[MNT-24682] Kerberos: do not add authorization header (#10320)

* [MNT-24682] Prevent Authorization header from being added with basic auth when Kerberos is enabled

* [MNT-24682] Add unit test
Tiago Salvado
2024-10-25 14:14:52 +01:00
committed by GitHub
parent ea71e4cdd1
commit ba52074bb5
2 changed files with 17 additions and 2 deletions


@@ -347,6 +347,10 @@ export class BasicAlfrescoAuthService extends BaseAuthenticationService {
}
private addBasicAuth(requestUrl: string, header: HttpHeaders): HttpHeaders {
if (this.isKerberosEnabled()) {
return header;
}
const ticket = this.getTicketEcmBase64(requestUrl);
if (!ticket) {
@@ -366,7 +370,7 @@ export class BasicAlfrescoAuthService extends BaseAuthenticationService {
* @param requestUrl the request url
* @returns The ticket or `null` if none was found
*/
private getTicketEcmBase64(requestUrl: string): string | null {
getTicketEcmBase64(requestUrl: string): string | null {
let ticket = null;
const contextRootBpm = this.appConfig.get<string>(AppConfigValues.CONTEXTROOTBPM) || 'activiti-app';
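Review bot: Dropping `private` from `getTicketEcmBase64` in the second hunk makes a credential-returning method part of the service's public surface, and the only visible reason is the new spy in the spec. The method's return value is what `addBasicAuth` reads as `ticket`, so any consumer of the service can now call it directly. I would keep it `private` and have the spec use `spyOn<any>(basicAlfrescoAuthService, 'getTicketEcmBase64').and.returnValue('some-ticket');`, or drop the `not.toHaveBeenCalled()` assertion, since a null `Authorization` header with a ticket available already proves the guard. The new early return in `addBasicAuth` would also benefit from a one-line comment such as `// Kerberos (withCredentials) authenticates at the transport level; never attach the basic-auth ticket`. Both function bodies continue outside the hunks shown.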


@@ -21,7 +21,7 @@ import { CookieService } from '../../common/services/cookie.service';
import { AppConfigService } from '../../app-config/app-config.service';
import { BasicAlfrescoAuthService } from '../basic-auth/basic-alfresco-auth.service';
import { AuthModule } from '../oidc/auth.module';
import { HttpClientModule } from '@angular/common/http';
import { HttpClientModule, HttpHeaders } from '@angular/common/http';
import { CookieServiceMock } from '../../mock';
import { AppConfigServiceMock } from '../../common';
import { OidcAuthenticationService } from '../oidc/oidc-authentication.service';
@@ -39,6 +39,7 @@ xdescribe('AuthenticationService', () => {
let appConfigService: AppConfigService;
let cookie: CookieService;
let oidcAuthenticationService: OidcAuthenticationService;
let headers: HttpHeaders;
beforeEach(() => {
TestBed.configureTestingModule({
@@ -80,6 +81,7 @@ xdescribe('AuthenticationService', () => {
beforeEach(() => {
appConfigService.config.providers = 'ALL';
appConfigService.config.auth = { withCredentials: true };
headers = new HttpHeaders();
});
it('should emit login event for kerberos', (done) => {
@@ -107,6 +109,15 @@ xdescribe('AuthenticationService', () => {
spyOn(basicAlfrescoAuthService, 'isKerberosEnabled').and.returnValue(true);
expect(authService.isKerberosEnabled()).toEqual(true);
});
it('should not add Authorization header if kerberos is enabled', () => {
const url = 'some-url';
spyOn(basicAlfrescoAuthService, 'isKerberosEnabled').and.returnValue(true);
spyOn(basicAlfrescoAuthService, 'getTicketEcmBase64').and.returnValue('some-ticket');
headers = basicAlfrescoAuthService.getAuthHeaders(url, headers);
expect(headers.get('Authorization')).toBeNull();
expect(basicAlfrescoAuthService.getTicketEcmBase64).not.toHaveBeenCalled();
});
});
describe('when the setting is ECM', () => {
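Review bot: The new `it('should not add Authorization header if kerberos is enabled', ...)` case sits inside `xdescribe('AuthenticationService', ...)`, as the hunk headers show, so Jasmine skips the whole suite and this test never runs. The behaviour it pins is security-relevant (no basic-auth ticket sent alongside Kerberos), so a regression would go unnoticed. Move the case into an enabled spec for `BasicAlfrescoAuthService`, or re-enable this suite. A counterpart case with `isKerberosEnabled` returning `false` that expects the header to be present would confirm that the guard is what makes the difference. The enclosing `describe` blocks start and end outside the hunk.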