felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Meschberger (JIRA)" <j...@apache.org>
Subject [jira] Updated: (FELIX-2768) HttpContext.handleSecurity returns SC_FORBIDDEN unless response is comitted
Date Sat, 08 Jan 2011 00:05:47 GMT

     [ https://issues.apache.org/jira/browse/FELIX-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Felix Meschberger updated FELIX-2768:

    Affects Version/s: http-2.0.4

> HttpContext.handleSecurity returns SC_FORBIDDEN unless response is comitted
> ---------------------------------------------------------------------------
>                 Key: FELIX-2768
>                 URL: https://issues.apache.org/jira/browse/FELIX-2768
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.0.4
>            Reporter: Derek Baum
> The JavaDoc for HttpContext.handleSecurity states:
> 	 * If the request requires authentication and the Authorization header in
> 	 * the request is missing or not acceptable, then this method should set the
> 	 * WWW-Authenticate header in the response object, set the status in the
> 	 * response object to Unauthorized(401) and return <code>false</code>
> So the following implementation of handleSecurity() should cause an UNAUTHORIZED response:
>                 response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy
>                 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>                 return false;
> This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in org.apache.felix.http.jetty-2.0.4,
by always returning SC_FORBIDDEN.
> Examining the implementation: org/apache/felix/http/base/internal/handler/ServletHandler.java:
>         if (!getContext().handleSecurity(req, res)) {
>             if (!res.isCommitted()) {
>                 res.sendError(HttpServletResponse.SC_FORBIDDEN);
>             }
>         } 
> which means that SC_FORBIDDEN is always returned, unless the response is committed.
> In order to commit the response, response.flushBuffer() must be called in the handleSecurity()
implementation after setting the response code to unauthorized. Howver, the JavaDoc for HttpContext
does not indicate that it is necessary to commit the response.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message