Issue #6553 - give 401 response if UNAUTHENTICATED and auth is mandatory #6568

Merged
merged 4 commits into from Aug 24, 2021


lachlan-roberts
Contributor

Issue #6553

If Authenticator returns UNAUTHENTICATED and auth is mandatory then we should return 403 response.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
…for DeferredAuth

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts added this to In progress in Jetty 10.0.7/11.0.7 FROZEN via automation Aug 23, 2021
@lachlan-roberts lachlan-roberts dismissed sbordet’s stale review August 24, 2021 04:01

test case has been added

Jetty 10.0.7/11.0.7 FROZEN automation moved this from In progress to Reviewer approved Aug 24, 2021
@lachlan-roberts lachlan-roberts merged commit e3e630b into jetty-10.0.x Aug 24, 2021
Jetty 10.0.7/11.0.7 FROZEN automation moved this from Reviewer approved to Done Aug 24, 2021
@lachlan-roberts lachlan-roberts deleted the jetty-10.0.x-6553-SecurityHandler branch August 24, 2021 04:04
@lachlan-roberts
Contributor Author

@gregw do you think this should be brought back to 9.4?

@gregw
Contributor

gregw commented Aug 24, 2021

@lachlan-roberts if we updated the JASPI auth in 9.4 to be usable, then yes this needs to be backported. But if the recent jaspi changes were 10 only, then I say leave 9.4 as is.

@lachlan-roberts
Contributor Author

@gregw this is not related to the JASPI updates. Looks like the existing JASPI implementation in 9.4 can also return UNAUTHENTICATED, in which case the request will be allowed past the security constraint.

@gregw
Contributor

gregw commented Aug 24, 2021

OK then I think backport is needed.

@lachlan-roberts lachlan-roberts changed the title Issue #6553 - give 403 response if UNAUTHENTICATED and auth is mandatory Issue #6553 - give 401 response if UNAUTHENTICATED and auth is mandatory Aug 24, 2021
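
The fail-open behaviour discussed in this thread, shown as an added example that is not Jetty's code and not part of this PR. It is a simplified Java model, with all class, enum and method names hypothetical, of a handler that passes an UNAUTHENTICATED result through beside one that answers 401 when auth is mandatory, plus a check that enumerates every authenticator outcome.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the decision described in this PR. All names here are
// hypothetical and are not Jetty's classes or API.
public class MandatoryAuthCheck {
    // Constructed set of outcomes an authenticator can hand back.
    enum AuthResult { USER, CHALLENGE_SENT, UNAUTHENTICATED }

    interface Policy { int decide(AuthResult result, boolean authMandatory); }

    // Before: only the expected outcomes are handled, so UNAUTHENTICATED
    // falls through and the request reaches the protected handler (200).
    static int failOpen(AuthResult result, boolean authMandatory) {
        if (result == AuthResult.CHALLENGE_SENT)
            return 401; // authenticator already wrote its own response
        return 200;     // USER and, by accident, UNAUTHENTICATED
    }

    // After: when auth is mandatory, anything that is not an authenticated
    // user is rejected with 401 instead of being passed on.
    static int failClosed(AuthResult result, boolean authMandatory) {
        if (result == AuthResult.CHALLENGE_SENT)
            return 401;
        if (result == AuthResult.USER || !authMandatory)
            return 200;
        return 401;
    }

    // Regression check: enumerate every outcome and report those that let a
    // request without a user through a mandatory constraint.
    static List<AuthResult> bypasses(Policy policy) {
        List<AuthResult> leaked = new ArrayList<>();
        for (AuthResult r : AuthResult.values())
            if (r != AuthResult.USER && policy.decide(r, true) == 200)
                leaked.add(r);
        return leaked;
    }

    public static void main(String[] args) {
        System.out.println("fail-open bypasses:   " + bypasses(MandatoryAuthCheck::failOpen));
        System.out.println("fail-closed bypasses: " + bypasses(MandatoryAuthCheck::failClosed));
    }
}
```

Iterating over `AuthResult.values()` rather than listing cases by hand means an outcome added later is covered by the same check.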