Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
http-2.0.4
-
None
Description
The JavaDoc for HttpContext.handleSecurity states:
- If the request requires authentication and the Authorization header in
- the request is missing or not acceptable, then this method should set the
- WWW-Authenticate header in the response object, set the status in the
- response object to Unauthorized(401) and return <code>false</code>
So the following implementation of handleSecurity() should cause an UNAUTHORIZED response:
response.setHeader("WWW-Authenticate", "BASIC realm=\"Secure Moixa Energy Gateway\"");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return false;
This worked OK in org.apache.felix.http.jetty-1.0.1, but fails in org.apache.felix.http.jetty-2.0.4, by always returning SC_FORBIDDEN.
Examining the implementation: org/apache/felix/http/base/internal/handler/ServletHandler.java:
if (!getContext().handleSecurity(req, res)) {
if (!res.isCommitted())
}
which means that SC_FORBIDDEN is always returned, unless the response is committed.
In order to commit the response, response.flushBuffer() must be called in the handleSecurity() implementation after setting the response code to unauthorized. Howver, the JavaDoc for HttpContext does not indicate that it is necessary to commit the response.