[jboss-jira] [JBoss JIRA] (WFLY-4304) Servlet authentication kicked off when not a part of any security-constraint

Mon Feb 2 14:44:49 EST 2015

Brett Meyer created WFLY-4304:
---------------------------------

             Summary: Servlet authentication kicked off when *not* a part of any security-constraint
                 Key: WFLY-4304
                 URL: https://issues.jboss.org/browse/WFLY-4304
             Project: WildFly
          Issue Type: Bug
    Affects Versions: 8.2.0.Final
            Reporter: Brett Meyer
            Assignee: Jason Greene
            Priority: Critical

Artificer runs on Wildfly 8.2 and uses Keycloak for auth.  If our WAR contains a servlet that is *not* protected by a security-constraint in web.xml, Wildfly still attempts to authenticate the call (using Wireshark, I see the GET/POST get funneled through the Keycloak realm redirection) if basic auth credentials are in the header.  In a keycloak-dev thread this past Dec., [~bill.burke] suggested this was most likely an issue within Wildfly auth itself.

A credentialed call on an un-protected servlet does sound like an edge case.  However, this came up possibly due to a secondary symptom:

If I protect the servlet in web.xml, the call's Authorization header is stripped.  I'm not currently able to figure out exactly where that's occurring...

--
This message was sent by Atlassian JIRA
(v6.3.11#6341)

[jboss-jira] [JBoss JIRA] (WFLY-4304) Servlet authentication kicked off when *not* a part of any security-constraint

[jboss-jira] [JBoss JIRA] (WFLY-4304) Servlet authentication kicked off when not a part of any security-constraint