Only log Invalid Authorization header when HTTP Basic auth challenge is called

CHANGELOG.md

@@ -50,7 +50,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Fix issue computing diffs in compliance audit log when writing to security index ([#5279](https://github.com/opensearch-project/security/pull/5279))
 - Fixing dependabot broken pull_request workflow for changelog update ([#5331](https://github.com/opensearch-project/security/pull/5331))
 - Fixes assemble workflow failure during Jenkins build ([#5334](https://github.com/opensearch-project/security/pull/5334))
-- Fixes security index stale cache issue post snapshot restore([#5307](https://github.com/opensearch-project/security/pull/5307))
+- Fixes security index stale cache issue post snapshot restore ([#5307](https://github.com/opensearch-project/security/pull/5307))
+- Only log Invalid Authentication header when HTTP Basic auth challenge is called ([#5377](https://github.com/opensearch-project/security/pull/5377))
 
 ### Security
 

src/main/java/org/opensearch/security/auth/BackendRegistry.java

@@ -79,6 +79,7 @@
 import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
 import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
 import static org.opensearch.security.auth.http.saml.HTTPSamlAuthenticator.SAML_TYPE;
+import static org.opensearch.security.http.HTTPBasicAuthenticator.BASIC_TYPE;
 
 public class BackendRegistry {
 
@@ -349,8 +350,8 @@ public boolean authenticate(final SecurityRequestChannel request) {
                         if (!authDomain.getHttpAuthenticator().getType().equals(SAML_TYPE)) {
                             auditLog.logFailedLogin("<NONE>", false, null, request);
                         }
-                        if (isTraceEnabled) {
-                            log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
+                        if (authDomain.getHttpAuthenticator().getType().equals(BASIC_TYPE)) {
+                            log.warn("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                         }
                         notifyIpAuthFailureListeners(request, authCredentials);
                         request.queueForSending(restResponse.get());

src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java

@@ -47,6 +47,8 @@ public class HTTPBasicAuthenticator implements HTTPAuthenticator {
 
     protected final Logger log = LogManager.getLogger(this.getClass());
 
+    public static final String BASIC_TYPE = "basic";
+
     public HTTPBasicAuthenticator(final Settings settings, final Path configPath) {
 
     }
@@ -78,6 +80,6 @@ public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest
 
     @Override
     public String getType() {
-        return "basic";
+        return BASIC_TYPE;
     }
 }

src/main/java/org/opensearch/security/support/HTTPHelper.java

@@ -39,10 +39,8 @@
 public class HTTPHelper {
 
     public static AuthCredentials extractCredentials(String authorizationHeader, Logger log) {
-
         if (authorizationHeader != null) {
             if (!authorizationHeader.trim().toLowerCase().startsWith("basic ")) {
-                log.warn("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                 return null;
             } else {
 
@@ -75,7 +73,7 @@ public static AuthCredentials extractCredentials(String authorizationHeader, Log
                 }
 
                 if (username == null || password == null) {
-                    log.warn("Invalid 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
+                    log.warn("Invalid 'Authorization' header for HTTP Basic auth");
                     return null;
                 } else {
                     return new AuthCredentials(username, password.getBytes(StandardCharsets.UTF_8)).markComplete();