This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 7532f9dc4a If the Jakarta Authentication fails with an exception, set
a 500 status
7532f9dc4a is described below
commit 7532f9dc4a8c37ec958f79dc82c4924a6c539223
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Sep 19 13:25:24 2024 +0100
If the Jakarta Authentication fails with an exception, set a 500 status
Depending on what fails where, the status may not be set or may be set
incorrectly.
---
java/org/apache/catalina/authenticator/AuthenticatorBase.java | 2 ++
webapps/docs/changelog.xml | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index c0d4d8ccd5..4388cd2e9e 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -802,6 +802,8 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
authStatus =
state.serverAuthContext.validateRequest(state.messageInfo, client, null);
} catch (AuthException e) {
log.debug(sm.getString("authenticator.loginFail"), e);
+ // Need to explicitly set the return code as the ServerAuthContext
may not have done.
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
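Review bot: In the catch (AuthException e) block the response now becomes a 500, but the exception is still recorded only through log.debug, so unless debug logging is enabled an operator sees server errors with no matching log entry. Consider logging at a higher level on this path, or note why debug is sufficient. The added comment also covers only the case where the ServerAuthContext set no status, while the commit message also mentions a status that is set incorrectly; since setStatus is called unconditionally, the comment should say that overriding an existing status is deliberate. The diffstat lists no test file, so a test that makes validateRequest throw and asserts the 500 would pin this behaviour.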
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8074f32c43..3f9d8095f3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -112,6 +112,11 @@
creates one <code>GenericPrincipal</code> in the <code>Subject</code>.
(markt)
</fix>
+ <fix>
+ If the Jakarta Authentication process fails with an Exception,
+ explicitly set the HTTP response status to 500 as the
+ <code>ServerAuthContext</code> may not have set it. (markt)
+ </fix>
</changelog>
</subsection>
</section>
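Review bot: The new <fix> entry says the process "fails with an Exception", but the changed code path in AuthenticatorBase catches AuthException specifically. Naming it as <code>AuthException</code> in the entry would tell readers exactly which failures now produce a 500, and would match the <code> markup already used for ServerAuthContext in the same entry.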