9.2.15.v20160210. As seen in JENKINS-37625 (workaround in https://github.com/jenkinsci/winstone/pull/31), it is possible to get

java.lang.IllegalStateException: Response is committed
    at org.eclipse.jetty.server.Request.getSession(Request.java:1400)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:260)
    at org.eclipse.jetty.security.authentication.DeferredAuthentication.authenticate(DeferredAuthentication.java:68)
    at org.eclipse.jetty.server.Request.getUserPrincipal(Request.java:1479)
    at org.eclipse.jetty.server.Request.getRemoteUser(Request.java:1087)
    at …

Seems to be a bug in Jetty’s FormAuthenticator in the sense that neither Authenticator.validateRequest nor its caller Deferred.authenticate makes any mention of a possible IllegalStateException being thrown. Certainly HttpServletRequest.getRemoteUser does not document such a runtime exception. HttpServletRequest.getSession does document it.

Or perhaps Request.getUserPrincipal should avoid considering Authentication.Deferred for a committed response.

AbstractNCSARequestLog is not affected since it bypasses Request.getRemoteUser (as well as .getResolvedUserIdentity) and checks directly for Authentication.User.
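The following is an added example, not code from Jetty, from the linked winstone pull request, or from the reporter. It sketches how a request log or post-response filter can read the user name the way the report says AbstractNCSARequestLog does, by checking for Authentication.User directly instead of calling Request.getRemoteUser. The class and method names are hypothetical, and the Jetty 9.2 server API is assumed to be on the classpath.

```java
import java.security.Principal;

import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;

/** Hypothetical helper for code that runs after the response may be committed. */
public final class LoggedUser {
    private LoggedUser() {}

    /**
     * Returns the name of an already-authenticated user, or null.
     * Only inspects the Authentication object; it never evaluates
     * Authentication.Deferred, so FormAuthenticator.validateRequest and
     * Request.getSession are not reached on a committed response.
     */
    public static String authenticatedName(Request request) {
        Authentication authentication = request.getAuthentication();
        if (!(authentication instanceof Authentication.User)) {
            return null; // deferred, unauthenticated, or no authentication set
        }
        UserIdentity identity = ((Authentication.User) authentication).getUserIdentity();
        Principal principal = identity == null ? null : identity.getUserPrincipal();
        return principal == null ? null : principal.getName();
    }

    /**
     * Variant that still permits deferred authentication while the response
     * is open, and degrades to null once it has been committed.
     */
    public static String remoteUserOrNull(Request request) {
        String name = authenticatedName(request);
        if (name != null || request.getResponse().isCommitted()) {
            return name;
        }
        try {
            return request.getRemoteUser();
        } catch (IllegalStateException e) {
            // Response was committed between the check and the call.
            return null;
        }
    }
}
```

For access logging, a null result should be recorded as an anonymous entry (for example "-") rather than dropped, so that requests that failed user resolution remain visible in the log.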