Doesn't seem to work with sbt #18

Open
hertg opened this issue Mar 22, 2019 · 9 comments

@hertg

hertg commented Mar 22, 2019

I couldn't get this project to work properly with sbt.
I'm fairly certain that it has something to do with the Basic Auth, because you are forced to define a realm for the credentials in sbt, but this project doesn't return any.

curl https://maven.company.com -vv returns WWW-Authenticate: Basic instead of WWW-Authenticate: Basic realm="some-realm-name"

I have already commented on an open issue on sbt describing the problem (link)

However, I do believe that it would be fairly simple to just return a realm in this application.
Unfortunately, I wasn't able to do it myself, because I lack knowledge about JAX-RS.

@renaudcerrato
Owner

Thanks for reporting. Indeed, adding a realm isn't that hard. I'll look into this asap!

@renaudcerrato
Owner

We'd just need to add a login-config to the web.xml IMO:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>the_realm</realm-name>
</login-config>

@hertg
Author

hertg commented Mar 22, 2019

Thanks for the fast response!
I've actually already tried that, but it doesn't seem to work.
It's still returning WWW-Authenticate: Basic

@renaudcerrato
Owner

Very weird. I'm AFK right now, will look into this asap.

@hertg
Author

hertg commented Mar 25, 2019

It has to be in the <web-app> object, right? Here's my full web.xml:

<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">


    <servlet>
        <servlet-name>jerseyServlet</servlet-name>

        <servlet-class>
            org.glassfish.jersey.servlet.ServletContainer
        </servlet-class>

        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>repo.Application</param-value>
        </init-param>

        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>jerseyServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>/_ah/start</web-resource-name>
            <url-pattern>/_ah/start</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my-realm-name</realm-name>
    </login-config>
</web-app>

Btw, I've added the /_ah/start route to allow basic scaling in the Google App Engine. This route has to return 200 OK, it won't work otherwise.

@renaudcerrato
Owner

Looks correct. So, still no realm?

@hertg
Author

hertg commented Mar 25, 2019

No, unfortunately not

@hertg
Author

hertg commented Mar 25, 2019

Well, I've got it working with a very dirty workaround.

I created the class repo/provider/ResponseServerFilter.java

package repo.provider;

import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;

public class ResponseServerFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
        responseContext.getHeaders().remove("WWW-Authenticate");
        responseContext.getHeaders().add("WWW-Authenticate", "Basic realm=\"my-realm-name\"");
    }

}

and registered it in repo/Application.java

public Application() throws IOException {
    ...
    register(ResponseServerFilter.class);
    ...
}

So the server just automatically replaces the WWW-Authenticate header for every request.
That's a very dirty solution, and it would probably be a lot better to implement the Basic-Auth correctly.

I think some parts of the Basic-Auth implementation are a bit odd, because the login-config should theoretically work, from what I've found. Also, it looks a bit different from examples I've found online (?) (e.g. https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF113)
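
A narrower variant of the response-filter workaround above, as an added example that is not code from the project or from either participant: it rewrites the challenge only on 401 responses and only when a Basic challenge lacks the realm parameter that RFC 7617 requires. The class name `BasicRealmChallengeFilter` and the realm value are assumptions, and the filter assumes the header values are plain strings holding one challenge each.

```java
package repo.provider;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

// Added example with a hypothetical class name; not part of the project.
public class BasicRealmChallengeFilter implements ContainerResponseFilter {

    // Assumed realm; it has to match the realm configured in the sbt credentials.
    static final String REALM = "my-realm-name";

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext res) {
        // Only a 401 carries a challenge; every other response is left untouched.
        if (res.getStatus() != Response.Status.UNAUTHORIZED.getStatusCode()) return;
        List<Object> current = res.getHeaders().get(HttpHeaders.WWW_AUTHENTICATE);
        if (current == null) return;
        List<Object> fixed = new ArrayList<>();
        for (Object value : current) fixed.add(withRealm(String.valueOf(value)));
        res.getHeaders().put(HttpHeaders.WWW_AUTHENTICATE, fixed);
    }

    // Adds the realm to a bare "Basic" challenge. Other schemes, and Basic
    // challenges that already name a realm, are returned unchanged.
    static String withRealm(String challenge) {
        String c = challenge.trim();
        if (!c.regionMatches(true, 0, "Basic", 0, 5)) return challenge;
        String rest = c.substring(5);
        // Reject scheme names that merely start with "Basic".
        if (!rest.isEmpty() && !Character.isWhitespace(rest.charAt(0))) return challenge;
        if (rest.toLowerCase(Locale.ROOT).contains("realm=")) return challenge;
        String params = rest.trim(); // e.g. charset="UTF-8"
        return "Basic realm=\"" + REALM + "\"" + (params.isEmpty() ? "" : ", " + params);
    }
}
```

It is registered the same way as the filter in the comment above, with `register(BasicRealmChallengeFilter.class)`.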

@renaudcerrato
Owner

Weird....
