Technoboy- commented on code in PR #25221:
URL: https://github.com/apache/pulsar/pull/25221#discussion_r2781182320
##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java:
##########
@@ -60,9 +60,13 @@ public void doFilter(
try {
doFilter =
authenticationService.authenticateHttpRequest(httpRequest, httpResponse);
} catch (Exception e) {
- httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Authentication required");
+ String msg = e.getMessage();
+ if (msg == null) {
+ msg = "Authentication required";
+ }
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, msg);
Review Comment:
- Only exceptions of type javax.naming.AuthenticationException are passed to
the client. These exceptions typically contain a clear reason for
authentication failure (such as "Token expired"), and are secure and useful to
the user.
- For all other types of Exceptions (such as NullPointerException,
IOException, etc.), the system will uniformly return a generic "Authentication
required" error message, without including the specific exception stack trace
or message.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
