting an error on startup due to jetty-web.xml: 
org.eclipse.jetty.xml.XmlConfigurationException: Bad Jetty XML configuration in file:<path>/jetty-web.xml
...
Caused by:
java.lang.NullPointerException: Cannot invoke "java.util.Map.containsKey(Object)" because "this.fTableOfIDAttributeNames" is null

This was not previously happening, and we did not change jetty-web.xml at all during the upgrade. The file jetty-web.xml is small, and just sets the securityHandler and an errorHandler. Do you know what could be causing us to read it as an improper configuration? 

Thanks for your help, 
Shan Parikh

On Tue, Nov 26, 2024 at 3:09 PM Greg Wilkins <gregw@xxxxxxxxxxx> wrote:

Shan,

We need a bit more information to help.

What environment are you using? EE10?
Is this going to a webapp or a programmatic context?
How is your custom login module/mechanism installed/implemented?

Does curl send the cookie with the request that gets the 401 response?

regards
On Tue, 26 Nov 2024 at 08:50, Shan Parikh via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
Hi, 

I am currently running Jetty 11 and looking to upgrade to Jetty 12 because of the upcoming end of life for Jetty 11 in Jan 2025. 

I have gotten the server running after reconfiguring some of the modules and XML files. However, we are having some issues with authentication that were not present in the Jetty 11 configuration. 

We have a custom login module that gets triggered when we POST to the /login/ endpoint with the login information (base 64 encoding of username + password). We are able to login, and get a cookie in the response that corresponds to a session. 

However, when we send a curl request (or post a request through Java) using this cookie (without the login information), we always receive a 401: unauthorized error. This same request goes through to the same server running Jetty 11, so it has to be a server side issue. 

For reference, when sending requests through Java we are using the CookieManager and CookieStore classes, which seem to automatically populate the session information. 

Are there any changes to how Jetty 12 processes cookies that would prevent us from accepting cookies? Is there any debug information I could include that would help address this issue?

Thanks for your help, 
Shan Parikh
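The debug log quoted earlier in this thread shows the sequence that produces the 401: the session is resolved from the cookie ("Got Session IDs ... from cookies", "Selected session"), the security handler then evaluates a constraint of ANY_USER for /cell/list, and writes a 401. A session being found is not the same as the request being authenticated; an ANY_USER constraint needs an authenticated identity, which a session only provides if the login step stored that identity in it. The following toy model, added here as an illustration and not code from this thread, from Jetty, or from Jetty's API, separates those two cases. The names (SessionStore, AUTH_ATTRIBUTE, the JSESSIONID cookie name, the ANY_USER string, and the alice credential) are this example's own constructed choices.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential table for the example (plaintext only for brevity;
# a real login service would store salted hashes).
USERS = {"alice": "s3cret"}

# Session attribute under which an authenticated identity is kept. This is a
# hypothetical name chosen for the example, not an attribute Jetty defines.
AUTH_ATTRIBUTE = "example.authenticated.user"

SESSION_COOKIE = "JSESSIONID"


@dataclass
class Session:
    id: str
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session manager: maps session ids to Session objects."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> Session:
        session = Session(id=secrets.token_urlsafe(16))
        self._sessions[session.id] = session
        return session

    def lookup(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def check_basic_credentials(authorization: str) -> Optional[str]:
    """Return the username when the Authorization header carries valid Basic credentials."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        username, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        return username
    return None


def login(store: SessionStore, request: Request, bind_identity: bool) -> Optional[Session]:
    """Model of a POST /login/ handler: validate credentials and create a session.

    bind_identity=False reproduces the failure pattern from the thread: a session
    is created (so a cookie is issued), but the authenticated user is never
    attached to it, so later requests carrying only the cookie are anonymous.
    """
    user = check_basic_credentials(request.headers.get("Authorization", ""))
    if user is None:
        return None
    session = store.create()
    if bind_identity:
        session.attributes[AUTH_ATTRIBUTE] = user
    return session


def authorize(store: SessionStore, request: Request, constraint: str) -> int:
    """Return the HTTP status the constraint check would produce.

    Follows the order visible in the log: resolve the session from the cookie
    first, then evaluate the constraint. ANY_USER requires an authenticated
    identity, taken from the session if bound there, else from fresh credentials.
    """
    session = store.lookup(request.cookies.get(SESSION_COOKIE, ""))
    if constraint == "NONE":
        return 200
    if constraint != "ANY_USER":
        raise ValueError(f"unknown constraint {constraint}")
    if session is not None and session.attributes.get(AUTH_ATTRIBUTE):
        return 200
    if check_basic_credentials(request.headers.get("Authorization", "")):
        return 200
    return 401


def run_scenarios() -> dict:
    """Requests to a protected path; returns the status each would receive."""
    creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    results = {}
    for label, bind in (("session_only_unbound", False), ("session_only_bound", True)):
        store = SessionStore()
        session = login(store, Request(headers={"Authorization": creds}), bind_identity=bind)
        follow_up = Request(cookies={SESSION_COOKIE: session.id})  # cookie, no Authorization header
        results[label] = authorize(store, follow_up, "ANY_USER")
    results["no_cookie_no_header"] = authorize(SessionStore(), Request(), "ANY_USER")
    results["stale_cookie_with_credentials"] = authorize(
        SessionStore(),
        Request(cookies={SESSION_COOKIE: "stale"}, headers={"Authorization": creds}),
        "ANY_USER",
    )
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The "session_only_unbound" case is the one the log describes: the cookie names a live session, the constraint is ANY_USER, and the result is 401 because nothing in the session says who the user is. The fix lives in the login step (bind the authenticated identity to the session the cookie refers to), not in relaxing the constraint check.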
