fix basic authentication for urls which contain a username, but no password

This commit is contained in:
Sebastian Sdorra
2014-03-11 18:58:18 +01:00
parent 014220a45b
commit 7c1f746def

View File

@@ -84,6 +84,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
/** Field description */
public static final String HEADER_AUTHORIZATION = "Authorization";
private static final String ATTRIBUTE_FAILED_AUTH = "sonia.scm.auth.failed";
/** the logger for BasicAuthenticationFilter */
private static final Logger logger =
@@ -195,9 +197,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
}
/**
* Sends status code 401 back to client, if no authorization header was found,
* if a authorization is present and the authentication failed the method will
* send status code 403.
* Sends status code 403 back to client, if the authentication has failed.
* In all other cases the method will send status code 403 back to client.
*
* @param request servlet request
* @param response servlet response
@@ -212,15 +213,15 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
HttpServletResponse response, FilterChain chain)
throws IOException, ServletException
{
String authentication = request.getHeader(HEADER_AUTHORIZATION);
if (Strings.isNullOrEmpty(authentication))
// send only forbidden, if the authentication has failed.
// see https://bitbucket.org/sdorra/scm-manager/issue/545/git-clone-with-username-in-url-does-not
if (Boolean.TRUE.equals(request.getAttribute(ATTRIBUTE_FAILED_AUTH)))
{
HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription());
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
else
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription());
}
}
@@ -242,7 +243,7 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
String token = authentication.substring(6);
token = new String(Base64.decode(token.getBytes()));
int index = token.indexOf(CREDENTIAL_SEPARATOR);
User user = null;
@@ -267,6 +268,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter
}
catch (AuthenticationException ex)
{
// add a marker to the request that the authentication has failed
request.setAttribute(ATTRIBUTE_FAILED_AUTH, Boolean.TRUE);
if (logger.isTraceEnabled())
{
logger.trace("authentication failed for user ".concat(username),