REPO-4859 : HTTP_UNAUTHORIZED instead of HTTP_FORBIDDEN for some CMIS apis

- moved the fix to a more suitable place - added explanatory comment (cherry picked from commit a219162 master to 6.2.N)
2025-07-31 17:39:05 +00:00 · 2020-04-30 15:15:16 +03:00
parent 273f68ef0a
commit 59cb203762
1 changed files with 31 additions and 20 deletions
--- a/src/main/java/org/alfresco/opencmis/PublicApiCallContextHandler.java
+++ b/src/main/java/org/alfresco/opencmis/PublicApiCallContextHandler.java
@@ -23,21 +23,23 @@
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 * #L%
 */
-package org.alfresco.opencmis;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler;
-
-public class PublicApiCallContextHandler extends BasicAuthCallContextHandler
-{
-    private static final long serialVersionUID = 8877878113507734452L;
-
-    @Override
-	public Map<String, String> getCallContextMap(HttpServletRequest request)
+package org.alfresco.opencmis;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.apache.chemistry.opencmis.commons.server.CallContext;
+import org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler;
+
+public class PublicApiCallContextHandler extends BasicAuthCallContextHandler
+{
+    private static final long serialVersionUID = 8877878113507734452L;
+
+    @Override
+	public Map<String, String> getCallContextMap(HttpServletRequest request)
 	{
        Map<String, String> map = new HashMap<String, String>();
        
@@ -46,8 +48,17 @@ public class PublicApiCallContextHandler extends BasicAuthCallContextHandler
        {
            map.putAll(basicAuthMap);
        }
-        
-        map.put("isPublicApi", "true");
-        return map;
-	}
-}
+
+        // Adding the username in the context is needed because of the following reasons:
+        // - CMISServletDispatcher is configured to ALWAYS use this class (PublicApiCallContextHandler)
+        // - this class extends the BasicAuthCallContextHandler class which only puts the username in the context ONLY IF the request is having Basic auth
+        // - therefor in the case of a Bearer auth, the username is never in the context, fact that ultimately leads to bugs when the response should be provided
+        if (map.get(CallContext.USERNAME) == null && AuthenticationUtil.getFullyAuthenticatedUser() != null)
+        {
+            map.put(CallContext.USERNAME, AuthenticationUtil.getFullyAuthenticatedUser());
+        }
+
+        map.put("isPublicApi", "true");
+        return map;
+	}
+}