This is an automated email from the ASF dual-hosted git repository. grv pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/trunk by this push: new 0f8ca8c Fixed: Removed unncessary check for userLogin claim 2. Modified code to return 401 instead of 403 in case JWT auth fails. (OFBIZ-11328) 0f8ca8c is described below commit 0f8ca8cbcc551c457a095702406edabf57761444 Author: Girish Vasmatkar <girish.vasmat...@hotwaxsystems.com> AuthorDate: Mon Aug 31 16:51:08 2020 +0530 Fixed: Removed unncessary check for userLogin claim 2. Modified code to return 401 instead of 403 in case JWT auth fails. (OFBIZ-11328)
---
 .../org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
index a39b11a..d1bd212 100644
--- a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
+++ b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
@@ -70,22 +70,17 @@ public class APIAuthFilter implements ContainerRequestFilter {
 String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
 Delegator delegator = (Delegator) servletContext.getAttribute("delegator");
 if (!isTokenBasedAuthentication(authorizationHeader)) {
- abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header");
+ abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header.");
 return;
 }
 String jwtToken = JWTManager.getHeaderAuthBearerToken(httpRequest);
 Map<String, Object> claims = JWTManager.validateToken(jwtToken, JWTManager.getJWTKey(delegator));
 if (claims.containsKey(ModelService.ERROR_MESSAGE)) {
- abortWithUnauthorized(requestContext, true, (String) claims.get(ModelService.ERROR_MESSAGE));
+ abortWithUnauthorized(requestContext, true, "Unauthorized: " + (String) claims.get(ModelService.ERROR_MESSAGE));
 } else {
 GenericValue userLogin = extractUserLoginFromJwtClaim(delegator, claims);
- if (UtilValidate.isEmpty(userLogin)) {
- abortWithUnauthorized(requestContext, true, "Access Denied: User does not exist in the system");
- return;
- }
 httpRequest.setAttribute("userLogin", userLogin);
 }
-
 }
 
 /**
@@ -107,7 +102,7 @@ public class APIAuthFilter implements ContainerRequestFilter {
 .header(HttpHeaders.WWW_AUTHENTICATE, AuthenticationScheme.BEARER.getScheme() + " realm=\"" + REALM + "\"").build());
 } else {
 requestContext
- .abortWith(RestApiUtil.error(Response.Status.FORBIDDEN.getStatusCode(), Response.Status.FORBIDDEN.getReasonPhrase(), message));
+ .abortWith(RestApiUtil.error(Response.Status.UNAUTHORIZED.getStatusCode(), Response.Status.UNAUTHORIZED.getReasonPhrase(), message));
 }
 }
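Review bot: With the `UtilValidate.isEmpty(userLogin)` guard removed, a token that passes `JWTManager.validateToken` but whose subject resolves to no UserLogin now reaches `httpRequest.setAttribute("userLogin", userLogin)` with a null value and the request continues past the filter, unless `extractUserLoginFromJwtClaim` (defined outside this hunk) aborts or throws on its own; the enclosing `filter` method's signature is also above the hunk. If that helper can return null, keep a single fail-closed guard before the setAttribute line: `if (userLogin == null) { abortWithUnauthorized(requestContext, true, "Unauthorized: User does not exist in the system"); return; }`. The new `"Unauthorized: " + claims.get(ModelService.ERROR_MESSAGE)` echoes the validator's message verbatim to the caller, which is fine for expiry or signature failures but worth confirming it never carries key material or stack detail. Since the `else` branch of `abortWithUnauthorized` in the second hunk now answers 401 as well, it should also set a `WWW-Authenticate: Bearer realm="..." error="invalid_token"` header, as RFC 7235 requires on every 401 and the `if` branch already does.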