Wrong coded Basic Authentication header gives an OK header back
---------------------------------------------------------------
Key: JBAS-6569
URL: https://jira.jboss.org/jira/browse/JBAS-6569
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: JBossAS-4.2.3.GA
Environment: Linux Red Hat Enterprise 5
Reporter: Magnus Runesson
Priority: Minor
Assume a client posts an HTTP POST request with a Basic authorization header
(Authorization: Basic) where the authorization string is not properly encoded, i.e.
it includes non-Base64 characters.
The response from JBoss is a 200 OK code and transfer-encoding chunked, i.e.:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
It should return an HTTP 400 error code.
From web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>alert</web-resource-name>
        <description>Security config for KEPS.</description>
        <url-pattern>/path/*</url-pattern>
        <url-pattern>/path</url-pattern>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>foo</role-name>
    </auth-constraint>
    <!-- <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
</security-constraint>
<security-role>
    <description>Role for that are allowed to post thunder warnings.</description>
    <role-name>foo</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>KEPS</realm-name>
</login-config>
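The behaviour the report asks for, as an added example that is not JBoss or Tomcat code: a strict parser for the Authorization: Basic header that answers 400 when the credential token is present but not valid Base64 (or lacks the user:password separator), 401 with a challenge when no usable Basic credentials are offered, and 403 when the user is authenticated but not in the required role. The realm name KEPS and the role foo are taken from the web.xml above; the user store, the password and the helper names are constructed for the example.

```python
"""Strict handling of HTTP Basic Authorization headers (added example).

A syntactically broken credential token must yield 400 Bad Request for a
protected resource, never a 200 OK.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Set, Tuple

REALM = "KEPS"  # realm name from the reporter's web.xml

# Constructed sample identity store; a real container consults its security realm.
USERS: Dict[str, str] = {"alice": "s3cret"}
ROLE_MEMBERS: Dict[str, Set[str]] = {"foo": {"alice"}}  # role "foo" from web.xml

CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_header(user: str, password: str) -> str:
    """Build a well-formed Authorization header value (used by clients and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_token(token: str) -> Optional[Tuple[str, str]]:
    """Return (user, password), or None if the token is not a valid Basic credential.

    base64.b64decode(validate=True) rejects characters outside the Base64 alphabet
    and bad padding, which is exactly the malformed input described in the report.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in text:  # RFC 7617: user-id ":" password
        return None
    user, _, password = text.partition(":")
    return user, password


def authorize(headers: Dict[str, str], required_role: str) -> Tuple[int, Dict[str, str]]:
    """Decide the response status for a request to a BASIC-protected resource.

    Returns (status, response_headers):
      401 + challenge  -> no usable Basic credentials were offered (or they are wrong)
      400              -> an Authorization: Basic header was present but malformed
      403              -> valid user, but not a member of the required role
      200              -> authenticated and authorised
    """
    # HTTP header names are case-insensitive
    header = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if header is None:
        return 401, CHALLENGE
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return 401, CHALLENGE  # a different scheme: re-challenge for Basic
    creds = decode_basic_token(token.strip())
    if creds is None:
        return 400, {}  # malformed token: the response this report asks for
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; a missing user is treated the same as a wrong password
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return 401, CHALLENGE
    if user not in ROLE_MEMBERS.get(required_role, set()):
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Basic !!not*base64!!"},
                 {"Authorization": basic_header("alice", "s3cret")}):
        print(hdrs, "->", authorize(hdrs, "foo"))
```

The distinction between 400 and 401 is deliberate: a re-challenge (401) tells a client to try again with credentials, which is wrong advice for a token that can never decode; treating the malformed token as a client syntax error (400) also keeps it out of the failed-login counters of the realm, so it can be alerted on separately.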