basic auth filter should return 403 instead of 401 for wrong credentials

scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java

@@ -35,6 +35,7 @@ package sonia.scm.web.filter;
 
 //~--- non-JDK imports --------------------------------------------------------
 
+import com.google.common.base.Strings;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -52,7 +53,6 @@ import sonia.scm.config.ScmConfiguration;
 import sonia.scm.user.User;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.AuthenticationHandler;
 import sonia.scm.web.security.WebSecurityContext;
 
 //~--- JDK imports ------------------------------------------------------------
@@ -60,6 +60,7 @@ import sonia.scm.web.security.WebSecurityContext;
 import com.sun.jersey.core.util.Base64;
 
 import java.io.IOException;
+
 import java.util.Set;
 
 import javax.servlet.FilterChain;
@@ -105,12 +106,13 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
    * Constructs a new basic authenticaton filter
    *
    * @param configuration scm-manager global configuration
+   * @param autoLoginModules auto login modules
    *
    * @since 1.21
    */
   @Inject
   public BasicAuthenticationFilter(ScmConfiguration configuration,
-                                   Set<AutoLoginModule> autoLoginModules)
+    Set<AutoLoginModule> autoLoginModules)
   {
     super(autoLoginModules);
     this.configuration = configuration;
@@ -146,7 +148,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
       {
         if (logger.isTraceEnabled())
         {
-          logger.trace("found basic authorization header, start authentication");
+          logger.trace(
+            "found basic authorization header, start authentication");
         }
 
         user = authenticate(request, response, subject, authentication);
@@ -192,12 +195,13 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
   }
 
   /**
-   * Method description
+   * Sends status code 401 back to client, if no authorization header was found,
+   * if a authorization is present and the authentication failed the method will
+   * send status code 403.
    *
-   *
-   * @param request
-   * @param response
-   * @param chain
+   * @param request servlet request
+   * @param response servlet response
+   * @param chain filter chain
    *
    * @throws IOException
    * @throws ServletException
@@ -208,7 +212,16 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
     HttpServletResponse response, FilterChain chain)
     throws IOException, ServletException
   {
-    HttpUtil.sendUnauthorized(request, response);
+    String authentication = request.getHeader(HEADER_AUTHORIZATION);
+
+    if (Strings.isNullOrEmpty(authentication))
+    {
+      HttpUtil.sendUnauthorized(request, response);
+    }
+    else
+    {
+      response.sendError(HttpServletResponse.SC_FORBIDDEN);
+    }
   }
 
   /**