jetty.project icon indicating copy to clipboard operation
jetty.project copied to clipboard

Published 20 hours ago verified publisher icon jetty

Jetty 12 Core SecurityHandler relies on ContextHandler

Open lachlan-roberts opened this issue 1 year ago • 2 comments

Jetty version(s) 12.0.x

Description The core SecurityHandler currently depends on being behind a ContextHandler. It implements the method:

public static SecurityHandler getCurrentSecurityHandler()
{
    ContextHandler contextHandler = ContextHandler.getCurrentContextHandler();
    if (contextHandler != null)
        return contextHandler.getDescendant(SecurityHandler.class);
    return null;
}

Which only works if it has a ContextHandler.

I think we should either; implement a way to get the current SecurityHandler without relying on ContextHandler OR we enforce that we are behind a ContextHandler during the SecurityHandler.doStart().

lachlan-roberts avatar Jun 06 '24 13:06 lachlan-roberts

It should be easy enough to add some code that if contextHandler is null, then to ask the server for its descendants security handlers.

Who calls this method and why?

gregw avatar Jun 06 '24 22:06 gregw

It is used by UserAuthenticationSucceeded#logout and SessionAuthentication#readObject.

It should be easy enough to add some code that if contextHandler is null, then to ask the server for its descendants security handlers.

Is there a static method to get the server somewhere? I couldn't find one.

lachlan-roberts avatar Jun 07 '24 04:06 lachlan-roberts