fix: in 4.5 and in 4.3.1.sp1, server responding with 200 even when (#…

…1844) request is not correct #1843
GluuFederation · Jun 2, 2023 · 11b0008 · 11b0008
1 parent af74796
commit 11b0008
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/Server/src/main/java/org/gluu/oxauth/auth/AuthenticationFilter.java b/Server/src/main/java/org/gluu/oxauth/auth/AuthenticationFilter.java
@@ -128,8 +128,14 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
             boolean revokeSessionEndpoint = requestUrl.endsWith("/revoke_session");
             String authorizationHeader = httpRequest.getHeader("Authorization");
 
-            if (processMTLS(httpRequest, httpResponse, filterChain)) {
-                return;
+            try {
+	            if (processMTLS(httpRequest, httpResponse, filterChain)) {
+	                return;
+	            }
+            } catch (Throwable ex) {
+            	// Catch exceptions like org.eclipse.jetty.http.BadMessageException when form is invalid
+            	// https://github.com/GluuFederation/oxAuth/issues/1843
+                log.error(ex.getMessage(), ex);
             }
 
             if ((tokenRevocationEndpoint || deviceAuthorizationEndpoint) && clientService.isPublic(httpRequest.getParameter("client_id"))) {