wildfly-security · keshav-725 · Apr 24, 2023
@@ -42,6 +42,7 @@
 import org.wildfly.common.iteration.ByteIterator;
 import org.wildfly.security.auth.callback.AvailableRealmsCallback;
 import org.wildfly.security.http.HttpAuthenticationException;
+import org.wildfly.security.http.HttpConstants;
 import org.wildfly.security.http.HttpServerRequest;
 import org.wildfly.security.http.HttpServerResponse;
 import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
@@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
                                 httpBasic.debugf("User %s authorization failed.", username);
                                 fail();
 
-                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
+                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
                                 return;
                             }
 

@@ -99,4 +99,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
         testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
         testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
     }
+
+    @Test
+    public void testBasicUnauthorizedUser() throws Exception {
+       HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
+                Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
+        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
+        mechanism.evaluateRequest(request);
+        Assert.assertEquals(Status.FAILED, request.getResult());
+        TestingHttpServerResponse response = request.getResponse();
+        Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
+    }
 }
@@ -471,7 +471,10 @@ protected CallbackHandler getCallbackHandler(String username, String realm, Stri
                     Assert.assertNotNull(clearPwdCredential);
                     Assert.assertArrayEquals(password.toCharArray(), clearPwdCredential.getPassword());
                 } else if (callback instanceof AuthorizeCallback) {
-                    if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
+                    if(username.equalsIgnoreCase("unauthorizedUser")){
+                        ((AuthorizeCallback) callback).setAuthorized(false);
+                    }
+                    else if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
                        username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
                         ((AuthorizeCallback) callback).setAuthorized(true);
                     } else {