[ELY-2548] BasicAuthenticationMechanism should return FORBIDDEN instead of UNAUTHORIZED

keshav-725 · pedro-hos · commit 0dc6c8a08de2 · 2025-01-27T14:19:55.000-03:00
diff --git a/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java b/http/basic/src/main/java/org/wildfly/security/http/basic/BasicAuthenticationMechanism.java
@@ -42,6 +42,7 @@
 import org.wildfly.common.iteration.ByteIterator;
 import org.wildfly.security.auth.callback.AvailableRealmsCallback;
 import org.wildfly.security.http.HttpAuthenticationException;
+import org.wildfly.security.http.HttpConstants;
 import org.wildfly.security.http.HttpServerRequest;
 import org.wildfly.security.http.HttpServerResponse;
 import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;
@@ -170,7 +171,7 @@ public void evaluateRequest(final HttpServerRequest request) throws HttpAuthenti
                                 httpBasic.debugf("User %s authorization failed.", username);
                                 fail();
 
-                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> prepareResponse(request, displayRealmName, response));
+                                request.authenticationFailed(httpBasic.authorizationFailed(username), response -> response.setStatusCode(HttpConstants.FORBIDDEN));
                                 return;
                             }
 
diff --git a/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java b/tests/base/src/test/java/org/wildfly/security/http/basic/BasicAuthenticationMechanismTest.java
@@ -112,4 +112,15 @@ public void testStatefulBasicRFC7617Examples() throws Exception {
         testStatefulBasic("Aladdin", "WallyWorld", "open sesame", "basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
         testStatefulBasic("test", "foo", "123\u00A3", "BASIC dGVzdDoxMjPCow==");
     }
+
+    @Test
+    public void testBasicUnauthorizedUser() throws Exception {
+       HttpServerAuthenticationMechanism mechanism = basicFactory.createAuthenticationMechanism(HttpConstants.BASIC_NAME,
+                Collections.singletonMap(HttpConstants.CONFIG_REALM, "test-realm"), getCallbackHandler("unauthorizedUser", "test-realm", "password"));
+        TestingHttpServerRequest request = new TestingHttpServerRequest(new String[] {"Basic dW5hdXRob3JpemVkVXNlcjpwYXNzd29yZA=="});
+        mechanism.evaluateRequest(request);
+        Assert.assertEquals(Status.FAILED, request.getResult());
+        TestingHttpServerResponse response = request.getResponse();
+        Assert.assertEquals(HttpConstants.FORBIDDEN, response.getStatusCode());
+    }
 }
