Ensure that challenge response contains body (opensearch-project#4233)

Signed-off-by: Craig Perkins <cwperx@amazon.com>

Author: cwperks

src/integrationTest/java/org/opensearch/security/ResourceFocusedTests.java

@@ -41,6 +41,8 @@
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.opensearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
@@ -127,11 +129,13 @@ private void runResourceTest(
             final var requests = AsyncActions.generate(() -> {
                 final HttpPost post = new HttpPost(client.getHttpServerUri() + requestPath);
                 post.setEntity(new ByteArrayEntity(compressedRequestBody, ContentType.APPLICATION_JSON));
-                return client.executeRequest(post);
+                TestRestClient.HttpResponse response = client.executeRequest(post);
+                return response.getStatusCode();
             }, parrallelism, totalNumberOfRequests);
 
-            AsyncActions.getAll(requests, 2, TimeUnit.MINUTES)
-                .forEach((response) -> { response.assertStatusCode(HttpStatus.SC_UNAUTHORIZED); });
+            AsyncActions.getAll(requests, 2, TimeUnit.MINUTES).forEach((responseCode) -> {
+                assertThat(responseCode, equalTo(HttpStatus.SC_UNAUTHORIZED));
+            });
         }
     }
 

src/integrationTest/java/org/opensearch/security/http/BasicAuthTests.java

@@ -106,6 +106,19 @@ public void testBrowserShouldRequestForCredentials() {
         }
     }
 
+    @Test
+    public void shouldRespondWithChallengeWhenNoCredentialsArePresent() {
+        try (TestRestClient client = cluster.getRestClient()) {
+            HttpResponse response = client.getAuthInfo();
+
+            assertThat(response, is(notNullValue()));
+            response.assertStatusCode(SC_UNAUTHORIZED);
+            assertThat(response.getHeader("WWW-Authenticate"), is(notNullValue()));
+            assertThat(response.getHeader("WWW-Authenticate").getValue(), equalTo("Basic realm=\"OpenSearch Security\""));
+            assertThat(response.getBody(), equalTo("Unauthorized"));
+        }
+    }
+
     @Test
     public void testUserShouldNotHaveAssignedCustomAttributes() {
         try (TestRestClient client = cluster.getRestClient(TEST_USER)) {

src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java

@@ -68,7 +68,11 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
     @Override
     public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials creds) {
         return Optional.of(
-            new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""), "")
+            new SecurityResponse(
+                HttpStatus.SC_UNAUTHORIZED,
+                Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""),
+                "Unauthorized"
+            )
         );
     }