[jboss-jira] [JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.
Joachim Klausner (JIRA)
issues at jboss.org
Wed Apr 29 07:13:54 EDT 2015
[ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13063714#comment-13063714 ]
Joachim Klausner commented on WFLY-3590:
----------------------------------------
Here's a scenario which may justify the addition of such an option:
My application simulates "logout" with Basic Authentication by sending invalid credentials (logout/logout) to an unsecured servlet, which only accepts logout/logout and replies with 401 otherwise. This clears the credential cache of the browser, so the user is prompted to enter new credentials when he navigates to other (secured) URLs of the application.
Works with JBoss AS 7.x but no longer does with WildFly 8.2.
> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
> Key: WFLY-3590
> URL: https://issues.jboss.org/browse/WFLY-3590
> Project: WildFly
> Issue Type: Feature Request
> Components: Web (Undertow)
> Affects Versions: 8.1.0.Final
> Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
> Reporter: Harald Wellmann
> Assignee: Darran Lofthouse
> Fix For: 10.0.0.Alpha1
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>test</realm-name>
> </login-config>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>all</web-resource-name>
>         <url-pattern>/hello</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>USER</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <security-role>
>     <role-name>USER</role-name>
> </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> <
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
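The behaviour the issue and the comment describe, as an added example that is not part of the original thread and not WildFly or Undertow code: a small Python model of a servlet container deciding one Basic-auth request under two policies. With `proactive=True` any Basic token that is present is validated before the resource is consulted, so `curl -u foo:bar` against the public `/index.html` gets the 401 seen in the issue, and the commenter's unsecured logout servlet never sees its logout/logout credentials because the container answers first. With `proactive=False` credentials are validated only when the matched URL carries a constraint, so a bad token on a public resource is ignored and the servlet decides. The constraint table mirrors the issue's web.xml; the identity store, the user `alice`, the `/logout` path and the two mode names are assumptions of this model.

```python
import base64

# Constructed model: the issue's web.xml protects only /hello for role USER;
# every other path is public. Identity store and users are assumptions.
CONSTRAINTS = {"/hello": {"USER"}}                 # url-pattern -> required roles
IDENTITY_STORE = {"alice": ("s3cret", {"USER"})}    # user -> (password, roles)
CHALLENGE = {"WWW-Authenticate": 'Basic realm="test"'}


def basic(user, password):
    """Build an 'Authorization: Basic' value, as curl -u does."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authz):
    """Return (user, password) from a Basic header value, or None.

    None means "nothing to attempt": header absent, a different scheme,
    undecodable base64, or no ':' separator. Malformed input never raises.
    """
    if not authz:
        return None
    scheme, _, token = authz.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify(creds):
    """Check credentials against the store; return the roles or None."""
    if creds is None:
        return None
    user, password = creds
    entry = IDENTITY_STORE.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def logout_servlet(creds):
    """The commenter's unsecured 'logout' servlet: accepts only logout/logout
    and answers 401 with a challenge otherwise, so the browser drops its
    cached Basic credentials."""
    if creds == ("logout", "logout"):
        return 200, {}, "logged out"
    return 401, dict(CHALLENGE), "Unauthorized"


def hello_servlet(creds):
    return 200, {}, f"hello {creds[0]}"


def index_servlet(creds):
    return 200, {}, "<html>public</html>"


SERVLETS = {"/hello": hello_servlet, "/logout": logout_servlet, "/index.html": index_servlet}


def handle(path, authz=None, proactive=True):
    """Model the container's decision for one request; returns (status, headers, body).

    proactive=True : any Basic token present is validated up front, and a bad
                     one is rejected with 401 even on a public resource. This
                     is the behaviour the issue reports.
    proactive=False: credentials are validated only when the matched resource
                     carries a constraint; on public resources a bad token is
                     ignored and the servlet itself decides.
    """
    if path not in SERVLETS:
        return 404, {}, "Not Found"
    creds = parse_basic(authz)
    required = CONSTRAINTS.get(path)
    if required is not None:
        roles = verify(creds)
        if roles is None:
            return 401, dict(CHALLENGE), "Unauthorized"
        if not (required & roles):
            return 403, {}, "Forbidden"
        return SERVLETS[path](creds)
    # Public resource: only the up-front policy can reject it here.
    if proactive and creds is not None and verify(creds) is None:
        return 401, dict(CHALLENGE), "Unauthorized"
    return SERVLETS[path](creds)


if __name__ == "__main__":
    for mode in (True, False):
        print(f"proactive={mode}")
        print("  GET /index.html foo:bar   ->", handle("/index.html", basic("foo", "bar"), mode)[0])
        print("  GET /logout logout/logout ->", handle("/logout", basic("logout", "logout"), mode)[0])
        print("  GET /hello alice:s3cret   ->", handle("/hello", basic("alice", "s3cret"), mode)[0])
```

Two caveats for anyone relying on the logout trick: it only works when the container lets the unsecured servlet see the bogus credentials, which is exactly what the up-front policy prevents, and it depends on the browser discarding cached Basic credentials after a 401, which browsers do by convention rather than by any guarantee of the protocol.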