Review usage of Authentication.UNAUTHENTICATED in SecurityHandler #6553

Closed
lachlan-roberts opened this issue Jul 28, 2021 · 1 comment

@lachlan-roberts
Contributor

Review usage of Authentication.UNAUTHENTICATED in SecurityHandler.

The JaspiAuthenticator may return this in the case that it did not receive a Principal to use, and returning UNAUTHENTICATED allows the request to continue through the SecurityHandler even if authentication was mandatory.

I think we may need to add a case in SecurityHandler.handle for:

```java
else if ((authentication == Authentication.UNAUTHENTICATED) && isAuthMandatory)
{
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "unauthenticated");
    baseRequest.setHandled(true);
}
```
@lachlan-roberts lachlan-roberts added the Bug For general bugs on Jetty side label Jul 28, 2021
@lachlan-roberts lachlan-roberts self-assigned this Jul 28, 2021
lachlan-roberts added a commit that referenced this issue Jul 29, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@janbartel
Contributor

Looks good - PR?

lachlan-roberts added a commit that referenced this issue Aug 20, 2021
…for DeferredAuth

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 20, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 24, 2021
Issue #6553 - give 403 response if UNAUTHENTICATED and auth is mandatory
lachlan-roberts added a commit that referenced this issue Aug 24, 2021
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 25, 2021
…r-isAuthMandatory

Issue #6553 - give 401 response if UNAUTHENTICATED and auth is mandatory (9.4)
@lachlan-roberts lachlan-roberts added this to To do in Jetty 9.4.44 FROZEN via automation Aug 25, 2021
@lachlan-roberts lachlan-roberts added this to To do in Jetty 10.0.7/11.0.7 FROZEN via automation Aug 25, 2021
Jetty 9.4.44 FROZEN automation moved this from To do to Done Aug 25, 2021
Jetty 10.0.7/11.0.7 FROZEN automation moved this from To do to Done Aug 25, 2021
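The fall-through described in the issue can be caught by a regression check that enumerates every authentication state with authentication mandatory and flags any state other than an authenticated user that reaches the handler. The following is an added example, not code from this issue or from Jetty; the `Auth` and `Outcome` enums and the `before`, `after` and `violations` methods are hypothetical names in a simplified model, not Jetty APIs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiFunction;

// Stand-alone model of the dispatch decision discussed in this issue.
// All names are hypothetical; this is not Jetty's SecurityHandler code.
public class MandatoryAuthInvariant
{
    enum Auth { USER, RESPONSE_SENT, UNAUTHENTICATED }
    enum Outcome { HANDLER_INVOKED, HANDLED_BY_AUTHENTICATOR, REJECTED }

    // Reported behaviour: UNAUTHENTICATED is never compared with
    // isAuthMandatory, so the request continues to the wrapped handler.
    static Outcome before(Auth auth, boolean isAuthMandatory)
    {
        if (auth == Auth.RESPONSE_SENT)
            return Outcome.HANDLED_BY_AUTHENTICATOR;
        return Outcome.HANDLER_INVOKED;
    }

    // With the extra case proposed in the issue: fail closed.
    static Outcome after(Auth auth, boolean isAuthMandatory)
    {
        if (auth == Auth.RESPONSE_SENT)
            return Outcome.HANDLED_BY_AUTHENTICATOR;
        if (auth == Auth.UNAUTHENTICATED && isAuthMandatory)
            return Outcome.REJECTED;
        return Outcome.HANDLER_INVOKED;
    }

    // Invariant: when authentication is mandatory, only an authenticated
    // USER may reach the handler. Returns every state that breaks it.
    static List<String> violations(BiFunction<Auth, Boolean, Outcome> dispatch)
    {
        List<String> broken = new ArrayList<>();
        for (Auth auth : Auth.values())
            if (auth != Auth.USER && dispatch.apply(auth, true) == Outcome.HANDLER_INVOKED)
                broken.add(auth + " with isAuthMandatory=true");
        return broken;
    }

    public static void main(String[] args)
    {
        System.out.println("before: " + violations(MandatoryAuthInvariant::before));
        System.out.println("after:  " + violations(MandatoryAuthInvariant::after));
    }
}
```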