jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Request.getRemoteUser can throw undeclared IllegalStateException via DeferredAuthentication & FormAuthenticator #1267

Closed jglick closed 7 years ago

jglick commented 7 years ago

9.2.15.v20160210. As seen in JENKINS-37625 (workaround in https://github.com/jenkinsci/winstone/pull/31), it is possible to get

java.lang.IllegalStateException: Response is committed
    at org.eclipse.jetty.server.Request.getSession(Request.java:1400)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:260)
    at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:68)
    at org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1479)
    at org.eclipse.jetty.server.Request.getRemoteUser(Request.java:1087)
    at …

Seems to be a bug in Jetty’s FormAuthenticator in the sense that neither Authenticator.validateRequest nor its caller Deferred.authenticate makes any mention of a possible IllegalStateException being thrown. Certainly HttpServletRequest.getRemoteUser does not document such a runtime exception. HttpServletRequest.getSession does document it.

Or perhaps Request.getUserPrincipal should avoid considering Authentication.Deferred for a committed response.

AbstractNCSARequestLog is not affected since it bypasses Request.getRemoteUser (as well as .getResolvedUserIdentity) and checks directly for Authentication.User.
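As an added illustration of the distinction drawn above (not code from Jetty, Jenkins or this issue's author): a hypothetical helper that resolves the remote user the way AbstractNCSARequestLog does, by reading the already-established Authentication.User on Jetty's Request instead of calling HttpServletRequest.getRemoteUser(), so a still-deferred authentication is never forced on a committed response. It assumes the Jetty 9.2 javax.servlet API and the Request.getAuthentication(), Authentication.User and UserIdentity types from org.eclipse.jetty.server; the class and method names are placeholders.

```java
import java.security.Principal;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;

/**
 * Hypothetical helper (not Jetty or Jenkins code) for code that wants the
 * remote user after the response has been written, e.g. a request log.
 * On Jetty 9.2.15 with a FormAuthenticator, getRemoteUser() on a request
 * whose authentication is still Deferred ends in getSession(), which throws
 * IllegalStateException("Response is committed") once the response is out.
 */
public final class SafeRemoteUser {

    private SafeRemoteUser() {}

    /** Returns the authenticated user's name, or null if none was established. */
    public static String remoteUserWithoutTriggeringAuth(ServletRequest req) {
        Request base = unwrap(req);
        if (base == null) {
            return null; // not a Jetty request; nothing safe to read here
        }
        Authentication auth = base.getAuthentication();
        if (auth instanceof Authentication.User) {
            UserIdentity identity = ((Authentication.User) auth).getUserIdentity();
            Principal p = identity.getUserPrincipal();
            return p == null ? null : p.getName();
        }
        // Authentication.Deferred or unauthenticated: do not resolve it now,
        // because doing so may call getSession(true) on a committed response.
        return null;
    }

    /** Walks ServletRequestWrapper layers down to Jetty's own Request, if any. */
    private static Request unwrap(ServletRequest req) {
        while (req != null) {
            if (req instanceof Request) {
                return (Request) req;
            }
            if (!(req instanceof ServletRequestWrapper)) {
                return null;
            }
            req = ((ServletRequestWrapper) req).getRequest();
        }
        return null;
    }
}
```

Calling the helper from the tail of a Filter (after chain.doFilter) or from a custom RequestLog logs "-" for unauthenticated or deferred requests instead of throwing.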

janbartel commented 7 years ago

@jglick can you provide an example of the security constraints that you have set up that would be relevant for this request?

janbartel commented 7 years ago

Fix committed in jetty-9.2.x, jetty-9.3.x, jetty-9.4.x and master branches.