Bug 531075 - HTTP server does not return WWW-Authenticate header when ServiceNotAuthorizedException is thrown
Status: NEW
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 4.11
Hardware: PC Linux
Importance: P3 normal with 1 vote
Target Milestone: ---
Assignee: Project Inbox CLA
Reported: 2018-02-12 20:26 EST by Hossein Pursultani CLA
Modified: 2018-02-12 21:19 EST
Description Hossein Pursultani CLA 2018-02-12 20:26:01 EST
HTTP server does not include "WWW-Authenticate" header when an underlying call, e.g. "RepositoryResolver.open", throws "ServiceNotAuthorizedException".

This situation violates Section 10.16 of RFC 1945. As a result, Git clients fail to challenge the user to enter their credentials and retry the request.

In a test scenario (public-pull private-push), the Git command line (version 2.14.1) fails to ask for username and password when the server returns HTTP status 401.
Comment 1 Hossein Pursultani CLA 2018-02-12 20:51:23 EST
I updated SmartClientSmartServerTest to catch this bug. As a result `SmartClientSmartServerTest#testPush_NotAuthorized` fails.

  See: https://github.com/pursultani/jgit/commit/32ecd539

My solution is to add another filter to the chain, i.e. `WWWAuthenticationFilter`, to ensure that the header is included.

Also, the realm name can be set by a new init param, "realm-name".

  See: https://github.com/pursultani/jgit/commit/fb19681f
Comment 2 Eclipse Genie CLA 2018-02-12 21:19:41 EST
New Gerrit change created: https://git.eclipse.org/r/117220
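
The approach proposed in Comment 1, shown as an added example (not code from the linked commits or from JGit): a servlet filter, here given the hypothetical name `ChallengeOn401Filter`, that wraps the response so a 401 set through `setStatus` or `sendError` leaves with a challenge. It assumes the `javax.servlet` API, Basic authentication and a default realm of "Git"; only the "realm-name" init param comes from the report.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: ensures every 401 response carries a WWW-Authenticate challenge. */
public class ChallengeOn401Filter implements Filter {
    private String challenge;

    @Override
    public void init(FilterConfig cfg) {
        String realm = cfg.getInitParameter("realm-name"); // init param named in Comment 1
        if (realm == null || realm.isEmpty()) {
            realm = "Git"; // assumed default, not taken from the report
        }
        // The realm is an HTTP quoted-string: escape backslash and double quote.
        challenge = "Basic realm=\"" + realm.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            private void challengeIfNeeded(int status) {
                // Set the header before delegating: sendError commits the response.
                if (status == SC_UNAUTHORIZED && !containsHeader("WWW-Authenticate")) {
                    setHeader("WWW-Authenticate", challenge);
                }
            }
            @Override public void setStatus(int sc) {
                challengeIfNeeded(sc);
                super.setStatus(sc);
            }
            @Override public void sendError(int sc) throws IOException {
                challengeIfNeeded(sc);
                super.sendError(sc);
            }
            @Override public void sendError(int sc, String msg) throws IOException {
                challengeIfNeeded(sc);
                super.sendError(sc, msg);
            }
        });
    }

    @Override
    public void destroy() { }
}
```

The filter has to sit ahead of the code that produces the 401, and it leaves any challenge header already set downstream untouched.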