[jboss-jira] [JBoss JIRA] (WFLY-3590) HTTP 401 Unauthorized for unprotected URL

Darran Lofthouse (JIRA) issues at jboss.org
Tue Jul 8 07:24:25 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12982996#comment-12982996 ] 

Darran Lofthouse commented on WFLY-3590:
----------------------------------------

+1 on making this a configuration option.

However, an argument on the basis of a client doing something that you never know why just really does not cut it as a justification for something broken.

One of the main reasons it is implemented this way is that, for those servers listed, if you select an authentication mechanism that has protection built in against replay attacks, that protection is immediately undermined by the introduction of a single token that allows access without further verification of the user's identity. As a result, if the client is continuing to send security headers we continue to validate them; failure to validate would leave intercepted headers available for a replay attack against the server if the server had not previously validated them.

So at this point in time I still do not see a valid reason for a client to be sending in invalid credentials; if that scenario genuinely exists and is more than a badly configured curl call, I am more than interested in hearing about it so we can evaluate it further. Regarding the servlet specification, can you please identify the section which prohibits us from validating authentication tokens we are presented with?

> HTTP 401 Unauthorized for unprotected URL
> -----------------------------------------
>
>                 Key: WFLY-3590
>                 URL: https://issues.jboss.org/browse/WFLY-3590
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
>            Reporter: Harald Wellmann
>            Assignee: Darran Lofthouse
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>test</realm-name>
>     </login-config>
>     
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>all</web-resource-name>
>             <url-pattern>/hello</url-pattern>            
>         </web-resource-collection>
>         <auth-constraint>        
>             <role-name>USER</role-name>
>         </auth-constraint>       
>     </security-constraint>
>     
>     <security-role>
>         <role-name>USER</role-name>
>     </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> > 
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> < 
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
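The two behaviours argued over above (reject a request to a public URL when it carries credentials that fail validation, versus ignore credentials on public URLs) can be modelled side by side. The following is an added illustration and is not WildFly or Undertow code. The "Token" scheme with a server-issued one-time nonce is a constructed stand-in for a replay-protected authentication mechanism (it is deliberately not HTTP Digest), the user store and nonce format are constructed, and the protected path set mirrors the {{/hello}} security-constraint from the report. Scenario 1 reproduces the curl call from the report; scenario 3 shows why validating a header presented on a public URL matters for replay protection when the mechanism relies on consuming a nonce once.

```python
"""Model of two policies for an Authorization header sent to an unprotected URL.

Added example, not WildFly/Undertow code.  The 'Token' scheme below is a
constructed one-time-nonce mechanism standing in for any replay-protected
auth mechanism; the users and nonce format are constructed as well.
"""
import hashlib
import hmac
import secrets

PROTECTED = {"/hello"}                 # mirrors the web.xml security-constraint in the report
USERS = {"alice": "correct horse"}     # constructed user store (user -> password)


def make_header(user, password, nonce):
    """Client side of the constructed scheme: MAC of user:nonce under the password."""
    mac = hmac.new(password.encode(), f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"Token user={user};nonce={nonce};mac={mac}"


class Server:
    def __init__(self, validate_on_public):
        # True  -> behave like the report describes: a presented header is always validated
        # False -> the requested alternative: ignore headers on public URLs
        self.validate_on_public = validate_on_public
        self.issued = set()     # nonces the server handed out in challenges
        self.consumed = set()   # nonces already validated once (the replay protection)

    def challenge_nonce(self):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        return nonce

    def _check(self, header):
        """Return the authenticated user, or None if the header does not validate."""
        try:
            scheme, rest = header.split(" ", 1)
            fields = dict(kv.split("=", 1) for kv in rest.split(";"))
            user, nonce, mac = fields["user"], fields["nonce"], fields["mac"]
        except (ValueError, KeyError):
            return None                      # wrong scheme/shape, e.g. "Basic Zm9vOmJhcg=="
        if scheme != "Token" or user not in USERS:
            return None
        if nonce not in self.issued or nonce in self.consumed:
            return None                      # unknown or already-used nonce: replay rejected
        expected = hmac.new(USERS[user].encode(), f"{user}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        self.consumed.add(nonce)             # one-time use: validating the header burns the nonce
        return user

    def handle(self, path, headers):
        """Return the HTTP status the server would answer with."""
        auth = headers.get("Authorization")
        protected = path in PROTECTED
        if auth is not None and (protected or self.validate_on_public):
            if self._check(auth) is None:
                return 401                   # presented credentials are bad: reject, even on a public URL
            return 200
        if protected:
            return 401                       # protected URL, no credentials: challenge
        return 200                           # public URL, nothing presented (or header ignored)


def scenario(validate_on_public):
    srv = Server(validate_on_public)
    results = {}
    # 1. the report: the curl call sends Basic credentials to a public URL
    results["bad_creds_public"] = srv.handle("/auth-basic/index.html",
                                             {"Authorization": "Basic Zm9vOmJhcg=="})
    # 2. anonymous requests behave the same under both policies
    results["anon_public"] = srv.handle("/index.html", {})
    results["anon_protected"] = srv.handle("/hello", {})
    # 3. replay: alice sends a valid header to a public URL, an attacker who
    #    intercepted that header replays it against the protected URL
    nonce = srv.challenge_nonce()
    captured = make_header("alice", "correct horse", nonce)
    results["alice_public"] = srv.handle("/index.html", {"Authorization": captured})
    results["replay_protected"] = srv.handle("/hello", {"Authorization": captured})
    return results


if __name__ == "__main__":
    print("validate on public URLs:", scenario(True))
    print("ignore on public URLs:  ", scenario(False))
```

With validate_on_public=True the first scenario answers 401, which is exactly what the report shows, and the replayed header is refused because validating it on /index.html already consumed the nonce. With validate_on_public=False the curl call gets its 200, but the captured header still carries an unconsumed nonce and the replay against /hello succeeds. One caveat on transferring this to real mechanisms: HTTP Digest binds the response value to the request method and URI, so a Digest header captured on one URL does not replay verbatim against a different one; the constructed scheme leaves that binding out on purpose so that the effect of the validate-if-present policy is visible on its own.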

