[ofbiz-plugins] branch trunk updated: Fixed: Removed unncessary check for userLogin claim 2. Modified code to return 401 instead of 403 in case JWT auth fails. (OFBIZ-11328)


[ofbiz-plugins] branch trunk updated: Fixed: Removed unncessary check for userLogin claim 2. Modified code to return 401 instead of 403 in case JWT auth fails. (OFBIZ-11328)

grv-2
This is an automated email from the ASF dual-hosted git repository.

grv pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 0f8ca8c  Fixed: Removed unncessary check for userLogin claim 2. Modified code to return 401 instead of 403 in case JWT auth fails. (OFBIZ-11328)
0f8ca8c is described below

commit 0f8ca8cbcc551c457a095702406edabf57761444
Author: Girish Vasmatkar <[hidden email]>
AuthorDate: Mon Aug 31 16:51:08 2020 +0530

    Fixed: Removed unnecessary check for userLogin claim
    2. Modified code to return 401 instead of 403 in case JWT auth fails.
    (OFBIZ-11328)
---
 .../org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java   | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
index a39b11a..d1bd212 100644
--- a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
+++ b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
@@ -70,22 +70,17 @@ public class APIAuthFilter implements ContainerRequestFilter {
         String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         Delegator delegator = (Delegator) servletContext.getAttribute("delegator");
         if (!isTokenBasedAuthentication(authorizationHeader)) {
-            abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header");
+            abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header.");
             return;
         }
         String jwtToken = JWTManager.getHeaderAuthBearerToken(httpRequest);
         Map<String, Object> claims = JWTManager.validateToken(jwtToken, JWTManager.getJWTKey(delegator));
         if (claims.containsKey(ModelService.ERROR_MESSAGE)) {
-            abortWithUnauthorized(requestContext, true, (String) claims.get(ModelService.ERROR_MESSAGE));
+            abortWithUnauthorized(requestContext, true, "Unauthorized: " + (String) claims.get(ModelService.ERROR_MESSAGE));
         } else {
             GenericValue userLogin = extractUserLoginFromJwtClaim(delegator, claims);
-            if (UtilValidate.isEmpty(userLogin)) {
-                abortWithUnauthorized(requestContext, true, "Access Denied: User does not exist in the system");
-                return;
-            }
             httpRequest.setAttribute("userLogin", userLogin);
         }
-
     }
 
     /**
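Review bot: Dropping the `UtilValidate.isEmpty(userLogin)` guard means a token that passes `JWTManager.validateToken` but whose user cannot be resolved by `extractUserLoginFromJwtClaim` now reaches `httpRequest.setAttribute("userLogin", userLogin)` with a null value, which the servlet API treats as removing the attribute, so the request continues into the resource with no principal attached and no 401. Whether that is reachable depends on `extractUserLoginFromJwtClaim`, which is outside this hunk; if it cannot return null for a validated token, that contract should be stated on it, e.g. `@return the user login for the token's subject; never {@code null} once the token has been validated`. If it can return null — a user removed or disabled after the token was issued — the guard should stay and use the 401 path this commit introduces. The enclosing filter method begins before the hunk.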
@@ -107,7 +102,7 @@ public class APIAuthFilter implements ContainerRequestFilter {
                             .header(HttpHeaders.WWW_AUTHENTICATE, AuthenticationScheme.BEARER.getScheme() + " realm=\"" + REALM + "\"").build());
         } else {
             requestContext
-                    .abortWith(RestApiUtil.error(Response.Status.FORBIDDEN.getStatusCode(), Response.Status.FORBIDDEN.getReasonPhrase(), message));
+                .abortWith(RestApiUtil.error(Response.Status.UNAUTHORIZED.getStatusCode(), Response.Status.UNAUTHORIZED.getReasonPhrase(), message));
         }
 
     }
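Review bot: The `else` branch now answers 401 but, unlike the branch above it that ends in `.header(HttpHeaders.WWW_AUTHENTICATE, ...)`, sends no `WWW-Authenticate` header; RFC 7235 requires a 401 response to carry one, and HTTP clients rely on it to tell an authentication challenge from a generic rejection. If `RestApiUtil.error` returns a JAX-RS `Response` (inferred from its use in `abortWith`), the header can be added in place: `requestContext.abortWith(Response.fromResponse(RestApiUtil.error(Response.Status.UNAUTHORIZED.getStatusCode(), Response.Status.UNAUTHORIZED.getReasonPhrase(), message)).header(HttpHeaders.WWW_AUTHENTICATE, AuthenticationScheme.BEARER.getScheme() + " realm=\"" + REALM + "\"").build());`. With both branches now 401, a short comment on the boolean that selects between them would help readers, e.g. `// both branches are 401; the flag only selects the response body shape`, if that is indeed the remaining difference. The enclosing `abortWithUnauthorized` method begins before this hunk.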