From 40c79346c1246accab589ba429775f88391a4564 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Thu, 29 Jul 2021 20:17:34 +1000
Subject: [PATCH] Issue #6553 - give 403 response if UNAUTHENTICATED and auth is mandatory
Signed-off-by: Lachlan Roberts
---
 .../java/org/eclipse/jetty/security/SecurityHandler.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 6fb32155cb6d..0a63e17b256f 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -572,6 +572,11 @@ else if (authentication instanceof Authentication.Deferred)
 authenticator.secureResponse(request, response, isAuthMandatory, null);
 }
 }
+ else if ((authentication == Authentication.UNAUTHENTICATED) && isAuthMandatory)
+ {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "unauthenticated");
+ baseRequest.setHandled(true);
+ }
 else
 {
 baseRequest.setAuthentication(authentication);
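Review bot: The new guard fails closed only for the exact `Authentication.UNAUTHENTICATED` constant, so any other result that is neither a user nor deferred still reaches the trailing `else` while `isAuthMandatory` is true. That `else` starts with `baseRequest.setAuthentication(authentication)` and its body continues outside the hunk, so whether such a request can go on to the wrapped handler cannot be confirmed from here; it is worth checking which results can arrive at this point in the chain. The branch also has no comment saying why it exists, for example `// Fail closed: no identity and no challenge was produced, so a mandatory-auth request must not reach the handler.` The diffstat shows a single file changed, so a regression test asserting the 403 for an authenticator that returns UNAUTHENTICATED on a constrained path would keep this access-control fix from regressing silently.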