I am trying to configure a security handler on ServletContext in Jetty after Jetty start.
Like this:
Handler[] contextHandlers = contexts.getHandlers();
for(Handler context : contextHandlers) {
if(context instanceof ServletContextHandler && ((ServletContextHandler) context).getContextPath().equals("/api")) {
context.setSecurityHandler(securityHandler);
break;
}
But I get following exception:
java.lang.IllegalStateException: STARTED
at org.eclipse.jetty.servlet.ServletContextHandler.setSecurityHandler(ServletContextHandler.java:483)
Why is this not possible?
Screenshot:
EDIT:
I looked at the source code & there it checks for isStarted flag. Is it a security flaw to add security handler after jetty start?:
public void setSecurityHandler(SecurityHandler securityHandler)
{
if (isStarted())
throw new IllegalStateException("STARTED");
if (_securityHandler!=null)
_securityHandler.setHandler(null);
_securityHandler = securityHandler;
relinkHandlers();
}
(Reason, I have to do this is a bit complicated but I will try to explain: I am running a keycloak server behind a proxy which is reachable though my Jetty server. Let's say Jetty s running on host1 and keycloak is running on host2. But at time of setting keycloak security hanlder, whichever host is configured , keycloak allows authentication on tokens generated from that domain only. Therefore I want to configure Jetty host in security handler, which is not available until Jetty start)