Hi,

On Thu, Dec 24, 2015 at 2:00 AM, Stuart Douglas <sdouglas@redhat.com> wrote:
Looks like I made a mistake in the JIRA, it should already be in WildFly. Can you test it out?

I did a quick test yesterday with WF10 CR5 (using the above code) and it still failed. When I manually applied the exact patch to Undertow 1.3.x in WildFly 10 CR4 a few weeks back it worked. But to be absolutely sure I'll double check again today. Thanks!

Kind regards,
Arjan Tijms

Stuart

----- Original Message -----
> From: "arjan tijms" <arjan.tijms@gmail.com>
> To: "undertow-dev" <undertow-dev@lists.jboss.org>
> Sent: Wednesday, 23 December, 2015 11:24:57 PM
> Subject: [undertow-dev] UNDERTOW-577 - response code from SAM
>
> Hi,
>
> I wonder if it would make sense to port the (small) fix for UNDERTOW-577 back
> to Undertow 1.3.x, and hopefully still include this with WF 10 final.
>
> This concerns one of the last (known) larger bugs with JASPIC in WildFly.
> Without this being fixed, something like the 403 or 404 from a SAM is not
> possible. Returning a 403 is specifically needed for the BASIC scheme.
>
> For instance, the following JSR 375 authentication mechanism now works on
> GlassFish, but throws a "UT010019: Response already commited" on WildFly
> 10rc4/Undertow 1.3.11:
>
> public AuthStatus validateRequest(HttpServletRequest request,
>         HttpServletResponse response, HttpMsgContext httpMsgContext) throws AuthException {
>     String[] credentials = getCredentials(request);
>     if (!isEmpty(credentials)) {
>         IdentityStore identityStore = CDI.current().select(IdentityStore.class).get();
>         CredentialValidationResult result = identityStore.validate(
>             new UsernamePasswordCredential(credentials[0], new Password(credentials[1])));
>
>         if (result.getStatus() == VALID) {
>             return httpMsgContext.notifyContainerAboutLogin(
>                 result.getCallerName(), result.getCallerGroups());
>         }
>     }
>     if (httpMsgContext.isProtected()) {
>         response.setHeader("WWW-Authenticate", basicHeaderValue);
>         return httpMsgContext.responseUnAuthorized();
>     }
>     return httpMsgContext.doNothing();
> }
>
> The problem is the "httpMsgContext.responseUnAuthorized();" which does:
>
>     try {
>         getResponse().sendError(SC_UNAUTHORIZED);
>     } catch (IOException e) {
>         throw new IllegalStateException(e);
>     }
>     return SEND_FAILURE;
>
> I'm not really sure what the schedule is for Undertow 1.4 vs a potential WF
> 11 and/or EAP 7. If WF 11 is still far away and EAP 7 will be based on WF
> 10, then it would really be great if this small but rather important fix
> could still be included in WF 10.
>
> Kind regards,
> Arjan Tijms