tessl/maven-org-eclipse-jetty--jetty-security
Security framework for Eclipse Jetty providing authentication, authorization, and user identity management.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-eclipse-jetty--jetty-security@12.0.0index.mddocs/
Jetty Security Framework
Package: org.eclipse.jetty:jetty-security:12.0.21
Java Version: 11+
Module: org.eclipse.jetty.security
Overview
The Jetty Security Framework provides comprehensive authentication, authorization, and user identity management for Java web applications. It offers a pluggable architecture supporting multiple authentication mechanisms (Basic, Form, Digest, Client Certificate, SPNEGO) with flexible login services and JAAS integration.
Installation
Maven
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-security</artifactId>
<version>12.0.21</version>
</dependency>Gradle
implementation 'org.eclipse.jetty:jetty-security:12.0.21'Core Imports
import org.eclipse.jetty.security.*;
import org.eclipse.jetty.security.authentication.*;
import org.eclipse.jetty.security.jaas.*;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.util.Callback;Basic Usage
Setting Up Security Handler
// Create security handler with form authentication
SecurityHandler.PathMapped security = new SecurityHandler.PathMapped();
security.setRealmName("MyRealm");
// Configure hash-based login service
HashLoginService loginService = new HashLoginService();
loginService.setName("MyRealm");
loginService.setConfig(Resource.newResource("realm.properties"));
security.setLoginService(loginService);
// Set authenticator
FormAuthenticator authenticator = new FormAuthenticator("/login.html", "/login-error.html", false);
security.setAuthenticator(authenticator);
// Add constraints
security.put("/*", Constraint.from("user"));
security.put("/admin/*", Constraint.from("admin"));Basic Authentication Example
public class BasicAuthExample {
public void setupBasicAuth() {
SecurityHandler.PathMapped security = new SecurityHandler.PathMapped();
security.setRealmName("SecureRealm");
// Create login service
HashLoginService loginService = new HashLoginService("SecureRealm");
security.setLoginService(loginService);
// Configure basic authenticator
BasicAuthenticator basicAuth = new BasicAuthenticator();
basicAuth.setCharset(StandardCharsets.UTF_8);
security.setAuthenticator(basicAuth);
// Set constraints
security.put("/api/*", Constraint.from("api-user"));
}
}Architecture
The Jetty Security Framework is built around several core components that work together to provide comprehensive security:
Core Interfaces
Authenticator- Handles authentication mechanisms (Basic, Form, Digest, etc.)LoginService- Manages user credentials and authenticationIdentityService- Associates user identities with execution threadsUserIdentity- Represents authenticated users with rolesConstraint- Defines security constraints for resources
Component Relationships
SecurityHandler
├── Authenticator (validates requests)
│ ├── BasicAuthenticator
│ ├── FormAuthenticator
│ ├── DigestAuthenticator
│ └── SslClientCertAuthenticator
│
├── LoginService (manages users)
│ ├── HashLoginService
│ ├── JDBCLoginService
│ └── JAASLoginService
│
└── IdentityService (thread association)
└── DefaultIdentityServiceCapabilities
Security Framework
Core security infrastructure with handlers, constraints, and authentication states:
// Security constraint definition
Constraint constraint = Constraint.from("admin", Constraint.Transport.SECURE, "admin", "manager");
// Authentication state handling
AuthenticationState auth = AuthenticationState.authenticate(request);
if (auth instanceof AuthenticationState.Succeeded) {
UserIdentity user = ((AuthenticationState.Succeeded) auth).getUserIdentity();
boolean isAdmin = user.isUserInRole("admin");
}Authentication
Multiple authentication mechanisms with session management:
// Form authentication with custom pages
FormAuthenticator formAuth = new FormAuthenticator("/custom-login.jsp", "/login-error.jsp", true);
// Digest authentication with nonce configuration
DigestAuthenticator digestAuth = new DigestAuthenticator();
digestAuth.setMaxNonceAge(60000);
digestAuth.setNonceSecret(System.currentTimeMillis());
// SSL client certificate authentication
SslClientCertAuthenticator certAuth = new SslClientCertAuthenticator();
certAuth.setValidateCerts(true);Login Services
Flexible user and role storage with multiple backends:
// Property file-based users
HashLoginService hashLogin = new HashLoginService("MyRealm",
Resource.newResource("users.properties"));
hashLogin.setReloadInterval(30); // Auto-reload every 30 seconds
// Database-backed authentication
