[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Marek Kopecky closed WFWIP-328.
-------------------------------
Resolution: Explained
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Marek Kopecky commented on WFWIP-328:
-------------------------------------
[~dlofthouse] Thank you, your reasoning makes sense, so I'm closing this jira.
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
I have just double checked, the defaulting to 403 is a decision we previously made and is not a part of this RFE.
If authentication is required and no authentication succeeds and no authentication mechanism is able to issue a response we then return 403. The EXTERNAL mechanism is only using information on the incoming request but has no ability to challenge by itself.
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
In the case of external authentication it is not our place to be making the decision to prompt the client to authenticate, whatever is handling the front end should have already made that decision and prompted accordingly.
This WFWIP will only be reproducible where the front end has decided not to enforce authentication of the remote client.
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Marek Kopecky updated WFWIP-328:
--------------------------------
Description:
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
was:
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
> Related RFC: [RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Marek Kopecky commented on WFWIP-328:
-------------------------------------
bq. client can not be informed of an action to correct this.
Hmm, wouldn't be the correct action this? - "Use proper authentication data (correct username and password)"
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
I think we should double check this one, a 401 also often implies a challenge but in this case the client can not respond. There may be an argument for 403 in this case as the client can not be informed of an action to correct this.
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin... ]
Marek Kopecky commented on WFWIP-328:
-------------------------------------
[~aabdelsa] || [~fjuma]: please let me know if I'm wrong with this:
bq. Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
> --------------------------------------------------------------------------------------
>
> Key: WFWIP-328
> URL: https://issues.redhat.com/browse/WFWIP-328
> Project: WildFly WIP
> Issue Type: Bug
> Components: Security
> Reporter: Marek Kopecky
> Assignee: Ashley Abdel-Sayed
> Priority: Critical
>
> Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
> Both unauthorized and unauthenticated HTTP requests return 403.
> Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
> I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
> This is not a regression against legacy security
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
Marek Kopecky created WFWIP-328:
-----------------------------------
Summary: HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403
Key: WFWIP-328
URL: https://issues.redhat.com/browse/WFWIP-328
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Marek Kopecky
Assignee: Ashley Abdel-Sayed
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong authentication is failing (see [this commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[ https://issues.redhat.com/browse/WFWIP-327?page=com.atlassian.jira.plugin... ]
Marek Kopecky deleted WFWIP-327:
--------------------------------
> HTTP External Security: 403 is returned if user is not authenticated
> --------------------------------------------------------------------
>
> Key: WFWIP-327
> URL: https://issues.redhat.com/browse/WFWIP-327
> Project: WildFly WIP
> Issue Type: Bug
> Reporter: Marek Kopecky
> Priority: Critical
>
--
This message was sent by Atlassian Jira
(v7.13.8#713008)