Always return the WWW-Authenticate header for 401 error (#1007)

* Always return the WWW-Authenticate header for 401 error

* constant for the realm name

pac4j-core/src/main/java/org/pac4j/core/client/IndirectClient.java

@@ -1,5 +1,6 @@
 package org.pac4j.core.client;
 
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.Credentials;
@@ -84,14 +85,18 @@ public RedirectAction getRedirectAction(final WebContext context) {
             logger.info("AJAX request detected -> returning 401");
             RedirectAction action = redirectActionBuilder.redirect(context);
             cleanRequestedUrl(context);
-            throw HttpAction.unauthorized("AJAX request -> 401", context, null, action.getLocation());
+            final String url = action.getLocation();
+            if (CommonHelper.isNotBlank(url)) {
+                context.setResponseHeader(HttpConstants.LOCATION_HEADER, url);
+            }
+            throw HttpAction.unauthorized("AJAX request -> 401", context);
         }
         // authentication has already been tried -> unauthorized
         final String attemptedAuth = (String) context.getSessionStore().get(context, getName() + ATTEMPTED_AUTHENTICATION_SUFFIX);
         if (CommonHelper.isNotBlank(attemptedAuth)) {
             cleanAttemptedAuthentication(context);
             cleanRequestedUrl(context);
-            throw HttpAction.unauthorized("authentication already tried -> forbidden", context, null, null);
+            throw HttpAction.unauthorized("authentication already tried -> forbidden", context);
         }
 
         return redirectActionBuilder.redirect(context);

pac4j-core/src/main/java/org/pac4j/core/context/Pac4jConstants.java

@@ -73,4 +73,6 @@ public interface Pac4jConstants {
     String CENTRAL_LOGOUT = "centralLogout";
 
     String DEFAULT_CLIENT_NAME_PARAMETER = "client_name";
+
+    String DEFAULT_REALM_NAME = "authentication required";
 }

pac4j-core/src/main/java/org/pac4j/core/engine/DefaultSecurityLogic.java

@@ -256,7 +256,7 @@ protected HttpAction redirectToIdentityProvider(final C context, final List<Clie
      * @return an unauthorized error
      */
     protected HttpAction unauthorized(final C context, final List<Client> currentClients) {
-        return HttpAction.unauthorized("unauthorized", context, null, null);
+        return HttpAction.unauthorized("unauthorized", context);
     }
 
     public ClientFinder getClientFinder() {

pac4j-core/src/main/java/org/pac4j/core/exception/HttpAction.java

@@ -78,62 +78,9 @@ public static HttpAction ok(final String message, final WebContext context, Stri
      *
      * @param message message
      * @param context context
-     * @param realmName realm name
      * @return a basic auth popup credentials
      */
-    public static HttpAction unauthorized(final String message, final WebContext context, final String realmName) {
-        return unauthorized(message, context, realmName, null);
-    }
-
-    /**
-     * Build a basic auth popup credentials.
-     *
-     * @param message message
-     * @param context context
-     * @param realmName realm name
-     * @param url url
-     * @return a basic auth popup credentials
-     */
-    public static HttpAction unauthorized(final String message, final WebContext context, final String realmName, final String url) {
-        if (CommonHelper.isNotBlank(realmName)) {
-            context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Basic realm=\"" + realmName + "\"");
-        }
-        if (CommonHelper.isNotBlank(url)) {
-            context.setResponseHeader(HttpConstants.LOCATION_HEADER, url);
-        }
-        context.setResponseStatus(HttpConstants.UNAUTHORIZED);
-        return new HttpAction(message, HttpConstants.UNAUTHORIZED);
-    }
-
-    /**
-     * Build a digest auth popup credentials.
-     *
-     * @param message message
-     * @param context context
-     * @param realmName realm name
-     * @param qop qop
-     * @param nonce nonce
-     * @return a digest auth popup credentials
-     */
-    public static HttpAction unauthorizedDigest(final String message, final WebContext context, final String realmName, final String qop,
-                                                final String nonce) {
-        if (CommonHelper.isNotBlank(realmName)) {
-            context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Digest realm=\"" + realmName + "\", qop=\""
-                + qop + "\", nonce=\"" + nonce + "\"");
-        }
-        context.setResponseStatus(HttpConstants.UNAUTHORIZED);
-        return new HttpAction(message, HttpConstants.UNAUTHORIZED);
-    }
-
-    /**
-     * Build a response requesting to provide credentials via Kerberos/SPNEGO Negotiate mechanism.
-     *
-     * @param message message
-     * @param context context
-     * @return 401 Unauthorized with "WWW-Authenticate: Negotiate"
-     */
-    public static HttpAction unauthorizedNegotiate(final String message, final WebContext context) {
-        context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Negotiate");
+    public static HttpAction unauthorized(final String message, final WebContext context) {
         context.setResponseStatus(HttpConstants.UNAUTHORIZED);
         return new HttpAction(message, HttpConstants.UNAUTHORIZED);
     }

pac4j-http/src/main/java/org/pac4j/http/client/direct/DirectBasicAuthClient.java

@@ -1,11 +1,15 @@
 package org.pac4j.http.client.direct;
 
 import org.pac4j.core.client.DirectClient;
+import org.pac4j.core.context.HttpConstants;
+import org.pac4j.core.context.Pac4jConstants;
+import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.UsernamePasswordCredentials;
 import org.pac4j.core.credentials.authenticator.Authenticator;
 import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
 import org.pac4j.core.profile.creator.ProfileCreator;
+import org.pac4j.core.util.CommonHelper;
 
