[jboss-jira] [JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.

Darran Lofthouse (JIRA) issues at jboss.org
Tue Jul 8 08:51:24 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983049#comment-12983049 ] 

Darran Lofthouse commented on WFLY-3590:
----------------------------------------

In this case, however, it is not that we are requiring authentication of the user; it is that the user is attempting authentication. If the user accessed this resource without attempting to authenticate, we would not challenge them to authenticate, i.e. we are not requiring them to authenticate, but they are choosing to attempt to authenticate.

> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
>                 Key: WFLY-3590
>                 URL: https://issues.jboss.org/browse/WFLY-3590
>             Project: WildFly
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>         Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
>            Reporter: Harald Wellmann
>            Assignee: Darran Lofthouse
>             Fix For: 9.0.0.Alpha1
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>test</realm-name>
>     </login-config>
>     
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>all</web-resource-name>
>             <url-pattern>/hello</url-pattern>            
>         </web-resource-collection>
>         <auth-constraint>        
>             <role-name>USER</role-name>
>         </auth-constraint>       
>     </security-constraint>
>     
>     <security-role>
>         <role-name>USER</role-name>
>     </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> > 
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> < 
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
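The distinction in the comment above (a public resource served without a challenge, versus a client that sends credentials anyway and is challenged when they fail) modelled as an added example; this is not WildFly or Undertow code, and the user store, the `ignore_tokens_on_public` switch and the 403 branch for a wrong role are assumptions of the model:

```python
# Added example, not WildFly/Undertow code: a small model of the decision the
# thread is about. /hello is constrained (web.xml in the report); other paths
# are public. With an Authorization header on a public path the container
# either processes it (default: bad credentials -> 401 challenge, as in the
# curl log) or, with the requested option, ignores it and serves the page.
import base64

USERS = {"alice": ("s3cret", {"USER"})}      # constructed user store
CONSTRAINTS = {"/hello": {"USER"}}           # url-pattern -> allowed roles
REALM = "test"

def basic_header(user, password):
    """Build the Authorization header that curl -u sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate(creds):
    """Roles for valid credentials, None when they are missing or wrong."""
    if creds is None:
        return None
    entry = USERS.get(creds[0])
    return entry[1] if entry and entry[0] == creds[1] else None

def handle(path, authorization=None, ignore_tokens_on_public=False):
    """Return (status, headers) for a request, modelling servlet security."""
    constrained = path in CONSTRAINTS
    if not constrained and (authorization is None or ignore_tokens_on_public):
        return 200, {}                      # public and nothing to check
    if authorization is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    roles = authenticate(parse_basic(authorization))
    if roles is None:                       # an attempt was made and failed
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if constrained and not (CONSTRAINTS[path] & roles):
        return 403, {}                      # authenticated, but wrong role
    return 200, {}
```

`handle("/index.html", "Basic Zm9vOmJhcg==")` reproduces the 401 from the report, while the same call with `ignore_tokens_on_public=True` returns 200.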