[
https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin...
]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
I think we should double check this one, a 401 also often implies a challenge but in this
case the client can not respond. There may be an argument for 403 in this case as the
client can not be informed of an action to correct this.
HTTP External Security: Both unauthorized and unauthenticated HTTP
requests return 403
--------------------------------------------------------------------------------------
Key: WFWIP-328
URL:
https://issues.redhat.com/browse/WFWIP-328
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Marek Kopecky
Assignee: Ashley Abdel-Sayed
Priority: Critical
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should
receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong
authentication is failing (see [this
commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
--
This message was sent by Atlassian Jira
(v7.13.8#713008)