[
https://issues.redhat.com/browse/WFWIP-328?page=com.atlassian.jira.plugin...
]
Darran Lofthouse commented on WFWIP-328:
----------------------------------------
In the case of external authentication it is not our place to be making the decision to
prompt the client to authenticate, whatever is handling the front end should have already
made that decision and prompted accordingly.
This WFWIP will only be reproducible where the front end has decided not to enforce
authentication of the remote client.
HTTP External Security: Both unauthorized and unauthenticated HTTP
requests return 403
--------------------------------------------------------------------------------------
Key: WFWIP-328
URL:
https://issues.redhat.com/browse/WFWIP-328
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Marek Kopecky
Assignee: Ashley Abdel-Sayed
Priority: Critical
Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron
Both unauthorized and unauthenticated HTTP requests return 403.
Unauthorized user should receive 403 HTTP response, but unauthenticated user should
receive 401 HTTP code
I check it on WebSecurityExternalAuthTestCase (from wf-ts) and my new test for wrong
authentication is failing (see [this
commit|https://github.com/marekkopecky/wildfly/commit/959341c07e3ba5eaaf4...])
This is not a regression against legacy security
Related RFC: [
RFC-7235|https://tools.ietf.org/html/rfc7235]
--
This message was sent by Atlassian Jira
(v7.13.8#713008)