Re: [jetty-users] FormAuthenticator redirects with a connector behind externally terminated TLS

Yup, I think that's it.
I looked at the HttpConfiguration and the default for secureScheme seemed to be https / 443,
but somewhere between Jetty startup and Spring Boot having its tendrils everywhere, by runtime that is
no longer the case.  Setting it back to the default https / 443 seems to do the trick.

Thanks Joakim!
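The connector setup Joakim asks about, with the secureScheme / securePort values this reply restores, as an added example (not code from this thread or from the Jetty project): a plain-HTTP ServerConnector for Jetty 9.4 whose HttpConfiguration states the externally visible scheme and port and carries a ForwardedRequestCustomizer so that scheme and port are taken from the load balancer's forwarding headers. The backend port 8080 and the class name are assumptions for the example; the Jetty classes and methods are the 9.4 API.

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

/**
 * Added example (not from the thread): a plain-HTTP connector for a Jetty 9.4 server
 * whose TLS is terminated by an external load balancer. The HttpConfiguration is told
 * that the client-facing scheme/port is https/443, so redirects that consult it (such
 * as the FormAuthenticator login redirect) do not downgrade the user to http.
 */
public final class BehindTlsProxyConnector {

    /** Port the load balancer forwards plain HTTP to; assumed value for this example. */
    static final int BACKEND_HTTP_PORT = 8080;

    public static HttpConfiguration externallySecureHttpConfig() {
        HttpConfiguration http = new HttpConfiguration();
        // https/443 are the HttpConfiguration defaults, but any code that builds its own
        // HttpConfiguration (a Spring Boot customizer, for instance) may have replaced
        // them, so state them explicitly rather than relying on the defaults.
        http.setSecureScheme("https");
        http.setSecurePort(443);
        // Apply X-Forwarded-Proto / X-Forwarded-Host / Forwarded from the TLS terminator,
        // so request.isSecure(), getScheme() and getServerPort() reflect the client's view.
        // Only enable this when the load balancer overwrites those headers; if a client can
        // supply them directly, it can claim an https origin it does not have.
        http.addCustomizer(new ForwardedRequestCustomizer());
        return http;
    }

    public static ServerConnector plainHttpConnector(Server server) {
        ServerConnector connector = new ServerConnector(server,
                new HttpConnectionFactory(externallySecureHttpConfig()));
        connector.setPort(BACKEND_HTTP_PORT);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        server.addConnector(plainHttpConnector(server));
        // server.setHandler(...) would install the SessionHandler -> ConstraintSecurityHandler
        // chain from the original post; omitted here to keep the connector example focused.
        server.start();
        server.join();
    }
}
```

A SecureRequestCustomizer, which Joakim also mentions, belongs on a connector that performs TLS itself (it populates the SSL request attributes); on a plain-HTTP connector behind a terminator, the ForwardedRequestCustomizer is the one that matters. A quick check after starting the server is to request a protected path with `X-Forwarded-Proto: https` set and confirm the `Location` header of the 303 begins with `https://`.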

On Mon, May 3, 2021 at 11:02 AM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
What is the configuration of your ServerConnectors, and the HttpConfiguration + SecureRequestCustomizer settings on those connectors?

Chances are you just haven't set that up properly for your environment.

The HttpConfiguration needs to be set up properly to point to the external TLS layer.
Optionally, the SecureRequestCustomizer needs to be present and possibly configured to use the Forwarding header that your TLS layer could be adding to the request.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, May 3, 2021 at 12:30 PM Steven Schlansker <stevenschlansker@xxxxxxxxx> wrote:
Hi again jetty-users,

I'm still stuck on this problem.  Has anyone done something similar, or have a resource to suggest I could dig deeper to answer my own question?
I'm so close to having the authentication flow work, this is the last non-working bit...

Thanks,
Steven

On Mon, Apr 26, 2021 at 2:48 PM Steven Schlansker <stevenschlansker@xxxxxxxxx> wrote:
Hi jetty-users, happy Monday :)
I am trying to configure FormAuthenticator in Jetty 9.4.40 on a server that serves HTTP terminated behind an external load balancer handling the TLS termination.

Everything works fine in testing, but when it is behind the external TLS termination, Jetty serves up 303 See Other responses to e.g. the login page with an absolute http url, which redirects the user away from the secure site.  The FormAuthenticator seems to allow me to customize the path to the form and error page, but not the scheme.

I tried attaching ForwardedRequestCustomizer to see if parsing the forwarding headers would help, but it did not seem to change anything.

I tried using FormAuthenticator dispatch mode instead of redirect, but that caused all server responses to 404 for reasons I didn't really understand, so I gave up on that pretty quickly.

What's the right way to configure FormAuthenticator or its connector in embedded jetty to preserve the https nature of the site, even when Jetty doesn't do TLS termination?  I can't help but feel this should be answered on Google but I must be searching for the wrong thing...

I've attached my handler setup below in case that helps.
Thanks for any advice,
Steven

    // Imports and a method signature added so the excerpt compiles on its own; the
    // parameters are the variables the original excerpt referenced but did not define.
    import java.time.Duration;
    import javax.sql.DataSource;
    import org.eclipse.jetty.security.ConstraintMapping;
    import org.eclipse.jetty.security.ConstraintSecurityHandler;
    import org.eclipse.jetty.security.LoginService;
    import org.eclipse.jetty.security.authentication.FormAuthenticator;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.server.session.DatabaseAdaptor;
    import org.eclipse.jetty.server.session.DefaultSessionIdManager;
    import org.eclipse.jetty.server.session.JDBCSessionDataStore.SessionTableSchema;
    import org.eclipse.jetty.server.session.JDBCSessionDataStoreFactory;
    import org.eclipse.jetty.server.session.SessionHandler;
    import org.eclipse.jetty.servlet.ServletContextHandler;
    import org.eclipse.jetty.util.security.Constraint;

    static SessionHandler buildHandlerChain(final Server server,
                                            final LoginService loginService,
                                            final ServletContextHandler servletContextHandler,
                                            final String serviceName,
                                            final DataSource ds) {
        // Everything under /* requires FORM auth and the "ws" role ...
        final var securityHandler = new ConstraintSecurityHandler();
        securityHandler.setLoginService(loginService);
        securityHandler.addRole("ws");

        final var constraintMapping = new ConstraintMapping();
        final var constraint = new Constraint(Constraint.__FORM_AUTH, "ws");
        constraint.setAuthenticate(true);
        constraintMapping.setConstraint(constraint);
        constraintMapping.setPathSpec("/*");

        securityHandler.addConstraintMapping(constraintMapping);

        // ... except the login pages, favicon and health endpoints, which are left open.
        final var noAuth = new Constraint();
        noAuth.setName(Constraint.NONE);
        final String loginPath = "/login";
        final String loginErrPath = loginPath + "/error";
        for (final var exclude : new String[] { "/favicon.ico", "/health", "/health/*", loginPath, loginErrPath }) {
            final var noAuthMapping = new ConstraintMapping();
            noAuthMapping.setConstraint(noAuth);
            noAuthMapping.setPathSpec(exclude);
            securityHandler.addConstraintMapping(noAuthMapping);
        }
        securityHandler.setHandler(servletContextHandler);

        // Redirect mode (dispatch = false): unauthenticated requests get a 303 to loginPath.
        securityHandler.setAuthenticator(new FormAuthenticator(loginPath, loginErrPath, false));

        // Sessions live for 7 days of inactivity and are persisted to a JDBC table.
        final var sessionHandler = new SessionHandler();
        sessionHandler.setHandler(securityHandler);
        sessionHandler.setMaxInactiveInterval((int) Duration.ofDays(7).toSeconds());

        final var sessionSchema = new SessionTableSchema();
        sessionSchema.setTableName("JettySessions_" + serviceName);

        final var dbAdapt = new DatabaseAdaptor();
        dbAdapt.setDatasource(ds);

        final var dataStoreFactory = new JDBCSessionDataStoreFactory();
        dataStoreFactory.setGracePeriodSec((int) Duration.ofDays(7).toSeconds());
        dataStoreFactory.setSessionTableSchema(sessionSchema);
        dataStoreFactory.setDatabaseAdaptor(dbAdapt);
        server.addBean(dataStoreFactory);

        final var sessionIdMgr = new DefaultSessionIdManager(server);
        sessionIdMgr.setWorkerName(GraphiteTags.pod()); // project-specific helper, as in the original
        server.setSessionIdManager(sessionIdMgr);

        return sessionHandler;
    }
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
