If the Jakarta Authentication fails with an exception, set a 500 status · apache/tomcat@acc2f01 · GitHub
If the Jakarta Authentication fails with an exception, set a 500 status
Depending on what fails where, the status may not be set or may be set
incorrectly.
markt-asf committed Sep 19, 2024
1 parent 7a8756b commit acc2f01
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions java/org/apache/catalina/authenticator/AuthenticatorBase.java
Expand Up @@ -803,6 +803,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta
authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
} catch (AuthException e) {
log.debug(sm.getString("authenticator.loginFail"), e);
// Need to explicitly set the return code as the ServerAuthContext may not have done.
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}

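Review bot: The catch block now turns an AuthException into a 500 but still logs it only at debug level (`log.debug(sm.getString("authenticator.loginFail"), e);`), so in a default configuration an operator who sees clients receiving 500s has no log line explaining why. Since the new `response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR)` signals a server-side failure rather than a rejected login, consider logging at warn level (or at least debug with the status noted) and checking that the `authenticator.loginFail` message text, which reads as a client login failure, matches the 500 being returned.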
5 changes: 5 additions & 0 deletions webapps/docs/changelog.xml
Expand Up @@ -117,6 +117,11 @@
creates one <code>GenericPrincipal</code> in the <code>Subject</code>.
(markt)
</fix>
<fix>
If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the
<code>ServerAuthContext</code> may not have set it. (markt)
</fix>
</changelog>
</subsection>
</section>
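Review bot: The changelog wording "as the <code>ServerAuthContext</code> may not have set it" covers only the unset case, while the commit message also says the status "may be set incorrectly"; since the code path sets 500 unconditionally after an exception, the entry should say that any status already set by the <code>ServerAuthContext</code> is overridden, so module authors know the new behaviour.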

0 comments on commit acc2f01