 /**
  * <p>This class is the client to authenticate users directly through HTTP basic auth.</p>
@@ -15,7 +19,10 @@
  */
 public class DirectBasicAuthClient extends DirectClient<UsernamePasswordCredentials, CommonProfile> {
 
-    public DirectBasicAuthClient() {}
+    private String realmName = Pac4jConstants.DEFAULT_REALM_NAME;
+
+    public DirectBasicAuthClient() {
+    }
 
     public DirectBasicAuthClient(final Authenticator usernamePasswordAuthenticator) {
         defaultAuthenticator(usernamePasswordAuthenticator);
@@ -29,6 +36,31 @@ public DirectBasicAuthClient(final Authenticator usernamePasswordAuthenticator,
 
     @Override
     protected void clientInit() {
+        CommonHelper.assertNotBlank("realmName", this.realmName);
+
         defaultCredentialsExtractor(new BasicAuthExtractor(getName()));
     }
+
+    @Override
+    protected UsernamePasswordCredentials retrieveCredentials(final WebContext context) {
+        // set the www-authenticate in case of error
+        context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Basic realm=\"" + realmName + "\"");
+
+        return super.retrieveCredentials(context);
+    }
+
+    public String getRealmName() {
+        return realmName;
+    }
+
+    public void setRealmName(final String realmName) {
+        this.realmName = realmName;
+    }
+
+    @Override
+    public String toString() {
+        return CommonHelper.toString(this.getClass(), "name", getName(), "credentialsExtractor", getCredentialsExtractor(),
+            "authenticator", getAuthenticator(), "profileCreator", getProfileCreator(),
+            "authorizationGenerators", getAuthorizationGenerators(), "realmName", this.realmName);
+    }
 }

pac4j-http/src/main/java/org/pac4j/http/client/direct/DirectDigestAuthClient.java

@@ -1,6 +1,7 @@
 package org.pac4j.http.client.direct;
 
 import org.pac4j.core.client.DirectClient;
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.authenticator.Authenticator;
 import org.pac4j.core.exception.HttpAction;
@@ -53,7 +54,9 @@ protected DigestCredentials retrieveCredentials(final WebContext context) {
         DigestCredentials credentials = super.retrieveCredentials(context);
         if (credentials == null) {
             String nonce = calculateNonce();
-            HttpAction.unauthorizedDigest("Digest required", context, realm, "auth", nonce);
+            context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Digest realm=\"" + realm + "\", qop=\"auth\", nonce=\""
+                + nonce + "\"");
+            throw HttpAction.unauthorized("Digest required", context);
         }
         return credentials;
     }

pac4j-http/src/main/java/org/pac4j/http/client/indirect/IndirectBasicAuthClient.java

@@ -1,6 +1,8 @@
 package org.pac4j.http.client.indirect;
 
 import org.pac4j.core.client.IndirectClient;
+import org.pac4j.core.context.HttpConstants;
+import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.redirect.RedirectAction;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.authenticator.Authenticator;
@@ -23,7 +25,7 @@
  */
 public class IndirectBasicAuthClient extends IndirectClient<UsernamePasswordCredentials, CommonProfile> {
 
-    private String realmName = "authentication required";
+    private String realmName = Pac4jConstants.DEFAULT_REALM_NAME;
 
     public IndirectBasicAuthClient() {}
 
@@ -54,20 +56,23 @@ protected UsernamePasswordCredentials retrieveCredentials(final WebContext conte
         CommonHelper.assertNotNull("credentialsExtractor", getCredentialsExtractor());
         CommonHelper.assertNotNull("authenticator", getAuthenticator());
 
+        // set the www-authenticate in case of error
+        context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Basic realm=\"" + realmName + "\"");
+
         final UsernamePasswordCredentials credentials;
         try {
             // retrieve credentials
             credentials = getCredentialsExtractor().extract(context);
             logger.debug("credentials : {}", credentials);
 
             if (credentials == null) {
-                throw HttpAction.unauthorized("Requires authentication", context, this.realmName, null);
+                throw HttpAction.unauthorized("Requires authentication", context);
             }
 
