merge with branch issue-545

This commit is contained in:
Sebastian Sdorra
2014-03-15 13:47:56 +01:00

View File

@@ -35,7 +35,6 @@ package sonia.scm.web.filter;
//~--- non-JDK imports --------------------------------------------------------
import com.google.common.base.Strings;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
@@ -85,6 +84,9 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
/** Field description */
public static final String HEADER_AUTHORIZATION = "Authorization";
/** marker for failed authentication */
private static final String ATTRIBUTE_FAILED_AUTH = "sonia.scm.auth.failed";
/** the logger for BasicAuthenticationFilter */
private static final Logger logger =
LoggerFactory.getLogger(BasicAuthenticationFilter.class);
@@ -195,9 +197,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
}
/**
* Sends status code 401 back to client, if no authorization header was found,
* if a authorization is present and the authentication failed the method will
* send status code 403.
* Sends status code 403 back to client, if the authentication has failed.
* In all other cases the method will send status code 403 back to client.
*
* @param request servlet request
* @param response servlet response
@@ -212,15 +213,17 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
HttpServletResponse response, FilterChain chain)
throws IOException, ServletException
{
String authentication = request.getHeader(HEADER_AUTHORIZATION);
if (Strings.isNullOrEmpty(authentication))
// send only forbidden, if the authentication has failed.
// see https://bitbucket.org/sdorra/scm-manager/issue/545/git-clone-with-username-in-url-does-not
if (Boolean.TRUE.equals(request.getAttribute(ATTRIBUTE_FAILED_AUTH)))
{
HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription());
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
else
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
HttpUtil.sendUnauthorized(request, response,
configuration.getRealmDescription());
}
}
@@ -267,6 +270,10 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
}
catch (AuthenticationException ex)
{
// add a marker to the request that the authentication has failed
request.setAttribute(ATTRIBUTE_FAILED_AUTH, Boolean.TRUE);
if (logger.isTraceEnabled())
{
logger.trace("authentication failed for user ".concat(username),