line/armeria

Default `AuthFailureHandler` for basic access authentication

Open

#4,997 created on June 29, 2023

Labels: good first issue, improvement

Description

The original default `AuthFailureHandler` of `AuthService` returns a 401 Unauthorized status without any additional headers:

https://github.com/line/armeria/blob/5abd98ae5c1cb747b1c754f44f840a2756fe6c3e/core/src/main/java/com/linecorp/armeria/server/auth/AuthServiceBuilder.java#L42-L47

As the default failed response does not include the `WWW-Authenticate: Basic realm="Accessing to ..."` header, they only see 401 Unauthorized but no prompt for login.

If basic access authentication is configured, many users usually expect to see a prompt to enter their ID and password by default. However, a prompt is shown only when a custom error response for WWW-Authenticate is explicitly defined.

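```java
// httpBasicAuthorizer: the application's Authorizer for HTTP basic credentials.
AuthService
  .builder()
  .addBasicAuth(httpBasicAuthorizer)
  // Custom failure handler: answer 401 with a Basic challenge so the browser prompts.
  .onFailure((delegate, ctx, req, cause) -> {
    return HttpResponse.of(ResponseHeaders.builder(HttpStatus.UNAUTHORIZED)
                                          .add(HttpHeaderNames.WWW_AUTHENTICATE,
                                            "Basic realm=\"Accessing to the ...\"")
                                          .build());
  }).newDecorator();
```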

I don't see this as a sensible default for basic auth, so I propose returning the `WWW-Authenticate: Basic realm="Accessing to ..."` header when only basic access authentication is configured for `AuthService`.
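The difference described in this issue can be checked on the wire. The following is an added example, not part of the original issue or of Armeria: a small Python check that classifies a raw HTTP/1.1 response by whether a 401 carries a usable Basic challenge. The function names, result labels and sample responses are constructed for illustration, and it assumes one challenge per `WWW-Authenticate` header line.

```python
import re

# auth-param (RFC 7235): token "=" ( token / quoted-string )
_PARAM = re.compile(r'([!#$%&\'*+.^_`|~0-9A-Za-z-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)')

# Constructed sample responses (not captured from a real server).
BARE_401 = b"HTTP/1.1 401 Unauthorized\r\ncontent-length: 0\r\n\r\n"
BASIC_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
             b'www-authenticate: Basic realm="example realm"\r\n'
             b"content-length: 0\r\n\r\n")
BEARER_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"www-authenticate: Bearer\r\ncontent-length: 0\r\n\r\n")


def parse_head(raw):
    """Return (status, {lower-cased name: [values]}) for a raw HTTP/1.1 response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def basic_params(values):
    """Parameters of the first Basic challenge, or None if there is none.
    Assumes one challenge per header line."""
    for value in values:
        scheme, _, rest = value.partition(" ")
        if scheme.lower() == "basic":
            params = {}
            for key, val in _PARAM.findall(rest):
                if val.startswith('"'):  # unquote and unescape a quoted-string
                    val = re.sub(r"\\(.)", r"\1", val[1:-1])
                params[key.lower()] = val
            return params
    return None


def check_401(raw):
    """Classify a response by whether a browser could prompt for basic credentials."""
    status, headers = parse_head(raw)
    if status != 401:
        return "not-401"
    challenges = headers.get("www-authenticate", [])
    if not challenges:
        return "no-challenge"  # the bare 401 described in this issue
    params = basic_params(challenges)
    if params is None:
        return "no-basic-challenge"
    return "ok" if "realm" in params else "basic-missing-realm"
```

A response like `BARE_401` is classified as `no-challenge`, which is the case where the client sees the error but is never asked for credentials.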
