HTTP 401 has been observed intermittently for Basic Auth with correct credentials if an API has Basic Auth and OAuth as application security.
Steps to Reproduce
Publish an API (PizzaShack) with Basic Auth + OAuth
Run the below scripts in two threads in parallel
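    # Poll the API with Basic Auth credentials and report every 401 response.
    while :
    do
        # -v together with --stderr - puts the response status line into $resp
        resp=$(curl -v -s -k -u admin:admin "https://localhost:8243/pizzashack/1.0.0/menu" --stderr -)
        # Match only the HTTP status line, not any other "401" in the output
        result=$(echo "$resp" | grep -E "^< HTTP/[0-9.]+ 401")
        if [ "$result" != "" ]; then
            dt=$(date '+%d/%m/%Y %H:%M:%S')
            echo "Got 401 at $dt"
        fi
        sleep 0.1s
    done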
From time to time, you'll observe HTTP 401.
In the logs, we could see errors and some debug logs indicating that APIM was not able to find the Basic Auth header.
TID: [-1234] [] [2022-12-24 20:30:01,638] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator} - Basic Authentication: Username and Password authenticated
TID: [-1234] [] [2022-12-24 20:30:01,638] INFO {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator} - Basic Authentication initialized
TID: [-1234] [] [2022-12-24 20:30:01,638] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthCredentialValidator} - Basic Authentication: No scopes for the API resource: /pizzashack/1.0.0:1.0.0:/menu:GET
TID: [-1234] [] [2022-12-24 20:30:01,638] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator} - Basic Authentication: Expected authorization header with the name 'Authorization' was not found.
TID: [-1234] [] [2022-12-24 20:30:01,638] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator} - Basic Authentication: Scope validation passed
TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.basicauth.BasicAuthAuthenticator} - Basic Authentication: No Basic Auth Header found
TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler} - Resource level throttling set as unlimited and request will pass resource level
TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {org.wso2.carbon.apimgt.gateway.throttling.publisher.ThrottleDataPublisher} - Publishing throttle data from gateway to traffic-manager for: /pizzashack/1.0.0 with ID: urn:uuid:44a3beef-e38e-420f-a669-96243755e7c1 started at [2022.12.24 20:30:01,639 BRT]
TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {org.wso2.carbon.apimgt.gateway.throttling.publisher.ThrottleDataPublisher} - Publishing throttle data from gateway to traffic-manager for: /pizzashack/1.0.0 with ID: urn:uuid:44a3beef-e38e-420f-a669-96243755e7c1 ended at [2022.12.24 20:30:01,639 BRT]
TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {org.wso2.carbon.apimgt.gateway.throttling.publisher.DataProcessAndPublishingAgent} - Remote IP address : 127.0.0.1
TID: [-1234] [] [2022-12-24 20:30:01,641] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - Call to Key Manager : API call failed reason=API_authentication_failure transactionId=urn:uuid:5c32fd0d-d634-4b20-bd4d-7dbdf07e83bd with userAgent=curl/7.64.1 for requestURI=/pizzashack/1.0.0/menu at time=Sat Dec 24 20:30:01 BRT 2022 from clientIP=127.0.0.1, elapsedTimeInMilliseconds=0
TID: [-1234] [] [2022-12-24 20:30:01,643] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Missing Credentials
TID: [-1234] [] [2022-12-24 20:30:01,643] DEBUG {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failed with error 900902 org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Invalid Credentials
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:542)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:522)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:409)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:361)
at org.apache.synapse.api.API.process(API.java:389)
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:108)
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:128)
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:60)
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:84)
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:70)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:344)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:375)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:189)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Affected Component
APIM
Version
4.0.0
Environment Details (with versions)
No response
Relevant Log Output
No response
Related Issues
No response
Suggested Labels
No response
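Added example, not part of the original report or of WSO2's code: a scan of a gateway log for the signature shown above, where a successful Basic Auth validation and a "No Basic Auth Header found" message both precede a "Missing Credentials" failure within a few milliseconds. The 50 ms window and the sample lines (shortened from the log above, plus one constructed failure with no nearby success) are assumptions; every line carries the same TID, so correlation is by time only.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\]\s+(\w+)\s+\{([^}]+)\}\s+-\s+(.*)")
AUTH_OK = "Username and Password authenticated"
NO_HEADER = "No Basic Auth Header found"
FAILURE = "API authentication failure due to Missing Credentials"

def parse(line):
    """Return (timestamp, level, short class name, message) or None."""
    m = LINE.search(line)
    if not m:
        return None  # stack-trace frames and other continuation lines
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group(2), m.group(3).rsplit(".", 1)[-1], m.group(4)

def suspect_failures(lines, window_ms=50):
    """List (time, ms since last successful validation) for each failure that
    follows both a successful validation and a missing-header message."""
    window = timedelta(milliseconds=window_ms)
    last_ok = last_no_header = None
    hits = []
    for rec in filter(None, map(parse, lines)):
        ts, level, cls, msg = rec
        if cls == "BasicAuthAuthenticator" and AUTH_OK in msg:
            last_ok = ts
        elif cls == "BasicAuthAuthenticator" and NO_HEADER in msg:
            last_no_header = ts
        elif level == "WARN" and FAILURE in msg:
            if (last_ok and last_no_header and ts - last_ok <= window
                    and ts - last_no_header <= window):
                gap_ms = (ts - last_ok) // timedelta(milliseconds=1)
                hits.append((ts.strftime("%H:%M:%S.%f")[:-3], gap_ms))
    return hits

# Constructed sample: first group shortened from the report's log, second
# group is a made-up failure with no successful validation close by.
PKG = "org.wso2.carbon.apimgt.gateway.handlers.security"
AUTHN, HANDLER = f"{{{PKG}.basicauth.BasicAuthAuthenticator}}", f"{{{PKG}.APIAuthenticationHandler}}"
SAMPLE = [
    f"TID: [-1234] [] [2022-12-24 20:30:01,638] DEBUG {AUTHN} - Basic Authentication: {AUTH_OK}",
    f"TID: [-1234] [] [2022-12-24 20:30:01,639] DEBUG {AUTHN} - Basic Authentication: {NO_HEADER}",
    f"TID: [-1234] [] [2022-12-24 20:30:01,643] WARN {HANDLER} - {FAILURE}",
    "at org.apache.synapse.api.API.process(API.java:389)",
    f"TID: [-1234] [] [2022-12-24 20:31:10,101] DEBUG {AUTHN} - Basic Authentication: {NO_HEADER}",
    f"TID: [-1234] [] [2022-12-24 20:31:10,104] WARN {HANDLER} - {FAILURE}",
]

if __name__ == "__main__":
    for when, gap in suspect_failures(SAMPLE):
        print(f"{when}: Missing Credentials {gap} ms after a successful Basic Auth validation")
```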