JDBCLoginService jdbcLogin = new JDBCLoginService();
jdbcLogin.setConfig("jdbc.properties");
jdbcLogin.setUserTableName("users");
jdbcLogin.setRoleTableName("user_roles");JAAS Integration
Enterprise authentication with JAAS login modules:
// JAAS login service configuration
JAASLoginService jaasLogin = new JAASLoginService("JAASRealm");
jaasLogin.setLoginModuleName("myLoginModule");
jaasLogin.setCallbackHandlerClass("com.example.MyCallbackHandler");
jaasLogin.setRoleClassNames(new String[]{"com.example.MyRole"});
// LDAP login module configuration
LdapLoginModule ldapModule = new LdapLoginModule();
// Configuration via JAAS config file or programmaticallyUser Identity Management
User principals, roles, and identity services:
// Create user identity
UserIdentity identity = UserIdentity.from(
new Subject(),
new UserPrincipal("john", Credential.getCredential("password")),
"user", "developer"
);
// Role checking
boolean canAccess = identity.isUserInRole("admin");
// Identity service operations
IdentityService identityService = new DefaultIdentityService();
try (IdentityService.Association assoc = identityService.associate(identity, null)) {
// Execute with user context
performSecureOperation();
}Key Features
Security Mechanisms
- Multiple Authentication Types: Basic, Form, Digest, Client Certificate, SPNEGO
- Flexible Login Services: Hash-based, JDBC, JAAS, property files
- Role-Based Authorization: Fine-grained access control with role mappings
- Transport Security: HTTPS requirement enforcement
- Session Integration: Stateful authentication with session management
Enterprise Integration
- JAAS Support: Full integration with Java Authentication and Authorization Service
- LDAP Authentication: Enterprise directory services support
- Database Integration: JDBC-based user and role storage
- Custom Extensions: Pluggable authenticators and login services
Security Best Practices
- Credential Protection: Secure password hashing and storage
- Session Security: Session renewal on authentication
- CSRF Protection: Built-in form authentication protections
- Error Handling: Comprehensive exception handling for security failures
Common Patterns
Custom Authenticator
public class CustomAuthenticator extends LoginAuthenticator {
@Override
public String getAuthenticationType() {
return "CUSTOM";
}
@Override
public AuthenticationState validateRequest(Request request, Response response, Callback callback)
throws ServerAuthException {
// Custom authentication logic
String token = request.getHeaders().get("X-Auth-Token");
if (isValidToken(token)) {
UserIdentity user = createUserFromToken(token);
return new UserAuthenticationSucceeded(getAuthenticationType(), user);
}
return AuthenticationState.SEND_FAILURE;
}
}Programmatic Security Configuration
public void configureAdvancedSecurity(SecurityHandler security) {
// Multiple authentication types
security.setAuthenticator(new BasicAuthenticator());
// Session configuration
security.setSessionRenewedOnAuthentication(true);
security.setSessionMaxInactiveIntervalOnAuthentication(1800); // 30 minutes
// Complex constraints
security.put("/public/*", Constraint.ANY_USER);
security.put("/users/*", Constraint.KNOWN_ROLE);
security.put("/admin/*", Constraint.from("admin"));
security.put("/secure/*", Constraint.from("secure-user", Constraint.Transport.SECURE));
}Error Handling
try {
AuthenticationState auth = authenticator.validateRequest(request, response, callback);
if (auth instanceof AuthenticationState.Succeeded) {
// Authentication successful
UserIdentity user = ((AuthenticationState.Succeeded) auth).getUserIdentity();
} else {
// Authentication failed or challenge sent
handleAuthenticationFailure(auth);
}
} catch (ServerAuthException e) {
// Handle authentication errors
logger.error("Authentication error", e);
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR_500);
}Thread Safety
The Jetty Security Framework is designed to be thread-safe:
- Authenticators are stateless and can be shared across requests
- LoginServices handle concurrent authentication requests safely
- IdentityService provides thread-local user context management
- SecurityHandler can handle multiple concurrent requests
Performance Considerations
- Credential Caching: Login services cache user lookups for performance
- Session Storage: Authentication state is cached in HTTP sessions
- Database Connections: JDBC login services use connection pooling
- LDAP Connections: Connection reuse for directory service queries
This framework provides enterprise-grade security with the flexibility to adapt to various authentication requirements while maintaining high performance and security standards.