[undertow-dev] HttpServletRequestImpl.authenticate (incorrectly?) closes response upon false outcome

Stuart Douglas sdouglas at redhat.com
Thu Jun 12 12:50:58 EDT 2014


Can you file a JIRA about this?

Stuart

arjan tijms wrote:
> Hi,
>
> When an authentication mechanism (e.g. a JASPIC SAM) did not actually
> authenticate following a call to HttpServletRequest#authenticate,
> Undertow closes the stream.
>
> This happens in
> io.undertow.servlet.spec.HttpServletRequestImpl.authenticate(HttpServletResponse)
> via the following code fragment:
>
> if (sc.authenticate()) {
>          ...
> } else {
>      // Not authenticated and response already sent.
>      HttpServletResponseImpl responseImpl =
> exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getOriginalResponse();
>      responseImpl.closeStreamAndWriter();
>      return false;
> }
>
> I'm not 100% sure why it closes the response stream (or writer) here.
> The Javadoc for HttpServletRequest#authenticate doesn't say this happens
> and it's not in the Servlet spec either.
>
> Most importantly perhaps, it's not what JBoss AS 7/EAP 6 does. I don't
> think any other server actually does this (but have to investigate to be
> sure).
>
> It looks like Undertow assumes that the authentication mechanism always
> sets all headers and commits the response, but the contract as expressed
> in its Javadoc seems weaker:
>
> "Use the container login mechanism configured for the ServletContext to
> authenticate the user making this request.
>
> This method *may* modify and commit the argument HttpServletResponse."
>
> (note the phrasing "may")
>
> As with many things in Servlet it's not entirely clear whether for the
> case that the method returns "false" the response "must" have been
> modified and committed, but whether this is the case or not, I don't
> think it says anywhere that after a call to this method nothing can be
> written to the response any more.
>
> Furthermore, this also doesn't behave very well when a (wrapped)
> response is passed in, as it closes the original response, not the one
> passed in.
>
> Kind regards,
> Arjan
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev


More information about the undertow-dev mailing list