This is currently the case. The server caches things such that subsequent connections
(even without auth headers) can be accepted.
I have had a PR for a while that handles this somewhat abruptly (disables caching), and
also fixes issues with logout when using BASIC auth (which wasn't handled):
From: "Jason Greene" <jgreene(a)redhat.com>
To: "Harald Pehl" <hpehl(a)redhat.com>
Cc: "Darran Lofthouse" <darran.lofthouse(a)redhat.com>,
wildfly-dev(a)lists.jboss.org
Sent: Friday, August 9, 2013 7:37:11 AM
Subject: Re: [wildfly-dev] Broken logout / HAL-60
Hmm we need to look into a security issue then because that could mean that
subsequent requests with incorrect credentials are somehow accepted when
they should be rejected.
On Aug 9, 2013, at 5:06 AM, Harald Pehl <hpehl(a)redhat.com> wrote:
> I'm trying to fix the broken logout in the console
> (https://issues.jboss.org/browse/HAL-60). With the switch to undertow, the
> redirects in LogoutHandler no longer work in Chrome and Safari. I came
> up with a solution that adds a call to SecurityContext.logout() before
> doing the redirects.
>
> My changes are in PR #4879: https://github.com/wildfly/wildfly/pull/4897.
> Can you take a look at my solution? I don't know if that's an appropriate
> solution to get rid of the digest authentication information. At least it
> does work across common browsers.
>
> Thanks
> Harald
>
> ---
> Harald Pehl
> JBoss by Red Hat
> http://hpehl.info
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
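To make the risk discussed in this thread concrete, here is an added example (not code from the thread, WildFly or Undertow): a small Python HTTP server that models the caching behaviour, trusting a principal cached on a keep-alive connection, beside the same server re-checking BASIC credentials on every request, plus a probe that sends a good, a missing and a wrong Authorization header over one connection. Assumptions: the cache is modelled as per-connection state, and the credentials and the /management path are constructed for the demo.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
USERS = {"admin": "secret"}  # constructed demo credentials

def make_handler(cache_auth):
    """cache_auth=True reproduces the caching bug; False re-checks every request."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"  # keep-alive: one instance serves every request on a connection
        def log_message(self, *args): pass  # silence request logging

        def check_basic(self):
            hdr = self.headers.get("Authorization", "")
            if not hdr.startswith("Basic "):
                return None
            try:
                user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                return None
            return user if USERS.get(user) == pw else None

        def do_GET(self):
            # Bug: trust the principal cached by an earlier request on this connection
            # instead of checking the credentials sent with the current request.
            principal = (getattr(self, "principal", None) if cache_auth else None) or self.check_basic()
            self.principal = principal  # kept until the connection closes
            body, code = (b"ok", 200) if principal else (b"unauthorized", 401)
            self.send_response(code)
            if code == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

def probe(cache_auth):
    """Status codes of three requests on one keep-alive connection: good, none, wrong credentials."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(cache_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1])
    auth = lambda s: {"Authorization": "Basic " + base64.b64encode(s).decode()}
    codes = []
    for headers in (auth(b"admin:secret"), {}, auth(b"admin:wrong")):
        conn.request("GET", "/management", headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be reused
        codes.append(resp.status)
    conn.close()
    srv.shutdown()
    srv.server_close()
    return codes
```

With caching on, `probe(True)` accepts all three requests, including the one with wrong credentials that Jason describes; with per-request checking, `probe(False)` rejects the second and third.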