I am trying to find out if it is possible to do proxy authentication in Java using Jetty. I have been able to do basic and digest authentication schemes using Jetty, and there are easy ways in Jetty to set up these authentication schemes using pseudo code such as this:
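```java
import org.mortbay.jetty.security.Constraint;
import org.mortbay.jetty.security.ConstraintMapping;
import org.mortbay.jetty.security.SecurityHandler;

// Require an authenticated user in the "admin" role, using HTTP Basic.
Constraint constraint = new Constraint();
constraint.setName(Constraint.__BASIC_AUTH);
constraint.setRoles(new String[] {"admin"});
constraint.setAuthenticate(true);

// Apply the constraint to every path.
ConstraintMapping constraintMapping = new ConstraintMapping();
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");

// myrealm is a UserRealm configured elsewhere.
SecurityHandler securityHandler = new SecurityHandler();
securityHandler.setUserRealm(myrealm);
securityHandler.setConstraintMappings(new ConstraintMapping[] {constraintMapping});
```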
Similarly, for DIGEST authentication, `__BASIC_AUTH` can be replaced with `__DIGEST_AUTH`. I am using HttpServlets to handle requests/responses. However, if I want to achieve proxy based authentication, how do I do this?
Do I need to use the HttpServlet's `doGet()` and attempt authentication and explicit forwarding to another address, or is there a way using Jetty itself to set up a proxy based authentication (or a proxy localhost server) as shown in the pseudo code above?
Can I get some help for code to do proxy based authentication that authenticates and forwards HttpServlet requests to another servlet/server?

As for the current version of Jetty (9.3.3.v20150827), the `Proxy-Authenticate` header is not related in any way to the `WWW-Authenticate` header that the Servlet constraint system uses.

There is nothing built into the Servlet spec, or the Jetty implementation, to support the `Proxy-Authenticate` client header from a Constraint point of view.

However, using Jetty 9.3.x you can use the `AsyncProxyServlet`, `AsyncProxyServlet.Transparent`, `AsyncMiddleManServlet`, or `AsyncMiddleManServlet.Transparent` to have a means to handle this `Proxy-Authenticate` header in your own terms.

To accomplish this, you'll start by extending from one of those, and then overriding the `sendProxyRequest(HttpServletRequest clientRequest, HttpServletResponse proxyResponse, Request proxyRequest)`.

In your version of `sendProxyRequest()`, look at the `clientRequest` headers for `Proxy-Authenticate` and `Proxy-Authorize`, and perform the Proxy based authentication that best suits your needs.

If the authentication passes, then call `super.sendProxyRequest(clientRequest, proxyResponse, proxyRequest);`.

Otherwise use the `proxyResponse` to send back the challenge response.
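
A sketch of the override described in the answer above, added here as an illustration and not taken from the answer or from Jetty's own code. It assumes the Basic scheme, uses the header names defined in RFC 7235 (`Proxy-Authorization` on the request, `Proxy-Authenticate` on the 407 challenge), and reads the expected credentials from two hypothetical init parameters, `proxyUser` and `proxyPassword`; the class name and realm are also made up.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.proxy.AsyncProxyServlet;

public class AuthenticatingProxyServlet extends AsyncProxyServlet.Transparent {
    private static final String REALM = "example-proxy"; // assumed realm name
    private byte[] expected; // "user:password" bytes from the hypothetical init-params

    @Override
    public void init() throws ServletException {
        super.init();
        String user = getInitParameter("proxyUser");
        String pass = getInitParameter("proxyPassword");
        if (user == null || pass == null) // fail closed when unconfigured
            throw new UnavailableException("proxy credentials not configured");
        expected = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected void sendProxyRequest(HttpServletRequest clientRequest,
                                    HttpServletResponse proxyResponse, Request proxyRequest) {
        if (isAuthorized(clientRequest.getHeader("Proxy-Authorization"))) {
            super.sendProxyRequest(clientRequest, proxyResponse, proxyRequest);
            return;
        }
        // Send the challenge. The proxy servlet's service() has already started
        // async processing, so complete the context or the client waits forever.
        proxyResponse.setStatus(HttpServletResponse.SC_PROXY_AUTHENTICATION_REQUIRED);
        proxyResponse.setHeader("Proxy-Authenticate", "Basic realm=\"" + REALM + "\"");
        if (clientRequest.isAsyncStarted())
            clientRequest.getAsyncContext().complete();
    }

    private boolean isAuthorized(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6))
            return false; // missing header or a scheme other than Basic
        try {
            byte[] supplied = Base64.getDecoder().decode(header.substring(6).trim());
            return MessageDigest.isEqual(supplied, expected); // avoids early-exit compare
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
    }
}
```

Basic credentials cross the wire base64-encoded, not encrypted, so the client-to-proxy connection should run over TLS; a real deployment would also check against a credential store rather than a single configured pair.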