diff --git a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java index 44801de4d2..fe1aed181a 100644 --- a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java +++ b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java @@ -35,7 +35,6 @@ package sonia.scm.web.filter; //~--- non-JDK imports -------------------------------------------------------- -import com.google.common.base.Strings; import com.google.inject.Inject; import com.google.inject.Provider; import com.google.inject.Singleton; @@ -85,6 +84,9 @@ public class BasicAuthenticationFilter extends AutoLoginFilter /** Field description */ public static final String HEADER_AUTHORIZATION = "Authorization"; + /** marker for failed authentication */ + private static final String ATTRIBUTE_FAILED_AUTH = "sonia.scm.auth.failed"; + /** the logger for BasicAuthenticationFilter */ private static final Logger logger = LoggerFactory.getLogger(BasicAuthenticationFilter.class); @@ -195,9 +197,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter } /** - * Sends status code 401 back to client, if no authorization header was found, - * if a authorization is present and the authentication failed the method will - * send status code 403. + * Sends status code 403 back to client, if the authentication has failed. + * In all other cases the method will send status code 403 back to client. * * @param request servlet request * @param response servlet response @@ -212,15 +213,17 @@ public class BasicAuthenticationFilter extends AutoLoginFilter HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - String authentication = request.getHeader(HEADER_AUTHORIZATION); - if (Strings.isNullOrEmpty(authentication)) + // send only forbidden, if the authentication has failed. + // see https://bitbucket.org/sdorra/scm-manager/issue/545/git-clone-with-username-in-url-does-not + if (Boolean.TRUE.equals(request.getAttribute(ATTRIBUTE_FAILED_AUTH))) { - HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription()); + response.sendError(HttpServletResponse.SC_FORBIDDEN); } else { - response.sendError(HttpServletResponse.SC_FORBIDDEN); + HttpUtil.sendUnauthorized(request, response, + configuration.getRealmDescription()); } } @@ -267,6 +270,10 @@ public class BasicAuthenticationFilter extends AutoLoginFilter } catch (AuthenticationException ex) { + + // add a marker to the request that the authentication has failed + request.setAttribute(ATTRIBUTE_FAILED_AUTH, Boolean.TRUE); + if (logger.isTraceEnabled()) { logger.trace("authentication failed for user ".concat(username),