TestWfsPost - don't forward Authentication header

src/wfs/src/main/java/org/vfny/geoserver/wfs/servlets/TestWfsPost.java

@@ -185,21 +185,13 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                 acon.setDoInput(true);
                 acon.setUseCaches(false);
 
-                // SISfixed - if there was authentication info in the request,
-                //           Pass it along the way to the target URL
-                // DJB: applied patch in GEOS-335
-                String authHeader = request.getHeader("Authorization");
-
                 String username = request.getParameter("username");
 
                 if ((username != null) && !username.trim().equals("")) {
                     String password = request.getParameter("password");
                     String up = username + ":" + password;
                     byte[] encoded = Base64.encodeBase64(up.getBytes());
-                    authHeader = "Basic " + new String(encoded);
-                }
-
-                if (authHeader != null) {
+                    String authHeader = "Basic " + new String(encoded);
                     acon.setRequestProperty("Authorization", authHeader);
                 }
 

src/wfs/src/test/java/org/vfny/geoserver/wfs/servlets/TestWfsPostOnlineIntegrationTest.java

@@ -11,6 +11,7 @@
 import java.net.HttpURLConnection;
 import java.net.URL;
 import javax.servlet.ServletException;
+import org.apache.commons.codec.binary.Base64;
 import org.junit.Assume;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -46,14 +47,27 @@ protected MockHttpServletResponse doWfsPost() throws ServletException, IOExcepti
 
     protected MockHttpServletResponse doWfsPost(String username, String password)
             throws ServletException, IOException {
-        TestWfsPost servlet = new TestWfsPost();
+        return doWfsPost(username, password, false);
+    }
+
+    protected MockHttpServletResponse doWfsPost(
+            String username, String password, boolean useHttpBasicAuth)
+            throws ServletException, IOException {
+        TestWfsPost servlet = TestWfsPostTest.buildMockServlet();
         MockHttpServletRequest request = TestWfsPostTest.buildMockRequest();
         request.setParameter("url", "http://localhost:8080/geoserver/wfs");
         request.setParameter("body", WFS_REQUEST);
 
         if (username != null && password != null) {
-            request.setParameter("username", username);
-            request.setParameter("password", password);
+            if (useHttpBasicAuth) {
+                String up = username + ":" + password;
+                byte[] encoded = Base64.encodeBase64(up.getBytes());
+                String authHeader = "Basic " + new String(encoded);
+                request.addHeader("Authorization", authHeader);
+            } else {
+                request.setParameter("username", username);
+                request.setParameter("password", password);
+            }
         }
         request.setMethod("GET");
 
@@ -99,4 +113,14 @@ public void testWfsPostInvalidAuth() throws ServletException, IOException {
         assertFalse(response.getContentAsString().contains("wfs:FeatureCollection"));
         assertTrue(response.getContentAsString().contains("HTTP response: 401"));
     }
+
+    @Test
+    public void testWfsPostNotForwardingHeader() throws IOException, ServletException {
+        Assume.assumeTrue(isOnline());
+        // Use a header with bad credentials, expecting it will be ignored
+        MockHttpServletResponse response = doWfsPost("admin", "badpassword", true);
+
+        assertFalse(response.getContentAsString().contains("HTTP response: 401"));
+        assertTrue(response.getContentAsString().contains("wfs:FeatureCollection"));
+    }
 }