basic auth filter should return 403 instead of 401 for wrong credentials

2025-11-11 16:05:44 +01:00 · 2014-01-23 08:45:04 +01:00
parent 858ffd83b5
commit 199a99376d
1 changed files with 22 additions and 9 deletions
--- a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
@@ -35,6 +35,7 @@ package sonia.scm.web.filter;
 //~--- non-JDK imports --------------------------------------------------------
 import com.google.common.base.Strings;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -52,7 +53,6 @@ import sonia.scm.config.ScmConfiguration;
 import sonia.scm.user.User;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.security.AuthenticationHandler;
 import sonia.scm.web.security.WebSecurityContext;
 //~--- JDK imports ------------------------------------------------------------
@@ -60,6 +60,7 @@ import sonia.scm.web.security.WebSecurityContext;
 import com.sun.jersey.core.util.Base64;
 import java.io.IOException;
 import java.util.Set;
 import javax.servlet.FilterChain;
@@ -105,6 +106,7 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
   * Constructs a new basic authenticaton filter
   *
   * @param configuration scm-manager global configuration
   * @param autoLoginModules auto login modules
   *
   * @since 1.21
   */
@@ -146,7 +148,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
      {
        if (logger.isTraceEnabled())
        {
-          logger.trace("found basic authorization header, start authentication");
+          logger.trace(
            "found basic authorization header, start authentication");
        }
        user = authenticate(request, response, subject, authentication);
@@ -192,12 +195,13 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
  }
  /**
-   * Method description
+   * Sends status code 401 back to client, if no authorization header was found,
   * if a authorization is present and the authentication failed the method will
   * send status code 403.
   *
-   *
+   * @param request servlet request
-   * @param request
+   * @param response servlet response
-   * @param response
+   * @param chain filter chain
   * @param chain
   *
   * @throws IOException
   * @throws ServletException
@@ -207,9 +211,18 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
  protected void handleUnauthorized(HttpServletRequest request,
    HttpServletResponse response, FilterChain chain)
    throws IOException, ServletException
  {
    String authentication = request.getHeader(HEADER_AUTHORIZATION);
    if (Strings.isNullOrEmpty(authentication))
    {
      HttpUtil.sendUnauthorized(request, response);
    }
    else
    {
      response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
  }
  /**
   * Method description