Jan Kalina updated ELY-1014:
----------------------------
Git Pull Request:
Elytron auth method misconfiguration not logged
-----------------------------------------------
Key: ELY-1014
URL: https://issues.jboss.org/browse/ELY-1014
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Mechanisms
Reporter: Martin Choma
Assignee: Jan Kalina
Priority: Blocker
Labels: user_experience
When a deployment is configured to be secured with DIGEST, but the
{{http-authentication-factory}} does not list the DIGEST mechanism, the user is not informed about
the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, a 403
HTTP code is returned and Forbidden is shown in the browser. I would expect a browser dialog to
appear to allow the user to provide credentials (401 HTTP status code).
{code:title=web.xml}
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicaitonRealm</realm-name>
</login-config>
{code}
{code:title=standalone-elytron.xml}
<http-authentication-factory name="application-http-authentication"
                             http-server-mechanism-factory="global"
                             security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>
{code}
This applies globally to all authentication mechanisms, not only DIGEST.
Could Elytron handle the misconfiguration:
* either fail while deploying the application, as the deployment requirement can't be satisfied
* or provide reasonable Elytron defaults for the missing mechanism configuration.
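
A pre-deployment check for the mismatch described in this issue, as an added example that is not part of the original report or of Elytron itself: it compares the `auth-method` in `web.xml` with the mechanisms listed under a named `http-authentication-factory`. The function names and sample strings are constructed for illustration; it assumes, as the report does, that only listed mechanisms are available, and that the caller knows which factory serves the deployment.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the two snippets in the report.
WEB_XML = """<web-app><login-config>
  <auth-method>DIGEST</auth-method><realm-name>ApplicaitonRealm</realm-name>
</login-config></web-app>"""
ELYTRON_XML = """<subsystem>
<http-authentication-factory name="application-http-authentication"
    http-server-mechanism-factory="global" security-domain="ApplicationDomain">
  <mechanism-configuration>
    <mechanism mechanism-name="BASIC">
      <mechanism-realm realm-name="Application Realm"/>
    </mechanism>
    <mechanism mechanism-name="FORM"/>
  </mechanism-configuration>
</http-authentication-factory></subsystem>"""

def local(tag):
    """Drop a '{namespace}' prefix so namespaced files match too."""
    return tag.rsplit("}", 1)[-1]

def requested_mechanisms(web_xml):
    """Names requested by <auth-method> in web.xml."""
    names = []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "auth-method" and el.text:
            # Assumption: comma-separated names, each with an optional "?params" suffix.
            parts = (p.split("?", 1)[0].strip().upper() for p in el.text.split(","))
            names.extend(p for p in parts if p)
    return names

def configured_mechanisms(elytron_xml, factory_name):
    """Names listed under the named http-authentication-factory, or None."""
    for el in ET.fromstring(elytron_xml).iter():
        if local(el.tag) == "http-authentication-factory" and el.get("name") == factory_name:
            return {m.get("mechanism-name", "").upper()
                    for m in el.iter() if local(m.tag) == "mechanism"}
    return None

def missing_mechanisms(web_xml, elytron_xml, factory_name):
    """Requested mechanisms that the factory does not list."""
    configured = configured_mechanisms(elytron_xml, factory_name)
    if configured is None:
        raise LookupError(f"factory {factory_name!r} not found")
    return [m for m in requested_mechanisms(web_xml) if m not in configured]

if __name__ == "__main__":
    for mech in missing_mechanisms(WEB_XML, ELYTRON_XML, "application-http-authentication"):
        print(f"web.xml requests {mech}, but the factory does not list it")
```

Run in a build or deployment pipeline, a non-empty result surfaces the misconfiguration before users see the 403.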