Jetty: programmatically authentication not working after reboot

Question

I am new to Jetty and working on a test app to do the basic authentication. There is no web.xml in the project. Everything is handled by code.

I followed this example: https://github.com/eclipse/jetty.project/blob/master/examples/embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java

Here is the test code

Server server = new Server(8080);
LoginService loginService = new HashLoginService("MyRealm", path);
loginService.setRefreshInterval(5);
server.addBean(loginService);

ConstraintSecurityHandler security = new ConstraintSecurityHandler();
server.setHandler(security);

Constraint constraint = new Constraint();
constraint.setName("auth");
constraint.setAuthenticate(true);
constraint.setRoles(new String[] { "user", "admin" });

ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/*");
mapping.setConstraint(constraint);

security.setConstraintMappings(Collections.singletonList(mapping));
security.setAuthenticator(new BasicAuthenticator());
security.setLoginService(loginService);

HelloWorld hw = new HelloWorld();
security.setHandler(hw);

server.start();

Here is my test realm.properties

guest:CRYPT:guVeRgi5kAY4k,user,admin

The code is triggered by a test button in a test PDE project. When the server started for the first time, it prompted a window for username/password. I typed "guest" and "guest", and it worked. But after that, when I restarted the server, it never asked for username/password again. The page was loaded without authentication. If I changed password in the realm property file, the prompt will show up again, and still only for that one time. What did I miss? Thanks

Answer 1

Standard HTTP Cookie and Servlet Session behavior is what is going on.

The restart of the server doesn't cause the client provided Cookies to no longer work. You'll want to configure your Cookie and Session behavior to suit your needs (search on SessionCookieConfig and its ilk).