[jboss-jira] [JBoss JIRA] (WFLY-3590) HTTP 401 Unauthorized for unprotected URL

Harald Wellmann (JIRA) issues at jboss.org
Mon Jul 7 13:34:24 EDT 2014


Harald Wellmann created WFLY-3590:
-------------------------------------

             Summary: HTTP 401 Unauthorized for unprotected URL
                 Key: WFLY-3590
                 URL: https://issues.jboss.org/browse/WFLY-3590
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Web (Undertow)
    Affects Versions: 8.1.0.Final
         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
            Reporter: Harald Wellmann
            Assignee: Stuart Douglas


WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:

{code:xml}
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test</realm-name>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/hello</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>USER</role-name>
    </security-role>
{code}

{{/hello}} is the only protected URL (mapped to a servlet); other URLs like {{/index.html}} are public.

When GETting /index.html with an (unneeded) basic authentication header, access is denied:

{noformat}
$ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'foo'
> GET /auth-basic/index.html HTTP/1.1
> Authorization: Basic Zm9vOmJhcg==
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="test"
< X-Powered-By: Undertow/1
* Server WildFly/8 is not blacklisted
< Server: WildFly/8
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 71
< Date: Mon, 07 Jul 2014 17:28:25 GMT
< 
* Connection #0 to host localhost left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>
{noformat}
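
The authorization decision the report expects from the container, as an added example (not code from WildFly, Undertow or the report): constraints are read from a constructed copy of the web.xml fragment above and requests are evaluated with the Servlet url-pattern rules, so a path no constraint covers is served regardless of what the Authorization header carries, and a 401 challenge is only issued for a path that actually requires a role. The USERS store and the basic_header helper are assumptions, and the matcher generalizes beyond the single /hello pattern to prefix (/foo/*) and extension (*.ext) patterns.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed copy of the report's web.xml; patterns apply to paths inside the context root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/hello</url-pattern></web-resource-collection>
    <auth-constraint><role-name>USER</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

USERS = {"alice": ("secret", {"USER"})}  # hypothetical user store for realm "test"

def parse_constraints(xml_text):
    """[(url_patterns, required_roles)] for each constraint carrying an auth-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        if sc.find("auth-constraint") is not None:  # otherwise the resource stays public
            out.append(([p.text.strip() for p in sc.iter("url-pattern")],
                        {r.text.strip() for r in sc.iter("role-name")}))
    return out

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/foo/*), extension (*.ext), else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(constraints, path, auth_header=None):
    required, constrained = set(), False  # roles any matching constraint demands
    for patterns, roles in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            required, constrained = required | roles, True
    if not constrained:
        return 200  # unprotected: an Authorization header, even a bogus one, is ignored
    if not auth_header or not auth_header.startswith("Basic "):
        return 401  # challenge only because this resource really requires a role
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:
        return 401  # undecodable credentials count as absent
    if user not in USERS or USERS[user][0] != pw:
        return 401
    return 200 if USERS[user][1] & required else 403  # authenticated but wrong role

CONSTRAINTS = parse_constraints(WEB_XML)
```

With the report's header (`Basic Zm9vOmJhcg==`, an unknown user) the public `/index.html` must still yield 200 while `/hello` yields 401.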



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)