To reproduce this bug do the following:
- The repository has to have a login mechanism that requires users to log in on a different website than the one where DSpace is located.
- A non-logged-in user clicks on a bitstream URL (to which only certain users have access) & is sent to the login mechanism.
- The login is completed successfully so the user is sent back to the bitstream url (he is logged in as a proper user so should have access).
- The user will see an authorize exception.
- When the user refreshes the page the bitstream will be accessible.
Now why does this happen?
The first time the user attempts to retrieve the file an authorize exception is thrown which is caught in the DSpaceServlet.java & the startAuthentication method will be called upon.
If the first "if" fails (due to for example bad arguments) the user will be redirected to the authentication website.
When the authentication website is done the user is sent back to the bitstream page which results in another authorize exception (since even though he might have the proper argument no login has occurred).
In this case the exception will again be caught by the DSpaceServlet.java & the startAuthentication will be called again, only this time it is successful, resulting in the method returning true & so the DSpaceServlet.java sends us to a "not authenticated" page. (Even though we are authenticated & might have access)
I am not 100% sure this is a bug (or even if it is if my fix is the correct one), but I have attached a patch that will solve the issue.
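
The control flow described in this report, as an added example that is not DSpace source code and not the attached patch: a small constructed model in which every name except `startAuthentication` is hypothetical. `handleWithRetry` is one assumed way to correct the flow; it re-runs the authorization check after the login completes, so a user who is logged in but not permitted still gets the error page.

```java
// Constructed model of the reported flow; NOT DSpace source code.
// ReauthFlowModel, Session, serveBitstream and the handle* methods are hypothetical.
public class ReauthFlowModel {
    static class AuthorizeException extends Exception {}

    static class Session {
        boolean externalLoginDone; // the external login site has sent the user back
        boolean loggedIn;          // the repository itself has registered the login
        boolean mayRead;           // the user is allowed to read the bitstream
    }

    // Protected resource: needs a registered login and read permission.
    static String serveBitstream(Session s) throws AuthorizeException {
        if (!s.loggedIn || !s.mayRead) throw new AuthorizeException();
        return "BITSTREAM";
    }

    // Stand-in for startAuthentication: true means the login was completed
    // during this call, false means the user was redirected to the login site.
    static boolean startAuthentication(Session s) {
        if (s.externalLoginDone) { s.loggedIn = true; return true; }
        return false;
    }

    // Behaviour as reported: a login completed while handling the exception
    // still ends on the authorization error page.
    static String handleAsReported(Session s) {
        try { return serveBitstream(s); }
        catch (AuthorizeException e) {
            return startAuthentication(s) ? "AUTHORIZE_ERROR" : "REDIRECT_TO_LOGIN";
        }
    }

    // Assumed correction: retry the request once after a successful login,
    // going through the same authorization check again.
    static String handleWithRetry(Session s) {
        try { return serveBitstream(s); }
        catch (AuthorizeException e) {
            if (!startAuthentication(s)) return "REDIRECT_TO_LOGIN";
            try { return serveBitstream(s); }
            catch (AuthorizeException again) { return "AUTHORIZE_ERROR"; }
        }
    }

    public static void main(String[] args) {
        Session s = new Session();
        s.mayRead = true;
        System.out.println("first click:   " + handleAsReported(s));
        s.externalLoginDone = true; // user returns from the login site
        System.out.println("after login:   " + handleAsReported(s));
        System.out.println("after refresh: " + handleAsReported(s));
        Session t = new Session();
        t.mayRead = true;
        t.externalLoginDone = true;
        System.out.println("with retry:    " + handleWithRetry(t));
    }
}
```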