fix

Author: p-hoffmann

docker/auth-test/setup-test-users.sql

@@ -1,3 +1,20 @@
+-- Initial security data (roles required for the application to function)
+-- These must be created before WebAPI can properly handle authentication
+INSERT INTO webapi.sec_role (id, name, system_role) VALUES (1, 'public', true) ON CONFLICT (id) DO NOTHING;
+INSERT INTO webapi.sec_role (id, name, system_role) VALUES (2, 'admin', true) ON CONFLICT (id) DO NOTHING;
+INSERT INTO webapi.sec_role (id, name, system_role) VALUES (1001, 'Atlas users', true) ON CONFLICT (id) DO NOTHING;
+INSERT INTO webapi.sec_role (id, name, system_role) VALUES (1002, 'Moderator', true) ON CONFLICT (id) DO NOTHING;
+
+-- Anonymous user (required for public endpoints)
+INSERT INTO webapi.sec_user (id, login, name) VALUES (1, 'anonymous', 'anonymous') ON CONFLICT (id) DO NOTHING;
+INSERT INTO webapi.sec_user_role (id, user_id, role_id, origin) VALUES (1, 1, 1, 'SYSTEM') ON CONFLICT (id) DO NOTHING;
+
+-- Update sequences to avoid conflicts
+SELECT setval('webapi.sec_role_sequence', GREATEST((SELECT COALESCE(MAX(id), 0) + 1 FROM webapi.sec_role), nextval('webapi.sec_role_sequence')));
+SELECT setval('webapi.sec_user_sequence', GREATEST((SELECT COALESCE(MAX(id), 0) + 1 FROM webapi.sec_user), nextval('webapi.sec_user_sequence')));
+SELECT setval('webapi.sec_user_role_sequence', GREATEST((SELECT COALESCE(MAX(id), 0) + 1 FROM webapi.sec_user_role), nextval('webapi.sec_user_role_sequence')));
+
+-- Test users table for JDBC authentication
 CREATE TABLE IF NOT EXISTS webapi.users (
     id SERIAL PRIMARY KEY,
     email VARCHAR(255) UNIQUE NOT NULL,

docker/auth-test/test-results/auth-test-results.xml

@@ -64,6 +64,15 @@ public ShiroFilterFactoryBean shiroFilter(Security security, LockoutPolicy locko
 
         Map<String, String> filterChain = security.getFilterChain();
 
+        // Debug: log the filter chain configuration
+        log.info("=== Shiro Filter Chain Configuration ===");
+        log.info("Security implementation: {}", security.getClass().getName());
+        log.info("Number of filters: {}", filters.size());
+        log.info("Filter names: {}", filters.keySet());
+        log.info("Filter chain paths ({} entries):", filterChain.size());
+        filterChain.forEach((path, chain) -> log.info("  {} -> {}", path, chain));
+        log.info("=== End Shiro Filter Chain Configuration ===");
+
         shiroFilter.setFilterChainDefinitionMap(filterChain);
 
         return shiroFilter;

src/main/java/org/ohdsi/webapi/ShiroConfiguration.java

@@ -4,6 +4,7 @@
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletResponse;
 import org.ohdsi.webapi.arachne.logging.event.FailedLoginEvent;
+import java.io.IOException;
 import org.ohdsi.webapi.arachne.logging.event.SuccessLoginEvent;
 import org.ohdsi.webapi.shiro.ServletBridge;
 import org.apache.shiro.authc.AuthenticationException;
@@ -55,6 +56,17 @@ protected boolean onLoginFailure(AuthenticationToken token, AuthenticationExcept
         boolean result = super.onLoginFailure(token, e, request, response);
         eventPublisher.publishEvent(new FailedLoginEvent(this, username));
         eventPublisher.publishEvent(new AuditTrailLoginFailedEvent(this, username, request.getRemoteHost()));
+
+        // Write response body and commit to prevent Spring MVC from processing
+        try {
+            httpResponse.setContentType("application/json");
+            String errorMessage = e instanceof LockedAccountException ? e.getMessage() : "Invalid credentials";
+            httpResponse.getWriter().write("{\"error\":\"" + errorMessage + "\"}");
+            httpResponse.flushBuffer(); // Commit the response
+        } catch (IOException ioe) {
+            // Response may already be committed, ignore
+        }
+
         return result;
     }
 }

src/main/java/org/ohdsi/webapi/shiro/filters/AuthenticatingPropagationFilter.java

@@ -44,8 +44,10 @@ protected boolean preHandle(ServletRequest request, ServletResponse response) {
     httpResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
     httpResponse.setStatus(HttpServletResponse.SC_OK);
 
