Issue #4762 Request.authenticate must return true if already authenticated (#4763)

Signed-off-by: Jan Bartel <janb@webtide.com>
2020-04-14 12:49:22 +02:00 · 2020-04-14 12:49:22 +02:00 · 474fa8b8e9
parent b6489ccae0
commit 474fa8b8e9
2 changed files with 35 additions and 3 deletions
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@ -1155,6 +1155,16 @@ public class ConstraintTest
        assertThat(response, startsWith("HTTP/1.1 200 OK"));
        assertThat(response, containsString("user=user0"));
        _server.stop();
+        
+        //loginauth
+        _server.start();
+        response = _connector.getResponse("GET /ctx/prog?action=loginauth HTTP/1.0\r\n\r\n");
+        assertThat(response, startsWith("HTTP/1.1 200 OK"));
+        assertThat(response, containsString("userPrincipal=admin"));
+        assertThat(response, containsString("remoteUser=admin"));
+        assertThat(response, containsString("authType=API"));
+        assertThat(response, containsString("auth=true"));
+        _server.stop();

        //Test constraint-based login with programmatic login/logout:
        // constraintlogin - perform constraint login, followed by programmatic login which should fail (already logged in)
@ -1692,6 +1702,15 @@ public class ConstraintTest
                response.getWriter().println("user=" + request.getRemoteUser());
                return;
            }
+            else if ("loginauth".equals(action))
+            {
+                request.login("admin", "password");
+                response.getWriter().println("userPrincipal=" + request.getUserPrincipal());
+                response.getWriter().println("remoteUser=" + request.getRemoteUser());
+                response.getWriter().println("authType=" + request.getAuthType());
+                response.getWriter().println("auth=" + request.authenticate(response));
+                return;
+            }
            else if ("login".equals(action))
            {
                request.login("admin", "password");
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
@ -2215,13 +2215,26 @@ public class Request implements HttpServletRequest
    @Override
    public boolean authenticate(HttpServletResponse response) throws IOException, ServletException
    {
+        //if already authenticated, return true
+        if (getUserPrincipal() != null && getRemoteUser() != null && getAuthType() != null)
+            return true;
+        
+        //do the authentication
        if (_authentication instanceof Authentication.Deferred)
        {
            setAuthentication(((Authentication.Deferred)_authentication).authenticate(this, response));
-            return !(_authentication instanceof Authentication.ResponseSent);
        }
-        response.sendError(HttpStatus.UNAUTHORIZED_401);
-        return false;
+        
+        //if the authentication did not succeed
+        if (_authentication instanceof Authentication.Deferred)
+            response.sendError(HttpStatus.UNAUTHORIZED_401);
+        
+        //if the authentication is incomplete, return false
+        if (!(_authentication instanceof Authentication.ResponseSent))
+            return false;
+        
+        //something has gone wrong
+        throw new ServletException("Authentication failed");
    }

    @Override