Issue #6553 - give 403 response if UNAUTHENTICATED and auth is mandatory

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
jetty · Jul 29, 2021 · 40c7934 · 40c7934
1 parent 5dcc14b
commit 40c7934
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -572,6 +572,11 @@ else if (authentication instanceof Authentication.Deferred)
                             authenticator.secureResponse(request, response, isAuthMandatory, null);
                     }
                 }
+                else if ((authentication == Authentication.UNAUTHENTICATED) && isAuthMandatory)
+                {
+                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "unauthenticated");
+                    baseRequest.setHandled(true);
+                }
                 else
                 {
                     baseRequest.setAuthentication(authentication);