fix basic authentication for urls which contain a username, but no password
@@ -84,6 +84,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
|
||||
|
||||
/** Field description */
|
||||
public static final String HEADER_AUTHORIZATION = "Authorization";
|
||||
|
||||
private static final String ATTRIBUTE_FAILED_AUTH = "sonia.scm.auth.failed";
|
||||
|
||||
/** the logger for BasicAuthenticationFilter */
|
||||
private static final Logger logger =
|
||||
@@ -195,9 +197,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
|
||||
}
|
||||
|
||||
/**
|
||||
* Sends status code 401 back to client, if no authorization header was found,
|
||||
* if a authorization is present and the authentication failed the method will
|
||||
* send status code 403.
|
||||
* Sends status code 403 back to client, if the authentication has failed.
|
||||
* In all other cases the method will send status code 403 back to client.
|
||||
*
|
||||
* @param request servlet request
|
||||
* @param response servlet response
|
||||
@@ -212,15 +213,15 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
|
||||
HttpServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException
|
||||
{
|
||||
String authentication = request.getHeader(HEADER_AUTHORIZATION);
|
||||
|
||||
if (Strings.isNullOrEmpty(authentication))
|
||||
// send only forbidden, if the authentication has failed.
|
||||
// see https://bitbucket.org/sdorra/scm-manager/issue/545/git-clone-with-username-in-url-does-not
|
||||
if (Boolean.TRUE.equals(request.getAttribute(ATTRIBUTE_FAILED_AUTH)))
|
||||
{
|
||||
HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription());
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
else
|
||||
{
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription());
|
||||
}
|
||||
}
|
||||
|
||||
@@ -242,7 +243,7 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
|
||||
String token = authentication.substring(6);
|
||||
|
||||
token = new String(Base64.decode(token.getBytes()));
|
||||
|
||||
|
||||
int index = token.indexOf(CREDENTIAL_SEPARATOR);
|
||||
User user = null;
|
||||
|
||||
@@ -267,6 +268,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
|
||||
}
|
||||
catch (AuthenticationException ex)
|
||||
{
|
||||
// add a marker to the request that the authentication has failed
|
||||
request.setAttribute(ATTRIBUTE_FAILED_AUTH, Boolean.TRUE);
|
||||
if (logger.isTraceEnabled())
|
||||
{
|
||||
logger.trace("authentication failed for user ".concat(username),
|
||||
|
||||