If the Jakarta Authentication fails with an exception, set a 500 status

markt-asf · markt-asf · commit acc2f01395f8 · 2024-09-19T13:29:26.000+01:00
Depending on what fails where, the status may not be set or may be set
incorrectly.
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -803,6 +803,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta
             authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
         } catch (AuthException e) {
             log.debug(sm.getString("authenticator.loginFail"), e);
+            // Need to explicitly set the return code as the ServerAuthContext may not have done.
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
             return false;
         }
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -117,6 +117,11 @@
         creates one <code>GenericPrincipal</code> in the <code>Subject</code>.
         (markt)
       </fix>
+      <fix>
+        If the Jakarta Authentication process fails with an Exception,
+        explicitly set the HTTP response status to 500 as the
+        <code>ServerAuthContext</code> may not have set it. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>

Original file line number	Diff line number	Diff line change
`@@ -803,6 +803,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta`
`803`	`803`	`authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);`
`804`	`804`	`} catch (AuthException e) {`
`805`	`805`	`log.debug(sm.getString("authenticator.loginFail"), e);`
	`806`	`+ // Need to explicitly set the return code as the ServerAuthContext may not have done.`
	`807`	`+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);`
`806`	`808`	`return false;`
`807`	`809`	`}`
`808`	`810`