How to configure security handler in embedded jetty after jetty start
I am trying to configure a security handler on ServletContext in Jetty after Jetty start.
Like this:
Handler contextHandlers = contexts.getHandlers();
for(Handler context : contextHandlers) {
if(context instanceof ServletContextHandler && ((ServletContextHandler) context).getContextPath().equals("/api"))
context.setSecurityHandler(securityHandler);
break;
But I get following exception:
java.lang.IllegalStateException: STARTED
at
org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)
Why is this not possible?
Screenshot:
EDIT:
I looked at the source code & there it checks for isStarted flag. Is it a security flaw to add security handler after jetty start?:
public void setSecurityHandler(SecurityHandler securityHandler)
if (isStarted())
throw new IllegalStateException("STARTED");
if (_securityHandler!=null)
_securityHandler.setHandler(null);
_securityHandler = securityHandler;
relinkHandlers();
(Reason, I have to do this is a bit complicated but I will try to explain: I am running a keycloak server behind a proxy which is reachable though my Jetty server. Let's say Jetty s running on host1 and keycloak is running on host2. But at time of setting keycloak security hanlder, whichever host is configured , keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure Jetty host in security handler, which is not available until Jetty start)
java jetty keycloak embedded-jetty
add a comment |
I am trying to configure a security handler on ServletContext in Jetty after Jetty start.
Like this:
Handler contextHandlers = contexts.getHandlers();
for(Handler context : contextHandlers) {
if(context instanceof ServletContextHandler && ((ServletContextHandler) context).getContextPath().equals("/api"))
context.setSecurityHandler(securityHandler);
break;
But I get following exception:
java.lang.IllegalStateException: STARTED
at
org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)
Why is this not possible?
Screenshot:
EDIT:
I looked at the source code & there it checks for isStarted flag. Is it a security flaw to add security handler after jetty start?:
public void setSecurityHandler(SecurityHandler securityHandler)
if (isStarted())
throw new IllegalStateException("STARTED");
if (_securityHandler!=null)
_securityHandler.setHandler(null);
_securityHandler = securityHandler;
relinkHandlers();
(Reason, I have to do this is a bit complicated but I will try to explain: I am running a keycloak server behind a proxy which is reachable though my Jetty server. Let's say Jetty s running on host1 and keycloak is running on host2. But at time of setting keycloak security hanlder, whichever host is configured , keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure Jetty host in security handler, which is not available until Jetty start)
java jetty keycloak embedded-jetty
add a comment |
I am trying to configure a security handler on ServletContext in Jetty after Jetty start.
Like this:
Handler contextHandlers = contexts.getHandlers();
for(Handler context : contextHandlers) {
if(context instanceof ServletContextHandler && ((ServletContextHandler) context).getContextPath().equals("/api"))
context.setSecurityHandler(securityHandler);
break;
But I get following exception:
java.lang.IllegalStateException: STARTED
at
org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)
Why is this not possible?
Screenshot:
EDIT:
I looked at the source code & there it checks for isStarted flag. Is it a security flaw to add security handler after jetty start?:
public void setSecurityHandler(SecurityHandler securityHandler)
if (isStarted())
throw new IllegalStateException("STARTED");
if (_securityHandler!=null)
_securityHandler.setHandler(null);
_securityHandler = securityHandler;
relinkHandlers();
(Reason, I have to do this is a bit complicated but I will try to explain: I am running a keycloak server behind a proxy which is reachable though my Jetty server. Let's say Jetty s running on host1 and keycloak is running on host2. But at time of setting keycloak security hanlder, whichever host is configured , keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure Jetty host in security handler, which is not available until Jetty start)
java jetty keycloak embedded-jetty
I am trying to configure a security handler on ServletContext in Jetty after Jetty start.
Like this:
Handler contextHandlers = contexts.getHandlers();
for(Handler context : contextHandlers) {
if(context instanceof ServletContextHandler && ((ServletContextHandler) context).getContextPath().equals("/api"))
context.setSecurityHandler(securityHandler);
break;
But I get following exception:
java.lang.IllegalStateException: STARTED
at
org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)
Why is this not possible?
Screenshot:
EDIT:
I looked at the source code & there it checks for isStarted flag. Is it a security flaw to add security handler after jetty start?:
public void setSecurityHandler(SecurityHandler securityHandler)
if (isStarted())
throw new IllegalStateException("STARTED");
if (_securityHandler!=null)
_securityHandler.setHandler(null);
_securityHandler = securityHandler;
relinkHandlers();
(Reason, I have to do this is a bit complicated but I will try to explain: I am running a keycloak server behind a proxy which is reachable though my Jetty server. Let's say Jetty s running on host1 and keycloak is running on host2. But at time of setting keycloak security hanlder, whichever host is configured , keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure Jetty host in security handler, which is not available until Jetty start)
java jetty keycloak embedded-jetty
java jetty keycloak embedded-jetty
edited Nov 14 '18 at 5:57
tryingToLearn
asked Nov 14 '18 at 4:20
tryingToLearntryingToLearn
2,60222750
2,60222750
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
You cannot modify the SecurityHandler
on a running (started) webapp.
This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.
You cannot yank that layer out and change it after the fact.
You'll have to call:
myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53293147%2fhow-to-configure-security-handler-in-embedded-jetty-after-jetty-start%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You cannot modify the SecurityHandler
on a running (started) webapp.
This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.
You cannot yank that layer out and change it after the fact.
You'll have to call:
myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
add a comment |
You cannot modify the SecurityHandler
on a running (started) webapp.
This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.
You cannot yank that layer out and change it after the fact.
You'll have to call:
myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
add a comment |
You cannot modify the SecurityHandler
on a running (started) webapp.
This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.
You cannot yank that layer out and change it after the fact.
You'll have to call:
myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
You cannot modify the SecurityHandler
on a running (started) webapp.
This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.
You cannot yank that layer out and change it after the fact.
You'll have to call:
myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
answered Nov 14 '18 at 12:28
Joakim ErdfeltJoakim Erdfelt
32.6k45795
32.6k45795
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53293147%2fhow-to-configure-security-handler-in-embedded-jetty-after-jetty-start%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown