Details
- Type: Enhancement
- Status: Closed
- Priority: Should
- Resolution: Fixed
- Fix Version: 2.32.0
- Complexity: Medium
Description
We should update the AuthenticationFilter in the REST module to behave as described in the linked Talk post.
The logic should be:
1. If there is a valid HTTP session, the request is processed as usual and no additional filtering is done (apart from the IP filtering, which shouldn't be touched by this ticket).
2. If there isn't a valid HTTP session, we should check for the Authorization: Basic ... header.
2.1 If there isn't an Authorization: ... header, we return an HTTP 401 error with the WWW-Authenticate header set to Basic, OpenMRS-Cookie.
2.2 If there is an Authorization: Basic ... header, we attempt to log in with the provided credentials.
2.2.1 If the Authorization: Basic header does not carry a credential (i.e., the header is empty after Basic), we should return an HTTP 400 error.
2.2.2 If the login attempt succeeds, the request is processed as normal.
2.2.3 If the login attempt fails, we return an HTTP 401 error with the WWW-Authenticate header set to OpenMRS-Cookie.
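As an added example (not OpenMRS code), the decision tree in steps 1 to 2.2.3 above modelled in Python so each branch can be exercised against sample requests. `login` and `demo_login` are hypothetical stand-ins for the real credential check, and the handling of non-Basic schemes and undecodable credentials is an assumption, since the description does not spell it out.

```python
import base64
import binascii
from typing import Callable, Dict, Tuple

# Result for the caller: continue down the filter chain ("proceed") or
# short-circuit ("reject") with the given HTTP status and response headers.
Outcome = Tuple[str, int, Dict[str, str]]


def filter_request(has_valid_session: bool,
                   headers: Dict[str, str],
                   login: Callable[[str, str], bool]) -> Outcome:
    """Decision tree of the ticket's AuthenticationFilter (IP filtering left out)."""
    # 1. A valid HTTP session: no further filtering, process as usual.
    if has_valid_session:
        return ("proceed", 200, {})

    # 2. No session: look for the Authorization header (name is case-insensitive).
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)

    # 2.1 No Authorization header at all: challenge with both schemes.
    if auth is None:
        return ("reject", 401, {"WWW-Authenticate": "Basic, OpenMRS-Cookie"})

    scheme, _, payload = auth.strip().partition(" ")
    if scheme.lower() != "basic":
        # Assumption: a non-Basic scheme is not this filter's business and is
        # left for later filters (cf. the FM2-443 dependency).
        return ("proceed", 200, {})

    # 2.2.1 "Authorization: Basic" with nothing usable after the scheme -> 400.
    # Assumption: undecodable or colon-less credentials are treated the same way.
    try:
        user, sep, password = base64.b64decode(
            payload.strip(), validate=True).decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return ("reject", 400, {})
    if not payload.strip() or not sep:
        return ("reject", 400, {})

    # 2.2.2 / 2.2.3 Try the credentials; on failure only OpenMRS-Cookie is advertised.
    if login(user, password):
        return ("proceed", 200, {})
    return ("reject", 401, {"WWW-Authenticate": "OpenMRS-Cookie"})


def demo_login(user: str, password: str) -> bool:
    """Constructed stand-in for the real credential check."""
    return (user, password) == ("alice", "s3cret")
```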
Issue Links
- depends on FM2-443 AuthenticationFilter to allow requests with other authentication schemes to go through (Closed)
- is caused by RESTWS-277 Authentication error is same for expired session id and auth failure (Closed)