REPO-4859 : HTTP_UNAUTHORIZED instead of HTTP_FORBIDDEN for some CMIS apis

- moved the fix to a more suitable place
    - added explanatory comment

(cherry picked from commit a219162 master to 6.2.N)
Lucian Tuca
2020-04-30 15:15:16 +03:00
committed by tzclucian
parent 273f68ef0a
commit 59cb203762


@@ -30,6 +30,8 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.apache.chemistry.opencmis.commons.server.CallContext;
import org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler;
public class PublicApiCallContextHandler extends BasicAuthCallContextHandler
@@ -47,6 +49,15 @@ public class PublicApiCallContextHandler extends BasicAuthCallContextHandler
map.putAll(basicAuthMap);
}
// Adding the username in the context is needed because of the following reasons:
// - CMISServletDispatcher is configured to ALWAYS use this class (PublicApiCallContextHandler)
// - this class extends the BasicAuthCallContextHandler class which only puts the username in the context ONLY IF the request is having Basic auth
// - therefor in the case of a Bearer auth, the username is never in the context, fact that ultimately leads to bugs when the response should be provided
if (map.get(CallContext.USERNAME) == null && AuthenticationUtil.getFullyAuthenticatedUser() != null)
{
map.put(CallContext.USERNAME, AuthenticationUtil.getFullyAuthenticatedUser());
}
map.put("isPublicApi", "true");
return map;
}
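Review bot: The new `if` ahead of `map.put("isPublicApi", "true")` fills `CallContext.USERNAME` only when it is absent, so a name already placed there from `basicAuthMap` is kept even when it differs from `AuthenticationUtil.getFullyAuthenticatedUser()`. That Basic value is presumably whatever the client sent in the header, so it is worth confirming that the 401/403 decision named in the commit title should rely on it rather than on the authenticated identity, or at least logging a mismatch. Separately, the authenticated user is read twice; reading it once keeps the null check and the stored value tied to the same result: `String authenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();`, then `if (authenticatedUser != null && map.get(CallContext.USERNAME) == null)` and `map.put(CallContext.USERNAME, authenticatedUser);`. The enclosing method begins outside the hunk, so how `basicAuthMap` is built is not visible here.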