diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
index c1cf0897dc..8c837c5338 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@@ -106,6 +106,14 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
}
private boolean isNonSecuredEndPoint(Request request) {
+ if (request.getCoyoteRequest() != null && request.getCoyoteRequest().getMimeHeaders() !=
+ null && request.getCoyoteRequest().getMimeHeaders().getValue(Constants
+ .HTTPHeaders.HEADER_HTTP_AUTHORIZATION) != null) {
+ //This is to handle the DEP behaviours of the same endpoint being non-secured in the
+ // first call and then being secured in the second call which comes with the basic
+ // auth header.
+ return false;
+ }
String uri = request.getRequestURI();
if (uri == null) {
uri = "";
@@ -146,8 +154,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
String msg = "Failed to authorize incoming request";
if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) {
msg = authenticationInfo.getMessage();
- response.setHeader("WWW-Authenticate", msg);
+ response.setHeader("WWW-Authenticate", "Basic");
}
+
if (log.isDebugEnabled()) {
log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
}
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java
index 1b2afedc46..0f4a7b7700 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java
@@ -50,6 +50,14 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
@Override
public boolean canHandle(Request request) {
+ /*
+ This is done to avoid every endpoint being able to use basic auth. Add the following to
+ the required web.xml of the web app.
+
+ basicAuth
+ true
+
+ */
if (!isAuthenticationSupported(request)) {
return false;
}
@@ -84,6 +92,7 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
authenticationInfo.setTenantDomain(Utils.getTenantDomain(tenantId));
authenticationInfo.setTenantId(tenantId);
} else {
+ authenticationInfo.setMessage("Failed to authorize incoming request.");
authenticationInfo.setStatus(Status.FAILURE);
}
} catch (UserStoreException e) {
diff --git a/pom.xml b/pom.xml
index a41a6b3397..efb9f870ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1918,7 +1918,7 @@
2.26.1.wso2v3
- 2.0.0.wso2v1
+ 3.0.0.wso2v1
1.3
2.3.1
1.1.1