
Merge pull request #3954 from Agnul97/fix-errorMessageAuthenticationApi
FIX - wrong Cors filtering error upon unauthorized API request
Coduz authored Feb 6, 2024
2 parents 1d45940 + 9b6c8ed commit 9dbba12
Showing 2 changed files with 6 additions and 9 deletions.
Expand Up @@ -104,6 +104,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
KapuaId scopeId = KapuaSecurityUtils.getSession() != null ? KapuaSecurityUtils.getSession().getScopeId() : null;
String origin = httpRequest.getHeader(HttpHeaders.ORIGIN);
String fetchSite = httpRequest.getHeader(HttpHeaders.SEC_FETCH_SITE);
String errorMessage = null;

if (Strings.isNullOrEmpty(fetchSite)) {
logger.warn("Sec-Fetch-Site' header not present in request: {} {}. CORSResponseFilter may produce false positives for this request. User-Agent is: {}", httpRequest.getMethod(), httpRequest.getPathInfo(), httpRequest.getHeader(HttpHeaders.USER_AGENT));
Expand All @@ -123,11 +124,10 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
httpResponse.addHeader("Vary", HttpHeaders.ORIGIN);
} else {
//this log, for clients not supporting sec-fetch-site, logs false positive for same origin CORS. This thing is inevitable considering that here we cannot understand if the request comes from the same origin
if (scopeId != null) {
logger.error("HTTP Origin not allowed: {} for scope: {} for the request path: {} {}", origin, scopeId.toCompactId(), httpRequest.getMethod(), httpRequest.getPathInfo());
} else {
logger.error("HTTP Origin not allowed: {} for the request path: {} {}", origin, httpRequest.getMethod(), httpRequest.getPathInfo());
}
errorMessage = scopeId != null ?
String.format("HTTP Origin not allowed: %s for scope: %s for the request path: %s %s", origin, scopeId.toCompactId(), httpRequest.getMethod(), httpRequest.getPathInfo()) :
String.format("HTTP Origin not allowed: %s for the request path: %s %s", origin, httpRequest.getMethod(), httpRequest.getPathInfo());
logger.error(errorMessage);
}
} else {
logger.debug("HTTP sec-fetch-site same-origin detected and allowed. Request: {} {}. User-Agent is: {}", httpRequest.getMethod(), httpRequest.getPathInfo(), httpRequest.getHeader(HttpHeaders.USER_AGENT));
Expand All @@ -136,9 +136,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
int errorCode = httpResponse.getStatus();
if (errorCode >= 400) {
// if there's an error code at this point, return it and stop the chain
String errorMessage = scopeId != null ?
String.format("HTTP Origin not allowed: %s for scope: %s for the request path: %s %s", origin, scopeId.toCompactId(), httpRequest.getMethod(), httpRequest.getPathInfo()) :
String.format("HTTP Origin not allowed: %s for the request path: %s %s", origin, httpRequest.getMethod(), httpRequest.getPathInfo());
httpResponse.sendError(errorCode, errorMessage);
return;
}
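Review bot: `httpResponse.sendError(errorCode, errorMessage)` in the last hunk can now be reached with a null message, because `errorMessage` is initialised to null in the first hunk and only assigned on the origin-not-allowed branch, while `errorCode >= 400` also holds for a status set earlier in the chain (the 401 from `onAccessDenied` in the second file looks like one such case, assuming both filters sit in the same chain). Whether a null message produces the container's default reason phrase or a literal "null" body depends on the servlet container, so the two cases are better made explicit: `if (errorMessage == null) { httpResponse.sendError(errorCode); } else { httpResponse.sendError(errorCode, errorMessage); }`. The message that is sent to the client also embeds the request's `Origin` header value verbatim; the containers' default error pages generally escape it, but a comment such as `// errorMessage echoes the client-supplied Origin header; relies on the container's error page escaping it` would make that dependency visible to the next maintainer. `doFilter` starts and ends outside the hunks.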
Expand Up @@ -69,7 +69,7 @@ protected AuthenticationToken createToken(ServletRequest request, ServletRespons
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
HttpServletResponse httpResponse = WebUtils.toHttp(response);
httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
// Continue with the filter chain, because CORS headers are still needed
// Continue with the filter chain, because CORS headers are still needed in the case when token is not authenticated or expired
return true;
}

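Review bot: The reworded comment in `onAccessDenied` explains why the chain continues after the 401 is set, but not what prevents that request from reaching the resource; from the first file's hunk it appears to be the `errorCode >= 400` check in the CORS filter, assuming the two filters run in the same chain. Spelling that out avoids the reading that returning `true` lets an unauthenticated request through, e.g. `// Continue with the filter chain so CORS headers are still added; the CORS filter ends the chain on the >= 400 status it finds here`. `onAccessDenied` is shown in full; `createToken` named in the hunk header lies outside the hunk.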
