From dcd8bd5d27bcd8d030ec411f42c64f8997d681e0 Mon Sep 17 00:00:00 2001
From: Jiwei Guo
Date: Fri, 6 Feb 2026 14:52:54 +0800
Subject: [PATCH 1/2] Give the detail msg when authencate error
---
 .../broker/web/AuthenticationFilter.java | 8 +-
 .../broker/web/AuthenticationFilterTest.java | 107 ++++++++++++++++++
 2 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
index 3b85d9b03e4e6..bfe7864151798 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
@@ -60,9 +60,13 @@ public void doFilter(
 try {
 doFilter = authenticationService.authenticateHttpRequest(httpRequest, httpResponse);
 } catch (Exception e) {
- httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
+ String msg = e.getMessage();
+ if (msg == null) {
+ msg = "Authentication required";
+ }
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, msg);
 if (e instanceof AuthenticationException) {
- LOG.warn("[{}] Failed to authenticate HTTP request: {}", request.getRemoteAddr(), e.getMessage());
+ LOG.warn("[{}] Failed to authenticate HTTP request: {}", request.getRemoteAddr(), msg);
 } else {
 LOG.error("[{}] Error performing authentication for HTTP", request.getRemoteAddr(), e);
 }
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java
new file mode 100644
index 0000000000000..2192fca502dfc
--- /dev/null
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java 
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.broker.web;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import javax.naming.AuthenticationException;
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.pulsar.broker.authentication.AuthenticationService;
+import org.testng.annotations.Test;
+
+public class AuthenticationFilterTest {
+
+ @Test
+ public void testDoFilterWithAuthenticationException() throws Exception {
+ AuthenticationService authenticationService = mock(AuthenticationService.class);
+ AuthenticationFilter filter = new AuthenticationFilter(authenticationService);
+
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ HttpServletResponse response = mock(HttpServletResponse.class);
+ FilterChain chain = mock(FilterChain.class);
+
+ String errorMsg = "Specific authentication error";
+ doThrow(new AuthenticationException(errorMsg))
+ .when(authenticationService)
+ .authenticateHttpRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+
+ filter.doFilter(request, response, chain);
+
+ verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, errorMsg);
+ }
+
+ @Test
+ public void testDoFilterWithGenericException() throws Exception {
+ AuthenticationService authenticationService = mock(AuthenticationService.class);
+ AuthenticationFilter filter = new AuthenticationFilter(authenticationService);
+
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ HttpServletResponse response = mock(HttpServletResponse.class);
+ FilterChain chain = mock(FilterChain.class);
+
+ String errorMsg = "Some internal error";
+ doThrow(new RuntimeException(errorMsg))
+ .when(authenticationService)
+ .authenticateHttpRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+
+ filter.doFilter(request, response, chain);
+
+ verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, errorMsg);
+ }
+
+ @Test
+ public void testDoFilterWithNullMessageGenericException() throws Exception {
+ AuthenticationService authenticationService = mock(AuthenticationService.class);
+ AuthenticationFilter filter = new AuthenticationFilter(authenticationService);
+
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ HttpServletResponse response = mock(HttpServletResponse.class);
+ FilterChain chain = mock(FilterChain.class);
+
+ doThrow(new RuntimeException())
+ .when(authenticationService)
+ .authenticateHttpRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+
+ filter.doFilter(request, response, chain);
+
+ verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
+ }
+
+ @Test
+ public void testDoFilterWithNullMessageAuthenticationException() throws Exception {
+ AuthenticationService authenticationService = mock(AuthenticationService.class);
+ AuthenticationFilter filter = new AuthenticationFilter(authenticationService);
+
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ HttpServletResponse response = mock(HttpServletResponse.class);
+ FilterChain chain = mock(FilterChain.class);
+
+ doThrow(new AuthenticationException(null))
+ .when(authenticationService)
+ .authenticateHttpRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+
+ filter.doFilter(request, response, chain);
+
+ verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
+ }
+}
From b214aa01c224fcd0cb74bce7973d4f841b4642b3 Mon Sep 17 00:00:00 2001
From: Jiwei Guo
Date: Mon, 9 Feb 2026 16:03:33 +0800
Subject: [PATCH 2/2] address comment
---
 .../pulsar/broker/web/AuthenticationFilter.java | 11 ++++++-----
 .../pulsar/broker/web/AuthenticationFilterTest.java | 2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
index bfe7864151798..1a36c4405545b 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java
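Review bot: None of the four tests in the new AuthenticationFilterTest asserts that the request stops at the filter when authentication throws; each one checks only the `sendError` arguments, and the mocked `chain` is created but never verified. For an authentication filter the fail-closed path is the property most worth pinning, because a regression that reports 401 and still forwards the request would pass every test here. Each test could end with `verify(chain, never()).doFilter(any(), any());`, with `never` statically imported from `org.mockito.Mockito`.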
@@ -60,14 +60,15 @@ public void doFilter(
 try {
 doFilter = authenticationService.authenticateHttpRequest(httpRequest, httpResponse);
 } catch (Exception e) {
- String msg = e.getMessage();
- if (msg == null) {
- msg = "Authentication required";
- }
- httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, msg);
 if (e instanceof AuthenticationException) {
+ String msg = e.getMessage();
+ if (msg == null) {
+ msg = "Authentication required";
+ }
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, msg);
 LOG.warn("[{}] Failed to authenticate HTTP request: {}", request.getRemoteAddr(), msg);
 } else {
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
 LOG.error("[{}] Error performing authentication for HTTP", request.getRemoteAddr(), e);
 }
 return;
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java
index 2192fca502dfc..744f4a1d18975 100644
--- a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/web/AuthenticationFilterTest.java
@@ -66,7 +66,7 @@ public void testDoFilterWithGenericException() throws Exception {
 
 filter.doFilter(request, response, chain);
 
- verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, errorMsg);
+ verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
 }
 
 @Test
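Review bot: In the `AuthenticationException` branch the provider's `e.getMessage()` is sent verbatim as the 401 reason to a caller that has not authenticated, so whatever an authentication provider puts in that message becomes client-visible. Nothing in the hunk constrains that text: a message that distinguishes failure causes or echoes part of the credential would be disclosed, and since the same string goes into `LOG.warn`, request-derived content containing line breaks could presumably reach the log unescaped. I would state the contract on the branch, e.g. `// AuthenticationException messages are returned to unauthenticated clients; providers must keep them free of secrets and internal detail`, and treat an empty message like a missing one with `if (msg == null || msg.isEmpty()) {`. The body of `doFilter` starts and ends outside the hunk, so handling after the `return;` is not visible here.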