diff --git a/c/httpserver.c b/c/httpserver.c index 0dd6e843e..8250b7b1e 100644 --- a/c/httpserver.c +++ b/c/httpserver.c @@ -92,6 +92,7 @@ typedef struct AuthResponse_tag { union { SAFAuthStatus safStatus; } responseDetails; + bool authDataFound; } AuthResponse; /* FIX THIS: a temporary "low profile" way of hiding printfs. Improves @@ -2485,6 +2486,7 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo authResponse->type = AUTH_TYPE_RACF; authResponse->responseDetails.safStatus = status.safStatus; + authResponse->authDataFound = (bool)authDataFound; if (pwdCheckRC != 0) { #ifdef DEBUG_AUTH @@ -2868,7 +2870,7 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest * response->sessionCookie = NULL; AUTH_TRACE("AUTH: tokenCookieText: %s\n",(tokenCookieText ? tokenCookieText : "")); - + authResponse->authDataFound = authDataFound || (tokenCookieText != NULL); if (tokenCookieText){ zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "serviceAuthNativeWithSessionToken: tokenCookieText: %s\n", @@ -2933,7 +2935,8 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest * static int serviceAuthWithJwt(HttpService *service, HttpRequest *request, - HttpResponse *response) { + HttpResponse *response, + AuthResponse *authResponse) { HttpHeader *const authorizationHeader = getHeader(request, "Authorization"); char *jwtTokenText = getCookieValue(request,JWT_COOKIE_NAME); @@ -2971,6 +2974,7 @@ static int serviceAuthWithJwt(HttpService *service, if (request->authToken == NULL) { return FALSE; } + authResponse->authDataFound = TRUE; JwtContext *const jwtContext = service->server->config->jwtContext; if (jwtContext == NULL) { @@ -3232,7 +3236,7 @@ static int handleHttpService(HttpServer *server, int clearSessionToken = FALSE; - AuthResponse authResponse; + AuthResponse authResponse = {0}; switch (service->authType){ @@ -3259,7 +3263,7 @@ static int handleHttpService(HttpServer *server, switch (server->config->authTokenType) { case SERVICE_AUTH_TOKEN_TYPE_JWT: case SERVICE_AUTH_TOKEN_TYPE_JWT_WITH_LEGACY_FALLBACK: - request->authenticated = serviceAuthWithJwt(service, request, response); + request->authenticated = serviceAuthWithJwt(service, request, response, &authResponse); if (request->authenticated || service->server->config->authTokenType @@ -3275,9 +3279,12 @@ static int handleHttpService(HttpServer *server, #ifdef DEBUG printf("service=%s authenticated=%d\n",service->name,request->authenticated); #endif + AUTH_TRACE("request->authenticated %s, authResponse.authDataFound %s\n", + request->authenticated ? "true" : "false", + authResponse.authDataFound ? "true" : "false"); if (request->authenticated == FALSE){ - if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL) { - // Allow the service to decide when to respond with HTTP 401 + if (service->authFlags & SERVICE_AUTH_FLAG_OPTIONAL && !authResponse.authDataFound) { + AUTH_TRACE("Allow the service to handle the request because auth is optional and authData not found\n"); serveRequest(service, response, request); } else { respondWithAuthError(response, &authResponse);