Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN instead of UNAUTHORIZED #2108

Open
wants to merge 2 commits into
base: 2.x
Choose a base branch
from
Open

[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN instead of UNAUTHORIZED #2108

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d6b6dc4
[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN inste…
keshav-725 Apr 24, 2023
8270098
[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN inste…
keshav-725 Apr 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 2 additions & 1 deletion http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
View file
Open in desktop
Expand Up @@ -42,6 +42,7 @@
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.callback.AvailableRealmsCallback;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
Expand Down Expand Up @@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
httpBasic.debugf("User %s authorization failed.", username);
fail();

request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
return;
}

Expand Down
11 changes: 11 additions & 0 deletions .../base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
View file
Open in desktop
Expand Up @@ -112,4 +112,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
}

@Test
public void testBasicUnauthorizedUser() throws Exception {
HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
mechanism.evaluateRequest(request);
Assert.assertEquals(Status.FAILED, request.getResult());
TestingHttpServerResponse response = request.getResponse();
Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
}
}
5 changes: 5 additions & 0 deletions tests/base/src/test/java/org/wildfly/security/http/impl/AbstractBaseHttpTest.java
View file
Open in desktop
Expand Up @@ -483,6 +483,11 @@ protected CallbackHandler getCallbackHandler(String username, String realm, Stri
} else if (callback instanceof AuthorizeCallback) {
if (token != null) {
((AuthorizeCallback) callback).setAuthorized(true);
} else if(username.equalsIgnoreCase("unauthorizedUser")){
((AuthorizeCallback) callback).setAuthorized(false);
} else if(username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
((AuthorizeCallback) callback).setAuthorized(true);
} else {
if (username.equals(((AuthorizeCallback) callback).getAuthenticationID()) &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@darranl This is a minor but these conditions can be simplified, we can merge this now and then I can create a good-first-issue to simplify this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO I would say go ahead and raise a good first issue - this is not my fix I just addressed a merge conflict so we can clear some of the PR queue backlog.

username.equals(((AuthorizeCallback) callback).getAuthorizationID())) {
Expand Down