Merge pull request #3266 from 4Science/CST-4123-RespondWith401InSteadThan403toInvalidOrExpiredJWT

If logged in through multiple devices, a logout should result in a 401 on the other devices.
This commit is contained in:
Tim Donohue
2021-05-13 10:28:03 -05:00
committed by GitHub
6 changed files with 21 additions and 24 deletions


@@ -11,18 +11,17 @@ import static org.springframework.web.servlet.DispatcherServlet.EXCEPTION_ATTRIB
import java.io.IOException;
import java.sql.SQLException;
import java.util.Objects;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.dspace.app.rest.security.RestAuthenticationService;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.Context;
import org.springframework.beans.TypeMismatchException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.data.repository.support.QueryMethodParameterConversionException;
import org.springframework.http.HttpHeaders;
@@ -59,13 +58,11 @@ public class DSpaceApiExceptionControllerAdvice extends ResponseEntityExceptionH
*/
private static final Set<Integer> LOG_AS_ERROR = Set.of(422);
@Autowired
private RestAuthenticationService restAuthenticationService;
@ExceptionHandler({AuthorizeException.class, RESTAuthorizationException.class, AccessDeniedException.class})
protected void handleAuthorizeException(HttpServletRequest request, HttpServletResponse response, Exception ex)
throws IOException {
if (restAuthenticationService.hasAuthenticationData(request)) {
Context context = ContextUtil.obtainContext(request);
if (Objects.nonNull(context.getCurrentUser())) {
sendErrorResponse(request, response, ex, "Access is denied", HttpServletResponse.SC_FORBIDDEN);
} else {
sendErrorResponse(request, response, ex, "Authentication is required", HttpServletResponse.SC_UNAUTHORIZED);
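Review bot: The 401/403 decision at the `Objects.nonNull(context.getCurrentUser())` line hinges on whether a user was actually established in the Context, so a request that carries an Authorization header whose token is rejected (expired, or invalidated by a logout on another device, as the description says) is answered 401 rather than 403 — the intended change, but nothing in the handler records that contract. I would add a Javadoc on handleAuthorizeException stating that 403 is sent only when the request resolved to an authenticated user and 401 in every other case, explicitly including a token that was supplied but not accepted. A 401 is expected to carry a `WWW-Authenticate` challenge, so it is worth confirming that sendErrorResponse (not shown here) adds one on the SC_UNAUTHORIZED path; the `HttpHeaders` import suggests headers are handled somewhere in this class, but I cannot see it from this hunk. The rendered view has lost the +/- markers, so I cannot tell whether the `restAuthenticationService.hasAuthenticationData(request)` guard or only the Context check survives on the new side; the else branch and the end of the method lie outside the hunk.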


@@ -1193,7 +1193,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
String loginToken = getAuthToken(eperson.getEmail(), password);
getClient().perform(get("/api/core/bitstreams/" + bitstream.getID()
+ "/content?authentication-token=" + loginToken))
.andExpect(status().isForbidden());
.andExpect(status().isUnauthorized());
}
@Test
@@ -1204,7 +1204,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
Thread.sleep(1);
getClient().perform(get("/api/core/bitstreams/" + bitstream.getID()
+ "/content?authentication-token=" + shortLivedToken))
.andExpect(status().isForbidden());
.andExpect(status().isUnauthorized());
}
@Test
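Review bot: Both updated assertions in this section (the `loginToken` case and the expired `shortLivedToken` case) pin only the status code, so the tests would still pass if the handler reached the 401 branch for a reason other than the rejected token. Because DSpaceApiExceptionControllerAdvice sends distinct messages for the two outcomes ("Authentication is required" versus "Access is denied"), the tests could also pin the message — if sendErrorResponse delegates to HttpServletResponse#sendError that would be `.andExpect(status().reason("Authentication is required"))`, otherwise an equivalent check on the response body. The same status-only pattern is in the StatisticsRestRepositoryIT, WorkflowActionRestRepositoryIT, WorkflowDefinitionRestRepositoryIT and WorkflowStepRestRepositoryIT hunks. Both test methods start outside the hunks.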


@@ -179,7 +179,7 @@ public class StatisticsRestRepositoryIT extends AbstractControllerIntegrationTes
getClient("unvalidToken").perform(
get("/api/statistics/usagereports/" + itemNotVisitedWithBitstreams.getID() + "_" + TOTAL_VISITS_REPORT_ID))
// ** THEN **
.andExpect(status().isForbidden());
.andExpect(status().isUnauthorized());
}
@Test
@@ -829,7 +829,7 @@ public class StatisticsRestRepositoryIT extends AbstractControllerIntegrationTes
.perform(get("/api/statistics/usagereports/search/object?uri=http://localhost:8080/server/api/core" +
"/items/" + itemNotVisitedWithBitstreams.getID()))
// ** THEN **
.andExpect(status().isForbidden());
.andExpect(status().isUnauthorized());
}
@Test


@@ -49,8 +49,8 @@ public class WorkflowActionRestRepositoryIT extends AbstractControllerIntegratio
String token = "nonValidToken";
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test
@@ -112,8 +112,8 @@ public class WorkflowActionRestRepositoryIT extends AbstractControllerIntegratio
WorkflowActionConfig existentWorkflow = xmlWorkflowFactory.getActionByName(nameActionWithOptions);
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT + "/" + nameActionWithOptions))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test
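Review bot: The new comment lines `//We expect a 401 Unauthorized status` merely restate the assertion that follows; a comment giving the reason is more useful, e.g. `// An invalid token yields no authenticated user (see DSpaceApiExceptionControllerAdvice), so we expect 401 Unauthorized`. The unchanged `//When we call this facets endpoint` comment above each call appears copy-pasted — these are workflow action endpoints, not facets — and is worth correcting while these lines are being touched. The same applies to the hunks in WorkflowDefinitionRestRepositoryIT and WorkflowStepRestRepositoryIT. The enclosing test methods start outside the hunks.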


@@ -121,8 +121,8 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
String token = "NonValidToken";
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test
@@ -192,8 +192,8 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
String workflowName = defaultWorkflow.getID();
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + workflowName))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test
@@ -402,8 +402,8 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+ "/collections"))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test
@@ -441,8 +441,8 @@ public class WorkflowDefinitionRestRepositoryIT extends AbstractControllerIntegr
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_DEFINITIONS_ENDPOINT + "/" + defaultWorkflow.getID()
+ "/steps"))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test


@@ -47,8 +47,8 @@ public class WorkflowStepRestRepositoryIT extends AbstractControllerIntegrationT
String token = "NonValidToken";
//When we call this facets endpoint
getClient(token).perform(get(WORKFLOW_ACTIONS_ENDPOINT))
//We expect a 403 Forbidden status
.andExpect(status().isForbidden());
//We expect a 401 Unauthorized status
.andExpect(status().isUnauthorized());
}
@Test