-    try (final PrintWriter responseWriter = response.getWriter()) {
+    try {
+      final PrintWriter responseWriter = response.getWriter();
       responseWriter.print(objectMapper.writeValueAsString(permissions));
+      httpResponse.flushBuffer(); // Commit the response
     } catch (IOException e) {
       LOGGER.error(ERROR_WRITING_PERMISSIONS_TO_RESPONSE_LOG, e);
     }

src/main/java/org/ohdsi/webapi/shiro/filters/SendTokenInHeaderFilter.java

@@ -18,16 +18,23 @@
  */
 package org.ohdsi.webapi.shiro.filters.auth;
 
+import java.io.IOException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.apache.shiro.authc.AuthenticationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.ohdsi.webapi.shiro.filters.AuthenticatingPropagationFilter;
 import org.springframework.context.ApplicationEventPublisher;
 
 public abstract class AbstractLdapAuthFilter<T extends UsernamePasswordToken> extends AuthenticatingPropagationFilter {
+
+    private static final Logger log = LoggerFactory.getLogger(AbstractLdapAuthFilter.class);
+
     protected AbstractLdapAuthFilter(ApplicationEventPublisher eventPublisher) {
         super(eventPublisher);
     }
@@ -58,8 +65,23 @@ protected boolean onAccessDenied(ServletRequest request, ServletResponse respons
 
         if (request.getParameter("login") != null) {
             loggedIn = executeLogin(request, response);
+        } else {
+            // No credentials provided - write error response and commit
+            writeUnauthorizedResponse(response, "Missing credentials");
         }
 
         return loggedIn;
     }
+
+    private void writeUnauthorizedResponse(ServletResponse response, String message) {
+        try {
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
+            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            httpResponse.setContentType("application/json");
+            httpResponse.getWriter().write("{\"error\":\"" + message + "\"}");
+            httpResponse.flushBuffer(); // Commit the response
+        } catch (IOException e) {
+            log.error("Failed to write unauthorized response", e);
+        }
+    }
 }

src/main/java/org/ohdsi/webapi/shiro/filters/auth/AbstractLdapAuthFilter.java

@@ -2,6 +2,7 @@
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtException;
+import java.io.IOException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletResponse;
@@ -46,6 +47,14 @@ protected boolean onAccessDenied(ServletRequest request, ServletResponse respons
     if (!loggedIn) {
         HttpServletResponse httpResponse = ServletBridge.toHttp(response);
         httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        // Write response body and commit to prevent Spring MVC from processing
+        try {
+            httpResponse.setContentType("application/json");
+            httpResponse.getWriter().write("{\"error\":\"Invalid or missing JWT token\"}");
+            httpResponse.flushBuffer(); // Commit the response
+        } catch (IOException e) {
+            logger.error("Failed to write unauthorized response", e);
+        }
     }
 
     return loggedIn;

src/main/java/org/ohdsi/webapi/shiro/filters/auth/AtlasJwtAuthFilter.java

@@ -24,8 +24,10 @@
 
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.ohdsi.webapi.shiro.filters.AuthenticatingPropagationFilter;
+import java.io.IOException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
@@ -57,8 +59,23 @@ protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse
 
         if (servletRequest.getParameter("login") != null) {
             loggedIn = executeLogin(servletRequest, servletResponse);
+        } else {
+            // No credentials provided - write error response and commit
+            writeUnauthorizedResponse(servletResponse, "Missing credentials");
         }
         return loggedIn;
     }
 
+    private void writeUnauthorizedResponse(ServletResponse response, String message) {
+        try {
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
+            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            httpResponse.setContentType("application/json");
+            httpResponse.getWriter().write("{\"error\":\"" + message + "\"}");
+            httpResponse.flushBuffer(); // Commit the response
+        } catch (IOException e) {
+            log.error("Failed to write unauthorized response", e);
+        }
+    }
+
 }

src/main/java/org/ohdsi/webapi/shiro/filters/auth/JdbcAuthFilter.java

@@ -18,19 +18,24 @@
  */
 package org.ohdsi.webapi.shiro.filters.auth;
 
+import java.io.IOException;
 import java.util.Base64;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.ohdsi.webapi.shiro.ServletBridge;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
 import org.ohdsi.webapi.shiro.tokens.SpnegoToken;
 
 public class KerberosAuthFilter extends AuthenticatingFilter {
 
+    private static final Logger log = LoggerFactory.getLogger(KerberosAuthFilter.class);
+
     private String getAuthHeader(ServletRequest servletRequest) {
 
         HttpServletRequest request = ServletBridge.toHttp(servletRequest);
@@ -69,6 +74,14 @@ protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse
             HttpServletResponse response = ServletBridge.toHttp(servletResponse);
             response.addHeader("WWW-Authenticate", "Negotiate");
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            // Write response body and commit to prevent Spring MVC from processing
+            try {
+                response.setContentType("application/json");
+                response.getWriter().write("{\"error\":\"Kerberos authentication required\"}");
+                response.flushBuffer(); // Commit the response
+            } catch (IOException e) {
+                log.error("Failed to write unauthorized response", e);
+            }
         }
 
         return loggedIn;