From d6b6dc4bd5f1d5af9b39c7e58fad77d2064128ca Mon Sep 17 00:00:00 2001
From: keshav kumar
Date: Mon, 24 Apr 2023 14:52:10 +0530
Subject: [PATCH] [ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN instead of UNAUTHORIZED
---
 .../http/basic/BasicAuthenticationMechanism.java | 3 ++-
 .../http/basic/BasicAuthenticationMechanismTest.java | 11 +++++++++++
 .../security/http/impl/AbstractBaseHttpTest.java | 5 ++++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
index be1ce0e9688..25dc84b08ae 100644
--- a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
+++ b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
@@ -42,6 +42,7 @@ import org.wildfly.common.iteration.ByteIterator;
 import org.wildfly.security.auth.callback.AvailableRealmsCallback;
 import org.wildfly.security.http.HttpAuthenticationException;
+import org.wildfly.security.http.HttpConstants;
 import org.wildfly.security.http.HttpServerRequest;
 import org.wildfly.security.http.HttpServerResponse;
 import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
@@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
 httpBasic.debugf("User %s authorization failed.", username);
 fail();
- request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
+ request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
 return;
 }
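Review bot: The authorization-failed branch in the second hunk now answers with nothing but a 403 status, and nothing in the code records why the previous prepareResponse call (and, presumably, the WWW-Authenticate challenge it built — its body is outside the hunk) was dropped, so the next reader comparing this branch with the authentication-failed path will not know whether that is deliberate. Given that this branch is reached after authentication, on authorization failure per the debug message, a 403 without a challenge matches the RFC 7235 meaning of FORBIDDEN, but it also means the status code alone tells a client that the submitted credentials were accepted, a disclosure trade-off worth stating in the source. I would add above the call: `// Credentials were verified but the identity is not authorized: answer 403 and do not re-issue the Basic challenge, since retrying with the same credentials cannot succeed.` The first hunk is only the HttpConstants import; evaluateRequest begins and ends outside the hunk.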
diff --git a/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java b/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
index 3bcea70c47c..b3e00b3ea09 100644
--- a/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
@@ -99,4 +99,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
 testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
 testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
 }
+
+ @Test
+ public void testBasicUnauthorizedUser() throws Exception {
+ HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
+ Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
+ TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
+ mechanism.evaluateRequest(request);
+ Assert.assertEquals(Status.FAILED, request.getResult());
+ TestingHttpServerResponse response = request.getResponse();
+ Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
+ }
 }
diff --git a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
index 52c7bde6181..392ee2f7fe1 100644
--- a/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
+++ b/tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
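Review bot: testBasicUnauthorizedUser only fails authorization because getCallbackHandler in AbstractBaseHttpTest special-cases the literal username "unauthorizedUser", and nothing in the test says so; the Base64 Authorization value is equally opaque to a reader. A comment on the TestingHttpServerRequest line, `// "unauthorizedUser:password"; getCallbackHandler() refuses authorization for exactly this username`, would make the fixture's contract visible, and sharing the literal as a constant with the base class would stop the two files drifting apart. If TestingHttpServerResponse exposes the headers it was given (I cannot see its API from here), also asserting that no WWW-Authenticate challenge accompanies the 403 would pin the other half of the new behavior, since the status code alone does not prove the challenge was dropped.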
@@ -471,7 +471,10 @@ protected CallbackHandler getCallbackHandler(String username, String realm, Stri
 Assert.assertNotNull(clearPwdCredential);
 Assert.assertArrayEquals(password.toCharArray(), clearPwdCredential.getPassword());
 } else if (callback instanceof AuthorizeCallback) {
- if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
+ if(username.equalsIgnoreCase("unauthorizedUser")){
+ ((AuthorizeCallback) callback).setAuthorized(false);
+ }
+ else if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
 username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
 ((AuthorizeCallback) callback).setAuthorized(true);
 } else {
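Review bot: The new sentinel check uses equalsIgnoreCase while every other identity comparison in this handler uses exact equals(), so a handler built for "UnauthorizedUser" or "UNAUTHORIZEDUSER" is also refused, which no caller asks for and which could mask a case-handling mistake in a future test. The brace layout (`}` on its own line, then `else if(`) also differs from the `} else {` style a few lines below in the same hunk. I would write it as `if (username.equals("unauthorizedUser")) {` / `((AuthorizeCallback) callback).setAuthorized(false);` / `} else if (username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&`, and lift the literal into a protected constant on this class so BasicAuthenticationMechanismTest does not repeat it. The enclosing getCallbackHandler body begins and ends outside the hunk.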