From 199a99376d80f20cd5ac975a782e82bcf5aa6a7e Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Thu, 23 Jan 2014 08:45:04 +0100
Subject: [PATCH] basic auth filter should return 403 instead of 401 for wrong credentials
---
 .../web/filter/BasicAuthenticationFilter.java | 31 +++++++++++++------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
index 379507ab4e..5a81a7c53c 100644
--- a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
@@ -35,6 +35,7 @@ package sonia.scm.web.filter;
 //~--- non-JDK imports --------------------------------------------------------
+import com.google.common.base.Strings;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
@@ -52,7 +53,6 @@ import sonia.scm.config.ScmConfiguration;
 import sonia.scm.user.User;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.AuthenticationHandler;
 import sonia.scm.web.security.WebSecurityContext;
 //~--- JDK imports ------------------------------------------------------------
@@ -60,6 +60,7 @@ import sonia.scm.web.security.WebSecurityContext;
 import com.sun.jersey.core.util.Base64;
 import java.io.IOException;
+
 import java.util.Set;
 import javax.servlet.FilterChain;
@@ -105,12 +106,13 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
 * Constructs a new basic authenticaton filter
 *
 * @param configuration scm-manager global configuration
+ * @param autoLoginModules auto login modules
 *
 * @since 1.21
 */
 @Inject
 public BasicAuthenticationFilter(ScmConfiguration configuration,
- Set autoLoginModules)
+ Set autoLoginModules)
 {
 super(autoLoginModules);
 this.configuration = configuration;
@@ -146,7 +148,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
 {
 if (logger.isTraceEnabled())
 {
- logger.trace("found basic authorization header, start authentication");
+ logger.trace(
+ "found basic authorization header, start authentication");
 }
 user = authenticate(request, response, subject, authentication);
@@ -192,12 +195,13 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
 }
 /**
- * Method description
+ * Sends status code 401 back to client, if no authorization header was found,
+ * if a authorization is present and the authentication failed the method will
+ * send status code 403.
 *
-
- * @param request
- * @param response
- * @param chain
+ * @param request servlet request
+ * @param response servlet response
+ * @param chain filter chain
 *
 * @throws IOException
 * @throws ServletException
@@ -208,7 +212,16 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
 HttpServletResponse response, FilterChain chain)
 throws IOException, ServletException
 {
- HttpUtil.sendUnauthorized(request, response);
+ String authentication = request.getHeader(HEADER_AUTHORIZATION);
+
+ if (Strings.isNullOrEmpty(authentication))
+ {
+ HttpUtil.sendUnauthorized(request, response);
+ }
+ else
+ {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ }
 }
 /**
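Review bot: The 403 branch keys on `Strings.isNullOrEmpty(authentication)`, so any non-empty Authorization header — a different scheme, a whitespace-only value, or a Basic header that could not be decoded — is answered with 403 and no WWW-Authenticate challenge, although only a rejected Basic credential pair should get that; a client sending the wrong scheme never learns that Basic is accepted here. Restrict the 403 to headers the filter actually parsed as Basic, reusing whatever prefix test the `found basic authorization header` branch applies (that code is outside this hunk), e.g. `if (Strings.isNullOrEmpty(authentication) || !authentication.regionMatches(true, 0, "Basic ", 0, 6))` so everything else still falls through to `HttpUtil.sendUnauthorized`. Answering bad credentials with 403 is also a deliberate departure from RFC 7235, which expects 401 plus a fresh challenge, so the new Javadoc should record why (presumably to stop clients retrying the same credentials), otherwise the next maintainer will revert it. Note too that `response.sendError(HttpServletResponse.SC_FORBIDDEN)` emits the container's default error page while the 401 path goes through `HttpUtil`, so the two failure responses may differ in body and headers. The method whose signature ends at `FilterChain chain)` starts outside the hunk.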