Regression on Basic authentication with pac4j 6.2.0

Nicolas Crittin

Aug 13, 2025, 3:26:47 AM
to Pac4j development mailing list
Hi,

I encounter a regression with pac4j 6.2.0 for basic authentication: the browser (tested with Chrome and Firefox) does not show the basic username/password prompt when using basic authentication and immediately displays the 401 error page. Therefore it is not possible to authenticate this way anymore.

The regression appears with commit d3cb41379d29926de7131d5d86e3ded4776399dc "Conditional header", because everything is OK if I compile a snapshot before this commit (in my case, the regression disappears as soon as I roll back the pac4j-jakartaee lib).

The regression is due to the HTTP response WWW-Authenticate header, whose value is now Bearer realm="pac4j" instead of Basic realm="UserDatabase".
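
Added example (not part of the original message and not pac4j code): a regression check for the symptom reported above. It parses the WWW-Authenticate value of a 401 response and reports when the expected scheme is not among the challenges offered. The function names and the two sample responses are constructed for this illustration from the header values quoted in the report; token68-style challenges are not handled.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf"({TOKEN})\s*=\s*(.*)", re.S)
PIECE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # text between commas outside quotes

def unquote(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quoted-pair backslashes
    return raw

def parse_challenges(value):
    """Parse one WWW-Authenticate value into [{'scheme': ..., 'params': {...}}]."""
    challenges = []
    for part in filter(None, (p.strip() for p in PIECE.findall(value))):
        m = PARAM.fullmatch(part)
        if m and challenges:  # bare name=value: another param of the previous challenge
            challenges[-1]["params"][m.group(1).lower()] = unquote(m.group(2))
            continue
        scheme, _, rest = part.partition(" ")
        m = PARAM.fullmatch(rest.strip())
        params = {m.group(1).lower(): unquote(m.group(2))} if m else {}
        challenges.append({"scheme": scheme, "params": params})
    return challenges

def challenge_problems(status, headers, expected_scheme):
    """headers: list of (name, value) pairs. Returns a list of problems, [] if fine."""
    if status != 401:
        return []
    offered = [c["scheme"] for name, value in headers
               if name.lower() == "www-authenticate"
               for c in parse_challenges(value)]
    if not offered:
        return ["401 response carries no WWW-Authenticate challenge"]
    if expected_scheme.lower() not in [s.lower() for s in offered]:
        return [f"expected a {expected_scheme} challenge, got {offered}"]
    return []

# Constructed responses using the two header values quoted in the report.
REGRESSED = (401, [("WWW-Authenticate", 'Bearer realm="pac4j"')])
EXPECTED = (401, [("WWW-Authenticate", 'Basic realm="UserDatabase"')])

if __name__ == "__main__":
    for label, (status, headers) in (("regressed", REGRESSED), ("expected", EXPECTED)):
        print(label, challenge_problems(status, headers, "Basic") or "ok")
```

Run against a protected URL's unauthenticated response in an integration test, this fails as soon as the challenge scheme changes, before a browser user notices the missing prompt.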

Nicolas Crittin

Aug 13, 2025, 4:38:42 AM
to Pac4j development mailing list
I did some additional checks and I think I've found a solution:

Before setting a header for the response, the HttpActionHelper.buildUnauthenticatedAction() method checks whether the header is already set by invoking

    val hasHeader = context.getResponseHeader(HttpConstants.AUTHENTICATE_HEADER).isPresent();


However, context.getResponseHeader() returns the value of the current response header but does not take into account the fact that savedAuthenticateHeader contains a value.

So I adapted the JEEContext.getResponseHeader() method as follows, and that fixed my problem:

    @Override
    public Optional<String> getResponseHeader(final String name) {
        if (HttpConstants.AUTHENTICATE_HEADER.equals(name)) {
            return Optional.ofNullable(savedAuthenticateHeader);
        }

        return Optional.ofNullable(this.response.getHeader(name));
    }

Jérôme LELEU

Aug 13, 2025, 4:59:16 AM
to Nicolas Crittin, Pac4j development mailing list
Hi,


Check the latest snapshots again in a few minutes.

Thanks.
Best regards,
Jérôme



Nicolas Crittin

Aug 13, 2025, 5:13:19 AM
to Pac4j development mailing list
I just tested 6.2.1-snapshot and it fixes the problem.
Thank you, best regards.

Jérôme LELEU

Aug 14, 2025, 4:54:45 AM
to Nicolas Crittin, Pac4j development mailing list
Hi,

I just cut the v6.2.1 release. You can get rid of the snapshots now.
Thanks.
Best regards,
Jérôme

