<div dir="ltr">Hi,<div><br></div><div>I wonder if it would make sense to port the (small) fix for UNDERTOW-577 back to Undertow 1.3.x, and hopefully still include this with WF 10 final.</div><div><br></div><div>This concerns one of the last (known) larger bugs with JASPIC in WildFly. Without this being fixed, something like the 403 or 404 from a SAM is not possible. Returning a 403 is specifically needed for the BASIC scheme.</div><div><br></div><div>For instance, the following JSR 375 authentication mechanism now works on GlassFish, but throws a &quot;UT010019: Response already commited&quot; on WildFly 10rc4/Undertow 1.3.11:</div><div><br></div><div>
<div>public AuthStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMsgContext httpMsgContext) throws AuthException {</div>
<div><br></div>
<div><span class="" style="white-space:pre">    </span>String[] credentials = getCredentials(request);</div>
<div><span class="" style="white-space:pre">    </span>if (!isEmpty(credentials)) {</div>
<div><br></div>
<div><span class="" style="white-space:pre">        </span>// Credentials were sent: validate them against the identity store</div>
<div><span class="" style="white-space:pre">        </span>IdentityStore identityStore = CDI.current().select(IdentityStore.class).get();</div>
<div><br></div>
<div><span class="" style="white-space:pre">        </span>CredentialValidationResult result = identityStore.validate(</div>
<div><span class="" style="white-space:pre">            </span>new UsernamePasswordCredential(credentials[0], new Password(credentials[1])));</div>
<div><br></div>
<div><span class="" style="white-space:pre">        </span>if (result.getStatus() == VALID) {</div>
<div><span class="" style="white-space:pre">            </span>return httpMsgContext.notifyContainerAboutLogin(</div>
<div><span class="" style="white-space:pre">                </span>result.getCallerName(), result.getCallerGroups());</div>
<div><span class="" style="white-space:pre">        </span>}</div>
<div><span class="" style="white-space:pre">    </span>}</div>
<div><br></div>
<div><span class="" style="white-space:pre">    </span>// No valid credentials on a protected resource: send the BASIC challenge</div>
<div><span class="" style="white-space:pre">    </span>if (httpMsgContext.isProtected()) {</div>
<div><span class="" style="white-space:pre">        </span>response.setHeader(&quot;WWW-Authenticate&quot;, basicHeaderValue);</div>
<div><span class="" style="white-space:pre">        </span>return httpMsgContext.responseUnAuthorized();</div>
<div><span class="" style="white-space:pre">    </span>}</div>
<div><br></div>
<div><span class="" style="white-space:pre">    </span>return httpMsgContext.doNothing();</div>
<div>}</div>
</div><div><br></div><div>The problem is the &quot;httpMsgContext.responseUnAuthorized();&quot; which does:<br><br>
<div>try {</div>
<div><span class="" style="white-space:pre">    </span>getResponse().sendError(SC_UNAUTHORIZED);</div>
<div>} catch (IOException e) {</div>
<div><span class="" style="white-space:pre">    </span>throw new IllegalStateException(e);</div>
<div>}</div>
<div><br></div>
<div>return SEND_FAILURE;</div>
</div><div><br></div><div>I&#39;m not really sure what the schedule is for Undertow 1.4 vs a potential WF 11 and/or EAP 7. If WF 11 is still far away and EAP 7 will be based on WF 10, then it would really be great if this small but rather important fix could still be included in WF 10.</div><div><br></div><div>Kind regards,</div><div>Arjan Tijms</div></div>