Jetty authentication architecture

Question

The Jetty authentication architecture uses the following 4 interfaces:

org.eclipse.jetty.server.UserIdentity
org.eclipse.jetty.security.LoginService
org.eclipse.jetty.security.IdentityService
java.security.Principal

Could somebody explain how these 4 interfaces interact to eachother in the authentication flow.

Browsing through the code seems not very helpful because there are so many corner cases. I am just interesting in the main flow.

Answer 1

This question is hard to answer as its very open ended / vague.

I'll try the simple answer first.

First, the basics, what's provided by the JVM:

• java.security.Principal - this is the Servlet spec object that holds the person / company / group (login name).
• javax.security.auth.Subject - this holds related information about the Principal (see link to javadoc for list of things it can reveal)

Now the Jetty specifics:

• org.eclipse.jetty.server.UserIdentity - this represents the identification for the user. aka the Principal and Subject for the user (if principal is null, then the user is not authenticated). This also includes some methods to help with isUserInRole(String) style logic.
• org.eclipse.jetty.security.IdentityService - this associates the UserIdentity with the scope / thread that is belongs to. (this is an advanced concept that some security implementations need to hook into to handle security properly. Jetty only ships with a default behavior that merely creates and performs no such association for UserIdentity . As its not needed for the security implementations that Jetty ships with).
• org.eclipse.jetty.security.LoginService - this is the API for security implementations to use to create/validate/destroy runtime UserIdentity objects from a login() and logout() style events.

Finally, how it ties together:

• A org.eclipse.jetty.security.Authenticator is responsible for the HTTP portion of the authentication piece, such as responding with 401 Unauthorized and 403 Forbidden . It uses the LoginService to do its thing.
• The LoginService uses the IdentityService to associate the UserIdentity to the thread processing the request.
• The default Servlet behavior exposes the Principal directly, via HttpServletRequest.getUserPrincipal() .
• The Subject is not available via the standard Servlet API.
• The UserIdentity is partially exposed via the HttpServletRequest.isUserInRole(String role) method.
• The LoginService is not accessible via the Servlet API directly, but you can use the HttpServletRequest.login(String user, String pass) and HttpServletRequest.logout() respectively to access these essential features.
• There are also some authentication and authorization features of the Servlet spec that are auto wired:
  • Any <security-constraint> sections in the WEB-INF/web.xml
  • Use of javax.annotation.security annotations:
    • @DeclareRoles
    • @DenyAll
    • @PermitAll
    • @RolesAllowed
    • @RunAs