Webservices REST Module / RESTWS-859

Authentication Filter should not return 403

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: 2.32.0
    • Fix Version/s: 2.34.0
    • Component/s: None
    • Complexity: Medium

      Description

      Talk Post

      We should update the AuthenticationFilter in the REST module to behave as described in the linked Talk post.

      The logic should be:

      1. If there is a valid HTTP session, the request is processed as usual and no additional filtering is done (apart from the IP filtering, which shouldn't be touched by this ticket).
      2. If there isn't a valid HTTP session, we should check for the Authorization: Basic ... header.
      2.1. If there isn't an Authorization: ... header, we return an HTTP 401 error with the WWW-Authenticate header set to Basic, OpenMRS-Cookie.
      2.2. If there is an Authorization: Basic ... header, we attempt to log in with the provided credentials.
      2.2.1. If the Authorization: Basic header does not have a provided credential (i.e., the header is empty after Basic), we should return an HTTP 400 error.
      2.2.2. If the login attempt succeeds, the request is processed as normal.
      2.2.3. If the login attempt fails, we return an HTTP 401 error with the WWW-Authenticate header set to OpenMRS-Cookie.
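
The decision sequence above as an added Java example; it is not the REST module's AuthenticationFilter code. The class, the Decision type and the login callback are hypothetical, and the handling of non-Basic schemes and of undecodable credentials is an assumption, since the ticket does not cover those cases.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.BiPredicate;

// Hypothetical names throughout; status 0 means "continue the filter chain".
public class AuthDecisionExample {
    static final class Decision {
        final int status; final String challenge; // challenge = WWW-Authenticate value or null
        Decision(int status, String challenge) { this.status = status; this.challenge = challenge; }
        @Override public String toString() {
            if (status == 0) return "proceed";
            return status + (challenge == null ? "" : ", WWW-Authenticate: " + challenge);
        }
    }

    static Decision decide(boolean validSession, String auth, BiPredicate<String, String> login) {
        if (validSession) return new Decision(0, null);                       // step 1
        boolean basic = auth != null && auth.regionMatches(true, 0, "Basic", 0, 5)
                && (auth.length() == 5 || auth.charAt(5) == ' ');
        // Assumption: a non-Basic scheme is challenged like a missing header.
        if (!basic) return new Decision(401, "Basic, OpenMRS-Cookie");        // step 2.1
        String encoded = auth.substring(5).trim();
        if (encoded.isEmpty()) return new Decision(400, null);                // step 2.2.1
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return new Decision(400, null); // assumption: undecodable credentials are a 400 too
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return new Decision(400, null); // assumption: no user:password separator
        return login.test(decoded.substring(0, colon), decoded.substring(colon + 1))
                ? new Decision(0, null)                                       // step 2.2.2
                : new Decision(401, "OpenMRS-Cookie");                        // step 2.2.3
    }

    public static void main(String[] args) {
        // Constructed credentials and a stand-in login check, for illustration only.
        BiPredicate<String, String> login = (u, p) -> u.equals("demo") && p.equals("constructed-pw");
        String good = "Basic " + Base64.getEncoder().encodeToString("demo:constructed-pw".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("demo:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("session:        " + decide(true, null, login));
        System.out.println("no header:      " + decide(false, null, login));
        System.out.println("empty Basic:    " + decide(false, "Basic ", login));
        System.out.println("valid login:    " + decide(false, good, login));
        System.out.println("failed login:   " + decide(false, bad, login));
    }
}
```

Note that the failed-login challenge in step 2.2.3 omits Basic, so the two 401 responses are distinguishable by their WWW-Authenticate value alone.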

                People

                Assignee:
                abertnamanya Namanya Abert
                Reporter:
                ibacher Ian Bacher
                Votes: 1
                Watchers: 3