FormAuthenticator does not dispatch to an error page but redirect

[rakeshk15]

Jetty version(s)
Jetty 12.0.0

Java version/vendor
Java 17

OS type/version
macOS Ventura 13.5

Description
Jetty 12 FormAuthenticator constructor takes the dispatch argument and I have passed true there but when there is a login error then the redirect happens and not dispatch.

Jetty 11 dispatches the request if the dispatch is true.

This is inconsistent behaviour.

[lachlan-roberts]

There are multiple versions of FormAuthenticator in Jetty-12. I assume you're talking about the jetty-core version. Because its in jetty-core it doesn't know about servlets and dispatching at all. The ee8/ee9 version of FormAuthenticator does, and so it should be respecting the dispatch setting.

If you need the dispatching behaviour we will need to look into implementing some extension of this class that will live in the jetty-ee10-security module.

But regardless, the constructor argument should be removed because it is not possible to do a servlet dispatch from this class.

[rakeshk15]

It makes sense, thanks for the clarification @lachlan-roberts.

Will the ee10 version of FormAuthenticator be made available in upcoming releases, 12.0.x maybe?

[lachlan-roberts]

@rakeshk15 yes this will be in a future 12.0.x release, which shouldn't be too long.
I am looking at how to implement a fix now, will update this issue when I have a PR.

[lachlan-roberts]

@rakeshk15 I have opened a PR for this (#10313), but it has been marked as low priority for the moment.

Could you describe your use-case and why you require this feature.

[rakeshk15]

@lachlan-roberts I have a login page where on putting the wrong username/password I show an error message, since in Jetty 11 the request was dispatched to the error page in case of login error(basically the form login page and error pages are same) and the error message was shown but now with Jetty 12 there is a redirect to form error page thats why the error attribute set from the backend is lost and user never gets to know what actually had happened.

Basically this is my setup for FormAuthenticator

There is a servlet mounted at /admin/login which renders the login page, user submits the credentials to /j_security_check, FormAuthenticator(Jetty 11) kicks in and if the credentials are wrong it dispatches to error page which is nothing but the /admin/login url, since in this case the request remains a POST and there is a doPost method in servlet, so request comes in there and I set the error attribute there and re-renders the login template.

This way the error message is displayed to the user but if there is a redirect then the attribute i set is lost and no error message is displayed.

This is the reason I was looking for this feature.

[lachlan-roberts]

@rakeshk15 PR #10313 has been merged, the jetty-core form authenticator will now dispatch to a target in EE10 without a redirect.

It is marked for the 12.0.1 release which should be very soon.

[rakeshk15]

thanks you @lachlan-roberts