From 29a8d5d2bde421fb58a2f547e1ecd6d9ee4105d3 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Mon, 2 Aug 2021 15:22:43 +1000
Subject: [PATCH 1/3] Issue #6554 - create the DefaultIdentityService even if no realmName is provided

Signed-off-by: Lachlan Roberts
---
 .../java/org/eclipse/jetty/security/SecurityHandler.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 6fb32155cb6d..c235eabbaf7f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -334,11 +334,8 @@ protected void doStart()
 if (_identityService == null)
 {
- if (_realmName != null)
- {
- setIdentityService(new DefaultIdentityService());
- manage(_identityService);
- }
+ setIdentityService(new DefaultIdentityService());
+ manage(_identityService);
 }
 else
 unmanage(_identityService);
From d35ff03e61cccdfaf311e237c89a89a490ccedfe Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Mon, 2 Aug 2021 15:23:28 +1000
Subject: [PATCH 2/3] Issue #6554 - DefaultAuthenticatorFactory should not create BasicAuthenticator for null AuthMethod

Signed-off-by: Lachlan Roberts
---
 .../eclipse/jetty/security/DefaultAuthenticatorFactory.java | 2 +-
 .../java/org/eclipse/jetty/security/SecurityHandler.java | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
index 722599c47d16..e25bd9954e39 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/DefaultAuthenticatorFactory.java
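Review bot: In PATCH 1/3 the now-unconditional fallback in SecurityHandler.doStart() carries no comment explaining why a DefaultIdentityService is created even when `_realmName` is null, and that reasoning is what stops someone from restoring the guard later. I would add above the call: `// Always install a DefaultIdentityService, even without a realm, so an explicitly configured Authenticator still receives one through its AuthConfiguration.` The discovery logic that runs before this block and the rest of doStart() are outside the hunk, so whether an IdentityService supplied by a LoginService still takes precedence should be confirmed there.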
@@ -62,7 +62,7 @@ public Authenticator getAuthenticator(Server server, ServletContext context, Aut
 String auth = configuration.getAuthMethod();
 Authenticator authenticator = null;
- if (auth == null || Constraint.__BASIC_AUTH.equalsIgnoreCase(auth))
+ if (Constraint.__BASIC_AUTH.equalsIgnoreCase(auth))
 authenticator = new BasicAuthenticator();
 else if (Constraint.__DIGEST_AUTH.equalsIgnoreCase(auth))
 authenticator = new DigestAuthenticator();
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index c235eabbaf7f..f502898aac2d 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -293,9 +293,6 @@ protected IdentityService findIdentityService()
 return getServer().getBean(IdentityService.class);
 }
- /**
- *
- */
 @Override
 protected void doStart()
 throws Exception
@@ -349,7 +346,7 @@ else if (_loginService.getIdentityService() != _identityService)
 throw new IllegalStateException("LoginService has different IdentityService to " + this);
 }
- if (_authenticator == null && _identityService != null)
+ if (_authenticator == null)
 {
 // If someone has set an authenticator factory only use that, otherwise try the list of discovered factories.
 if (_authenticatorFactory != null)
@@ -396,7 +393,6 @@ else if (_realmName != null)
 }
 @Override
-
 protected void doStop() throws Exception
 {
 //if we discovered the services (rather than had them explicitly configured), remove them.
From 705fe19e2af61f65303bf0335e5168c2be0becbd Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Wed, 25 Aug 2021 12:10:06 +1000
Subject: [PATCH 3/3] Issue #6554 - add test for creation of DefaultIdentityService
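Review bot: With `auth == null ||` removed in DefaultAuthenticatorFactory.getAuthenticator(), a null auth method falls through every branch, so the factory presumably returns a null Authenticator where it used to return a BasicAuthenticator; the rest of the chain and the return statement are outside this hunk. That is a behaviour change for deployments that declared constraints without an auth method, so it is worth confirming that requests to constrained paths are refused, not served, when no Authenticator is present. The method Javadoc should record it, for example `@return the Authenticator for the configured auth method, or null if no auth method is set (BASIC is no longer assumed)`.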
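Review bot: The simplified `if (_authenticator == null)` in SecurityHandler.doStart() depends on `_identityService` already being non-null, an invariant established earlier in the method by PATCH 1/3 and not stated anywhere near this check. A one-line comment such as `// _identityService is non-null here: doStart() falls back to a DefaultIdentityService above.` would make that dependency explicit. Separately, the `else if (_realmName != null)` shown in the header of the last hunk suggests a missing Authenticator is treated as an error only when a realm is set; if so, a handler with no realm and no auth method now starts with no Authenticator and no diagnostic, and a warning log on that path would help operators notice. The factory loop and that final check are outside the visible lines.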
Signed-off-by: Lachlan Roberts
---
 .../security/DefaultIdentityServiceTest.java | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 jetty-security/src/test/java/org/eclipse/jetty/security/DefaultIdentityServiceTest.java

diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/DefaultIdentityServiceTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/DefaultIdentityServiceTest.java
new file mode 100644
index 000000000000..735ee27eab1c
--- /dev/null
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/DefaultIdentityServiceTest.java
@@ -0,0 +1,89 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.security;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.eclipse.jetty.server.Authentication;
+import org.eclipse.jetty.server.Server;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.instanceOf;
+
+public class DefaultIdentityServiceTest
+{
+ @Test
+ public void testDefaultIdentityService() throws Exception
+ {
+ Server server = new Server();
+ ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
+ TestAuthenticator authenticator = new TestAuthenticator();
+ securityHandler.setAuthenticator(authenticator);
+
+ try
+ {
+ server.setHandler(securityHandler);
+ server.start();
+
+ // The DefaultIdentityService should have been created by default.
+ assertThat(securityHandler.getIdentityService(), instanceOf(DefaultIdentityService.class));
+ assertThat(authenticator.getIdentityService(), instanceOf(DefaultIdentityService.class));
+ }
+ finally
+ {
+ server.stop();
+ }
+ }
+
+ public static class TestAuthenticator implements Authenticator
+ {
+ private IdentityService _identityService;
+
+ public IdentityService getIdentityService()
+ {
+ return _identityService;
+ }
+
+ @Override
+ public void setConfiguration(AuthConfiguration configuration)
+ {
+ _identityService = configuration.getIdentityService();
+ }
+
+ @Override
+ public String getAuthMethod()
+ {
+ return getClass().getSimpleName();
+ }
+
+ @Override
+ public void prepareRequest(ServletRequest request)
+ {
+ }
+
+ @Override
+ public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
+ {
+ return null;
+ }
+
+ @Override
+ public boolean secureResponse(ServletRequest request, ServletResponse response, boolean mandatory, Authentication.User validatedUser) throws ServerAuthException
+ {
+ return false;
+ }
+ }
+}
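Review bot: testDefaultIdentityService() only exercises a handler with an explicitly set Authenticator, so the PATCH 2/3 change (a null auth method no longer selects a BasicAuthenticator) is not pinned by any test in this series. A second test that starts a ConstraintSecurityHandler with no authenticator, realm or auth method and asserts that none was chosen would cover it. It needs a static import of Hamcrest's `nullValue`, and the expected null assumes no other AuthenticatorFactory discovered on the test classpath supplies one.

```java
    // … unchanged: testDefaultIdentityService() …

    @Test
    public void testNoAuthenticatorWithoutAuthMethod() throws Exception
    {
        Server server = new Server();
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();

        try
        {
            server.setHandler(securityHandler);
            server.start();

            // No auth method is configured, so BASIC must not be selected implicitly.
            assertThat(securityHandler.getAuthenticator(), nullValue());
        }
        finally
        {
            server.stop();
        }
    }
```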