[undertow-dev] Unprotected areas still trigger auth

Darran Lofthouse darran.lofthouse at jboss.com
Fri Nov 15 08:14:51 EST 2013


If the required tokens were not within the message then the mechanism 
should return NOT_ATTEMPTED.

If there are multiple mechanisms (or even a single mechanism) and 
authentication is required but all the mechanisms return NOT_ATTEMPTED 
then Undertow will take the decision to turn the request around and call 
sendChallenge on each of them.

NOT_AUTHENTICATED means the mechanism saw 'something' in the incoming 
request and attempted to authenticate it but for some reason failed, so 
the message flow needs reversing and the challenges sent.  This could 
happen, as an example, if a stale nonce is received in DIGEST.

Regards,
Darran Lofthouse.


On 15/11/13 13:09, Bill Burke wrote:
>
>
> On 11/15/2013 8:04 AM, Darran Lofthouse wrote:
>> On 15/11/13 12:59, Bill Burke wrote:
>>> sendChallenge is still called.
>>
>> That should only be happening if the mechanisms indicated during the
>> authenticate step that it wanted a challenge to be sent.
>>
>
> What is the indication?  Sending back NOT_AUTHENTICATED?
>
>> As an example the DIGEST mechanism may want to do this if it receives a
>> stale nonce.
>
> The problem is my oauth mechanism has no way to know if there is another
> mechanism or if the request is even supposed to be authenticated.  If
> there is not appropriate information in the request, it sends back
> NOT_AUTHENTICATED and performs a redirect to the auth server in
> sendChallenge.
>
> Maybe I'm just using the SPI wrong.  I'll take a look at Basic auth again.
>
> Bill
>
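The outcome rules described in this exchange, as an added example that is not part of the thread or of the Undertow project: a bearer-token mechanism that returns NOT_ATTEMPTED when the request carries nothing for it to act on, so unprotected paths are never challenged, and NOT_AUTHENTICATED only when a token was presented and rejected. The class name, the mechanism name and the in-memory token table are assumptions made for the example; the SPI calls (authenticate, sendChallenge, authenticationComplete, authenticationFailed, ChallengeResult) are the public Undertow 1.x/2.x io.undertow.security.api ones.

```java
// Added example, not code from the undertow-dev thread or from Undertow itself.
// Assumes the Undertow 1.x/2.x AuthenticationMechanism SPI. The token table is a
// constructed stand-in; a real mechanism would validate the token with its issuer.
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.StatusCodes;

import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class BearerTokenMechanism implements AuthenticationMechanism {

    private static final String NAME = "BEARER_EXAMPLE";   // hypothetical mechanism name
    private static final String PREFIX = "Bearer ";

    // Constructed sample data for the example: token -> user name.
    private final Map<String, String> tokens;

    public BearerTokenMechanism(Map<String, String> tokens) {
        this.tokens = tokens;
    }

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
                                                       SecurityContext securityContext) {
        String header = exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION);

        // No bearer token in the request: this mechanism did not attempt anything.
        // Returning NOT_ATTEMPTED lets Undertow try the next mechanism; only if this
        // path requires authentication and every mechanism returned NOT_ATTEMPTED
        // does Undertow turn the request around and call sendChallenge on each of them.
        // Returning NOT_AUTHENTICATED here instead would challenge (and redirect)
        // on unprotected paths too, which is the symptom discussed in the thread.
        if (header == null || !header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        String token = header.substring(PREFIX.length()).trim();
        String user = tokens.get(token);

        // A token was presented and rejected: authentication was attempted and failed,
        // so NOT_AUTHENTICATED is correct and Undertow will send the challenge(s).
        if (user == null) {
            securityContext.authenticationFailed("Invalid bearer token", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }

        securityContext.authenticationComplete(new SimpleAccount(user), NAME, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange,
                                         SecurityContext securityContext) {
        // Reached only after Undertow has decided a challenge is needed; for a
        // bearer scheme that is a 401 with a WWW-Authenticate header rather than
        // an unconditional redirect to the authorization server.
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Bearer realm=\"example\"");
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }

    // Minimal Account for the example; roles are deliberately left empty.
    private static final class SimpleAccount implements Account {
        private final Principal principal;

        SimpleAccount(final String name) {
            this.principal = new Principal() {
                @Override
                public String getName() { return name; }
            };
        }

        @Override
        public Principal getPrincipal() { return principal; }

        @Override
        public Set<String> getRoles() { return Collections.emptySet(); }
    }
}
```

Whether a given path requires authentication is not something the mechanism can or should decide: in the standard Undertow handler chain that is the job of the constraint handler (io.undertow.security.handlers.AuthenticationConstraintHandler, or a custom one) placed in front of AuthenticationCallHandler, and the mechanism only reports what it found in the request.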

