You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2011/01/08 01:05:46 UTC

[jira] Commented: (FELIX-2768) HttpContext.handleSecurity returns SC_FORBIDDEN unless response is comitted

    [ https://issues.apache.org/jira/browse/FELIX-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12979026#action_12979026 ] 

Felix Meschberger commented on FELIX-2768:
------------------------------------------

I also ran into this issue a few times ...

I think the problem that the ServletHandler tries to solve is to send back a sensible error instead of a successfull 200 response in case the HttpContext did not send a response.

Maybe doHandle method should be modified like this:

    res.setStatus(HttpServletResponse.SC_FORBIDDEN);
    if (getContext().handleSecurity(req, res)) { 
       res.setStatus(HttpServletResponse.SC_OK); // default back to OK
       servlet.service(...)
    }

This would ensure the request is terminated with 403 unless the handleSecurity method returning false has set a different status.

WDYT ?

> HttpContext.handleSecurity returns SC_FORBIDDEN unless response is comitted
> ---------------------------------------------------------------------------
>
>                 Key: FELIX-2768
>                 URL: https://issues.apache.org/jira/browse/FELIX-2768
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.0.4
>            Reporter: Derek Baum
>
> The JavaDoc for HttpContext.handleSecurity states:
> 	 * If the request requires authentication and the Authorization header in
> 	 * the request is missing or not acceptable, then this method should set the
> 	 * WWW-Authenticate header in the response object, set the status in the
> 	 * response object to Unauthorized(401) and return <code>false</code>
> So the following implementation of handleSecurity() should cause an UNAUTHORIZED response:
>                 response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
>                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>                 return false;
> This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
> Examining the implementation: org/apache/felix/http/base/internal/handler/ServletHandler.java:
>         if (!getContext().handleSecurity(req, res)) {
>             if (!res.isCommitted()) {
>                 res.sendError(HttpServletResponse.SC_FORBIDDEN);
>             }
>         } 
> which means that SC_FORBIDDEN is always returned, unless the response is committed.
> In order to commit the response, response.flushBuffer() must be called in the handleSecurity() implementation after setting the response code to unauthorized. Howver, the JavaDoc for HttpContext does not indicate that it is necessary to commit the response.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.