diff --git a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
index be1ce0e9688..25dc84b08ae 100644
--- a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
+++ b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
@@ -42,6 +42,7 @@ import org.wildfly.common.iteration.ByteIterator;
 import org.wildfly.security.auth.callback.AvailableRealmsCallback;
 import org.wildfly.security.http.HttpAuthenticationException;
+import org.wildfly.security.http.HttpConstants;
 import org.wildfly.security.http.HttpServerRequest;
 import org.wildfly.security.http.HttpServerResponse;
 import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
@@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
             httpBasic.debugf("User %s authorization failed.", username);
             fail();
-            request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
+            request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
             return;
         }
diff --git a/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java b/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
index f38cea1eef7..21cb2f41b56 100644
--- a/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
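Review bot: The added line answers the authorization-failed case with 403 and no longer routes through prepareResponse, so the challenge the old path emitted (presumably a 401 with WWW-Authenticate, inferred from the removed call) is no longer sent; that is the appropriate status when credentials were verified but the identity is refused, yet nothing in the hunk records why this failure is handled differently from an authentication failure. Suggest a comment above the added line: `// Credentials verified but the identity is not authorized: answer 403 without a challenge so clients do not re-prompt for the same credentials.` The differing status codes let a client tell valid-but-unauthorized credentials from invalid ones, which is inherent to this mechanism but worth stating in the class Javadoc so the distinction is a documented decision rather than an accident. evaluateRequest begins and ends outside the hunk, so whether displayRealmName is still used elsewhere in the method cannot be checked here.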
@@ -112,4 +112,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
         testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
         testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
     }
+
+    @Test
+    public void testBasicUnauthorizedUser() throws Exception {
+        HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
+                Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
+        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
+        mechanism.evaluateRequest(request);
+        Assert.assertEquals(Status.FAILED, request.getResult());
+        TestingHttpServerResponse response = request.getResponse();
+        Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
+    }
 }
diff --git a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
index 4e7640aca00..6cdfa785142 100644
--- a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
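Review bot: The new test pins the 403 status but not the other half of the behavioural change — that no WWW-Authenticate challenge accompanies it — so a regression that set 403 and still re-challenged would pass; add an assertion on the response's challenge headers through whatever accessor TestingHttpServerResponse exposes for them. The test also depends on the base class treating the literal username `unauthorizedUser` specially, and a comment such as `// "unauthorizedUser" is refused by the AuthorizeCallback branch of AbstractBaseHttpTest.getCallbackHandler` would make that coupling visible to the next reader. The Basic header value decodes to `unauthorizedUser:password`, which matches the credentials handed to getCallbackHandler, so the failure exercised here is authorization rather than authentication. No import hunk is shown for this file, so HttpConstants, Status and Collections are presumably already imported by the existing tests — confirm.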
@@ -483,6 +483,11 @@ protected CallbackHandler getCallbackHandler(String username, String realm, Stri
                 } else if (callback instanceof AuthorizeCallback) {
                     if (token != null) {
                         ((AuthorizeCallback) callback).setAuthorized(true);
+                    } else if(username.equalsIgnoreCase("unauthorizedUser")){
+                        ((AuthorizeCallback) callback).setAuthorized(false);
+                    } else if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
+                            username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
+                        ((AuthorizeCallback) callback).setAuthorized(true);
                     } else {
                         if (username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
                                 username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
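Review bot: The second added `else if` repeats the `username.equals(getAuthenticationID()) && username.equals(getAuthorizationID())` test that the following `else` block performs, so after this change the `if` inside that `else` is only reached when its condition is already false and its body becomes dead code. Keeping only the rejection branch and leaving the existing `else` untouched expresses the intent in fewer lines: `} else if ("unauthorizedUser".equalsIgnoreCase(username)) {` / `((AuthorizeCallback) callback).setAuthorized(false);` / `} else {`. Hard-coding a magic username in a helper shared by every mechanism test couples all subclasses to that string; a named constant with a comment stating that it is refused by the AuthorizeCallback would keep that contract discoverable. The added branches also omit the spaces after `if` and before `{` (`else if(` / `){`) that the surrounding lines use. getCallbackHandler begins, and the `else` block ends, outside the hunk.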