From 7e268bc3207677e9c064adbc89f42f5cf38340f5 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 22 Aug 2024 14:41:35 -0400
Subject: [PATCH] Fix 500 error for keycloak NotFoundException
Check for a NotFoundException in the KeycloakAuthenticationFilter and return a 404 if one is thrown.
---
 .../KeycloakAuthenticationFilter.java | 35 ++++++++++++-------
 1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
index 53ee61a..7a00d73 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
@@ -45,6 +45,7 @@ import org.alfresco.repo.webdav.auth.AuthenticationDriver;
 import org.alfresco.repo.webdav.auth.BaseAuthenticationFilter;
 import org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter;
 import org.alfresco.rest.api.PublicApiTenantWebScriptServletRuntime;
+import org.alfresco.rest.framework.core.exceptions.NotFoundException;
 import org.alfresco.util.PropertyCheck;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
@@ -310,23 +311,33 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
                     this.keycloakDeployment.getAuthServerBaseUrl());
         }
-        final boolean skip = !keycloakDeploymentReady || this.checkForSkipCondition(context, req, res);
+        // Wrap the call to checkForSkipCondition in a try-catch in order to catch any NotFoundExceptions
+        // and set the status on the response to a 404. This prevents the return of 500 errors which security
+        // scanning determines is a security finding.
+        try {
+            final boolean skip = !keycloakDeploymentReady || this.checkForSkipCondition(context, req, res);
-        if (skip)
-        {
-            chain.doFilter(request, response);
-        }
-        else
-        {
-            if (!this.checkAndProcessHttpBasicAuthentication(req))
-            {
-                this.processKeycloakAuthenticationAndActions(context, req, res, chain);
-            }
-            else
+            if (skip)
             {
                 chain.doFilter(request, response);
             }
+            else
+            {
+                if (!this.checkAndProcessHttpBasicAuthentication(req))
+                {
+                    this.processKeycloakAuthenticationAndActions(context, req, res, chain);
+                }
+                else
+                {
+                    chain.doFilter(request, response);
+                }
+            }
+
+        } catch (NotFoundException nfex) {
+            LOGGER.debug("Not Found Exception was returned while handling KeyCloak auth!", nfex);
+            res.setStatus(HttpServletResponse.SC_NOT_FOUND);
         }
+    }
     /**
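Review bot: The new try block wraps `chain.doFilter(...)` and `processKeycloakAuthenticationAndActions(...)` as well as the skip check, so a NotFoundException raised by any downstream servlet or web script is now caught in the filter and turned into a status-only 404 with an empty body, replacing whatever error response the REST framework would otherwise have produced, whereas the commit message only intends to cover `checkForSkipCondition`. Narrow the try to that call and return from the catch, as below, so a not-found during the skip check short-circuits the chain while downstream not-found handling stays untouched; if the chain has already committed the response, `res.setStatus` after `doFilter` is silently ignored anyway, which is a second reason not to set it there. The added `try {` / `} catch (NotFoundException nfex) {` lines also use K&R braces where the surrounding method uses Allman style, and the trailing added `}` is worth a brace-balance check against the full file since the matching method brace is not visible in this hunk. The enclosing method starts before this hunk.
```java
// … unchanged: keycloakDeploymentReady check …
final boolean skip;
try
{
    skip = !keycloakDeploymentReady || this.checkForSkipCondition(context, req, res);
}
catch (final NotFoundException nfex)
{
    // Map a not-found raised by the skip check to a 404 rather than letting it surface as a 500.
    LOGGER.debug("Not Found Exception was returned while handling KeyCloak auth!", nfex);
    res.setStatus(HttpServletResponse.SC_NOT_FOUND);
    return;
}
// … unchanged: skip / basic-auth / keycloak dispatch, now outside the try …
```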