Issue #12720 - fix servlet error dispatch for errors generated by SecurityHandler #13693

lachlan-roberts · 2025-10-10T06:32:30Z

Closes #12720

Currently SecurityHandler does only Response.writeError when a 403 response needs to be sent. However this will not dispatch to a servlet error page, for this we need to do AuthenticationState.writeError and handle the case if it returns AuthenticationState.ServeAs.

…curityHandler Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

gregw · 2025-10-13T06:00:07Z

@lachlan-roberts the CI failures look to be more than flakes.

gregw

more than flakes

lachlan-roberts · 2025-10-13T06:06:16Z

@gregw the tests are failing because the AuthenticationState.writeError and ErrorHandler.writeError do not support taking a message string.

So do you think i should adjust both the AuthenticationState.writeError and ErrorHandler.writeError API to take a String message, or should I adjust the tests to not check for the !authroized string?

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java

gregw · 2025-10-21T06:39:31Z

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java

+            };
+        }
+
+        return response;


This can return the unwrapped response, which will provide the unwrapped request. So either only wrap the request in the if statement above OR you always need to wrap the response to return the wrapped request. See above suggestion

gregw · 2025-10-21T06:42:17Z

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java

+        HttpURI uri = request.getHttpURI();
+        Request wrappedRequest = serveAs.wrap(request);
+        if (!uri.equals(wrappedRequest.getHttpURI()))
+        {
+            // URI is replaced, so filter out all metadata for the old URI
+            response.getHeaders().put(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());
+            response.getHeaders().putDate(HttpHeader.EXPIRES.asString(), 1);
+            HttpFields.Mutable headers = new HttpFields.Mutable.Wrapper(response.getHeaders())
+            {
+                @Override
+                public HttpField onAddField(HttpField field)
+                {
+                    if (field.getHeader() == null)
+                        return field;
+                    return switch (field.getHeader())
+                    {
+                        case CACHE_CONTROL, PRAGMA, ETAG, EXPIRES, LAST_MODIFIED, AGE -> null;
+                        default -> field;
+                    };
+                }
+            };
+
+            return new Response.Wrapper(wrappedRequest, response)
+            {
+                @Override
+                public HttpFields.Mutable getHeaders()
+                {
+                    return headers;
+                }
+
+                @Override
+                public Request getRequest()
+                {
+                    return wrappedRequest;
+                }
+            };
+        }


Suggested change

HttpURI uri = request.getHttpURI();

Request wrappedRequest = serveAs.wrap(request);

if (!uri.equals(wrappedRequest.getHttpURI()))

{

// URI is replaced, so filter out all metadata for the old URI

response.getHeaders().put(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());

response.getHeaders().putDate(HttpHeader.EXPIRES.asString(), 1);

HttpFields.Mutable headers = new HttpFields.Mutable.Wrapper(response.getHeaders())

{

@Override

public HttpField onAddField(HttpField field)

{

if (field.getHeader() == null)

return field;

return switch (field.getHeader())

{

case CACHE_CONTROL, PRAGMA, ETAG, EXPIRES, LAST_MODIFIED, AGE -> null;

default -> field;

};

}

};

return new Response.Wrapper(wrappedRequest, response)

{

@Override

public HttpFields.Mutable getHeaders()

{

return headers;

}

@Override

public Request getRequest()

{

return wrappedRequest;

}

};

}

HttpURI uri = request.getHttpURI();

Request wrappedRequest = serveAs.wrap(request);

HttpFields.Mutable headers;

if (uri.equals(wrappedRequest.getHttpURI()))

{

headers = response.getHeaders()

}

else

{

// URI is replaced, so filter out all metadata for the old URI

response.getHeaders().put(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());

response.getHeaders().putDate(HttpHeader.EXPIRES.asString(), 1);

headers = new HttpFields.Mutable.Wrapper(response.getHeaders())

{

@Override

public HttpField onAddField(HttpField field)

{

if (field.getHeader() == null)

return field;

return switch (field.getHeader())

{

case CACHE_CONTROL, PRAGMA, ETAG, EXPIRES, LAST_MODIFIED, AGE -> null;

default -> field;

};

}

};

}

return new Response.Wrapper(wrappedRequest, response)

{

@Override

public HttpFields.Mutable getHeaders()

{

return headers;

}

@Override

public Request getRequest()

{

return wrappedRequest;

}

};

}

Issue #12720 - fix servlet error dispatch for 403's generated from Se…

be33798

…curityHandler Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

lachlan-roberts requested review from gregw and janbartel October 10, 2025 06:32

lachlan-roberts self-assigned this Oct 10, 2025

lachlan-roberts added this to Jetty 12.1.3 - FROZEN Oct 10, 2025

Remove expectation of !authorized in tests

735f3c7

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

gregw requested changes Oct 13, 2025

View reviewed changes

joakime added this to Jetty 12.1.4 Oct 16, 2025

joakime removed this from Jetty 12.1.3 - FROZEN Oct 16, 2025

joakime moved this to 👀 In review in Jetty 12.1.4 Oct 16, 2025

PR #13693 - Remove expectation of !authorized in tests

ed8cd86

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

lachlan-roberts requested a review from gregw October 20, 2025 23:33

PR #13693 - changes from review

c0f394f

Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>

gregw requested changes Oct 21, 2025

View reviewed changes

jetty-core/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java Outdated Show resolved Hide resolved

lachlan-roberts requested a review from gregw October 21, 2025 00:19

gregw requested changes Oct 21, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Issue #12720 - fix servlet error dispatch for errors generated by SecurityHandler #13693

Issue #12720 - fix servlet error dispatch for errors generated by SecurityHandler #13693

Uh oh!

lachlan-roberts commented Oct 10, 2025

Uh oh!

gregw commented Oct 13, 2025

Uh oh!

gregw left a comment

Uh oh!

lachlan-roberts commented Oct 13, 2025

Uh oh!

Uh oh!

gregw Oct 21, 2025

Uh oh!

gregw Oct 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Issue #12720 - fix servlet error dispatch for errors generated by SecurityHandler #13693

Are you sure you want to change the base?

Issue #12720 - fix servlet error dispatch for errors generated by SecurityHandler #13693

Uh oh!

Conversation

lachlan-roberts commented Oct 10, 2025

Closes #12720

Uh oh!

gregw commented Oct 13, 2025

Uh oh!

gregw left a comment

Choose a reason for hiding this comment

Uh oh!

lachlan-roberts commented Oct 13, 2025

Uh oh!

Uh oh!

gregw Oct 21, 2025

Choose a reason for hiding this comment

Uh oh!

gregw Oct 21, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants