[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN inste…

…ad of UNAUTHORIZED
wildfly-security · Jan 27, 2025 · 0dc6c8a · 0dc6c8a
1 parent 197587a
commit 0dc6c8a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
@@ -42,6 +42,7 @@
 import org.wildfly.common.iteration.ByteIterator;
 import org.wildfly.security.auth.callback.AvailableRealmsCallback;
 import org.wildfly.security.http.HttpAuthenticationException;
+import org.wildfly.security.http.HttpConstants;
 import org.wildfly.security.http.HttpServerRequest;
 import org.wildfly.security.http.HttpServerResponse;
 import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
@@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
                                 httpBasic.debugf("User %s authorization failed.", username);
                                 fail();
 
-                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
+                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
                                 return;
                             }
 

diff --git a/.../base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java b/.../base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
@@ -112,4 +112,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
         testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
         testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
     }
+
+    @Test
+    public void testBasicUnauthorizedUser() throws Exception {
+       HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
+                Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
+        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
+        mechanism.evaluateRequest(request);
+        Assert.assertEquals(Status.FAILED, request.getResult());
+        TestingHttpServerResponse response = request.getResponse();
+        Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
+    }
 }