Details
-
Bug
-
Resolution: Timed out
-
Low
-
None
-
2.2.5
-
None
Description
When an user is not authorised to authenticate against an application, some REST end points inconsistently throw the checked exceptions ApplicationPermissionException, InvalidAuthenticationException or ApplicationAccessDeniedException, sometimes in opposition to what their javadocs say.
Examples, to authenticate the same user against the same application:
- com.atlassian.crowd.service.client.CrowdClient.authenticateSSOUserWithoutValidatingPassword() calls /session?validate-password=false, which returns a 403, which throws an ApplicationPermissionException to the caller (due to RestExecutor.MethodExecutor.throwError()). Whereas, according to the javadoc, it should throw ApplicationAccessDeniedException: "if the user does not have access to authenticate against the application")
- com.atlassian.crowd.service.client.CrowdClient.authenticateUser() throws ApplicationPermissionException for the same error (since /authentication returns a 400, which throws a CrowdRestException which then caught and re-throw as an InvalidAuthenticationException with the username)
- com.atlassian.crowd.integration.http.CrowdHttpAuthenticator.authenticate() com.atlassian.crowd.exception.InvalidAuthenticationException for the same problem (which calls {{ /session?validate-password=true}} and returns a 403, which throws an ApplicationPermissionException to the invoker)
This complicates the code invoking the CrowdClient and CrowdHttpAuthenticator.
Attachments
Issue Links
- is related to
-
FE-3791 Change authentication providers to return CommunicationException when appropriate
- Closed