Skip to content

fixes for Response.writeError with servlet error dispatch #12698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lachlan-roberts merged 11 commits into from
Apr 3, 2025
Merged

fixes for Response.writeError with servlet error dispatch #12698

lachlan-roberts merged 11 commits into from
Apr 3, 2025

Conversation

@lachlan-roberts
Copy link
Contributor

@lachlan-roberts lachlan-roberts commented Jan 10, 2025

See issue #12697

Doing a Response.writeError() will try to invoke the servlet ErrorHandler, which can do an ERROR dispatch. This does not work properly if it is not done from within the scope of the ServletChannel.

  • Add checks inside the ErrorHandler implementations to stop dispatching to error pages unless we have already started the ServletChannel.
  • Authenticators now use the ServletChannel mechanism to do a sendError() when the ServletChannel starts handling the request. It uses a new static method ErrorHandler.writeError which is overriden by the servlet ErrorHandlers.

@lachlan-roberts
Issue #12697 - do not dispatch to error page outside of ServletChannel
65495d7 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts
Issue #12697 - resolve use of Response.writeError in authenticators
7f31cb4 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts
Issue #12697 - improve testing for FormAuthenticatorTest
cf504e5 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts
PR #12698 - fixes for SignInWithEthereumTest
d7e2743 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts lachlan-roberts marked this pull request as ready for review January 14, 2025 06:48
@janbartel
Copy link
Contributor

janbartel commented Jan 15, 2025

@lachlan-roberts this is quite a hefty refactor of ee10 error handling code, of publically available methods - are you sure we shouldn't just be doing this in ee11 only?

@lachlan-roberts
Copy link
Contributor Author

lachlan-roberts commented Jan 15, 2025

@janbartel I have aligned the EE10 ErrorHandler with changes from the EE11 one.

I think maybe the changes can be reduced, but I wanted the EE10 ErrorHandler to extend the core ErrorHandler like the EE11 one does, so that I could introduce this new ErrorHandler.writeError method.

If we really don't want to change the EE10 ErrorHandler I could introduce a new interface which both EE10 and EE11 ErrorHandlers could extend.

@lachlan-roberts lachlan-roberts self-assigned this Jan 15, 2025
@janbartel janbartel mentioned this pull request Jan 17, 2025
Closed
@lachlan-roberts
PR #12698 - changes from review
e7c003a 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts
Copy link
Contributor Author

lachlan-roberts commented Jan 17, 2025

@gregw @janbartel ready for review

gregw
gregw requested changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@gregw gregw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a few documentation changes

I also restarted CI, to get a clean build

@lachlan-roberts
PR #12698 - add comments and javadoc from review
08a3be7 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts lachlan-roberts requested a review from gregw January 28, 2025 03:35
@gregw
Copy link
Contributor

gregw commented Jan 28, 2025

Hmm AsyncMiddleMan tests failing here as well. So probably unrelated.

gregw
gregw requested changes Jan 28, 2025
View reviewed changes
Copy link
Contributor

@gregw gregw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor niggle

@lachlan-roberts
PR #12698 - changes to javadoc from review
8d0111c 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
gregw
gregw requested changes Mar 4, 2025
View reviewed changes
...tty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
value += ", charset=\"" + charset.name() + "\"";
res.getHeaders().put(HttpHeader.WWW_AUTHENTICATE.asString(), value);

// Don't use AuthenticationState.writeError, to avoid possibility of doing a Servlet error dispatch.
Copy link
Contributor

@gregw gregw Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a known specific set of cases/codes for which we want to avoid doing a Servlet error dispatch? If so, can we codify in AuthenticationState.writeError and just always call it?

Copy link
Contributor Author

@lachlan-roberts lachlan-roberts Mar 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think its just based on the use case rather than the code. I don't see why 401 couldn't be dispatched to a servlet error handler in a different case.

Although we only ever use AuthenticationState.writeError with 403 status codes.

@lachlan-roberts
PR #12698 - changes from review
ea61d5f 
Signed-off-by: Lachlan Roberts <lachlan.p.roberts@gmail.com>
@lachlan-roberts lachlan-roberts merged commit 6b00af8 into jetty-12.1.x Apr 3, 2025
10 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in Jetty 12.1.0 - (FROZEN) Apr 3, 2025
@lachlan-roberts lachlan-roberts deleted the fix/12.1.x/writeErrorBeforeServlet branch April 3, 2025 00:37
@olamy olamy mentioned this pull request Jun 3, 2025
Merged
@lachlan-roberts lachlan-roberts mentioned this pull request Jun 23, 2025
Closed
@olamy olamy mentioned this pull request Jul 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gregw gregw gregw approved these changes

@janbartel janbartel Awaiting requested review from janbartel

Assignees

@lachlan-roberts lachlan-roberts

Labels

None yet

Projects

No open projects
Jetty 12.1.0 - (FROZEN)
Status: ✅ Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lachlan-roberts @janbartel @gregw