Reputation: 41
How do you provide security authentication for a ResourceHandler in Jetty without XML?
I'm trying to provide authentication of one of my pages on my Jetty server. I'm doing it all programatically, so there's no xml involved.
I've found I can protect particular contexts by using the ConstraintSecurityHandler. While this works fine for Servlets I'm running, I've tried to extend it to work for the ResourceHandler as well, and I've ran into problems. The code I am trying is found below.
If I place the ResourceHandler block first, then the authentication fails to pop up. If I place the ResourceHandler block after the SecurityHandler block, then the authentication pops up, but after authentication, the ResourceHandler page (/resources) does not appear, and Jetty gives me a 404.
Is there any way I can password protect the page hosted by the ResourceHandler programatically??
final static String REALM = "REALM";
.
.
.
public static void main(String[] args){
.
.
.
ResourceHandler resourceHandler = new ResourceHandler(); //set up resourceHandler to host directory of files at /resources
resourceHandler.setDirectoriesListed(true);
resourceHandler.setResourceBase("." + File.separator + "files");
ContextHandler resourceContextHandler = new ContextHandler();
resourceContextHandler.setContextPath("/resources");
resourceContextHandler.setHandler(resourceHandler);
handlers.addHandler(resourceContextHandler);
.
.
.
ConstraintSecurityHandler csh = getConstraintSecurityHandler();
ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.SESSIONS);
servletContextHandler.setSecurityHandler(csh);
handlers.addHandler(servletContextHandler);
.
.
.
server.setHandler(handlers);
server.start();
server.join();
}
private ConstraintSecurityHandler getConstraintSecurityHandler(){
Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "user");
constraint.setRoles(new String[]{"user","admin"});
constraint.setAuthenticate(true);
ConstraintMapping statsConstraintMapping = new ConstraintMapping();
statsConstraintMapping.setConstraint(constraint);
statsConstraintMapping.setPathSpec("/resources"); //directory I want to protect
ConstraintSecurityHandler csh = new ConstraintSecurityHandler();
csh.setAuthenticator(new BasicAuthenticator());
csh.setRealmName(REALM);
csh.setConstraintMappings(new ConstraintMapping[] {statsConstraintMapping});
csh.setLoginService(getHashLoginService());
return csh;
}
private HashLoginService getHashLoginService() {
HashLoginService loginServ = new HashLoginService();
loginServ.setName(REALM);
loginServ.setConfig("realm.properties"); //location of authentication file
loginServ.setRefreshInterval(1);
return loginServ;
}
Upvotes: 3
Views: 3434
Answers (1)
Reputation: 7182
The security handler goes in front of the resource handler so in the chain of processing the security handler is consulted first.
See:
Upvotes: 4
Related Questions
- Excluding HTTP methods using security constraint, jetty
- HashLoginService and Jetty9
- Jetty Basic Authentication
- Authentication with embedded Jetty
- Jetty authentication architecture
- web.xml security: how to get root unrestricted, but all else restricted?
- howto add custom authentication to a Jetty webserver running solr
- Ignoring web.xml security-constraint in Jetty
- Basic Authentication with embedded Jetty 7 server and no web.xml file
- adding security to embedded jetty