map Jakarta.servlet.http.HttpServletRequest to org.eclipse.jetty.server.Request #11964
Comments
The core That's the role of Lines 46 to 58 in 15bcc5e
To see a The key takeaway is that the login occurs via the Servlet authentication techniques, based on constraints. |
Sounds like what you are looking for is the Been there since Servlet 3.0 |
Thanks a lot Mr @joakime for your answer.
I did not understand this part of your speech. Thank you for giving me a clearer explanation. My main problem right now is: In general, how is the login operation done in Jetty 12? Please send me an example of it? Jetty is not embedded in our code and we deploy our project on Jetty. It's just that we have used the login method of Jetty library in our code. And I want to write the code in such a way that Jetty itself turns the request that comes to it from client into |
A few more comments that might be helpful. If you use the EE8 or EE9 environment of jetty-12, then the Servlet Request passed does extend a nested.Request in the same way that jetty-9 did. It might be simpler to get your app working first on ee8 or ee9 and then migrate to ee10. However, as @joakime has said, it looks like your application is trying to mimic the behaviour of a SecurityHandler. Rather than replicate that code, it may be far simpler to implement your own Authenticator rather than write a handler that is doing Authentication. Note that in EE10, the request is not mutable and authentication is done by wrapping rather than setting. |
@joakime , @gregw

```java
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    // Jetty 9: the servlet request could be cast to Jetty's own Request
    Request request = (req instanceof Request) ? (Request) req : null;
    // other code
    UserIdentity identity = loginService.login(null, token, request);
    // other code
    Authentication authentication = new UserAuthentication(...);
    request.setAuthentication(authentication);
    // other code
}
```

In fact, this part is not the doGet method of a servlet, but the implementation of the doFilter method of a Filter:

```java
public void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
    // Jetty 9: the servlet request could be cast to Jetty's own Request
    Request request = (req instanceof Request) ? (Request) req : null;
    // other code
    UserIdentity identity = loginService.login(null, token, request);
    // other code
    Authentication authentication = new UserAuthentication(...);
    request.setAuthentication(authentication);
    // other code
}
```
|
If you are handling the request in a Filter or Servlet, then you are already dispatched to the Filter Chain, and that means you are past the point of Servlet constraints and Servlet authentication. (The "Authentication" of the request is already set by this point.) Instead of doing that login in a Filter, write a proper authentication layer, and define the constraints in your webapp to use that authentication layer (you won't have that Filter too). Other libraries that want security / authentication / authorization, but want to handle it during a Servlet dispatch (in a Filter or Servlet) do not actually use the Servlet spec authentication / constraints to accomplish it. (e.g. Spring Security, and many others.) But this means an entirely new security framework and APIs that your webapps must use instead of the Servlet security APIs. |
This is a very high level description of the steps involved. (there's a lot of nuance and detail missing)
The LoginService and things like the Authenticator happen around step 6. You are attempting to do things all the way down at step 12. |
@gregw , @joakime Is it possible to write my own authentication using handlers? And the next question, when deploying the project on Jetty 12, how do we introduce the handlers to it? |
@fgolzari It is possible to write your "own authentication using a handler". You will need to reverse engineer what the SecurityHandler is doing and do that yourself. But why do that? The SecurityHandler is designed to be pluggable with Authenticators. So just plug in your own algorithm there and don't duplicate all the effort in SecurityHandler. For a more complex As for adding handlers to jetty-12, there are many answers that depend on how you are using the server, if you are using servlets etc. etc. Have a read of the documentation available via https://jetty.org/ |
.... and yet another approach.... If you really want to do it in a filter, then just so the request you forward to return the values you want for authentication. No need to modify the underlying request, as you have already passed the votes authentication later and we don't think you are authenticated no matter what you do in a filter. |
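The filter-side wrapping approach from the comment above, as an added example that is not code from the Jetty project or from any participant in this thread: the underlying request is left untouched and the rest of the chain receives a wrapper that answers the Servlet security getters. The names TokenAuthFilter, VerifiedUser and verify(), the "TOKEN" auth type, and reading the token from a Bearer Authorization header are assumptions; only standard jakarta.servlet (ee10) API is used.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.Set;

// Hypothetical filter (all names are assumptions). Subclass it and register the subclass in web.xml.
public abstract class TokenAuthFilter extends HttpFilter {

    /** Hypothetical result of a successful token check. */
    public record VerifiedUser(String name, Set<String> roles) {}

    /** Hypothetical application hook: return the user for a valid token, or null to reject. */
    protected abstract VerifiedUser verify(String token);

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumption: the token arrives as "Authorization: Bearer <token>".
        String header = req.getHeader("Authorization");
        String token = (header != null && header.startsWith("Bearer ")) ? header.substring(7) : null;
        VerifiedUser user = (token == null) ? null : verify(token);

        if (user == null) {
            // Servlet constraints were evaluated before this filter ran and know nothing
            // about this login, so the filter itself has to fail closed.
            res.setHeader("WWW-Authenticate", "Bearer");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Principal principal = () -> user.name();
        // Downstream filters and servlets see the authenticated values through the wrapper;
        // the container's own authentication state for the request is not changed.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return user.name(); }
            @Override public boolean isUserInRole(String role) { return user.roles().contains(role); }
            @Override public String getAuthType() { return "TOKEN"; }
        }, res);
    }
}
```

Every protected path must be covered by the filter mapping, because `<security-constraint>` rules in web.xml do not consult this wrapper.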
I think we've given you several directions to try, so I'm closing this now. |
Jetty Version
jetty-12
Jetty Environment
ee10
Java Version
Java 21
Question
I want to upgrade our project from jetty 9 to 12. In the previous version, a servlet class was written in our project, whose doGet method is as follows

Request package: org.eclipse.jetty.server.Request
HttpServletRequest package: javax.servlet.http.HttpServletRequest
UserIdentity package: org.eclipse.jetty.server.UserIdentity
and loginService is an object of: org.eclipse.jetty.security.LoginService

Because in jetty 9 org.eclipse.jetty.server.Request extends javax.servlet.http.HttpServletRequest, we cast the HttpServletRequest class to the Request class and therefore we did not have any problems in the code. But in jetty 12 org.eclipse.jetty.server.Request does not extend HttpServletRequest. loginService.login() in jetty 12 takes org.eclipse.jetty.server.Request as input. Furthermore, HttpServletRequest does not have a method to set authentication, so we need to have the Request object.

How do I map the HttpServletRequest that I received as input of the servlet method into an org.eclipse.jetty.server.Request that I can pass to the LoginService.login() method? How do I initialize org.eclipse.jetty.server.Request to send to this method? Other than mapping, is there a better solution?