commit 0f8ca8cbcc551c457a095702406edabf57761444
author Girish Vasmatkar <girish.vasmatkar@hotwaxsystems.com> Mon Aug 31 16:51:08 2020 +0530
committer Girish Vasmatkar <girish.vasmatkar@hotwaxsystems.com> Mon Aug 31 16:51:08 2020 +0530
tree e489d1eb1975b1fad6e7e7b367a920712b647222
parent 3174bd92ec9b46fc781cd9550955bdaeece9af54

Fixed: Removed unncessary check for userLogin claim
2. Modified code to return 401 instead of 403 in case JWT auth fails.
(OFBIZ-11328)

ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java

diff --git a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
index a39b11a..d1bd212 100644
--- a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
+++ b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
@@ -70,22 +70,17 @@
         String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         Delegator delegator = (Delegator) servletContext.getAttribute("delegator");
         if (!isTokenBasedAuthentication(authorizationHeader)) {
-            abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header");
+            abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header.");
             return;
         }
         String jwtToken = JWTManager.getHeaderAuthBearerToken(httpRequest);
         Map<String, Object> claims = JWTManager.validateToken(jwtToken, JWTManager.getJWTKey(delegator));
         if (claims.containsKey(ModelService.ERROR_MESSAGE)) {
-            abortWithUnauthorized(requestContext, true, (String) claims.get(ModelService.ERROR_MESSAGE));
+            abortWithUnauthorized(requestContext, true, "Unauthorized: " + (String) claims.get(ModelService.ERROR_MESSAGE));
         } else {
             GenericValue userLogin = extractUserLoginFromJwtClaim(delegator, claims);
-            if (UtilValidate.isEmpty(userLogin)) {
-                abortWithUnauthorized(requestContext, true, "Access Denied: User does not exist in the system");
-                return;
-            }
             httpRequest.setAttribute("userLogin", userLogin);
         }
-
     }
 
     /**
@@ -107,7 +102,7 @@
                             .header(HttpHeaders.WWW_AUTHENTICATE, AuthenticationScheme.BEARER.getScheme() + " realm=\"" + REALM + "\"").build());
         } else {
             requestContext
-                    .abortWith(RestApiUtil.error(Response.Status.FORBIDDEN.getStatusCode(), Response.Status.FORBIDDEN.getReasonPhrase(), message));
+                .abortWith(RestApiUtil.error(Response.Status.UNAUTHORIZED.getStatusCode(), Response.Status.UNAUTHORIZED.getReasonPhrase(), message));
         }
 
     }