[BUG] Response content-type changed in 2.11 for some endpoints

[cwperks]

In 2.11, there was a change to introduce a SecurityResponse wrapper around a BytesRestResponse. In the method to cast the SecurityResponse to a RestResponse, the method creates a BytesRestResponse using the constructor without contentType. (Here's the BytesResponseResponse constructor for context). Even if an instance of SecurityResponse is created with a Content-Type header it is being ignored since the constructor of BytesRestResponse will set it at the time the RestResponse is instantiated.

APIs impacted:

• /_plugins/security/api/authtoken
• Any Unauthed call now responds with application/json instead of text/plain

[stephen-crawford]

The change to the SecurityResponse class causes all of the methods hit with asRestResponse() to be converted.

This means that the impacted APIs can be found by moving up a level to where the asRestResponse() method is called inside of the SecurityRestFilter . Then we can look at each of the scenarios inside the wrap method to determine which calls are impacted.

Notably, the wrap method is called on all rest requests so it is more about the actual cases and whether they trigger the if-statements that lead to the asRestResponse than anything else.

The first asRestResponse is called when we try to determine whether the response has been cached. This is then based in the SecurityHttpServerTransport logic. Looking at this, it seems that we try to signify early responses for handling of decompression by identifying request attributes which are set in the Netty4HttpRequestHeaderVerifier.

The second asRestResponse happens when we check whether the request is authenticated and skip any that are not. This covers the scenarios that Craig mentioned above with his second bullet about unauthed calls.

The third asRestResponse happens when a request is denied. This is what it sounds like, we check whether a request is not allowlisted (if allowlisting is enabled). We return false if it is not allowlisted and then set this optional which will cause the asRestResponse call.

The final asRestResponse happens when a response is queued for delivery. This occurs when a response is placed in the response queue for a channel based on the SecurityRequestChannel interface. If the channel has a queued response we send a response by grabbing the queued response from the channel and calling asRestResponse on it.

---

APIs impacted appear to be any calls falling under the above scenarios and then specifically these classes:

AuthTokenProcessorHandler -- explicitly requires JSON response.

HTTPSpnegoAuthenticator adds a SecurityResponse.CONTENT_TYPE_APP_JSON header.

AbstractHTTPJWTAuthenticator -- constructs a new response with the <String, String> map.

...

This list is a work in progress. Additional usage can be found through searching for Optional<SecurityResponse>