diff --git a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java index 44801de4d2..ee2d9649a7 100644 --- a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java +++ b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java @@ -84,6 +84,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter /** Field description */ public static final String HEADER_AUTHORIZATION = "Authorization"; + + private static final String ATTRIBUTE_FAILED_AUTH = "sonia.scm.auth.failed"; /** the logger for BasicAuthenticationFilter */ private static final Logger logger = @@ -195,9 +197,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter } /** - * Sends status code 401 back to client, if no authorization header was found, - * if a authorization is present and the authentication failed the method will - * send status code 403. + * Sends status code 403 back to client, if the authentication has failed. + * In all other cases the method will send status code 403 back to client. * * @param request servlet request * @param response servlet response @@ -212,15 +213,15 @@ public class BasicAuthenticationFilter extends AutoLoginFilter HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - String authentication = request.getHeader(HEADER_AUTHORIZATION); - - if (Strings.isNullOrEmpty(authentication)) + // send only forbidden, if the authentication has failed. + // see https://bitbucket.org/sdorra/scm-manager/issue/545/git-clone-with-username-in-url-does-not + if (Boolean.TRUE.equals(request.getAttribute(ATTRIBUTE_FAILED_AUTH))) { - HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription()); + response.sendError(HttpServletResponse.SC_FORBIDDEN); } else { - response.sendError(HttpServletResponse.SC_FORBIDDEN); + HttpUtil.sendUnauthorized(request, response, configuration.getRealmDescription()); } } @@ -242,7 +243,7 @@ public class BasicAuthenticationFilter extends AutoLoginFilter String token = authentication.substring(6); token = new String(Base64.decode(token.getBytes())); - + int index = token.indexOf(CREDENTIAL_SEPARATOR); User user = null; @@ -267,6 +268,8 @@ public class BasicAuthenticationFilter extends AutoLoginFilter } catch (AuthenticationException ex) { + // add a marker to the request that the authentication has failed + request.setAttribute(ATTRIBUTE_FAILED_AUTH, Boolean.TRUE); if (logger.isTraceEnabled()) { logger.trace("authentication failed for user ".concat(username),