3

I have a war file (specifically, gerrit.war), that expects the container (specifically, jetty) to handle basic HTTP authentication and pass that information down to the webapp. So I don't have access to the code or to the web.xml file.

I'm following these instructions to use existing jetty configs to wrap gerrit in a realm, but when I access the base URL (/login/) I get a 403 (Forbidden) error. I'd expect to get a 401, which would prompt my browser to ask for credentials (no?)

I can post my files but I haven't changed anything from the example above. Let me know if it would help, however.

Roy Truelove

1 Answer

0

There are probably many ways in which this can occur. In my case it occurred because my constraint did not have a role set. This code generated 403:

private void secureServlet(ServletContextHandler handler) {
    ConstraintSecurityHandler security = new ConstraintSecurityHandler();
    security.setRealmName(this.realm);
    security.setAuthenticator(new BasicAuthenticator());
    security.setLoginService(new WebLoginService(this.engine));

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__BASIC_AUTH);
    //constraint.setRoles(new String[]{"user"});
    constraint.setAuthenticate(true);

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(constraint);
    mapping.setPathSpec("/*");

    security.addConstraintMapping(mapping);
    handler.setSecurityHandler(security);
}

Commenting in the role line will prompt Jetty to answer with 401s instead.

Bittrance
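The following is an added example, not code from the question or the answer. It builds both variants of the answer's constraint and refuses at startup to install one that Jetty would treat as forbidden (authentication required but no roles), assuming the Jetty 9.4 API; the class name, helper names, realm, user and password are constructed for illustration.

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.UserStore;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

public class BasicAuthConstraintCheck {
    // Same constraint as in the answer; calling it with no roles reproduces the 403 variant.
    static Constraint basicConstraint(String... roles) {
        Constraint c = new Constraint();
        c.setName(Constraint.__BASIC_AUTH);
        c.setAuthenticate(true);
        if (roles.length > 0) c.setRoles(roles);
        return c;
    }

    // Hypothetical helper: wires the handler, but fails fast on a role-less auth constraint.
    static ConstraintSecurityHandler securityHandler(Constraint constraint) {
        if (constraint.isForbidden()) {
            // authenticate == true with no roles: nobody is allowed, so no 401 challenge is sent
            throw new IllegalStateException("constraint '" + constraint.getName()
                    + "' requires authentication but names no roles; every request would get 403");
        }
        UserStore users = new UserStore(); // constructed in-memory user for the demo
        users.addUser("alice", Credential.getCredential("constructed-password"), new String[] {"user"});
        HashLoginService login = new HashLoginService("demo-realm");
        login.setUserStore(users);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setRealmName("demo-realm");
        security.setAuthenticator(new BasicAuthenticator());
        security.setLoginService(login);
        security.addConstraintMapping(mapping);
        return security;
    }

    public static void main(String[] args) {
        System.out.println("no roles forbidden?  " + basicConstraint().isForbidden());
        System.out.println("role 'user' forbidden? " + basicConstraint("user").isForbidden());
        securityHandler(basicConstraint("user")); // accepted: unauthenticated requests get a 401 challenge
        securityHandler(basicConstraint());       // throws: misconfiguration caught before serving
    }
}
```

Run it with the jetty-security and jetty-util jars on the classpath; the last call is expected to throw, which is the point of the check.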