[
https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin...
]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
I have just double checked, the defaulting to 403 is a decision we previously made and is
not a part of this RFE.
If authentication is required and no authentication succeeds and no authentication
mechanism is able to issue a response we then return 403. The EXTERNAL mechanism is only
using information on the incoming request but has no ability to challenge by itself.
HTTP External Security: Both unauthorized and unauthenticated HTTP
requests return 403
--------------------------------------------------------------------------------------
Key: WFWIP-328
URL:
https://issues.redhat.com/browse/WFWIP-328
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Marek Kopecky
Assignee: Ashley Abdel-Sayed
Priority: Critical
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should
receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong
authentication is failing (see [this
commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
Related RFC: [
RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)