[NEXUS-8036] Use custom 401 status line message when content protection by token is enabled

Author: jdillon

components/nexus-core/src/main/java/org/sonatype/nexus/security/filter/authc/NexusHttpAuthenticationFilter.java

@@ -180,14 +180,21 @@ protected boolean onAccessDenied(ServletRequest request, ServletResponse respons
     return loggedIn;
   }
 
+  /**
+   * Allow customization of 401 status line message.
+   */
+  protected String getUnauthorizedMessage(final ServletRequest request) {
+    return "Unauthorized";
+  }
+
   /**
    * If request comes from a web-browser render an error page, else perform default challenge.
    */
   @Override
   protected boolean sendChallenge(final ServletRequest request, final ServletResponse response) {
     if (browserDetector.isBrowserInitiated(request)) {
       HttpServletResponse httpResponse = WebUtils.toHttp(response);
-      httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED, getUnauthorizedMessage(request));
       // omit WWW-Authenticate we do NOT want to have browser prompt
 
       Map<String,Object> params = ImmutableMap.of(
@@ -209,7 +216,13 @@ protected boolean sendChallenge(final ServletRequest request, final ServletRespo
       return false;
     }
     else {
-      return super.sendChallenge(request, response);
+      String message = getUnauthorizedMessage(request);
+      getLogger().debug("Authentication required: sending 401 Authentication challenge response: {}", message);
+      HttpServletResponse httpResponse = WebUtils.toHttp(response);
+      httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED, message);
+      String authcHeader = getAuthcScheme() + " realm=\"" + getApplicationName() + "\"";
+      httpResponse.setHeader(AUTHENTICATE_HEADER, authcHeader);
+      return false;
     }
   }
 

plugins/basic/nexus-content-plugin/src/main/java/org/sonatype/nexus/content/internal/ContentAuthenticationFilter.java

@@ -66,11 +66,33 @@ private boolean isRestricted(final ServletRequest request) {
     return false;
   }
 
+  /**
+   * Servlet request attribute to mark request as protected.
+   */
+  private static final String RESTRICTED_ATTR = ContentRestrictedToken.class.getSimpleName();
+
+  /**
+   * Return custom error message when content access is protected.
+   */
+  @Override
+  protected String getUnauthorizedMessage(final ServletRequest request) {
+    Object attr = request.getAttribute(RESTRICTED_ATTR);
+    if (attr != null) {
+      return "Content access is protected by token";
+    }
+    else {
+      return super.getUnauthorizedMessage(request);
+    }
+  }
+
   @Override
   protected AuthenticationToken createToken(final ServletRequest request, final ServletResponse response) {
     if (isRestricted(request)) {
       getLogger().debug("Content authentication for request is restricted");
 
+      // mark request as protected for better error messaging
+      request.setAttribute(RESTRICTED_ATTR, true);
+
       // We know our super-class makes UsernamePasswordTokens, ask super to pull out the relevant details
       UsernamePasswordToken basis = (UsernamePasswordToken) super.createToken(request, response);