Yicong-Huang opened a new issue, #4901: URL: https://github.com/apache/texera/issues/4901
### Task Summary

`org.apache.texera.auth.JwtAuthFilter` (microservices) currently silently passes a request through when the `Authorization: Bearer …` header is missing or invalid. The 401 only surfaces later, in Dropwizard's `@Auth` injection layer. amber's path (toastshaman + Dropwizard `AuthFilter`) instead returns 401 directly from the filter with a `WWW-Authenticate` challenge. Make the microservice filter behave the same way:

1. No `Bearer …` header → abort with `401` + `WWW-Authenticate: Bearer realm="texera"`.
2. Header present but token fails verification / parsing → log a warning and abort with `401`.
3. Header present and valid → set `SecurityContext` as today.

Resource methods (or classes) annotated with `@PermitAll` are exempted from rule #1 only: a request without any token passes through with no `SecurityContext`, matching the `@Auth Optional[SessionUser]` pattern. An invalid token still returns `401` even on `@PermitAll` endpoints, so a tampered Bearer header is never silently treated as anonymous.

The single in-tree consumer of the optional pattern is `file-service/.../DatasetResource.getDatasetCover` (`@Auth sessionUser: Optional[SessionUser]` for serving public dataset covers to anonymous users); annotate that method with `@PermitAll`.

### Task Type

- [x] Refactor / Cleanup

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
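The three rules plus the `@PermitAll` exemption map onto one JAX-RS `ContainerRequestFilter`. The sketch below is an added illustration written for this page, not Texera's `JwtAuthFilter` or any code from the issue. It assumes the `javax.*` namespace (Dropwizard 2/3; use `jakarta.*` on Dropwizard 4), a stand-in `SessionUser` case class in place of Texera's own, a hypothetical `verify` hook that wraps whichever JWT library the service uses, and the class name `ExampleJwtAuthFilter`.

```scala
package org.apache.texera.auth.example // assumption: illustrative package, not the real filter's

import javax.annotation.Priority
import javax.annotation.security.PermitAll
import javax.ws.rs.Priorities
import javax.ws.rs.container.{ContainerRequestContext, ContainerRequestFilter, ResourceInfo}
import javax.ws.rs.core.{Context, HttpHeaders, Response, SecurityContext}
import javax.ws.rs.ext.Provider
import org.slf4j.LoggerFactory

import java.security.Principal
import scala.util.{Failure, Success, Try}

// Stand-in for Texera's own SessionUser; Dropwizard's @Auth needs a java.security.Principal.
final case class SessionUser(name: String, roles: Set[String]) extends Principal {
  override def getName: String = name
}

// `verify` is an assumed hook around the project's JWT library: it must return
// Failure for an expired, malformed, or badly signed token.
@Provider
@Priority(Priorities.AUTHENTICATION) // run before Dropwizard's @Auth value factory
class ExampleJwtAuthFilter(verify: String => Try[SessionUser]) extends ContainerRequestFilter {

  private val logger = LoggerFactory.getLogger(getClass)
  private val Challenge = "Bearer realm=\"texera\""

  // Jersey injects this into a registered provider instance; it exposes the matched
  // resource method and class so the filter can look for @PermitAll. Do not mark the
  // filter @PreMatching, or ResourceInfo is not populated yet.
  @Context private var resourceInfo: ResourceInfo = _

  override def filter(ctx: ContainerRequestContext): Unit = {
    bearerToken(ctx) match {
      // Rule 1 exemption: no token at all on a @PermitAll endpoint passes through with
      // no SecurityContext, so `@Auth Optional[SessionUser]` resolves to empty.
      case None if isPermitAll => ()

      // Rule 1: any other request without a Bearer token is challenged.
      case None => abort(ctx)

      case Some(token) =>
        verify(token) match {
          // Rule 3: valid token, publish the principal for @Auth injection.
          case Success(user) => ctx.setSecurityContext(securityContextFor(ctx, user))

          // Rule 2: a token that is present but bad is never downgraded to anonymous,
          // even on @PermitAll endpoints. Log the reason, never the token itself.
          case Failure(e) =>
            logger.warn(s"Rejected Bearer token for ${ctx.getMethod} ${ctx.getUriInfo.getPath}: " +
              s"${e.getClass.getSimpleName}: ${e.getMessage}")
            abort(ctx)
        }
    }
  }

  // Extract the token from "Authorization: Bearer <token>"; the scheme name is
  // case-insensitive per RFC 7235, and an empty credential counts as no token.
  private def bearerToken(ctx: ContainerRequestContext): Option[String] =
    Option(ctx.getHeaderString(HttpHeaders.AUTHORIZATION))
      .filter(h => h.length > 7 && h.substring(0, 7).equalsIgnoreCase("Bearer "))
      .map(_.substring(7).trim)
      .filter(_.nonEmpty)

  // @PermitAll on the method or on the whole resource class exempts the request from rule 1.
  private def isPermitAll: Boolean =
    resourceInfo != null && {
      val method = resourceInfo.getResourceMethod
      val clazz = resourceInfo.getResourceClass
      (method != null && method.isAnnotationPresent(classOf[PermitAll])) ||
      (clazz != null && clazz.isAnnotationPresent(classOf[PermitAll]))
    }

  // 401 with the challenge header, sent straight from the filter.
  private def abort(ctx: ContainerRequestContext): Unit =
    ctx.abortWith(
      Response.status(Response.Status.UNAUTHORIZED)
        .header(HttpHeaders.WWW_AUTHENTICATE, Challenge)
        .build())

  private def securityContextFor(ctx: ContainerRequestContext, user: SessionUser): SecurityContext =
    new SecurityContext {
      override def getUserPrincipal: Principal = user
      override def isUserInRole(role: String): Boolean = user.roles.contains(role)
      // Keep the transport's answer about TLS rather than inventing one.
      override def isSecure: Boolean = Option(ctx.getSecurityContext).exists(_.isSecure)
      override def getAuthenticationScheme: String = "Bearer"
    }
}
```

Register it as an instance on the Dropwizard `Environment` (`environment.jersey().register(new ExampleJwtAuthFilter(verifier))`) so Jersey performs the `@Context` injection, and put `@PermitAll` on `getDatasetCover` alone. Two things worth checking when adopting this shape: a class-level `@PermitAll` exempts every method of that resource class, not just the one you had in mind, and the `isPermitAll` test deliberately applies only to the no-token branch, so a present-but-invalid token on a public endpoint still fails closed.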