             // validate credentials
             getAuthenticator().validate(credentials, context);
         } catch (final CredentialsException e) {
-            throw HttpAction.unauthorized("Requires authentication", context, this.realmName, null);
+            throw HttpAction.unauthorized("Requires authentication", context);
         }
 
         return credentials;
@@ -83,8 +88,11 @@ public void setRealmName(String realmName) {
 
     @Override
     public String toString() {
-        return CommonHelper.toString(this.getClass(), "callbackUrl", this.callbackUrl, "name", getName(),
-                "realmName", this.realmName, "extractor", getCredentialsExtractor(), "authenticator", getAuthenticator(),
-                "profileCreator", getProfileCreator());
+        return CommonHelper.toString(this.getClass(), "name", getName(), "callbackUrl", this.callbackUrl,
+            "callbackUrlResolver", this.callbackUrlResolver, "ajaxRequestResolver", getAjaxRequestResolver(),
+            "redirectActionBuilder", getRedirectActionBuilder(), "credentialsExtractor", getCredentialsExtractor(),
+            "authenticator", getAuthenticator(), "profileCreator", getProfileCreator(),
+            "logoutActionBuilder", getLogoutActionBuilder(), "authorizationGenerators", getAuthorizationGenerators(),
+            "realmName", this.realmName);
     }
 }

pac4j-jwt/src/main/java/org/pac4j/jwt/credentials/authenticator/JwtAuthenticator.java

@@ -7,6 +7,8 @@
 import java.util.List;
 import java.util.Map;
 
+import org.pac4j.core.context.HttpConstants;
+import org.pac4j.core.context.Pac4jConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.TokenCredentials;
 import org.pac4j.core.credentials.authenticator.Authenticator;
@@ -54,6 +56,8 @@ public class JwtAuthenticator extends ProfileDefinitionAware<JwtProfile> impleme
 
     private List<SignatureConfiguration> signatureConfigurations = new ArrayList<>();
 
+    private String realmName = Pac4jConstants.DEFAULT_REALM_NAME;
+
     public JwtAuthenticator() {}
 
     public JwtAuthenticator(final List<SignatureConfiguration> signatureConfigurations) {
@@ -77,6 +81,8 @@ public JwtAuthenticator(final SignatureConfiguration signatureConfiguration, fin
 
     @Override
     protected void internalInit() {
+        CommonHelper.assertNotBlank("realmName", this.realmName);
+
         defaultProfileDefinition(new CommonProfileDefinition<>(x -> new JwtProfile()));
 
         if (signatureConfigurations.isEmpty()) {
@@ -124,6 +130,11 @@ public void validate(final TokenCredentials credentials, final WebContext contex
         init();
         final String token = credentials.getToken();
 
+        if (context != null) {
+            // set the www-authenticate in case of error
+            context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Bearer realm=\"" + realmName + "\"");
+        }
+
         try {
             // Parse the token
             JWT jwt = JWTParser.parse(token);
@@ -280,9 +291,17 @@ public void setEncryptionConfigurations(final List<EncryptionConfiguration> encr
         this.encryptionConfigurations = encryptionConfigurations;
     }
 
+    public String getRealmName() {
+        return realmName;
+    }
+
+    public void setRealmName(final String realmName) {
+        this.realmName = realmName;
+    }
+
     @Override
     public String toString() {
         return CommonHelper.toString(this.getClass(), "signatureConfigurations", signatureConfigurations,
-            "encryptionConfigurations", encryptionConfigurations);
+            "encryptionConfigurations", encryptionConfigurations, "realmName", this.realmName);
     }
 }

pac4j-kerberos/src/main/java/org/pac4j/kerberos/client/indirect/IndirectKerberosClient.java

@@ -1,6 +1,7 @@
 package org.pac4j.kerberos.client.indirect;
 
 import org.pac4j.core.client.IndirectClient;
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.credentials.authenticator.Authenticator;
 import org.pac4j.core.exception.CredentialsException;
@@ -41,18 +42,21 @@ protected KerberosCredentials retrieveCredentials(final WebContext context) {
         CommonHelper.assertNotNull("credentialsExtractor", getCredentialsExtractor());
         CommonHelper.assertNotNull("authenticator", getAuthenticator());
 
+        // set the www-authenticate in case of error
+        context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Negotiate");
+
         final KerberosCredentials credentials;
         try {
             // retrieve credentials
             credentials = getCredentialsExtractor().extract(context);
             logger.debug("kerberos credentials : {}", credentials);
             if (credentials == null) {
-                throw HttpAction.unauthorizedNegotiate("Kerberos Header not found", context);
+                throw HttpAction.unauthorized("Kerberos Header not found", context);
             }
             // validate credentials
             getAuthenticator().validate(credentials, context);
         } catch (final CredentialsException e) {
-            throw HttpAction.unauthorizedNegotiate("Kerberos auth failed", context);
+            throw HttpAction.unauthorized("Kerberos auth failed", context);
         }
 
         return credentials;