Search code examples
javaauthenticationservletsjettyproxy-server

proxy authentication using jetty

I am trying to find out if it is possible to do proxy authentication in Java using jetty. I have been able to do basic and digest authentication schemes using jetty and there are easy ways in Jetty to set up these authentication schemes using pseudo code as this:

constraint = org.mortbay.jetty.security.Constraint();
constraint.setName(constraint.('__BASIC_AUTH'))
constraint.setRoles({'admin'});
constraint.setAuthenticate(true);
constraintMapping = ConstraintMapping();
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec('/*');
securityHandler = SecurityHandler();
securityHandler.setUserRealm(myrealm);
securityHandler.setConstraintMappings(constraintMapping );

Similarly for DIGEST authentication __BASIC_AUTH can be replaced with __DIGEST_AUTH. I am using HttpServlets to handle requests/responses. However if I want to achieve proxy based authentication, how do I do this?

Do I need to use the httpservlet's doGet() and attempt authentication and explicit forwarding to another address or is there a way using jetty itself to setup a proxy based authentication(or a proxy localhost server) as shown in the pseudo above?

Can I get some help for code to do proxy based authentication that authenticates and forwards HttpServlet requests to another servlet/server?

Solution

  • As for the current version of Jetty (9.3.3.v20150827), the Proxy-Authenticate header is not related in any way to the WWW-Authenticate header that the Servlet constraint system.

    There is nothing built into the the Servlet spec, or the Jetty implementation to support the Proxy-Authenticate client header from a Constraint point of view.

    However, using Jetty 9.3.x you can use the the AsyncProxyServlet, AsyncProxyServlet.Transparent, AsyncMiddleManServlet, or AsyncMiddleManServlet.Transparent to have a means to handle this Proxy-Authenticate header in your own terms.

    To accomplish this, you'll start by extending from one of those, and then overriding the sendProxyRequest(HttpServletRequest clientRequest, HttpServletResponse proxyResponse, Request proxyRequest).

    In your version of sendProxyRequest(), look at the clientRequest headers for Proxy-Authenticate and Proxy-Authorize, and perform the Proxy based authentication that best suits your needs.

    If the authentication passes, then call super.sendProxyRequest(clientRequest, proxyResponse, proxyRequest);.

    Otherwise use the proxyResponse to send back the challenge response.