Merge pull request #1149 from inoshperera/master

Improvement on the basic auth handling

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java

@@ -106,6 +106,14 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
     }
 
     private boolean isNonSecuredEndPoint(Request request) {
+        if (request.getCoyoteRequest() != null && request.getCoyoteRequest().getMimeHeaders() !=
+                null && request.getCoyoteRequest().getMimeHeaders().getValue(Constants
+                .HTTPHeaders.HEADER_HTTP_AUTHORIZATION) != null) {
+            //This is to handle the DEP behaviours of the same endpoint being non-secured in the
+            // first call and then being secured in the second call which comes with the basic
+            // auth header.
+            return false;
+        }
         String uri = request.getRequestURI();
         if (uri == null) {
             uri = "";
@@ -146,8 +154,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
             String msg = "Failed to authorize incoming request";
             if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) {
                 msg = authenticationInfo.getMessage();
-                response.setHeader("WWW-Authenticate", msg);
+                response.setHeader("WWW-Authenticate", "Basic");
             }
+
             if (log.isDebugEnabled()) {
                 log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
             }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java

@@ -50,6 +50,14 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
 
     @Override
     public boolean canHandle(Request request) {
+        /*
+        This is done to avoid every endpoint being able to use basic auth. Add the following to
+        the required web.xml of the web app.
+        <context-param>
+            <param-name>basicAuth</param-name>
+            <param-value>true</param-value>
+	    </context-param>
+         */
         if (!isAuthenticationSupported(request)) {
             return false;
         }
@@ -84,6 +92,7 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
                 authenticationInfo.setTenantDomain(Utils.getTenantDomain(tenantId));
                 authenticationInfo.setTenantId(tenantId);
             } else {
+                authenticationInfo.setMessage("Failed to authorize incoming request.");
                 authenticationInfo.setStatus(Status.FAILURE);
             }
         } catch (UserStoreException e) {

pom.xml

@@ -1918,7 +1918,7 @@
         <!-- Nimbus Jose-->
         <nimbus.orbit.version>2.26.1.wso2v3</nimbus.orbit.version>
 
-        <commons-json.version>2.0.0.wso2v1</commons-json.version>
+        <commons-json.version>3.0.0.wso2v1</commons-json.version>
         <json.smart.version>1.3</json.smart.version>
         <google.gson.version>2.3.1</google.gson.version>
         <jsr311.version>1.1.1</jsr311.version>