How to configure security handler in embedded jetty after jetty start

I am trying to configure a security handler on a ServletContext in Jetty after Jetty starts.

Like this:

Handler[] contextHandlers = contexts.getHandlers();
for (Handler context : contextHandlers) {
    // Find the context mounted at /api and attach the security handler to it
    if (context instanceof ServletContextHandler
            && ((ServletContextHandler) context).getContextPath().equals("/api")) {
        ((ServletContextHandler) context).setSecurityHandler(securityHandler);
        break;
    }
}

But I get the following exception:

java.lang.IllegalStateException: STARTED
    at org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)

Why is this not possible?

EDIT:

I looked at the source code and there it checks for the isStarted flag. Is it a security flaw to add a security handler after Jetty starts?

public void setSecurityHandler(SecurityHandler securityHandler)
    {
        if (isStarted())
            throw new IllegalStateException("STARTED");

        if (_securityHandler!=null)
            _securityHandler.setHandler(null);
        _securityHandler = securityHandler;
        relinkHandlers();
    }

(The reason I have to do this is a bit complicated, but I will try to explain: I am running a Keycloak server behind a proxy which is reachable through my Jetty server. Let's say Jetty is running on host1 and Keycloak is running on host2. But at the time of setting the Keycloak security handler, whichever host is configured, Keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure the Jetty host in the security handler, which is not available until Jetty starts.)

You cannot modify the SecurityHandler on a running (started) webapp.

This is mostly due to the nature of the Servlet initialization lifecycle, and the myriad of components that need access to the Security layer and its configuration.

You cannot yank that layer out and change it after the fact.

You'll have to call:

myWebAppContext.stop();
myWebAppContext.setSecurityHandler(mySuperDooperSecurityHandler);
myWebAppContext.start();
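
The stop / set / start sequence from the answer, applied to the /api context from the question, as an added example that is not part of the original posts. It assumes the Jetty 9.4 package layout; the class name, the ephemeral port and the empty ConstraintSecurityHandler (standing in for the real handler, such as the Keycloak one the question mentions) are placeholders.

```java
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class SwapSecurityHandler {            // hypothetical class name
    public static void main(String[] args) throws Exception {
        Server server = new Server(0);        // port 0 = ephemeral port (assumption)
        ContextHandlerCollection contexts = new ContextHandlerCollection();
        ServletContextHandler api = new ServletContextHandler(ServletContextHandler.SESSIONS);
        api.setContextPath("/api");
        contexts.addHandler(api);
        server.setHandler(contexts);
        server.start();                       // /api is now STARTED, without a security handler

        // Placeholder for the handler that can only be built after start
        SecurityHandler securityHandler = new ConstraintSecurityHandler();

        for (Handler h : contexts.getHandlers()) {
            if (!(h instanceof ServletContextHandler)) continue;
            ServletContextHandler ctx = (ServletContextHandler) h;
            if (!"/api".equals(ctx.getContextPath())) continue;

            try {
                ctx.setSecurityHandler(securityHandler);   // rejected: context is started
            } catch (IllegalStateException e) {
                System.out.println("rejected while running: " + e.getMessage());
            }

            ctx.stop();                                    // stop only this context
            ctx.setSecurityHandler(securityHandler);       // accepted while stopped
            ctx.start();                                   // servlets re-initialise behind the handler
            System.out.println("installed: " + (ctx.getSecurityHandler() == securityHandler));
            break;
        }
        server.stop();
    }
}
```

Between server.start() and the swap, the /api context runs without the security handler, so where the handler can be built before start() that ordering is the safer one.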
