From issues at jboss.org Fri May 29 23:43:15 2015
From: Jason Greene (JIRA)
To: jboss-jira at lists.jboss.org
Subject: [jboss-jira] [JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.
Date: Fri, 29 May 2015 23:43:15 -0400
In-Reply-To: JIRA.12545767.1404754399000@Atlassian.JIRA

     [ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Greene updated WFLY-3590:
-------------------------------
    Fix Version/s: 10.0.0.Alpha3
                       (was: 10.0.0.Alpha2)

> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
>                 Key: WFLY-3590
>                 URL: https://issues.jboss.org/browse/WFLY-3590
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
>            Reporter: Harald Wellmann
>            Assignee: Stuart Douglas
>             Fix For: 10.0.0.Alpha3
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>test</realm-name>
>     </login-config>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>all</web-resource-name>
>             <url-pattern>/hello</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>USER</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <security-role>
>         <role-name>USER</role-name>
>     </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> <
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
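
A small model of the behaviour the issue reports and of the option its title asks for, added here as an illustration; it is not WildFly or Undertow code. The `process_on_unsecured` flag and the `alice` user store are hypothetical, and treating `foo:bar` as unknown credentials is an assumption; the `/hello` constraint and the request header come from the issue.

```python
import base64
import hmac

PROTECTED = {"/hello": "USER"}           # url-pattern -> required role (issue's web.xml)
USERS = {"alice": ("secret", {"USER"})}  # constructed identity store; 'foo' is unknown

def matches(pattern, path):
    """Servlet-style url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def required_role(path):
    """Role demanded by the first matching constraint, or None if the path is public."""
    return next((r for p, r in PROTECTED.items() if matches(p, path)), None)

def parse_basic(header):
    """Return (user, password), or None for a missing or malformed header."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = raw.partition(":")
    return user, password

def authenticate(creds):
    """Return the user name if the credentials verify, else None."""
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record and hmac.compare_digest(record[0].encode(), password.encode()):
        return user
    return None

def status(path, authorization=None, process_on_unsecured=True):
    """HTTP status the model returns for a request to `path`."""
    role = required_role(path)
    creds = parse_basic(authorization)
    if role is None:
        # Public resource: the reported behaviour verifies a presented token
        # anyway and rejects the request when verification fails.
        if process_on_unsecured and creds and authenticate(creds) is None:
            return 401
        return 200
    user = authenticate(creds)
    if user is None:
        return 401
    return 200 if role in USERS[user][1] else 403
```

With the flag off, the token is only evaluated where a security constraint applies, so the protected `/hello` still returns 401 for the same header.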