Joachim Klausner edited comment on WFLY-3590 at 4/29/15 7:15 AM:
-----------------------------------------------------------------
Here's a scenario which may justify the addition of such an option:
My application simulates "logout" with Basic Authentication by sending invalid
credentials (logout/logout) to an unsecured servlet, which only accepts logout/logout and
replies with 401 otherwise. This clears the credential cache of the browser, so the user
is prompted to enter new credentials when he redirects to other (secured) URLs of the
application.
Works with JBoss AS 7.x but does not work anymore with WildFly 8.2.
Option to disable processing of authentication tokens on unsecured resources.
-----------------------------------------------------------------------------
Key: WFLY-3590
URL: https://issues.jboss.org/browse/WFLY-3590
Project: WildFly
Issue Type: Feature Request
Components: Web (Undertow)
Affects Versions: 8.1.0.Final
Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
Reporter: Harald Wellmann
Assignee: Darran Lofthouse
Fix For: 10.0.0.Alpha1
WildFly sends a basic authentication challenge and denies access when it shouldn't in
the following simple setup:
{code:xml}
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test</realm-name>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>USER</role-name>
</security-role>
{code}
{{/hello}} is the only protected URL (mapped to a servlet), other URLs like
{{/index.html}} are public.
When GETting /index.html with an (unneeded) basic authentication header, access is
denied:
{noformat}
$ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'foo'
> GET /auth-basic/index.html HTTP/1.1
> Authorization: Basic Zm9vOmJhcg==
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="test"
< X-Powered-By: Undertow/1
* Server WildFly/8 is not blacklisted
< Server: WildFly/8
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 71
< Date: Mon, 07 Jul 2014 17:28:25 GMT
<
* Connection #0 to host localhost left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>
{noformat}
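An added illustration, not Undertow or WildFly code, modelling the two container behaviours that the report above and the earlier comment contrast: a small decision routine that takes the constraints from the web.xml in the description (only {{/hello}} requires role USER, everything else is public) and an Authorization header such as the one in the curl trace, and returns the status a container would send when it validates credentials eagerly on every request (the WildFly 8.x behaviour reported) versus only on constrained resources (the AS 7 behaviour the reporter expected). The user store and the `eager` switch are assumptions made for this example.

```python
"""Model of BASIC-auth decisions for the WFLY-3590 scenario (constructed example)."""
import base64
from typing import Optional, Tuple

# From the issue's web.xml: /hello is constrained to role USER; all other paths are public.
SECURITY_CONSTRAINTS = {"/hello": {"USER"}}
# Constructed user store (assumption); unrelated to any WildFly realm configuration.
USERS = {"alice": ("s3cret", {"USER"})}
# The exact header curl sent in the trace above ("foo:bar" base64-encoded).
FOO_BAR_HEADER = "Basic Zm9vOmJhcg=="


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle(path: str, authorization: Optional[str], eager: bool) -> int:
    """Return the HTTP status the container sends for a request to `path`.

    eager=True  : any Authorization header is validated, even on public resources
                  (the WildFly 8.x behaviour described in the issue).
    eager=False : credentials are only examined when the path is covered by a
                  security-constraint (the AS 7 behaviour).
    """
    required_roles = SECURITY_CONSTRAINTS.get(path)
    creds = parse_basic(authorization)
    if required_roles is None and (creds is None or not eager):
        return 200                      # public resource: header ignored or absent
    if creds is None:
        return 401                      # protected resource without credentials: challenge
    user, password = creds
    record = USERS.get(user)
    if record is None or record[0] != password:
        return 401                      # invalid credentials rejected (the reported 401)
    if required_roles is None or required_roles & record[1]:
        return 200
    return 403                          # authenticated but not in a required role
```

With `eager=True` the comment's logout trick also fails: a request to an unsecured {{/logout}} servlet carrying logout/logout credentials is answered 401 by the container before the servlet ever runs.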
--
This message was sent by Atlassian JIRA (v6.3.15#6346)