Issue #6553 - revert behaviour for DeferredAuthentication

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
jetty · Aug 20, 2021 · b854b0b · b854b0b
1 parent a27018b
commit b854b0b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -546,11 +546,6 @@ else if (authentication instanceof Authentication.User)
                     if (authenticator != null)
                         authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
                 }
-                else if (isAuthMandatory)
-                {
-                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "unauthenticated");
-                    baseRequest.setHandled(true);
-                }
                 else if (authentication instanceof Authentication.Deferred)
                 {
                     DeferredAuthentication deferred = (DeferredAuthentication)authentication;
@@ -577,6 +572,11 @@ else if (authentication instanceof Authentication.Deferred)
                             authenticator.secureResponse(request, response, isAuthMandatory, null);
                     }
                 }
+                else if (isAuthMandatory)
+                {
+                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "unauthenticated");
+                    baseRequest.setHandled(true);
+                }
                 else
                 {
                     baseRequest.setAuthentication(authentication);

diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/UnauthenticatedTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/UnauthenticatedTest.java
@@ -102,9 +102,10 @@ public void testDeferredAuth() throws Exception
         assertThat(response, containsString("HTTP/1.1 200 OK"));
         assertThat(response, containsString("DeferredAuthentication"));
 
-        // This URI requires just that the request is authenticated.
+        // This URI requires just that the request is authenticated. But DeferredAuthentication can bypass this.
         response = connector.getResponse("GET /requireAuth/test HTTP/1.1\r\nHost: localhost\r\n\r\n");
-        assertThat(response, containsString("HTTP/1.1 401 Unauthorized"));
+        assertThat(response, containsString("HTTP/1.1 200 OK"));
+        assertThat(response, containsString("DeferredAuthentication"));
     }
 
     public static class TestAuthenticator extends LoginAuthenticator